import selinux-policy-3.14.3-65.el8

2021-03-30 15:41:57 -04:00 · 2021-03-30 15:41:57 -04:00 · dca2cf68db
parent e479b42144
commit dca2cf68db
4 changed files with 259 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-420bacb.tar.gz
-SOURCES/selinux-policy-contrib-876387c.tar.gz
+SOURCES/selinux-policy-33fd484.tar.gz
+SOURCES/selinux-policy-contrib-4beb213.tar.gz
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@ -1,3 +1,3 @@
-a5fc34a7fbfd13a2b86609bdea0bcc2b312163d1 SOURCES/container-selinux.tgz
-3756201d4d69bb4834cfaac8aff3398a1d8b482c SOURCES/selinux-policy-420bacb.tar.gz
-4de0c405f689cec37c49a8fc5054990f0fa27007 SOURCES/selinux-policy-contrib-876387c.tar.gz
+99c5dc0dbb5f824b2cc29d18e8911401677e0bb1 SOURCES/container-selinux.tgz
+4da13e377b1e178962423475a04832ed39581394 SOURCES/selinux-policy-33fd484.tar.gz
+45d3dbd0265f43953376baacdbc070a566eb429b SOURCES/selinux-policy-contrib-4beb213.tar.gz
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@ -2388,13 +2388,6 @@ minissdpd = module
 #
 freeipmi = module

-# Layer: contrib
-# Module: freeipmi
-# 
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 # 
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 420bacb2c1f970da8f6b71d3338c1968bc1926db
+%global commit0 33fd4847deb2522105cfba82da5efb707025934c
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 876387c1df207a8364eacd41e6c0b89d13bba8c3
+%global commit1 4beb213356f6020d4ea6635dda6842cef88fb357
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})

 %define distro redhat
@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 48%{?dist}
+Release: 65%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -254,12 +254,12 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
-%{_sharedstatedir}/selinux/%1/active/commit_num \
-%{_sharedstatedir}/selinux/%1/active/users_extra \
-%{_sharedstatedir}/selinux/%1/active/homedir_template \
-%{_sharedstatedir}/selinux/%1/active/seusers \
-%{_sharedstatedir}/selinux/%1/active/file_contexts \
-%{_sharedstatedir}/selinux/%1/active/policy.kern \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
@ -715,6 +715,251 @@ exit 0
 %endif

 %changelog
+* Mon Feb 22 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-65
+- Relabel /usr/sbin/charon-systemd as ipsec_exec_t
+Resolves: rhbz#1889542
+
+* Wed Feb 17 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-64
+- Allow unconfined_t and kprop_t to create krb5_0.rcache2 with the right context
+Resolves: rhbz#1874527
+Resolves: rhbz#1877044
+- Allow rhsmcertd bind tcp sockets to a generic node
+Resolves: rhbz#1923985
+- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
+Resolves: rhbz#1889542
+- Allow strongswan start using swanctl method
+Resolves: rhbz#1889542
+- Allow systemd-importd manage machines.lock file
+Resolves: rhbz#1788055
+
+* Thu Feb 11 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-63
+- Allow rtkit_daemon_t domain set process nice value in user namespaces
+Resolves: rhbz#1910507
+- Allow gpsd read and write ptp4l_t shared memory.
+Resolves: rhbz#1803845
+- Label /var/run/pcsd-ruby.socket socket with cluster_var_run_t type
+Resolves: rhbz#1804626
+- Allow Certmonger to use opencryptoki services
+Resolves: rhbz#1894132
+- Dontaudit vhostmd to write in /var/lib/rpm/ dir and allow signull rpm
+Resolves: rhbz#1815603
+- Allow rhsmcertd_t read kpatch lib files
+Resolves: rhbz#1895322
+- Allow ipsec_t connectto ipsec_mgmt_t
+Resolves: rhbz#1848355
+- Allow IPsec to use opencryptoki services
+Resolves: rhbz#1894132
+- Allow systemd-importd create /run/systemd/machines.lock file
+Resolves: rhbz#1788055
+
+* Fri Jan 29 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-62
+- Allow rhsmcertd_t domain transition to kpatch_t
+Resolves: rhbz#1895322
+- Revert "Add kpatch_exec() interface"
+Resolves: rhbz#1895322
+- Revert "Allow rhsmcertd execute kpatch"
+Resolves: rhbz#1895322
+- Dontaudit NetworkManager_t domain to write to kdump temp pipies
+Resolves: rhbz#1842897
+- Allow NetworkManager_t domain to get status of samba services
+Resolves: rhbz#1781806
+- Allow openvswitch create and use xfrm netlink sockets
+Resolves: rhbz#1916046
+- Allow openvswitch_t perf_event write permission
+Resolves: rhbz#1916046
+- Add write_perf_event_perms object permission set
+Related: rhbz#1916046
+
+* Wed Jan 27 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-61
+- Add kpatch_exec() interface
+Resolves: rhbz#1895322
+- Allow rhsmcertd execute kpatch
+Resolves: rhbz#1895322
+- Allow openvswitch_t perf_event open permission
+Resolves: rhbz#1916046
+- Allow openvswitch fowner capability and create netlink sockets
+Resolves: rhbz#1883980
+- Add net_broadcast capability to openvswitch_t domain
+Resolves: rhbz#1883980
+- Update interface modutils_read_module_deps to allow caller domain also mmap modules_dep_t files
+Resolves: rhbz#1883980
+- Allow machinectl to run pull-tar
+Resolves: rhbz#1788055
+
+* Wed Jan 13 2021 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-60
+- Allow wireshark create and use rdma socket
+Resolves: rhbz#1844370
+- Allow to use nnp_transition in pulseaudio_role
+Resolves: rhbz#1854471
+- Allow certmonger fsetid capability
+Resolves: rhbz#1873211
+- Add rsync_sys_admin tunable to allow rsync sys_admin capability
+Resolves: rhbz#1889673
+- Allow sysadm read and write /dev/rfkill
+Resolves: rhbz#1831630
+- Allow staff_u run pam_console_apply
+Resolves: rhbz#1817690
+- Label /dev/vhost-vdpa-[0-9]+ as vhost_device_t
+Resolves: rhbz#1907485
+
+* Thu Dec 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-59
+- Add cron_dbus_chat_system_job() interface
+Resolves: rhbz#1883906
+- Dontaudit firewalld dac_override capability
+Resolves: rhbz#1759010
+- Allow tcsd the setgid capability
+Resolves: rhbz#1898694
+- Allow timedatex dbus chat with cron system domain
+Resolves: rhbz#1883906
+- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
+Resolves: rhbz#1854299
+- Allow pcp-pmcd manage perf_events
+Resolves: rhbz#1901958
+- Label /dev/isst_interface as cpu_device_t
+Resolves: rhbz#1902227
+- Allow ipsec set the context of a SPD entry to the default context
+Resolves: rhbz#1880474
+- Allow sysadm_u user and unconfined_domain_type manage perf_events
+Resolves: rhbz#1901958
+- Add manage_perf_event_perms object permissions set
+Resolves: rhbz#1901958
+- Add perf_event access vectors.
+Resolves: rhbz#1901958
+- Remove "ipa = module" from modules-targeted-contrib.conf
+Resolves: rhbz#1461914
+
+* Thu Dec  3 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-58
+- Allow kexec manage generic tmp files
+Resolves: rhbz#1896424
+- Update systemd-sleep policy
+Resolves: rhbz#1850177
+- Add groupadd_t fowner capability
+Resolves: rhbz#1884179
+
+* Tue Nov 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-57
+- Allow dovecot bind to smtp ports
+Resolves: rhbz#1881884
+- Change fetchmail temporary files path to /var/spool/mail
+Resolves: rhbz#1853389
+- Set file context for symlinks in /etc/httpd to etc_t
+Resolves: rhbz#1900650
+- Allow dnsmasq read public files
+Resolves: rhbz#1782539
+- Fix range for unreserved ports
+Resolves: rhbz#1794531
+- Introduce logging_syslogd_append_public_content tunable
+Resolves: rhbz#1823672
+- Add files_search_non_security_dirs() interface
+Resolves: rhbz#1823672
+- Add miscfiles_append_public_files() interface
+Resolves: rhbz#1823672
+
+* Thu Nov 12 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-56
+- Let keepalived bind a raw socket
+Resolves: rhbz#1895130
+- Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
+Resolves: rhbz#1853389
+- Allow arpwatch create and use rdma socket
+Resolves: rhbz#1843409
+- Set correct default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow systemd-logind manage efivarfs files
+Resolves: rhbz#1869979
+- Allow systemd_resolved_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow systemd_modules_load_t to read efivarfs
+Resolves: rhbz#1869979
+- Allow read efivarfs_t files by domains executing systemctl file
+Resolves: rhbz#1869979
+- Introduce systemd_read_efivarfs_type attribute
+Resolves: rhbz#1869979
+
+* Mon Oct 26 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-55
+- Allow init dbus chat with kernel
+Resolves: rhbz#1694681
+- Confine systemd-sleep service
+Resolves: rhbz#1850177
+- Add default file context for /usr/libexec/pcp/lib/*
+Resolves: rhbz#1886369
+- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability
+Resolves: rhbz#1873658
+- Add fstools_rw_swap_files() interface
+Resolves: rhbz#1850177
+
+* Thu Sep 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-54
+- Allow plymouth sys_chroot capability
+Resolves: rhbz#1869814
+
+* Sun Aug 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-53
+- Allow certmonger fowner capability
+Resolves: rhbz#1870596
+- Define named file transition for saslauthd on /tmp/krb5_0.rcache2
+Resolves: rhbz#1870300
+- Label /usr/libexec/qemu-pr-helper with virtd_exec_t
+Resolves: rhbz#1867115
+
+* Thu Aug 13 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-52
+- Add ipa_helper_noatsecure() interface unconditionally
+Resolves: rhbz#1853432
+- Conditionally allow nagios_plugin_domain dbus chat with init
+Resolves: rhbz#1750821
+- Revert "Update allow rules set for nrpe_t domain"
+Resolves: rhbz#1750821
+- Add ipa_helper_noatsecure() interface to ipa.if
+Resolves: rhbz#1853432
+- Allow tomcat map user temporary files
+Resolves: rhbz#1857675
+- Allow tomcat manage user temporary files
+Resolves: rhbz#1857675
+- Add file context for /sys/kernel/tracing
+Resolves: rhbz#1847331
+- Define named file transition for sshd on /tmp/krb5_0.rcache2
+Resolves: rhbz#1848953
+
+* Mon Aug 03 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-51
+- Allow kadmind manage kerberos host rcache
+Resolves: rhbz#1863043
+- Allow virtlockd only getattr and lock block devices
+Resolves: rhbz#1832756
+- Allow qemu-ga read all non security file types conditionally
+Resolves: rhbz#1747960
+- Allow virtlockd manage VMs posix file locks
+Resolves: rhbz#1832756
+- Add dev_lock_all_blk_files() interface
+Resolves: rhbz#1832756
+- Allow systemd-logind dbus chat with fwupd
+Resolves: rhbz#1851932
+- Update xserver_rw_session macro
+Resolves: rhbz#1851448
+
+* Wed Jul 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-50
+- Revert "Allow qemu-kvm read and write /dev/mapper/control"
+This reverts commit f948eaf3d010215fc912e42013e4f88870279093.
+- Allow smbd get attributes of device files labeled samba_share_t
+Resolves: rhbz#1851816
+- Allow tomcat read user temporary files
+Resolves: rhbz#1857675
+- Revert "Dontaudit and disallow sys_admin capability for keepalived_t domain"
+Resolves: rhbz#1815281
+- Label /tmp/krb5_0.rcache2 with krb5_host_rcache_t
+Resolves: rhbz#1848953
+- Allow auditd manage kerberos host rcache files
+Resolves: rhbz#1855770
+
+* Thu Jul 09 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-49
+- Additional support for keepalived running in a namespace
+Resolves: rhbz#1815281
+- Allow keepalived manage its private type runtime directories
+Resolves: rhbz#1815281
+- Run ipa_helper_noatsecure(oddjob_t) only if the interface exists
+Resolves: rhbz#1853432
+- Allow oddjob_t process noatsecure permission for ipa_helper_t
+Resolves: rhbz#1853432
+- Allow domain dbus chat with systemd-resolved
+Resolves: rhbz#1852378
+- Define file context for /var/run/netns directory only
+Related: rhbz#1815281
+
 * Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-48
 - Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
 Resolves: rhbz#1836820