import selinux-policy-3.14.3-48.el8

.gitignore

@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-contrib-20346b0.tar.gz
-SOURCES/selinux-policy-d76fcee.tar.gz
+SOURCES/selinux-policy-420bacb.tar.gz
+SOURCES/selinux-policy-contrib-876387c.tar.gz

.selinux-policy.metadata

@@ -1,3 +1,3 @@
-ebdfca6c003d85c7ef844b24ddcce74f6a00fb0d SOURCES/container-selinux.tgz
-6c9e28f9df02de9eab3afee49ed11a5231bcf860 SOURCES/selinux-policy-contrib-20346b0.tar.gz
-251b98b0076ddfe2dc4ffac49838c089cbe90be7 SOURCES/selinux-policy-d76fcee.tar.gz
+a5fc34a7fbfd13a2b86609bdea0bcc2b312163d1 SOURCES/container-selinux.tgz
+3756201d4d69bb4834cfaac8aff3398a1d8b482c SOURCES/selinux-policy-420bacb.tar.gz
+4de0c405f689cec37c49a8fc5054990f0fa27007 SOURCES/selinux-policy-contrib-876387c.tar.gz

SPECS/selinux-policy.spec

@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 d76fceec695c24f195633137f40b5dacba5a8759
+%global commit0 420bacb2c1f970da8f6b71d3338c1968bc1926db
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 20346b0f238e84d0ad58bc1a3c96f6ed3fb1da3d
+%global commit1 876387c1df207a8364eacd41e6c0b89d13bba8c3
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 30%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -715,6 +715,211 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-48
+- Allow systemd_private_tmp(dirsrv_tmp_t) instead of dirsrv_t
+Resolves: rhbz#1836820
+
+* Mon Jun 29 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-47
+- Allow virtlogd_t manage virt lib files
+Resolves: rhbz#1832756
+- Allow pdns server to read system state
+Resolves: rhbz#1801214
+- Support systemctl --user in machinectl
+Resolves: rhbz#1788616
+- Allow chkpwd_t read and write systemd-machined devpts character nodes
+Resolves: rhbz#1788616
+- Allow init_t write to inherited systemd-logind sessions pipes
+Resolves: rhbz#1788616
+- Label systemd-growfs and systemd-makefs as fsadm_exec_t
+Resolves: rhbz#1820798
+- Allow staff_u and user_u setattr generic usb devices
+Resolves: rhbz#1783325
+- Allow sysadm_t dbus chat with accountsd
+Resolves: rhbz#1828809
+
+* Tue Jun 23 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-46
+- Fix description tag for the sssd_connect_all_unreserved_ports tunable
+Related: rhbz#1826748
+- Allow journalctl process set its resource limits
+Resolves: rhbz#1825894
+- Add sssd_access_kernel_keys tunable to conditionally access kernel keys
+Resolves: rhbz#1802062
+- Make keepalived work with network namespaces
+Resolves: rhbz#1815281
+- Create sssd_connect_all_unreserved_ports boolean
+Resolves: rhbz#1826748
+- Allow hypervkvpd to request kernel to load a module
+Resolves: rhbz#1842414
+- Allow systemd_private_tmp(dirsrv_tmp_t)
+Resolves: rhbz#1836820
+- Allow radiusd connect to gssproxy over unix domain stream socket
+Resolves: rhbz#1813572
+- Add fwupd_cache_t file context for '/var/cache/fwupd(/.*)?'
+Resolves: rhbz#1832231
+- Modify kernel_rw_key() not to include append permission
+Related: rhbz#1802062
+- Add kernel_rw_key() interface to access to kernel keyrings
+Related: rhbz#1802062
+- Modify systemd_delete_private_tmp() to use delete_*_pattern macros
+Resolves: rhbz#1836820
+- Allow systemd-modules to load kernel modules
+Resolves: rhbz#1823246
+- Add cachefiles_dev_t as a typealias to cachefiles_device_t
+Resolves: rhbz#1814796
+
+* Mon Jun 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-45
+- Remove files_mmap_usr_files() call for particular domains
+Related: rhbz#1801214
+- Allow dirsrv_t list cgroup directories
+Resolves: rhbz#1836795
+- Create the kerberos_write_kadmind_tmp_files() interface
+Related: rhbz#1841488
+- Allow realmd_t dbus chat with accountsd_t
+Resolves: rhbz#1792895
+- Allow nagios_plugin_domain execute programs in bin directories
+Resolves: rhbz#1815621
+- Update allow rules set for nrpe_t domain
+Resolves: rhbz#1750821
+- Allow Gluster mount client to mount files_type
+Resolves: rhbz#1753626
+- Allow qemu-kvm read and write /dev/mapper/control
+Resolves: rhbz#1835909
+- Introduce logrotate_use_cifs boolean
+Resolves: rhbz#1795923
+- Allow ptp4l_t sys_admin capability to run bpf programs
+Resolves: rhbz#1759214
+- Allow rhsmd mmap /etc/passwd
+Resolves: rhbz#1814644
+- Remove files_mmap_usr_files() call for systemd_localed_t
+Related: rhbz#1801214
+- Allow domain mmap usr_t files
+Resolves: rhbz#1801214
+- Allow libkrb5 lib read client keytabs
+Resolves: rhbz#1831769
+- Add files_dontaudit_manage_boot_dirs() interface
+Related: rhbz#1803868
+- Create files_create_non_security_dirs() interface
+Related: rhbz#1840265
+- Add new interface dev_mounton_all_device_nodes()
+Related: rhbz#1840265
+- Add new interface dev_create_all_files()
+Related: rhbz#1840265
+- Allow sshd write to kadmind temporary files
+Resolves: rhbz#1841488
+- Create init_create_dirs boolean to allow init create directories
+Resolves: rhbz#1832231
+- Do not audit staff_t and user_t attempts to manage boot_t entries
+Resolves: rhbz#1803868
+- Allow systemd to relabel all files on system.
+Resolves: rhbz#1818981
+- Make dbus-broker service working on s390x arch
+Resolves: rhbz#1840265
+
+* Wed May 20 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-44
+- Make boinc_var_lib_t label system mountdir attribute
+Resolves: rhbz#1779070
+- Allow aide to be executed by systemd with correct (aide_t) domain
+Resolves: rhbz#1814809
+- Allow chronyc_t domain to use nsswitch
+Resolves: rhbz#1772852
+- Allow nscd_socket_use() for domains in nscd_use() unconditionally
+Resolves: rhbz#1772852
+- Allow gluster geo-replication in rsync mode
+Resolves: rhbz#1831109
+- Update networkmanager_read_pid_files() to allow also list_dir_perms
+Resolves: rhbz#1781818
+- Allow associating all labels with CephFS
+Resolves: bz#1814689
+- Allow tcpdump sniffing offloaded (RDMA) traffic
+Resolves: rhbz#1834773
+
+* Fri Apr 17 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-43
+- Update radiusd policy
+Resolves: rhbz#1803407
+- Allow sssd read NetworkManager's runtime directory
+Resolves: rhbz#1781818
+- Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
+Resolves: rhbz#1777506
+- Allow ipa_helper_t to read kr5_keytab_t files
+Resolves: rhbz#1769423
+- Add ibacm_t ipc_lock capability
+Resolves: rhbz#1754719
+- Allow opafm_t to create and use netlink rdma sockets.
+Resolves: rhbz#1786670
+- Allow ptp4l_t create and use packet_socket sockets
+Resolves: rhbz#1759214
+- Update ctdbd_t policy
+Resolves: rhbz#1735748
+- Allow glusterd synchronize between master and slave
+Resolves: rhbz#1824662
+- Allow auditd poweroff or switch to single mode
+Resolves: rhbz#1826788
+- Allow init_t set the nice level of all domains
+Resolves: rhbz#1819121
+- Label /etc/sysconfig/ip6?tables\.save as system_conf_t
+Resolves: rhbz#1776873
+- Add file context entry and file transition for /var/run/pam_timestamp
+Resolves: rhbz#1791957
+
+* Wed Apr 08 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-42
+- Allow ssh-keygen create file in /var/lib/glusterd
+Resolves: rhbz#1816663
+- Update ctdbd_manage_lib_files() to also allow mmap ctdbd_var_lib_t files
+Resolves: rhbz#1819243
+- Remove container interface calling by named_filetrans_domain.
+- Makefile: fix tmp/%.mod.fc target
+Resolves: rhbz#1821191
+
+* Mon Mar 16 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-41
+- Allow NetworkManager read its unit files and manage services
+- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
+Resolves: rhbz#1806894
+
+* Tue Feb 18 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-40
+- Update virt_read_qemu_pid_files inteface
+Resolves: rhbz#1782925
+
+* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-39
+- Allow vhostmd communication with hosted virtual machines
+- Add and update virt interfaces
+Resolves: rhbz#1782925
+
+* Tue Jan 28 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-38
+- Dontaudit timedatex_t read file_contexts_t and validate security contexts
+Resolves: rhbz#1779098
+
+* Tue Jan 21 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-37
+- Make stratisd_t domain unconfined for RHEL-8.2
+Resolves: rhbz#1791557
+- stratisd_t policy updates
+Resolves: rhbz#1791557
+
+* Thu Jan 16 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-36
+- Label /stratis as stratisd_data_t
+Resolves: rhbz#1791557
+
+* Tue Jan 14 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-35
+- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
+Resolves: rhbz#1790795
+
+* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-34
+- Added macro for stratisd to chat over dbus
+- Add dac_override capability to stratisd_t domain
+- Allow userdomain to chat with stratisd over dbus.
+Resolves: rhbz#1787298
+
+* Fri Jan 10 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-33
+- Update files_create_var_lib_dirs() interface to allow caller domain also set attributes of var_lib_t directory
+Resolves: rhbz#1778126
+
+* Wed Jan 08 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-32
+- Allow create udp sockets for abrt_upload_watch_t domains
+Resolves: rhbz#1777761
+
+* Wed Jan 08 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-31
+- Allow sssd_t domain to read kernel net sysctls
+Resolves: rhbz#1777042
+
 * Fri Dec 13 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-30
 - Allow userdomain dbus chat with systemd_resolved_t
 Resolves: rhbz#1773463