From 72be2b6d57111333ba73d22ded0a4001d4e26ac5 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 15 Feb 2024 18:25:24 +0100
Subject: [PATCH] * Thu Feb 15 2024 Zdenek Pytela - 3.14.3-136
- Transition from sudodomains to crontab_t when executing crontab_exec_t
Resolves: RHEL-1388
- Fix label of pseudoterminals created from sudodomain
Resolves: RHEL-1388
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
Resolves: RHEL-22500
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
Resolves: RHEL-23442
- Allow admin user read/write on fixed_disk_device_t
Resolves: RHEL-23434
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1628
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1628
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1628
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1628
- Allow utempter_t use ptmx
Resolves: RHEL-25002
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21639
- Don't audit crontab_domain write attempts to user home
Resolves: RHEL-1388
- Add crontab_domtrans interface
Resolves: RHEL-1388
- Add dbus_manage_session_tmp_files interface
Resolves: RHEL-22500
- Allow httpd read network sysctls
Resolves: RHEL-22748
- Allow keepalived_unconfined_script_t dbus chat with init
Resolves: RHEL-22843
---
 .gitignore | 2 ++
 selinux-policy.spec | 42 +++++++++++++++++++++++++++++++++++++++---
 sources | 6 +++---
 3 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index 503bdaab..0b6a094e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,5 @@ SOURCES/selinux-policy-contrib-c6da44c.tar.gz
 /selinux-policy-contrib-61ad859.tar.gz
 /selinux-policy-61dd8ba.tar.gz
 /selinux-policy-contrib-de23cff.tar.gz
+/selinux-policy-82ab8ed.tar.gz
+/selinux-policy-contrib-6292557.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80e13eb3..f103bba8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 61dd8ba370aedb16deafa02188ea920dd5378e6c
+%global commit0 82ab8ed59e218529e7d4ed54c3d9a41fdf92a223
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 de23cffbbbbd97d50fa461217ef05e258f398c4b
+%global commit1 6292557be1c849ca97bb2d6da2393e7ab02a6f0d
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 135%{?dist}
+Release: 136%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -718,6 +718,42 @@ exit 0
 %endif
 %changelog
+* Thu Feb 15 2024 Zdenek Pytela - 3.14.3-136
+- Transition from sudodomains to crontab_t when executing crontab_exec_t
+Resolves: RHEL-1388
+- Fix label of pseudoterminals created from sudodomain
+Resolves: RHEL-1388
+- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
+Resolves: RHEL-22500
+- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
+Resolves: RHEL-23442
+- Allow admin user read/write on fixed_disk_device_t
+Resolves: RHEL-23434
+- Only allow confined user domains to login locally without unconfined_login
+Resolves: RHEL-1628
+- Add userdom_spec_domtrans_confined_admin_users interface
+Resolves: RHEL-1628
+- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
+Resolves: RHEL-1628
+- Add userdom_spec_domtrans_admin_users interface
+Resolves: RHEL-1628
+- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
+Resolves: RHEL-1628
+- Allow utempter_t use ptmx
+Resolves: RHEL-25002
+- Dontaudit subscription manager setfscreate and read file contexts
+Resolves: RHEL-21639
+- Don't audit crontab_domain write attempts to user home
+Resolves: RHEL-1388
+- Add crontab_domtrans interface
+Resolves: RHEL-1388
+- Add dbus_manage_session_tmp_files interface
+Resolves: RHEL-22500
+- Allow httpd read network sysctls
+Resolves: RHEL-22748
+- Allow keepalived_unconfined_script_t dbus chat with init
+Resolves: RHEL-22843
+
 * Fri Jan 26 2024 Zdenek Pytela - 3.14.3-135
 - Label /tmp/libdnf.* with user_tmp_t
 Resolves: RHEL-11249
diff --git a/sources b/sources
index 663da77b..444b6d7e 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-61dd8ba.tar.gz) = 2caf963866ae326e11d21000f12dd6944e6257ca35dc767b363c74cd6bd1512ce398c0089a5e7f430e73b76aefa4759e8d4e4597e4d4fd311af46da2a4e5b07b
-SHA512 (selinux-policy-contrib-de23cff.tar.gz) = 02c9bab8bd59b0c314a1e20e44a7e4e08d4976a1de8e5a9d0766ff37dd809bb44e958ff9e8db157e24981e73380142d9441e92a81397db1d363353e5b76b0be9
-SHA512 (container-selinux.tgz) = c61cb7bb7f452d52ddf5be88ef266a40ff93190cb9c16a6cb255febf334bb8e1599db885503c036e9014903aa4191804b81f7b7e236011ca28ac7f3c0b156452
+SHA512 (selinux-policy-82ab8ed.tar.gz) = 3ddb370e9c1d6c832368c26761987b073477ce1ae6d012d45a13ed8efede4ccbb9ce2de5b0ac4a0eae3c1d1d00161001de0803e57fe6e730532f1531879fe9c9
+SHA512 (selinux-policy-contrib-6292557.tar.gz) = 38a4104b01b151859fb85c91705647462fd6bda89d4055911c689a6cf30a4a01e4e3dd7e2d40ffe1813e5aae41c495ecec8bb7711f473bc35ce6095028887b73
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
+SHA512 (container-selinux.tgz) = 4df29305bf3fb3c89a673547e8265461881b5bd764d2b34855ca2b1b64aa4acd842908ff4c8e35dd3d27dc935645c16b26872b29258cc48a606dbe3dcd7da3fe
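Review bot: The last added line replaces the SHA512 for `container-selinux.tgz`, but neither the commit message nor the new %changelog entry mentions a container-selinux refresh. The two selinux-policy tarballs carry the short commit that the spec pins through `commit0`/`commit1`, whereas this file name has no version or commit id, so the checksum is the only record of which snapshot gets built. The refresh is presumably intentional, but nothing visible in the patch lets a reviewer tie the new hash to an upstream revision. I would record the origin next to the relevant Source line in the spec, e.g. `# container-selinux.tgz generated from <upstream-commit-placeholder>`, and add a changelog line for the update so the integrity pin can be audited later.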