* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
- Don't make kernel_t an unconfined domain - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition - Allow kernel_t to execute systemctl to do a poweroff/reboot - Grant basic permissions to the domain created by systemd_systemctl_domain() - Allow kernel_t to request module loading - Allow kernel_t to do compute_create - Allow kernel_t to manage perf events - Grant almost all capabilities to kernel_t - Allow kernel_t to fully manage all devices - Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" - Allow pulseaudio to write to session_dbusd tmp socket files - Allow systemd and unconfined_domain_type create user_namespace - Add the user_namespace security class - Reuse tmpfs_t also for the ramfs filesystem - Label udf tools with fsadm_exec_t - Allow networkmanager_dispatcher_plugin work with nscd - Watch_sb all file type directories. - Allow spamc read hardware state information files - Allow sysadm read ipmi devices - Allow insights client communicate with cupsd, mysqld, openvswitch, redis - Allow insights client read raw memory devices - Allow the spamd_update_t domain get generic filesystem attributes - Dontaudit systemd-gpt-generator the sys_admin capability - Allow ipsec_t only read tpm devices - Allow cups-pdf connect to the system log service - Allow postfix/smtpd read kerberos key table - Allow syslogd read network sysctls - Allow cdcc mmap dcc-client-map files - Add watch and watch_sb dosfs interface
This commit is contained in:
Zdenek Pytela
parent
4f5786b58d
commit
8263376e4d
|
|
@ -1,6 +1,6 @@
|
|||
# github repo with selinux-policy sources
|
||||
%global giturl https://github.com/fedora-selinux/selinux-policy
|
||||
%global commit 3c80e8b26a1ff6f8f282169e0971e705daddb01a
|
||||
%global commit 1e8688ea694393c9d918939322b72dfb44a01792
|
||||
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
||||
|
||||
%define distro redhat
|
||||
|
|
@ -23,7 +23,7 @@
|
|||
%define CHECKPOLICYVER 3.2
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 38.1
|
||||
Version: 38.2
|
||||
Release: 1%{?dist}
|
||||
License: GPL-2.0-or-later
|
||||
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
||||
|
|
@ -816,6 +816,37 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Dec 06 2022 Zdenek Pytela <zpytela@redhat.com> - 38.2-1
|
||||
- Don't make kernel_t an unconfined domain
|
||||
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
|
||||
- Allow kernel_t to execute systemctl to do a poweroff/reboot
|
||||
- Grant basic permissions to the domain created by systemd_systemctl_domain()
|
||||
- Allow kernel_t to request module loading
|
||||
- Allow kernel_t to do compute_create
|
||||
- Allow kernel_t to manage perf events
|
||||
- Grant almost all capabilities to kernel_t
|
||||
- Allow kernel_t to fully manage all devices
|
||||
- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue"
|
||||
- Allow pulseaudio to write to session_dbusd tmp socket files
|
||||
- Allow systemd and unconfined_domain_type create user_namespace
|
||||
- Add the user_namespace security class
|
||||
- Reuse tmpfs_t also for the ramfs filesystem
|
||||
- Label udf tools with fsadm_exec_t
|
||||
- Allow networkmanager_dispatcher_plugin work with nscd
|
||||
- Watch_sb all file type directories.
|
||||
- Allow spamc read hardware state information files
|
||||
- Allow sysadm read ipmi devices
|
||||
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
||||
- Allow insights client read raw memory devices
|
||||
- Allow the spamd_update_t domain get generic filesystem attributes
|
||||
- Dontaudit systemd-gpt-generator the sys_admin capability
|
||||
- Allow ipsec_t only read tpm devices
|
||||
- Allow cups-pdf connect to the system log service
|
||||
- Allow postfix/smtpd read kerberos key table
|
||||
- Allow syslogd read network sysctls
|
||||
- Allow cdcc mmap dcc-client-map files
|
||||
- Add watch and watch_sb dosfs interface
|
||||
|
||||
* Mon Nov 21 2022 Zdenek Pytela <zpytela@redhat.com> - 38.1-1
|
||||
- Revert "Allow sysadm_t read raw memory devices"
|
||||
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
||||
|
|
|
|||
4
sources
4
sources
|
|
@ -1,3 +1,3 @@
|
|||
SHA512 (selinux-policy-3c80e8b.tar.gz) = c3d9e981d8f9ad4d749b70ed3cd7e84bb4951f1e0b8d90e0062111dc43514f47f9c61da1f48b3693843286ddb864ee9c80052b9d9ac7e8a7d581a4fa1f8fb173
|
||||
SHA512 (selinux-policy-1e8688e.tar.gz) = e490022c1a05e68f523cb717fb47044a37b0b54b58b06003e2f646d9c44b688fa5c96d657a0ac29e95877b6d3f056a4a08120e9a67b9d1603c87ce8a7e2e3d44
|
||||
SHA512 (container-selinux.tgz) = 06340531ebc60308955cb4f7a99b68b04688925bc5a904a3d4a5143f32fa8dd0dee53bce006366de706c14b619378862f5377e0fbe7a5a2e789b66d7820ec599
|
||||
SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
|
||||
SHA512 (container-selinux.tgz) = 20f368b761fcd01c5ca9b7f9e0be7b5b805727a28eb07d16e8b2e678251afdc90d26cc8145972e8db16ed619833185e57e01d55161a2f75e68e4535c513153b2
|
||||
|
|
|
|||
Loading…
Reference in New Issue