rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17

Browse Source 
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for  /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
This commit is contained in:
Lukas Vrabec 2018-05-21 01:48:14 +02:00
parent 4d2de689d5
commit 844794a0f4
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06
3 changed files with 43 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -279,3 +279,5 @@ serefpolicy*
/selinux-policy-17160ee.tar.gz /selinux-policy-17160ee.tar.gz
/selinux-policy-contrib-4f6a859.tar.gz /selinux-policy-contrib-4f6a859.tar.gz
/selinux-policy-718d75d.tar.gz /selinux-policy-718d75d.tar.gz
/selinux-policy-cab8dc9.tar.gz
/selinux-policy-contrib-19624b4.tar.gz

41
selinux-policy.spec
View File

@ -1,11 +1,11 @@
# github repo with selinux-policy base sources # github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy %global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 718d75d6ef457c74ce1defac3b2d671b3d1f71eb %global commit0 cab8dc9056f382289b0559b3bdf336aa09ef8105
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources # github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 4f6a859548cce112341679e720b88f7d1cb674d7 %global commit1 19624b4009a0a252a57e7192dea7d3d322fcd0da
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat %define distro redhat
@ -29,7 +29,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.14.2 Version: 3.14.2
Release: 16%{?dist} Release: 17%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@ -718,6 +718,41 @@ exit 0
%endif %endif
%changelog %changelog
* Mon May 21 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-17
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
* Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16 * Mon Apr 30 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-16
- Allow systemd to mmap files with var_log_t label - Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session - Allow x_userdomains read/write to xserver session

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (selinux-policy-718d75d.tar.gz) = 176da6f3835a17e21e8e0c7377130a90bd2bcd1807cb60ee5eb9070ba843793660ca059d63296236aca98d810b68e1b72cd98e1d351ebe3a46274be1de418137 SHA512 (selinux-policy-cab8dc9.tar.gz) = d922ec08de3f8a47b312b00d9a64a73466e230b3e8344768f95d762b5e1f52f3d99b77ee5d5901ff76d3ecfa315daecbec428ef6f1a4b9322588ff8fc721f4ae
SHA512 (selinux-policy-contrib-4f6a859.tar.gz) = 3f2ac4cf26466a324adcc952286c20254cbd0e40149b9948eb623b03804ec056355deefa231dd9e4910097f5b0874f358f1731b68b47c746859a2f02adab23a6 SHA512 (selinux-policy-contrib-19624b4.tar.gz) = 25a8fb5a856dc8cb5f2ab42bb9a16371488172393ba8fbcb4aa35f021b00dd9ccd5e40f3fd249799e38bdb6a3461da6ef7b8794ce0250209cad789258959d8fe
SHA512 (container-selinux.tgz) = 847b4649718df078e824e344adb95868ed272a4133ac39147b2afac54289ffbd62584b540f6744fbd1b945573ce23e6dbcc425d780d37b5894a1ca5b4cca177e SHA512 (container-selinux.tgz) = 04f324dcf9ecc426157686679201eac943cc535a6d33dec9d7da221585170bc2af89a076a00fc35a10fa0d8be6acce877f19e427bcea5598d72b47f698534ff8