From 9364159b1834ed5a338be9a9ad266b3ad7c7a24a Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Thu, 24 May 2018 16:07:11 +0200
Subject: [PATCH] * Thu May 24 2018 Lukas Vrabec - 3.14.2-20 - Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files - Allow mailman_mail_t domain to search for apache configs - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. - Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow ptrace arbitrary processes - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) - Allow certmonger to geattr of filesystems BZ(1578755) - Update dev_map_xserver_misc interface to allo mmaping char devices instead of files - Allow noatsecure permission for all domain transitions from systemd. - Allow systemd to read tangd db files - Fix typo in ssh.if file - Allow xdm_t domain to mmap xserver_misc_device_t files - Allow xdm_t domain to execute systemd-coredump binary - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
---
 .gitignore | 2 ++
 selinux-policy.spec | 29 ++++++++++++++++++++++++++---
 sources | 6 +++---
 3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4ca19df9..aba78e74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -283,3 +283,5 @@ serefpolicy*
 /selinux-policy-contrib-19624b4.tar.gz
 /selinux-policy-contrib-5ae0301.tar.gz
 /selinux-policy-ba72e52.tar.gz
+/selinux-policy-877fde5.tar.gz
+/selinux-policy-contrib-12d91da.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 394c590c..9c452691 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 ba72e52d6e782b6c0bc4da292da81065d5b5c8b3
+%global commit0 877fde5e4cceb08ad0cf0e8110b1fca267e943f7
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 5ae0301be43d26dead51a7ec36f1c07b80dca638
+%global commit1 12d91dabfa5b0c6c8a69e76f3caae0e6d60c9d1b
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,29 @@ exit 0
 %endif
 %changelog
+* Thu May 24 2018 Lukas Vrabec - 3.14.2-20
+- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
+- Allow mailman_mail_t domain to search for apache configs
+- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
+- Improve procmail_domtrans() to allow mmaping procmail_exec_t
+- Allow ptrace arbitrary processes
+- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
+- Allow certmonger to geattr of filesystems BZ(1578755)
+- Update dev_map_xserver_misc interface to allo mmaping char devices instead of files
+- Allow noatsecure permission for all domain transitions from systemd.
+- Allow systemd to read tangd db files
+- Fix typo in ssh.if file
+- Allow xdm_t domain to mmap xserver_misc_device_t files
+- Allow xdm_t domain to execute systemd-coredump binary
+- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
+- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
+- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
+- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries
+- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
+- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
+- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
+
+
 * Tue May 22 2018 Lukas Vrabec - 3.14.2-19
 - Increase dependency versions of policycoreutils and checkpolicy packages
diff --git a/sources b/sources
index 82cc60d1..1ee528de 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-5ae0301.tar.gz) = 14d6a14c3f3227114f1539070a9b998b3875888a0a0e669f52cac86696ee55f2411d727f96d4763569171a7232f6a16b63cdfe0ae768df0b52b3c032f19d5d53
-SHA512 (selinux-policy-ba72e52.tar.gz) = edae928ecbcadd6ff0313a5414c88f8aaad609b7b7fbcbaa4a89574fdbe77fd73f3424c7671b4152a14fd49ec1559c73297779bcd2c727e438bb42a50f420d19
-SHA512 (container-selinux.tgz) = 719e82f66868cc356f79ada820e88d15334e9616b1090e5c944af357fe0edf7dcbeaad66223e00ffcaa921aa88c46a5b33f43ace28de844693bbfb290bd130a4
+SHA512 (selinux-policy-877fde5.tar.gz) = 29f4074fd84d026077bab774f72d63a538fa1b84ac5ff3b07e026e78f2031edd494a16b6a6930f7741be85124b4881a77744730dfe01a22cb938c2245778b523
+SHA512 (selinux-policy-contrib-12d91da.tar.gz) = 38afcb055eb582db1fa2f1207badb5eddfd5ee632e52e75f2449bd65d8a3fe81177430220b75dd13838fd5ecd4cc3f2402a3bcd6c5fbc367145aea66a09d7e88
+SHA512 (container-selinux.tgz) = c38b1799acb4f517655be8ede3f05debcebd81624e00bd9d429a277d8eecbf17d15618631bed8ce03c63286d574a61ebfb0782d6dd77c5e70d616fb1e968aed9
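Review bot: The last line pair changes the SHA512 of `container-selinux.tgz` (719e82f6… to c38b1799…) while the file name stays the same, and neither the commit message nor the new changelog entry mentions a container-selinux update. The two policy tarballs carry their short commit in the name and are pinned by `commit0`/`commit1` in the spec, so their new hashes can be traced to a revision; this third artifact cannot, at least from what the diff shows. I would record the upstream revision the tarball was built from, for example with a changelog line such as `- Update container-selinux.tgz to upstream commit <COMMIT_PLACEHOLDER>`, or put the short commit in the tarball name as the other two sources do, so that a reviewer can reproduce and verify the content behind the new checksum.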