* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4

- Update vmtools policy - Allow virt_qemu_ga_t domain to read udev_var_run_t files - Update nagios_run_sudo boolean with few allow rules related to accessing sssd - Update travis CI to install selinux-policy dependencies without checking for gpg check - Allow journalctl_t domain to mmap syslogd_var_run_t files - Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046 - Allow sbd_t domain to bypass permission checks for sending signals - Allow sbd_t domain read/write all sysctls - Allow kpatch_t domain to communicate with policykit_t domsin over dbus - Allow boltd_t to stream connect to sytem dbus - Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820) - Allow all domains to send dbus msgs to vmtools_unconfined_t processes - Label /dev/pkey as crypt_device_t - Allow sudodomains to write to systemd_logind_sessions_t pipes. - Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t. - Allow ifconfig_t domain to read /dev/random BZ(1687516) - Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660 - Update travis CI to install selinux-policy dependencies without checking for gpg check - Label /usr/sbin/nodm as xdm_exec_t same as other display managers - Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin - Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221 - Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
2019-03-12 18:42:45 +01:00 · 2019-03-12 18:42:45 +01:00 · a8da133b94
parent 43393ba497
commit a8da133b94
3 changed files with 32 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -345,3 +345,5 @@ serefpolicy*
 /selinux-policy-108b4cd.tar.gz
 /selinux-policy-contrib-925fb5e.tar.gz
 /selinux-policy-aa6253c.tar.gz
+/selinux-policy-contrib-c199027.tar.gz
+/selinux-policy-4c00590.tar.gz
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 aa6253cf8dbcff8d0d73a94c95b22a4813481bd8
+%global commit0 4c00590e9ef306b76eddd6099f21f4a2a2953d5b
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 925fb5e79748b46e0dd5962ed2df760a9a287079
+%global commit1 c199027807f785d4c18da80d89b000c75d80137f
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -706,6 +706,30 @@ exit 0
 %endif

 %changelog
+* Wed Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-4
+- Update vmtools policy
+- Allow virt_qemu_ga_t domain to read udev_var_run_t files
+- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
+- Update travis CI to install selinux-policy dependencies without checking for gpg check
+- Allow journalctl_t domain to mmap syslogd_var_run_t files
+- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
+- Allow sbd_t domain to bypass permission checks for sending signals
+- Allow sbd_t domain read/write all sysctls
+- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
+- Allow boltd_t to stream connect to sytem dbus
+- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
+- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
+- Label /dev/pkey as crypt_device_t
+- Allow sudodomains to write to systemd_logind_sessions_t pipes.
+- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
+- Allow ifconfig_t domain to read /dev/random BZ(1687516)
+- Fix interface modutils_run_kmod() where was used old interface modutils_domtrans_insmod instead of new one modutils_domtrans_kmod() Resolves: rhbz#1686660
+- Update travis CI to install selinux-policy dependencies without checking for gpg check
+- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
+- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
+- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
+- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
+
 * Wed Feb 27 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-3
 - Reverting https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15 because "%pretrans" cannot use shell scripts.
 Resolves: rhbz#1683365
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-925fb5e.tar.gz) = 67db505efbb50744e38502a1f95fdd84ce869107fd42dc8eb840f58d562dba4957c48dbb9400c0acce146c2707cf5ab3823459f5710fa5448f10ac8beec00c1b
-SHA512 (selinux-policy-aa6253c.tar.gz) = 93fe4655ddf9833d0e40a6dc741691c8520b4e71cc8ef939151d5980d9519e8ba8ec175e1970455cb9166630570633c58fa86231dd5eac02b5e239ffaa4d86e2
-SHA512 (container-selinux.tgz) = bfc07f23e367f2ae42d1296656ecc0122712e482682a81e435a346071819eb3c9b4ad37b3f914565e76376c4ac61d60d55cf901af1ce2cf0f19497b9b08cc75c
+SHA512 (selinux-policy-contrib-c199027.tar.gz) = 6310ac4d95d1adbc2049f7b7720f894474e19748f05e145109b038047e992cf9a11a020a8d39d7acb7f31046381286cd77ff51d74613d033926af8940da2614b
+SHA512 (selinux-policy-4c00590.tar.gz) = bb353aa1f4f63dbfdc7e558fa53f663969c51e4e81a493fcd3c424714d1e3dcfb4e9c2d06806726730b0871cb201cf254343498a48cc6a5a63a2a72fd4a29eb6
+SHA512 (container-selinux.tgz) = 08977a95836779814bd3aeb9523d4671c9139332c8ce65655ada00ec85fbfdc55c1f9ca0480b3aa75585274bff929d0d94c6008585ce75467a60640237774a0d