* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1

- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
This commit is contained in:
Zdenek Pytela 2022-02-17 23:37:33 +01:00
parent 652ddc6c42
commit b1087928cf
2 changed files with 25 additions and 5 deletions

View File

@ -1,6 +1,6 @@
# github repo with selinux-policy sources # github repo with selinux-policy sources
%global giturl https://github.com/fedora-selinux/selinux-policy %global giturl https://github.com/fedora-selinux/selinux-policy
%global commit 369f900039cff9443e86fdf7254ba8b11dc6adb5 %global commit e0c5ad17b8fc9547912085b142476a5eee6109cb
%global shortcommit %(c=%{commit}; echo ${c:0:7}) %global shortcommit %(c=%{commit}; echo ${c:0:7})
%define distro redhat %define distro redhat
@ -23,7 +23,7 @@
%define CHECKPOLICYVER 3.2 %define CHECKPOLICYVER 3.2
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 36.2 Version: 36.3
Release: 1%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@ -143,6 +143,7 @@ and some additional files.
%dir %{_datadir}/selinux/devel %dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/include %dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/* %{_datadir}/selinux/devel/include/*
%exclude %{_datadir}/selinux/devel/include/container.if
%dir %{_datadir}/selinux/devel/html %dir %{_datadir}/selinux/devel/html
%{_datadir}/selinux/devel/html/*html %{_datadir}/selinux/devel/html/*html
%{_datadir}/selinux/devel/html/*css %{_datadir}/selinux/devel/html/*css
@ -286,7 +287,7 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
rm -f ${FILE_CONTEXT}.pre; \ rm -f ${FILE_CONTEXT}.pre; \
fi; \ fi; \
# rebuilding the rpm database still can sometimes result in an incorrect context \ # rebuilding the rpm database still can sometimes result in an incorrect context \
%{_sbindir}/restorecon -R /var/lib/rpm \ %{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
continue; \ continue; \
fi; fi;
@ -808,6 +809,25 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Feb 17 2022 Zdenek Pytela <zpytela@redhat.com> - 36.3-1
- Update NetworkManager-dispatcher policy to use scripts
- Allow init mounton kernel messages device
- Revert "Make dbus-broker service working on s390x arch"
- Remove permissive domain for insights_client_t
- Allow userdomain read symlinks in /var/lib
- Allow iptables list cgroup directories
- Dontaudit mdadm list dirsrv tmpfs dirs
- Dontaudit dirsrv search filesystem sysctl directories
- Allow chage domtrans to sssd
- Allow postfix_domain read dovecot certificates
- Allow systemd-networkd create and use netlink netfilter socket
- Allow nm-dispatcher read nm-dispatcher-script symlinks
- filesystem.te: add genfscon rule for ntfs3 filesystem
- Allow rhsmcertd get attributes of cgroup filesystems
- Allow sandbox_web_client_t watch various dirs
- Exclude container.if from policy devel files
- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm
* Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1 * Fri Feb 11 2022 Zdenek Pytela <zpytela@redhat.com> - 36.2-1
- Allow sysadm_passwd_t to relabel passwd and group files - Allow sysadm_passwd_t to relabel passwd and group files
- Allow confined sysadmin to use tool vipw - Allow confined sysadmin to use tool vipw

View File

@ -1,3 +1,3 @@
SHA512 (selinux-policy-369f900.tar.gz) = a69bb7af266f013325de204e66877a4a8bb5345cf8e332efe1cb3c0993da312e0bd3bef687e366064bfe940854fe9ed24605afa08cdadfcdbbab238a9b255572 SHA512 (selinux-policy-e0c5ad1.tar.gz) = 22de0b261754fdcf478a4b88a9f166752adf7b7dd80e88cb1b40d6b13104eafe854a9cca372e7d9433dc55c24c4e73e535b3f8a1a59748c8fcb99817691bb078
SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
SHA512 (container-selinux.tgz) = a9d05e8d035f7eef322d87fdcae842bb7675379dd2b7015a60363f8ede35c1c43ca43026a9944c79b456de8616da6255d8552a8e838535a33a14a7ea17229d97 SHA512 (container-selinux.tgz) = bd68a2fa40597ae4a5f303094aca4c10691abe66c763246e902687aa6e06b7f007590215e360bb6fcba2d2dc781d92c94f5c575c9cbb4724adec2ec139de5b54