import CS selinux-policy-38.1.35-2.el9_3

2024-04-30 11:41:37 +00:00 · 2024-04-30 11:41:37 +00:00 · 52c9844480
commit 52c9844480
parent fa31a515e6
5 changed files with 220 additions and 26 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-1f99cda.tar.gz
+SOURCES/selinux-policy-eb644c8.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,2 +1,2 @@
-748ecd1fd956fb9d99ce15a3047c8fef5ba72772 SOURCES/container-selinux.tgz
-e25d3dfc89a94e2de7bc601f8862dca207e54b97 SOURCES/selinux-policy-1f99cda.tar.gz
+d0e251101057533cea4c5e7c63d77bbf93b00847 SOURCES/container-selinux.tgz
+2698c41ea1a4ddd780992e1eacc53d5bb4b09b15 SOURCES/selinux-policy-eb644c8.tar.gz
--- a/SOURCES/file_contexts.subs_dist
+++ b/SOURCES/file_contexts.subs_dist
@ -21,3 +21,4 @@
 /sysroot/tmp         /tmp
 /var/usrlocal        /usr/local
 /var/mnt             /mnt
+/bin                 /usr/bin
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -706,13 +706,6 @@ git = module
 # 
 glance = module

-# Layer: contrib
-# Module: glusterd
-#  
-#  policy for glusterd service
-#
-glusterd =  module
-
 # Layer: apps
 # Module: gnome
 #
@ -2719,3 +2712,31 @@ fdo = module
 #  qatlib - Intel QuickAssist technology library and resources management
 #
 qatlib = module
+
+# Layer: contrib
+# Module: nvme_stas
+#
+# nvme_stas
+#
+nvme_stas = module
+
+# Layer: contrib
+# Module: coreos_installer
+#
+# coreos_installer
+#
+coreos_installer = module
+
+# Layer: contrib
+# Module: afterburn
+#
+# afterburn
+#
+afterburn = module
+
+# Layer: contrib
+# Module: sap_unconfined
+#
+#  sap_unconfined
+#
+sap = module
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,6 +1,6 @@
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit 1f99cdaa26c4ecbb26362cb21f6cd3eb0ec473a3
+%global commit eb644c87c0bb3d4b19be1b28975ce9c6333f0279
 %global shortcommit %(c=%{commit}; echo ${c:0:7})

 %define distro redhat
@ -23,8 +23,8 @@
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 38.1.23
-Release: 1%{?dist}.2
+Version: 38.1.35
+Release: 2%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
@ -809,21 +809,193 @@ exit 0
 %endif

 %changelog
-* Wed Jan 10 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.23-1.2
- Allow qatlib set attributes of vfio device files
-Resolves: RHEL-19052
- Allow qatlib load kernel modules
-Resolves: RHEL-19052
- Allow qatlib run lspci
-Resolves: RHEL-19052
- Allow qatlib manage its private runtime socket files
-Resolves: RHEL-19052
- Allow qatlib read/write vfio devices
-Resolves: RHEL-19052
+* Thu Mar 14 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-2
+- Rebuild
+Resolves: RHEL-26663

-* Tue Dec 05 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.23-1.1
+* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.35-1
+- Allow wdmd read hardware state information
+Resolves: RHEL-26663
+
+* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.34-1
+- Allow wdmd list the contents of the sysfs directories
+Resolves: RHEL-26663
+- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
+Resolves: RHEL-26660
+
+* Thu Feb 22 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.33-1
+- Allow thumb_t to watch and watch_reads mount_var_run_t
+Resolves: RHEL-26073
+- Allow opafm create NFS files and directories
+Resolves: RHEL-17820
+- Label /tmp/libdnf.* with user_tmp_t
+Resolves: RHEL-11250
+
+* Thu Feb 15 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.32-1
+- Dontaudit subscription manager setfscreate and read file contexts
+Resolves: RHEL-21635
+- Allow xdm_t to watch and watch_reads mount_var_run_t
+Resolves: RHEL-24841
+- Allow unix dgram sendto between exim processes
+Resolves: RHEL-21902
+- Allow utempter_t use ptmx
+Resolves: RHEL-24946
+- Only allow confined user domains to login locally without unconfined_login
+Resolves: RHEL-1551
+- Add userdom_spec_domtrans_confined_admin_users interface
+Resolves: RHEL-1551
+- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
+Resolves: RHEL-1551
+- Add userdom_spec_domtrans_admin_users interface
+Resolves: RHEL-1551
+- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
+Resolves: RHEL-1551
+
+* Thu Jan 25 2024 Juraj Marcin <jmarcin@redhat.com> - 38.1.31-1
+- Allow chronyd-restricted read chronyd key files
+Resolves: RHEL-18219
+- Allow conntrackd_t to use bpf capability2
+Resolves: RHEL-22277
+- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
+Resolves: RHEL-14735
+- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
+Resolves: RHEL-14505
+- Add interface for write-only access to NetworkManager rw conf
+Resolves: RHEL-14505
+- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
+Resolves: RHEL-11792
+
+* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.30-1
+- Allow sysadm execute traceroute in sysadm_t domain using sudo
+Resolves: RHEL-14077
+- Allow qatlib set attributes of vfio device files
+Resolves: RHEL-19051
+- Allow qatlib load kernel modules
+Resolves: RHEL-19051
+- Allow qatlib run lspci
+Resolves: RHEL-19051
+- Allow qatlib manage its private runtime socket files
+Resolves: RHEL-19051
+- Allow qatlib read/write vfio devices
+Resolves: RHEL-19051
+- Allow syslog to run unconfined scripts conditionally
+Resolves: RHEL-11174
+- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
+Resolves: RHEL-11174
+- Allow sendmail MTA connect to sendmail LDA
+Resolves: RHEL-15175
+- Allow sysadm execute tcpdump in sysadm_t domain using sudo
+Resolves: RHEL-15432
+- Allow opafm search nfs directories
+Resolves: RHEL-17820
+- Allow mdadm list stratisd data directories
+Resolves: RHEL-19276
+- Update cyrus_stream_connect() to use sockets in /run
+Resolves: RHEL-19282
+- Allow collectd connect to statsd port
+Resolves: RHEL-21044
+- Allow insights-client transition to sap unconfined domain
+Resolves: RHEL-21452
+- Create the sap module
+Resolves: RHEL-21452
+
+* Thu Dec 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.29-1
+- Add init_explicit_domain() interface
+Resolves: RHEL-18219
+- Allow dovecot_auth_t connect to postgresql using UNIX socket
+Resolves: RHEL-16850
+- Allow keepalived_t to use sys_ptrace of cap_userns
+Resolves: RHEL-17156
+- Make `bootc` be `install_exec_t`
+Resolves: RHEL-19199
+- Add support for chronyd-restricted
+Resolves: RHEL-18219
+- Label /dev/vas with vas_device_t
+Resolves: RHEL-17336
+- Allow gpsd use /dev/gnss devices
+Resolves: RHEL-16676
+- Allow sendmail manage its runtime files
+Resolves: RHEL-15175
+- Add support for syslogd unconfined scripts
+Resolves: RHEL-11174
+
+* Thu Nov 30 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.28-1
+- Create interface selinux_watch_config and add it to SELinux users
+Resolves: RHEL-1555
+- Allow  winbind_rpcd_t processes access when samba_export_all_* is on
+Resolves: RHEL-16273
+- Allow samba-dcerpcd connect to systemd_machined over a unix socket
+Resolves: RHEL-16273
+- Allow winbind-rpcd make a TCP connection to the ldap port
+Resolves: RHEL-16273
+- Allow sudodomain read var auth files
+Resolves: RHEL-16708
+- Allow auditd read all domains process state
+Resolves: RHEL-14285
+- Allow rsync read network sysctls
+Resolves: RHEL-14638
+- Add dhcpcd bpf capability to run bpf programs
+Resolves: RHEL-15326
+- Allow systemd-localed create Xserver config dirs
+Resolves: RHEL-16716
+- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
+Resolves: RHEL-1553
+- Update sendmail policy module for opensmtpd
+Resolves: RHEL-15175
+
+* Tue Nov 14 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.27-1
+- Remove glusterd module
+Resolves: RHEL-1548
+- Improve default file context(None) of /var/lib/authselect/backups
+Resolves: RHEL-15220
+- Set default file context of /var/lib/authselect/backups to <<none>>
+Resolves: RHEL-15220
+- Create policy for afterburn
+Resolves: RHEL-12591
+- Allow unconfined_domain_type use io_uring cmd on domain
+Resolves: RHEL-11792
+- Add policy for coreos installer
+Resovles: RHEL-5164
+- Add policy for nvme-stas
+Resolves: RHEL-1557
+- Label /var/run/auditd.state as auditd_var_run_t
+Resolves: RHEL-14374
+- Allow ntp to bind and connect to ntske port.
+Resolves: RHEL-15085
 - Allow ip an explicit domain transition to other domains
-Resolves: RHEL-14248
+Resolves: RHEL-14246
+- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
+Resolves: RHEL-14289
+- Allow sssd domain transition on passkey_child execution conditionally
+Resolves: RHEL-14014
+- Allow sssd use usb devices conditionally
+Resolves: RHEL-14014
+- Allow kdump create and use its memfd: objects
+Resolves: RHEL-14413
+
+* Tue Oct 31 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.26-1
+- Allow kdump create and use its memfd: objects
+Resolves: RHEL-14413
+
+* Fri Oct 20 2023 Zdenek Pytela <zpytela@redhat.com> - 38.1.25-1
+- Add map_read map_write to kernel_prog_run_bpf
+Resolves: RHEL-2653
+- Allow sysadm_t read nsfs files
+Resolves: RHEL-5146
+- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
+Resolves: RHEL-14029
+- Allow system_mail_t manage exim spool files and dirs
+Resolves: RHEL-14110
+- Label /run/pcsd.socket with cluster_var_run_t
+Resolves: RHEL-1664
+
+* Fri Sep 29 2023 Juraj Marcin <jmarcin@redhat.com> - 38.1.24-1
+- Allow cupsd_t to use bpf capability
+Resolves: RHEL-3633
+- Label /dev/gnss[0-9] with gnss_device_t
+Resolves: RHEL-9936
+- Dontaudit rhsmcertd write memory device
+Resolves: RHEL-1547

 * Fri Aug 25 2023 Nikola Knazekova <nknazeko@redhat.com> - 38.1.23-1
 - Allow cups-pdf connect to the system log service