* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3

- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
This commit is contained in:
Lukas Vrabec 2019-09-13 17:04:11 +02:00
parent 72de5a3804
commit f1d354de29
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06
3 changed files with 55 additions and 6 deletions

2
.gitignore vendored
View File

@ -399,3 +399,5 @@ serefpolicy*
/selinux-policy-contrib-c55a896.tar.gz /selinux-policy-contrib-c55a896.tar.gz
/selinux-policy-6a0cb45.tar.gz /selinux-policy-6a0cb45.tar.gz
/selinux-policy-contrib-8ce79b2.tar.gz /selinux-policy-contrib-8ce79b2.tar.gz
/selinux-policy-contrib-c5a8fd2.tar.gz
/selinux-policy-3e6f5ff.tar.gz

View File

@ -1,11 +1,11 @@
# github repo with selinux-policy base sources # github repo with selinux-policy base sources
%global git0 https://github.com/fedora-selinux/selinux-policy %global git0 https://github.com/fedora-selinux/selinux-policy
%global commit0 6a0cb453ba0dcbbc7e75fa04a6647936ccdb339a %global commit0 3e6f5ff6a8472c461de91690fe49fe2f12f76066
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
# github repo with selinux-policy contrib sources # github repo with selinux-policy contrib sources
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
%global commit1 8ce79b2c82b2d3e62bb4b22404e755bad7131c98 %global commit1 c5a8fd2a369b81fa96880776dc723a4038af1c49
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%define distro redhat %define distro redhat
@ -29,7 +29,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.14.5 Version: 3.14.5
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@ -787,6 +787,53 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Sep 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-3
- Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)
- Allow gssproxy_t domain read state of all processes on system
- Fix typo in cachefilesd module
- Allow cachefilesd_t domain to read/write cachefiles_device_t devices
- Remove setting label for /dev/cachefilesd char device from cachefilesd policy. This should be added in base policy
- Add sys_admin capability for keepalived_t labeled processes
- Allow user_mail_domain attribute to manage files labeled as etc_aliases_t.
- Create new type ipmievd_helper_t domain for loading kernel modules.
- Run stratisd service as stratisd_t
- Fix abrt_upload_watch_t in abrt policy
- Update keepalived policy
- Update cron_role, cron_admin_role and cron_unconfined_role to avoid *_t_t types
- Revert "Create admin_crontab_t and admin_crontab_tmp_t types"
- Revert "Update cron_role() template to accept third parameter with SELinux domain prefix"
- Allow amanda_t to manage its var lib files and read random_device_t
- Create admin_crontab_t and admin_crontab_tmp_t types
- Add setgid and setuid capabilities to keepalived_t domain
- Update cron_role() template to accept third parameter with SELinux domain prefix
- Allow psad_t domain to create tcp diag sockets BZ(1750324)
- Allow systemd to mount fwupd_cache_t BZ(1750288)
- Allow chronyc_t domain to append to all non_security files
- Update zebra SELinux policy to make it work also with frr service
- Allow rtkit_daemon_t domain set process nice value in user namespaces BZ(1750024)
- Dontaudit rhsmcertd_t to write to dirs labeled as lib_t BZ(1556763)
- Label /var/run/mysql as mysqld_var_run_t
- Allow chronyd_t domain to manage and create chronyd_tmp_t dirs,files,sock_file objects.
- Update timedatex policy to manage localization
- Allow sandbox_web_type domains to sys_ptrace and sys_chroot in user namespaces
- Update gnome_dontaudit_read_config
- Allow devicekit_var_lib_t dirs to be created by systemd during service startup. BZ(1748997)
- Allow systemd labeled as init_t domain to remount rootfs filesystem
- Add interface files_remount_rootfs()
- Dontaudit sys_admin capability for iptables_t SELinux domain
- Label /dev/cachefilesd as cachefiles_device_t
- Make stratisd policy active
- Allow userdomains to dbus chat with policykit daemon
- Update userdomains to pass correct parametes based on updates from cron_*_role interfaces
- New interface files_append_non_security_files()
- Label 2618/tcp and 2618/udp as priority_e_com_port_t
- Label 2616/tcp and 2616/udp as appswitch_emp_port_t
- Label 2615/tcp and 2615/udp as firepower_port_t
- Label 2610/tcp and 2610/udp as versa_tek_port_t
- Label 2613/tcp and 2613/udp as smntubootstrap_port_t
- Label 3784/tcp and 3784/udp as bfd_control_port_t
- Remove rule allowing all processes to stream connect to unconfined domains
* Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2 * Wed Sep 04 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.5-2
- Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket - Allow zabbix_t domain to manage zabbix_var_lib_t sock files and connect to unix_stream_socket
- Dontaudit sandbox web types to setattr lib_t dirs - Dontaudit sandbox web types to setattr lib_t dirs

View File

@ -1,4 +1,4 @@
SHA512 (container-selinux.tgz) = aeb4861d2f79b35ee10c1ad12280ea8d84ee33546eff2321287de98102093e2e004f689557ec884af929cc71bdcb38c9cc2ecf00226433a44a6e52d1d11959b4 SHA512 (selinux-policy-contrib-c5a8fd2.tar.gz) = 57fb899c9c7501272d9e773774b9c1dfae97274ddfcfa7698ac34c803722b51c1282bcc4b6aa35292d93ce3063395298ef3b794f191698d6b6e6b1968d376685
SHA512 (selinux-policy-3e6f5ff.tar.gz) = a5f2bfd9f6a9ad4fb857f432b02cae4b259399d1d00a807d0403bd5c4d05a9ce1c23a522c5a71c21953005ee96988cbf6a0e49cc46ba5a3be4f65d5b39cb3f9b
SHA512 (container-selinux.tgz) = 632dfadfbe4f94867194f77ef5bcd8348b08288ab943091f1def637ad826dd1e3a88f998dd0cc154c860c6cc4a8281da6759fc484bcd133424a4a5dea75ed6f8
SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
SHA512 (selinux-policy-6a0cb45.tar.gz) = b0058489dffe2de2bebcb9f7b9a1bf6d143e5c6fa0ed50bd1fff1b52be052f5f958d0feb4b9bd82d763dd87d6979bd8a37a52f7be52bbf44f76a8bc90439c79e
SHA512 (selinux-policy-contrib-8ce79b2.tar.gz) = e36bb51c1bcb553a54a95a29cb6440b6f120c805d5fa34e324da181d45abc4c489db51b58296df73c45bc702a86eadbb13001c2e88efa590f18128fff6fe3e9e