From 64c741479fd8209ecc2db4a3cafa1d74c990b6d3 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 27 Sep 2023 14:11:30 +0000
Subject: [PATCH] import CS selinux-policy-3.14.3-128.el8
---
 .gitignore | 4 +-
 .selinux-policy.metadata | 6 +-
 SPECS/selinux-policy.spec | 145 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 147 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index 041ee17..d71b5e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-426c028.tar.gz
-SOURCES/selinux-policy-contrib-c6da44c.tar.gz
+SOURCES/selinux-policy-b5586ba.tar.gz
+SOURCES/selinux-policy-contrib-267743a.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index d110037..b564898 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-bbb33f1d3ec06ac961c111b66a324496cbe9768f SOURCES/container-selinux.tgz
-8f77181d801751fdd49e7a537b291af8b455ed51 SOURCES/selinux-policy-426c028.tar.gz
-84a66625f87ed784dc752c76eca051d058abfa8d SOURCES/selinux-policy-contrib-c6da44c.tar.gz
+3c2810a578a2983781de5c969ba7a7dd7b6227d7 SOURCES/container-selinux.tgz
+7de814a764fbd6c004c726b384e9f919a3af3883 SOURCES/selinux-policy-b5586ba.tar.gz
+9fe88da07caee56a7d36642383d1913e01f339e6 SOURCES/selinux-policy-contrib-267743a.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 0ee5c6b..9fa2a42 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 426c028e3d055a6ae74f8bf7cc92107f3e43a5ea +%global commit0 b5586baa73b14fb8ca458fa4bbe70522b1ec264b %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 c6da44cc670eb76341a756f7d338e60cfa7cd8ac +%global commit1 267743aa7d7e85fe2bf3ccd199927d6c00bb4439 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 117%{?dist} +Release: 128%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz @@ -165,6 +165,7 @@ SELinux policy documentation package %files doc %{_mandir}/man*/* %{_mandir}/ru/*/* +%exclude %{_mandir}/man8/container_selinux.8.gz %doc %{_usr}/share/doc/%{name} %define makeCmds() \ 
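Review bot: The `%exclude %{_mandir}/man8/container_selinux.8.gz` line added to `%files doc` in the `@@ -165,6 +165,7 @@` hunk hard-codes the `.gz` suffix, so it matches only while the build root compresses man pages with gzip. If the compression suffix ever differs, the exclude would presumably stop matching and the `%{_mandir}/man*/*` glob above it would package the page again without any build error. Matching on the page name instead, `%exclude %{_mandir}/man8/container_selinux.8*`, avoids that dependency. The line also carries no explanation in the spec itself; a short comment such as `# container_selinux(8) is excluded from selinux-policy-doc, see rhbz#2218362` would keep the reason next to the rule instead of only in the changelog.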
@@ -717,6 +718,144 @@ exit 0 %endif %changelog +* Fri Aug 25 2023 Zdenek Pytela - 3.14.3-128 +- Allow ssh_agent_type manage generic cache home files +Resolves: rhbz#2177704 +- Add chromium_sandbox_t setcap capability +Resolves: rhbz#2221573 + +* Thu Aug 17 2023 Zdenek Pytela - 3.14.3-127 +- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3 +Resolves: rhbz#2229726 + +* Fri Aug 11 2023 Zdenek Pytela - 3.14.3-126 +- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2 +Resolves: rhbz#2229726 +- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t +Resolves: rhbz#2177704 +- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2 +Resolves: rhbz#2229726 +- Make insights_client_t an unconfined domain +Resolves: rhbz#2225527 +- Allow insights-client create all rpm logs with a correct label +Resolves: rhbz#2229559 +- Allow insights-client manage generic logs +Resolves: rhbz#2229559 + +* Fri Aug 04 2023 Zdenek Pytela - 3.14.3-125 +- Allow user_u and staff_u get attributes of non-security dirs +Resolves: rhbz#2216151 +- Allow unconfined user filetrans chrome_sandbox_home_t 1/2 +Resolves: rhbz#2221573 +- Allow unconfined user filetrans chrome_sandbox_home_t 2/2 +Resolves: rhbz#2221573 +- Allow insights-client execmem +Resolves: rhbz#2225233 +- Allow svnserve execute postdrop with a transition +Resolves: rhbz#2004843 +- Do not make postfix_postdrop_t type an MTA executable file +Resolves: rhbz#2004843 +- Allow samba-dcerpc service manage samba tmp files +Resolves: rhbz#2210771 +- Update samba-dcerpc policy for printing +Resolves: rhbz#2210771 + +* Thu Jul 20 2023 Zdenek Pytela - 3.14.3-124 +- Add the files_getattr_non_auth_dirs() interface +Resolves: rhbz#2076937 +- Update policy for the sblim-sfcb service +Resolves: rhbz#2076937 +- Dontaudit sfcbd sys_ptrace cap_userns +Resolves: rhbz#2076937 +- Label /usr/sbin/sos with sosreport_exec_t +Resolves: rhbz#2167731 +- Allow sa-update manage spamc home 
files +Resolves: rhbz#2222200 +- Allow sa-update connect to systemlog services +Resolves: rhbz#2222200 +- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t +Resolves: rhbz#2222200 + +* Thu Jun 29 2023 Zdenek Pytela - 3.14.3-123 +- Label only /usr/sbin/ripd and ripngd with zebra_exec_t +Resolves: rhbz#2213606 +- Allow httpd tcp connect to redis port conditionally +Resolves: rhbz#2213965 +- Exclude container-selinux manpage from selinux-policy-doc +Resolves: rhbz#2218362 + +* Thu Jun 15 2023 Nikola Knazekova - 3.14.3-122 +- Update cyrus_stream_connect() to use sockets in /run +Resolves: rhbz#2165752 +- Allow insights-client map generic log files +Resolves: rhbz#2214572 +- Allow insights-client work with pipe and socket tmp files +Resolves: rhbz#2207819 +- Allow insights-client getsession process permission +Resolves: rhbz#2207819 +- Allow keepalived to manage its tmp files +Resolves: rhbz#2179335 + +* Thu May 25 2023 Zdenek Pytela - 3.14.3-121 +- Update pkcsslotd policy for sandboxing 2/2 +Resolves: rhbz#2208162 +- Update pkcsslotd policy for sandboxing 1/2 +Resolves: rhbz#2208162 +- Allow abrt_t read kernel persistent storage files +Resolves: rhbz#2207914 +- Add allow rules for lttng-sessiond domain +Resolves: rhbz#2203509 +- Allow rpcd_lsad setcap and use generic ptys +Resolves: rhbz#2107106 +- Allow samba-dcerpcd connect to systemd_machined over a unix socket +Resolves: rhbz#2107106 +- Dontaudit targetd search httpd config dirs +Resolves: rhbz#2203720 + +* Thu May 11 2023 Zdenek Pytela - 3.14.3-120 +- Allow unconfined service inherit signal state from init +Resolves: rhbz#2177254 +- Allow systemd-pstore delete kernel persistent storage files +Resolves: rhbz#2181558 +- Add fs_delete_pstore_files() interface +Resolves: rhbz#2181558 +- Allow certmonger manage cluster library files +Resolves: rhbz#2177836 +- Allow samba-rpcd work with passwords +Resolves: rhbz#2107106 +- Allow snmpd read raw disk data +Resolves: rhbz#2160000 +- Allow 
cluster_t dbus chat with various services +Resolves: rhbz#2196524 + +* Fri Apr 21 2023 Zdenek Pytela - 3.14.3-119 +- Add unconfined_server_read_semaphores() interface +Resolves: rhbz#2183351 +- Allow systemd-pstore read kernel persistent storage files +Resolves: rhbz#2181558 +- Add fs_read_pstore_files() interface +Resolves: rhbz#2181558 +- Allow insights-client work with teamdctl +Resolves: rhbz#2185158 +- Allow insights-client read unconfined service semaphores +Resolves: rhbz#2183351 +- Allow insights-client get quotas of all filesystems +Resolves: rhbz#2183351 + +* Thu Apr 13 2023 Zdenek Pytela - 3.14.3-118 +- Allow login_pgm setcap permission +Resolves: rhbz#2172541 +- Label /run/fsck with fsadm_var_run_t +Resolves: rhbz#2184348 +- Add boolean qemu-ga to run unconfined script +Resolves: rhbz#2028762 +- Allow dovecot-deliver write to the main process runtime fifo files +Resolves: rhbz#2170495 +- Allow certmonger dbus chat with the cron system domain +Resolves: rhbz#2173289 +- Allow insights-client read all sysctls +Resolves: rhbz#2177607 + * Thu Feb 16 2023 Zdenek Pytela - 3.14.3-117 - Fix opencryptoki file names in /dev/shm Resolves: rhbz#2028637