import selinux-policy-3.14.3-117.el8

2023-03-28 09:06:52 +00:00 · 2023-03-28 09:06:52 +00:00 · 822017147e
commit 822017147e
parent d39caaffc8
3 changed files with 211 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-9db72ed.tar.gz
-SOURCES/selinux-policy-contrib-5e2c252.tar.gz
+SOURCES/selinux-policy-426c028.tar.gz
+SOURCES/selinux-policy-contrib-c6da44c.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-37036a3f9ec27f942a2b186db25f3c0551784c4e SOURCES/container-selinux.tgz
-d9e66219a3c1a29e8af4da26ed471297d3281fcc SOURCES/selinux-policy-9db72ed.tar.gz
-dd2ac90c589a5a5110bf578b014754b69f2232c7 SOURCES/selinux-policy-contrib-5e2c252.tar.gz
+bbb33f1d3ec06ac961c111b66a324496cbe9768f SOURCES/container-selinux.tgz
+8f77181d801751fdd49e7a537b291af8b455ed51 SOURCES/selinux-policy-426c028.tar.gz
+84a66625f87ed784dc752c76eca051d058abfa8d SOURCES/selinux-policy-contrib-c6da44c.tar.gz
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 9db72ed4345b0f26e798cb301f306fb4ee303844
+%global commit0 426c028e3d055a6ae74f8bf7cc92107f3e43a5ea
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 5e2c252146f379cd25df50de97816f6771d9d79b
+%global commit1 c6da44cc670eb76341a756f7d338e60cfa7cd8ac
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 107%{?dist}
+Release: 117%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -717,6 +717,209 @@ exit 0
 %endif

 %changelog
+* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
+- Fix opencryptoki file names in /dev/shm
+Resolves: rhbz#2028637
+- Allow system_cronjob_t transition to rpm_script_t
+Resolves: rhbz#2154242
+- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
+Resolves: rhbz#2154242
+- Allow httpd work with tokens in /dev/shm
+Resolves: rhbz#2028637
+- Allow keepalived to set resource limits
+Resolves: rhbz#2168638
+- Allow insights-client manage fsadm pid files
+
+* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
+- Allow sysadm_t run initrc_t script and sysadm_r role access
+Resolves: rhbz#2039662
+- Allow insights-client manage fsadm pid files
+Resolves: rhbz#2166802
+- Add journalctl the sys_resource capability
+Resolves: rhbz#2136189
+
+* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
+- Fix syntax problem in redis.te
+Resolves: rhbz#2112228
+- Allow unconfined user filetransition for sudo log files
+Resolves: rhbz#2164047
+- Allow winbind-rpcd make a TCP connection to the ldap port
+Resolves: rhbz#2152642
+- Allow winbind-rpcd manage samba_share_t files and dirs
+Resolves: rhbz#2152642
+- Allow insights-client work with su and lpstat
+Resolves: rhbz#2134125
+- Allow insights-client read nvme devices
+Resolves: rhbz#2143878
+- Allow insights-client tcp connect to all ports
+Resolves: rhbz#2143878
+- Allow redis-sentinel execute a notification script
+Resolves: rhbz#2112228
+
+* Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
+- Add interfaces in domain, files, and unconfined modules
+Resolves: rhbz#2141311
+- Allow sysadm_t read/write ipmi devices
+Resolves: rhbz#2148561
+- Allow sudodomain use sudo.log as a logfile
+Resolves: rhbz#2143762
+- Add insights additional capabilities
+Resolves: rhbz#2158779
+- Allow insights client work with gluster and pcp
+Resolves: rhbz#2141311
+- Allow prosody manage its runtime socket files
+Resolves: rhbz#2157902
+- Allow system mail service read inherited certmonger runtime files
+Resolves: rhbz#2143337
+- Add lpr_roles  to system_r roles
+Resolves: rhbz#2151111
+
+* Thu Dec 15 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-113
+- Allow systemd-socket-proxyd get attributes of cgroup filesystems
+Resolves: rhbz#2088441
+- Allow systemd-socket-proxyd get filesystems attributes
+Resolves: rhbz#2088441
+- Allow sysadm read ipmi devices
+Resolves: rhbz#2148561
+- Allow system mail service read inherited certmonger runtime files
+Resolves: rhbz#2143337
+- Add lpr_roles  to system_r roles
+Resolves: rhbz#2151111
+- Allow insights-client tcp connect to various ports
+Resolves: rhbz#2151111
+- Allow insights-client work with pcp and manage user config files
+Resolves: rhbz#2151111
+- Allow insights-client dbus chat with various services
+Resolves: rhbz#2152867
+- Allow insights-client dbus chat with abrt
+Resolves: rhbz#2152867
+- Allow redis get user names
+Resolves: rhbz#2112228
+- Add winbind-rpcd to samba_enable_home_dirs boolean
+Resolves: rhbz#2143696
+
+* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-112
+- Allow ipsec_t only read tpm devices
+Resolves: rhbz#2147380
+- Allow ipsec_t read/write tpm devices
+Resolves: rhbz#2147380
+- Label udf tools with fsadm_exec_t
+Resolves: rhbz#1972230
+- Allow the spamd_update_t domain get generic filesystem attributes
+Resolves: rhbz#2144501
+- Allow cdcc mmap dcc-client-map files
+Resolves: rhbz#2144505
+- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
+Resolves: rhbz#2143878
+- Allow insights client read raw memory devices
+Resolves: rhbz#2143878
+- Allow winbind-rpcd get attributes of device and pty filesystems
+Resolves: rhbz#2107106
+- Allow postfix/smtpd read kerberos key table
+Resolves: rhbz#1983308
+
+* Fri Nov 11 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-111
+- Add domain_unix_read_all_semaphores() interface
+Resolves: rhbz#2141311
+- Allow iptables list cgroup directories
+Resolves: rhbz#2134820
+- Allow systemd-hostnamed dbus chat with init scripts
+Resolves: rhbz#2111632
+- Allow systemd to read symlinks in /var/lib
+Resolves: rhbz#2118784
+- Allow insights-client domain transition on semanage execution
+Resolves: rhbz#2141311
+- Allow insights-client create gluster log dir with a transition
+Resolves: rhbz#2141311
+- Allow insights-client manage generic locks
+Resolves: rhbz#2141311
+- Allow insights-client unix_read all domain semaphores
+Resolves: rhbz#2141311
+- Allow winbind-rpcd use the terminal multiplexor
+Resolves: rhbz#2107106
+- Allow mrtg send mails
+Resolves: rhbz#2103675
+- Allow sssd dbus chat with system cronjobs
+Resolves: rhbz#2132922
+- Allow postfix/smtp and postfix/virtual read kerberos key table
+Resolves: rhbz#1983308
+
+* Thu Oct 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-110
+- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
+Resolves: rhbz#208441
+- Add the dev_map_vhost() interface
+Resolves: rhbz#2122920
+- Allow init remount all file_type filesystems
+Resolves: rhbz#2122239
+- added policy for systemd-socket-proxyd
+Resolves: rhbz#2088441
+- Allow virt_domain map vhost devices
+Resolves: rhbz#2122920
+- Allow virt domains to access xserver devices
+Resolves: rhbz#2122920
+- Allow rotatelogs read httpd_log_t symlinks
+Resolves: rhbz#2030633
+- Allow vlock search the contents of the /dev/pts directory
+Resolves: rhbz#2122838
+- Allow system cronjobs dbus chat with setroubleshoot
+Resolves: rhbz#2125008
+- Allow ptp4l_t name_bind ptp_event_port_t
+Resolves: rhbz#2130168
+- Allow pcp_domain execute its private memfd: objects
+Resolves: rhbz#2090711
+- Allow samba-dcerpcd use NSCD services over a unix stream socket
+Resolves: rhbz#2121709
+- Allow insights-client manage samba var dirs
+Resolves: rhbz#2132230
+
+* Wed Oct 12 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-109
+- Add the files_map_read_etc_files() interface
+Resolves: rhbz#2132230
+- Allow insights-client manage samba var dirs
+Resolves: rhbz#2132230
+- Allow insights-client send null signal to rpm and system cronjob
+Resolves: rhbz#2132230
+- Update rhcd policy for executing additional commands 4
+Resolves: rhbz#2132230
+- Allow insights-client connect to postgresql with a unix socket
+Resolves: rhbz#2132230
+- Allow insights-client domtrans on unix_chkpwd execution
+Resolves: rhbz#2132230
+- Add file context entries for insights-client and rhc
+Resolves: rhbz#2132230
+- Allow snmpd_t domain to trace processes in user namespace
+Resolves: rhbz#2121084
+- Allow sbd the sys_ptrace capability
+Resolves: rhbz#2124552
+- Allow pulseaudio create gnome content (~/.config)
+Resolves: rhbz#2124387
+
+* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-108
+- Allow unconfined_service_t insights client content filetrans
+Resolves: rhbz#2119507
+- Allow nsswitch_domain to connect to systemd-machined using a unix socket
+Resolves: rhbz#2119507
+- Add init_status_all_script_files() interface
+Resolves: rhbz#2119507
+- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 5
+Resolves: rhbz#2119507
+- Confine insights-client systemd unit
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 4
+Resolves: rhbz#2119507
+- Change rhsmcertd_t to insights_client_t in insights-client policy
+Resolves: rhbz#2119507
+- Allow insights-client send signull to unconfined_service_t
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 3
+Resolves: rhbz#2119507
+- Allow journalctl read init state
+Resolves: rhbz#2119507
+- Update insights-client policy for additional commands execution 2
+Resolves: rhbz#2119507
+
 * Thu Aug 25 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-107
 - Label 319/udp port with ptp_event_port_t
 Resolves: rhbz#2118628