From 833e3136e5a0153d46a3e03686e113a2f46501d3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 6 Sep 2018 22:33:33 +0200 Subject: [PATCH] * Thu Sep 06 2018 Lukas Vrabec - 3.14.3-2 - Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Add read interfaces for mysqld_log_t that was added in commit df832bf - Allow boltd_t to dbus chat with xdm_t - Conntrackd need to load kernel module to work - Allow mysqld sys_nice capability - Update boltd policy based on SELinux denials from rhbz#1607974 - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" - Add boolean: domain_can_mmap_files. - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev() --- .gitignore | 2 ++ selinux-policy.spec | 53 ++++++++++++++++++++++++++++++++++++++++++--- sources | 6 ++--- 3 files changed, 55 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index 898ef0c4..20be205b 100644 --- a/.gitignore +++ b/.gitignore @@ -306,3 +306,5 @@ serefpolicy* /selinux-policy-contrib-ab97c9d.tar.gz /selinux-policy-c8dfe84.tar.gz /selinux-policy-contrib-a342008.tar.gz +/selinux-policy-contrib-5ed2192.tar.gz +/selinux-policy-38c6414.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 52428567..53e5dd07 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 c8dfe84c09d2d197265f1d883f8b11527f5846c9 +%global commit0 38c6414d2dac8b3e77914561f34babdf93ef27ff %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 a3420086d85dcd5b7407c3101587047369c45ea1 +%global commit1 5ed2192d563e34d3f1e7c4f7b2673af960de8769 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz @@ -709,6 +709,53 @@ exit 0 %endif %changelog +* Thu Sep 06 2018 Lukas Vrabec - 3.14.3-2 +- Allow tomcat services create link file in /tmp +- Label /etc/shorewall6 as shorewall_etc_t +- Allow winbind_t domain kill in user namespaces +- Allow firewalld_t domain to read random device +- Allow abrt_t domain to do execmem +- Allow geoclue_t domain to execute own var_lib_t files +- Allow openfortivpn_t domain to read system network state +- Allow dnsmasq_t domain to read networkmanager lib files +- sssd: Allow to limit capabilities using libcap +- sssd: Remove unnecessary capability +- sssd: Do not audit usage of lib nss_systemd.so +- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file +- Add correct namespace_init_exec_t context to /etc/security/namespace.d/* +- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files +- Allow exim_t domain to mmap bin files +- Allow mysqld_t domain to executed with nnp transition +- Allow svirt_t domain to mmap svirt_image_t block files +- Add caps dac_read_search and dav_override to pesign_t domain +- Allow iscsid_t domain to mmap userio chr files +- Add read interfaces for mysqld_log_t that was added in commit df832bf +- Allow boltd_t to dbus chat with xdm_t +- Conntrackd need to load kernel module to work +- Allow mysqld sys_nice capability +- Update boltd policy based on SELinux denials from rhbz#1607974 +- Allow systemd to create symlinks in for /var/lib +- Add comment to show that template call also allows changing shells +- Document userdom_change_password_template() behaviour +- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file +- Fix typo in logging SELinux module +- Allow usertype to mmap user_tmp_type files +- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue +- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" +- Add boolean: domain_can_mmap_files. +- Allow ipsec_t domian to mmap own tmp files +- Add .gitignore file +- Add execute_no_trans permission to mmap_exec_file_perms pattern +- Allow sudodomain to search caller domain proc info +- Allow audisp_remote_t domain to read auditd_etc_t +- netlabel: Remove unnecessary sssd nsswitch related macros +- Allow to use sss module in auth_use_nsswitch +- Limit communication with init_t over dbus +- Add actual modules.conf to the git repo +- Add few interfaces to optional block +- Allow sysadm_t and staff_t domain to manage systemd unit files +- Add interface dev_map_userio_dev() + * Tue Aug 28 2018 Lukas Vrabec - 3.14.3-1 - Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Add interface devicekit_mounton_var_lib() diff --git a/sources b/sources index 8d2e6ec0..adea865e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-c8dfe84.tar.gz) = 1932e821f40e5f255580c9fd6ac48fdbe78ec86c89de04bba9a297e4971e4c96c3127ef890ab4a864b33f2230aad3b31b1aae08b509e501864763e3a53b11f05 -SHA512 (selinux-policy-contrib-a342008.tar.gz) = 3e49ff37fa815ff18ff9e6daa02c385b660ef9f63e7cdd475895f864834d5a8afd7f5355f2c5c936c370861f45606d82cf1c38c0f149ee7d3e7aba4e114adfbc -SHA512 (container-selinux.tgz) = 5ec87fe001d2c6256d7e97963e9ab44fc1068cd0df251a7f40547505f2f6c8e9e20ff0056da9bce7d37afb6649da6dfe605248885293d5d39b48e378d2554570 +SHA512 (selinux-policy-contrib-5ed2192.tar.gz) = 6d8c08980a10b498155893d7c9d949c89761622b4b16ca1e4c80d78ebd97791ee9e59112b725aae8402aec382214001cb9952e0e22b11698abacaea74ae7db41 +SHA512 (selinux-policy-38c6414.tar.gz) = a0d47bee2311baea12ade3a1f6460a76ba3e479314838957e5225c0e8ec0926ae0e9027b6204f1d5153f7e8b0ef207e4bbb30d9ee16bf1f5396ad87626b78528 +SHA512 (container-selinux.tgz) = a563b1da0a6c3b4bd1b171b263e171cd1a99758130c9c0e7d351df7709aa6f0e52e5e6eb211469697db0bdb86adf9de6c0b5f5935c928611854867084327114d