import selinux-policy-3.14.3-93.el8

.gitignore

@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-8f56f63.tar.gz
+SOURCES/selinux-policy-642155b.tar.gz
-SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
+SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz

.selinux-policy.metadata

@@ -1,3 +1,3 @@
-0d1a0214195d9519327846c21d7ac90b7da218c1 SOURCES/container-selinux.tgz
+e531ed72bd4055f40cb0152b1f81842c96af37c5 SOURCES/container-selinux.tgz
-672cfe526149ad56c857a79856e769548d9ead8e SOURCES/selinux-policy-8f56f63.tar.gz
+26b6cee1e1baf47309bfc5055781869abb589a2d SOURCES/selinux-policy-642155b.tar.gz
-6e84adfa8c88519a3c24f6f8426d59868bcd6050 SOURCES/selinux-policy-contrib-2a53cd0.tar.gz
+17a4e399dbf5dd7266a5bf3904aad633e3889351 SOURCES/selinux-policy-contrib-0e4a7a0.tar.gz

SOURCES/modules-targeted-contrib.conf

@@ -2656,3 +2656,10 @@ rrdcached = module
 # stratisd
 #
 stratisd = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module

SPECS/selinux-policy.spec

@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 8f56f631a921d043bc8176f7c64a38cd77b48f66
+%global commit0 642155b226a48d3edbdc1a13fb9a9fece74140f7
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 2a53cd02bd0d06568ecc549b15321f658d00babd
+%global commit1 0e4a7a0e5879fd49a239fb71e000c4967fe98eca
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -24,12 +24,12 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 31
-%define POLICYCOREUTILSVER 2.9
+%define POLICYCOREUTILSVER 2.9-19
 %define CHECKPOLICYVER 2.9
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 79%{?dist}
+Release: 93%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -141,6 +141,7 @@ SELinux policy development and man page package
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
+%exclude %{_usr}/share/selinux/devel/include/contrib/container.if
 %dir %{_usr}/share/selinux/devel/html
 %{_usr}/share/selinux/devel/html/*html
 %{_usr}/share/selinux/devel/html/*css
@@ -264,6 +265,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 #%{_libexecdir}/selinux/selinux-factory-reset \
 #%{_unitdir}/selinux-factory-reset@.service \
 #%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service \
@@ -715,6 +717,262 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 24 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-93
+- Allow systemd-networkd dbus chat with sosreport
+Resolves: rhbz#1949493
+- Allow sysadm_passwd_t to relabel passwd and group files
+Resolves: rhbz#2053457
+- Allow confined sysadmin to use tool vipw
+Resolves: rhbz#2053457
+- Allow sosreport dbus chat with abrt and timedatex
+Resolves: rhbz#1949493
+- Remove unnecessary /etc file transitions for insights-client
+Resolves: rhbz#2031853
+- Label all content in /var/lib/insights with insights_client_var_lib_t
+Resolves: rhbz#2031853
+- Update insights-client policy
+Resolves: rhbz#2031853
+- Update insights-client: fc pattern, motd, writing to etc
+Resolves: rhbz#2031853
+- Remove permissive domain for insights_client_t
+Resolves: rhbz#2031853
+- New policy for insight-client
+Resolves: rhbz#2031853
+- Add the insights_client module
+Resolves: rhbz#2031853
+- Update specfile to buildrequire policycoreutils-devel >= 2.9-19
+- Add modules_checksum to %files
+
+* Wed Feb 16 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-92
+- Allow postfix_domain read dovecot certificates 1/2
+Resolves: rhbz#2043599
+- Dontaudit dirsrv search filesystem sysctl directories 1/2
+Resolves: rhbz#2042568
+- Allow chage domtrans to sssd
+Resolves: rhbz#2054718
+- Allow postfix_domain read dovecot certificates 2/2
+Resolves: rhbz#2043599
+- Allow ctdb create cluster logs
+Resolves: rhbz#2049481
+- Allow alsa bind mixer controls to led triggers
+Resolves: rhbz#2049730
+- Allow alsactl set group Process ID of a process
+Resolves: rhbz#2049730
+- Dontaudit mdadm list dirsrv tmpfs dirs
+Resolves: rhbz#2011174
+- Dontaudit dirsrv search filesystem sysctl directories 2/2
+Resolves: rhbz#2042568
+- Revert "Label NetworkManager-dispatcher service with separate context"
+Related: rhbz#1989070
+- Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager"
+Related: rhbz#1989070
+
+* Wed Feb 09 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-91
+- Allow NetworkManager-dispatcher dbus chat with NetworkManager
+Resolves: rhbz#1989070
+
+* Fri Feb 04 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-90
+- Fix badly indented used interfaces
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 1/2
+Resolves: rhbz#2022690
+- Allow confined users to use kinit,klist and etc.
+Resolves: rhbz#2026598
+- Allow login_userdomain open/read/map system journal
+Resolves: rhbz#2046481
+- Allow init read stratis data symlinks 2/2
+Resolves: rhbz#2048514
+- Label new utility of NetworkManager nm-priv-helper
+Resolves: rhbz#1986076
+- Label NetworkManager-dispatcher service with separate context
+Resolves: rhbz#1989070
+- Allow domtrans to sssd_t and role access to sssd
+Resolves: rhbz#2030156
+- Creating interface sssd_run_sssd()
+Resolves: rhbz#2030156
+- Allow domain transition to sssd_t 2/2
+Resolves: rhbz#2022690
+- Allow timedatex dbus chat with xdm
+Resolves: rhbz#2040214
+- Associate stratisd_data_t with device filesystem
+Resolves: rhbz#2048514
+- Allow init read stratis data symlinks 1/2
+Resolves: rhbz#2048514
+- Allow rhsmcertd create rpm hawkey logs with correct label
+Resolves: rhbz#1949871
+
+* Wed Jan 26 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-89
+- Allow NetworkManager talk with unconfined user over unix domain dgram socket
+Resolves: rhbz#2044048
+- Allow system_mail_t read inherited apache system content rw files
+Resolves: rhbz#1988339
+- Add apache_read_inherited_sys_content_rw_files() interface
+Related: rhbz#1988339
+- Allow rhsm-service execute its private memfd: objects
+Resolves: rhbz#2029873
+- Allow dirsrv read configfs files and directories
+Resolves: rhbz#2042568
+- Label /run/stratisd with stratisd_var_run_t
+Resolves: rhbz#1879585
+- Fix path for excluding container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Thu Jan 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-88
+- Revert "Label /etc/cockpit/ws-certs.d with cert_t"
+Related: rhbz#1907473
+
+* Tue Jan 18 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-87
+- Set default file context for /sys/firmware/efi/efivars
+Resolves: rhbz#2039458
+- Allow sysadm_t start and stop transient services
+Resolves: rhbz#2031065
+- Label /etc/cockpit/ws-certs.d with cert_t
+Resolves: rhbz#1907473
+- Allow smbcontrol read the network state information
+Resolves: rhbz#2033873
+- Allow rhsm-service read/write its private memfd: objects
+Resolves: rhbz#2029873
+- Allow fcoemon request the kernel to load a module
+Resolves: rhbz#1940317
+- Allow radiusd connect to the radacct port
+Resolves: rhbz#2038955
+- Label /var/lib/shorewall6-lite with shorewall_var_lib_t
+Resolves: rhbz#2041447
+- Exclude container.if from selinux-policy-devel
+Resolves: rhbz#1861968
+
+* Mon Jan 03 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-86
+- Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+Resolves: rhbz#2013749
+- Allow local_login_t get attributes of tmpfs filesystems
+Resolves: rhbz#2015539
+- Allow local_login_t get attributes of filesystems with ext attributes
+Resolves: rhbz#2015539
+- Allow local_login_t domain to getattr cgroup filesystem
+Resolves: rhbz#2015539
+- Allow systemd read unlabeled symbolic links
+Resolves: rhbz#2021835
+- Allow userdomains use pam_ssh_agent_auth for passwordless sudo
+Resolves: rhbz#1917879
+- Allow sudodomains execute passwd in the passwd domain
+Resolves: rhbz#1943572
+- Label authcompat.py with authconfig_exec_t
+Resolves: rhbz#1919122
+- Dontaudit pkcsslotd sys_admin capability
+Resolves: rhbz#2021887
+- Allow lldpd connect to snmpd with a unix domain stream socket
+Resolves: rhbz#1991029
+
+* Tue Dec 07 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-85
+- Allow unconfined_t to node_bind icmp_sockets in node_t domain
+Resolves: rhbz#2025445
+- Allow rhsmcertd get attributes of tmpfs_t filesystems
+Resolves: rhbz#2015820
+- The nfsdcld service is now confined by SELinux
+Resolves: rhbz#2026588
+- Allow smbcontrol use additional socket types
+Resolves: rhbz#2027740
+- Allow lldpd use an snmp subagent over a tcp socket
+Resolves: rhbz#2028379
+
+* Wed Nov 24 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-84
+- Allow sysadm_t read/write pkcs shared memory segments
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to sanlock over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with sssd
+Resolves: rhbz#1965251
+- Allow sysadm_t set attributes on character device nodes
+Resolves: rhbz#1965251
+- Allow sysadm_t read and write watchdog devices
+Resolves: rhbz#1965251
+- Allow sysadm_t connect to cluster domains over a unix stream socket
+Resolves: rhbz#1965251
+- Allow sysadm_t dbus chat with tuned 2/2
+Resolves: rhbz#1965251
+- Update userdom_exec_user_tmp_files() with an entrypoint rule
+Resolves: rhbz#1920883
+- Allow sudodomain send a null signal to sshd processes
+Resolves: rhbz#1966945
+- Allow sysadm_t dbus chat with tuned 1/2
+Resolves: rhbz#1965251
+- Allow cloud-init dbus chat with systemd-logind
+Resolves: rhbz#2009769
+- Allow svnserve send mail from the system
+Resolves: rhbz#2004843
+- Allow svnserve_t domain to read system state
+Resolves: rhbz#2004843
+
+* Tue Nov 09 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-83
+- VQP: Include IANA-assigned TCP/1589
+Resolves: rhbz#1924038
+- Label port 3785/udp with bfd_echo
+Resolves: rhbz#1924038
+- Allow sysadm_t dbus chat with realmd_t
+Resolves: rhbz#2000488
+- Support sanlock VG automated recovery on storage access loss 1/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- radius: Lexical sort of service-specific corenet rules by service name
+Resolves: rhbz#1924038
+- radius: Allow binding to the BDF Control and Echo ports
+Resolves: rhbz#1924038
+- radius: Allow binding to the DHCP client port
+Resolves: rhbz#1924038
+- radius: Allow net_raw; allow binding to the DHCP server ports
+Resolves: rhbz#1924038
+- Support hitless reloads feature in haproxy
+Resolves: rhbz#2015423
+- Allow redis get attributes of filesystems with extended attributes
+Resolves: rhbz#2015435
+- Support sanlock VG automated recovery on storage access loss 2/2
+Resolves: rhbz#1985000
+- Revert "Support sanlock VG automated recovery on storage access loss"
+Resolves: rhbz#1985000
+
+* Wed Oct 20 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-82
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport in sysadmin role
+Resolves: rhbz#1965251
+- Allow systemd execute user bin files
+Resolves: rhbz#1860443
+- Label /dev/crypto/nx-gzip with accelerator_device_t
+Resolves: rhbz#2011166
+- Allow ipsec_t and login_userdomain named file transition in tmpfs
+Resolves: rhbz#2001599
+- Support sanlock VG automated recovery on storage access loss
+Resolves: rhbz#1985000
+- Allow proper function sosreport via iotop
+Resolves: rhbz#1965251
+- Call pkcs_tmpfs_named_filetrans for certmonger
+Resolves: rhbz#2001599
+- Allow ibacm the net_raw and sys_rawio capabilities
+Resolves: rhbz#2010644
+- Support new PING_CHECK health checker in keepalived
+Resolves: rhbz#2010873
+- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script
+Resolves: rhbz#2011239
+
+* Mon Oct 04 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-81
+- Allow unconfined domains to bpf all other domains
+Resolves: rhbz#1991443
+- Allow vmtools_unconfined_t domain transition to rpm_script_t
+Resolves: rhbz#1872245
+- Allow unbound connectto unix_stream_socket
+Resolves: rhbz#1905441
+- Label /usr/sbin/virtproxyd as virtd_exec_t
+Resolves: rhbz#1854332
+- Allow postfix_domain to sendto unix dgram sockets.
+Resolves: rhbz#1920521
+
+* Thu Sep 16 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-80
+- Allow rhsmcertd_t dbus chat with anaconda install_t
+Resolves: rhbz#2004990
+
 * Fri Aug 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-79
 - Introduce xdm_manage_bootloader booelan
 Resolves: rhbz#1994096