Compare commits
No commits in common. "c8" and "imports/c8s/selinux-policy-3.14.3-106.el8" have entirely different histories.
4
.gitignore
vendored
@ -1,3 +1,3 @@
|
|||||||
SOURCES/container-selinux.tgz
|
SOURCES/container-selinux.tgz
|
||||||
SOURCES/selinux-policy-552905c.tar.gz
|
SOURCES/selinux-policy-contrib-49d512d.tar.gz
|
||||||
SOURCES/selinux-policy-contrib-635888d.tar.gz
|
SOURCES/selinux-policy-e0a8ee2.tar.gz
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
e87338b5f56ae6e78c5a461e9bcadfc9333a1cd6 SOURCES/container-selinux.tgz
|
cb55df9b9c41c798f00c6557bd42f691a03b001c SOURCES/container-selinux.tgz
|
||||||
ac42e4401f30f57e1ffea73fb82ba208d5f96c88 SOURCES/selinux-policy-552905c.tar.gz
|
bb74431e494936bd97fa9baac3f04c80b72fd110 SOURCES/selinux-policy-contrib-49d512d.tar.gz
|
||||||
1776ee65081f2f9cf8113923854c5ad1ee28b4a6 SOURCES/selinux-policy-contrib-635888d.tar.gz
|
2a4f0892f05eba5d144bd36f7d8fd9423b43d4bf SOURCES/selinux-policy-e0a8ee2.tar.gz
|
||||||
|
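Review bot: `SOURCES/container-selinux.tgz` on the first row of this hunk has no version or commit in its file name, so its digest changes (e87338b5... to cb55df9b...) with nothing else on the line saying which upstream snapshot was packaged. The two selinux-policy tarballs below it carry a short commit in their names; this one is identified by the digest alone. Suggest recording the upstream commit or tag for container-selinux next to the `commit0`/`commit1` globals in the spec so the digest can be tied to a source revision during review.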
@ -1,11 +1,11 @@
|
|||||||
# github repo with selinux-policy base sources
|
# github repo with selinux-policy base sources
|
||||||
%global git0 https://github.com/fedora-selinux/selinux-policy
|
%global git0 https://github.com/fedora-selinux/selinux-policy
|
||||||
%global commit0 552905cb94a7790fb51586b7778d303be21692a4
|
%global commit0 e0a8ee21365132c1f4668c975670621c889c5e35
|
||||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||||
|
|
||||||
# github repo with selinux-policy contrib sources
|
# github repo with selinux-policy contrib sources
|
||||||
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
||||||
%global commit1 635888d8ead909d158ac612b59e518534c9104f4
|
%global commit1 49d512d4d8f17250aaf5524bdfea85180c6dbe56
|
||||||
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
||||||
|
|
||||||
%define distro redhat
|
%define distro redhat
|
||||||
@ -29,7 +29,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.14.3
|
Version: 3.14.3
|
||||||
Release: 139%{?dist}
|
Release: 106%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
||||||
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
||||||
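Review bot: On the `Release:` line the value goes from `139%{?dist}` to `106%{?dist}` while `Version: 3.14.3` is unchanged, so the right-hand side sorts as the older package. A build from it will not be offered as an update on hosts that already have -139, and forcing it in is a policy downgrade. If the aim is to review what was added since the -106 import, swap the two sides of the comparison.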
@ -148,7 +148,7 @@ SELinux policy development and man page package
|
|||||||
%{_usr}/share/selinux/devel/Makefile
|
%{_usr}/share/selinux/devel/Makefile
|
||||||
%{_usr}/share/selinux/devel/example.*
|
%{_usr}/share/selinux/devel/example.*
|
||||||
%{_usr}/share/selinux/devel/policy.*
|
%{_usr}/share/selinux/devel/policy.*
|
||||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
%ghost %{_sharedstatedir}/sepolgen/interface_info
|
||||||
|
|
||||||
%post devel
|
%post devel
|
||||||
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||||
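Review bot: The `%ghost` entry for `%{_sharedstatedir}/sepolgen/interface_info` loses `%verify(not md5 size mode mtime)` on the right-hand side, while `%post devel` just below still runs `/usr/bin/sepolgen-ifgen`, which regenerates that file on the installed system. With the plain `%ghost` form, `rpm -V` on the devel subpackage can report the file as changed after a normal install, which adds noise to package integrity checks. Keep the `%verify(not ...)` form on this line.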
@ -165,7 +165,6 @@ SELinux policy documentation package
|
|||||||
%files doc
|
%files doc
|
||||||
%{_mandir}/man*/*
|
%{_mandir}/man*/*
|
||||||
%{_mandir}/ru/*/*
|
%{_mandir}/ru/*/*
|
||||||
%exclude %{_mandir}/man8/container_selinux.8.gz
|
|
||||||
%doc %{_usr}/share/doc/%{name}
|
%doc %{_usr}/share/doc/%{name}
|
||||||
|
|
||||||
%define makeCmds() \
|
%define makeCmds() \
|
||||||
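Review bot: The `%files doc` list drops `%exclude %{_mandir}/man8/container_selinux.8.gz`, so the `%{_mandir}/man*/*` glob two lines above it owns that page again. If the same page is also shipped by the package that provides the container policy, installing both produces an rpm file conflict. Keep the `%exclude`, or confirm that the page is no longer generated during the build.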
@ -443,7 +442,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu
|
|||||||
|
|
||||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||||
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
|
|
||||||
|
|
||||||
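Review bot: In the first `sed` line the replacement for `SELINUXPOLICYVERSION` changes from `%{version}` to `%{version}-%{release}`, and `Release:` in this spec ends in `%{?dist}`. The value written into `macros.selinux-policy` then names one exact build including the dist tag, so if other packages generate a versioned dependency from it, they require at least this release rather than any 3.14.3 build. Add a comment in the spec stating which form consumers of the macro should expect, and check that packages built against one form still install against the other.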
@ -718,523 +717,6 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-139
|
|
||||||
- Allow wdmd read hardware state information
|
|
||||||
Resolves: RHEL-27507
|
|
||||||
|
|
||||||
* Fri Mar 08 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-138
|
|
||||||
- Allow wdmd list the contents of the sysfs directories
|
|
||||||
Resolves: RHEL-27507
|
|
||||||
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
|
||||||
Resolves: RHEL-27394
|
|
||||||
|
|
||||||
* Thu Feb 22 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-137
|
|
||||||
- Differentiate between staff and sysadm when executing crontab with sudo
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow su domains write login records
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Revert "Allow su domains write login records"
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Add crontab_admin_domtrans interface
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow gpg manage rpm cache
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
|
|
||||||
* Thu Feb 15 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-136
|
|
||||||
- Transition from sudodomains to crontab_t when executing crontab_exec_t
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Fix label of pseudoterminals created from sudodomain
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Allow login_userdomain to manage session_dbusd_tmp_t dirs/files
|
|
||||||
Resolves: RHEL-22500
|
|
||||||
- Label /dev/ngXnY and /dev/nvme-subsysX with nvme_device_t
|
|
||||||
Resolves: RHEL-23442
|
|
||||||
- Allow admin user read/write on fixed_disk_device_t
|
|
||||||
Resolves: RHEL-23434
|
|
||||||
- Only allow confined user domains to login locally without unconfined_login
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Add userdom_spec_domtrans_confined_admin_users interface
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Add userdom_spec_domtrans_admin_users interface
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
|
||||||
Resolves: RHEL-1628
|
|
||||||
- Allow utempter_t use ptmx
|
|
||||||
Resolves: RHEL-25002
|
|
||||||
- Dontaudit subscription manager setfscreate and read file contexts
|
|
||||||
Resolves: RHEL-21639
|
|
||||||
- Don't audit crontab_domain write attempts to user home
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Add crontab_domtrans interface
|
|
||||||
Resolves: RHEL-1388
|
|
||||||
- Add dbus_manage_session_tmp_files interface
|
|
||||||
Resolves: RHEL-22500
|
|
||||||
- Allow httpd read network sysctls
|
|
||||||
Resolves: RHEL-22748
|
|
||||||
- Allow keepalived_unconfined_script_t dbus chat with init
|
|
||||||
Resolves: RHEL-22843
|
|
||||||
|
|
||||||
* Fri Jan 26 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-135
|
|
||||||
- Label /tmp/libdnf.* with user_tmp_t
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
- Allow su domains write login records
|
|
||||||
Resolves: RHEL-2606
|
|
||||||
- Allow gpg read rpm cache
|
|
||||||
Resolves: RHEL-11249
|
|
||||||
- Allow unix dgram sendto between exim processes
|
|
||||||
Resolves: RHEL-21903
|
|
||||||
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
|
|
||||||
Resolves: RHEL-17687
|
|
||||||
- Add interface for write-only access to NetworkManager rw conf
|
|
||||||
Resolves: RHEL-17687
|
|
||||||
- Allow conntrackd_t to use sys_admin capability
|
|
||||||
Resolves: RHEL-22276
|
|
||||||
|
|
||||||
* Fri Jan 12 2024 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-134
|
|
||||||
- Allow syslog to run unconfined scripts conditionally
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Allow collectd connect to statsd port
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow collectd_t read network state symlinks
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow collectd_t domain to create netlink_generic_socket sockets
|
|
||||||
Resolves: RHEL-19482
|
|
||||||
- Allow opafm search nfs directories
|
|
||||||
Resolves: RHEL-19426
|
|
||||||
- Allow mdadm list stratisd data directories
|
|
||||||
Resolves: RHEL-21374
|
|
||||||
|
|
||||||
* Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133
|
|
||||||
- Label /dev/acpi_thermal_rel char device with acpi_device_t
|
|
||||||
Resolves: RHEL-18027
|
|
||||||
- Allow sysadm execute traceroute in sysadm_t domain using sudo
|
|
||||||
Resolves: RHEL-9947
|
|
||||||
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
|
|
||||||
Resolves: RHEL-15398
|
|
||||||
- Add support for syslogd unconfined scripts
|
|
||||||
Resolves: RHEL-10087
|
|
||||||
- Label /dev/wmi/dell-smbios as acpi_device_t
|
|
||||||
Resolves: RHEL-18027
|
|
||||||
- Make named_zone_t and named_var_run_t a part of the mountpoint attribute
|
|
||||||
Resolves: RHEL-1954
|
|
||||||
- Dontaudit rhsmcertd write memory device
|
|
||||||
Resolves: RHEL-17721
|
|
||||||
|
|
||||||
* Tue Nov 28 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-132
|
|
||||||
- Allow sudodomain read var auth files
|
|
||||||
Resolves: RHEL-16567
|
|
||||||
- Update cifs interfaces to include fs_search_auto_mountpoints()
|
|
||||||
Resolves: RHEL-14072
|
|
||||||
- Allow systemd-localed create Xserver config dirs
|
|
||||||
Resolves: RHEL-16715
|
|
||||||
- Label /var/run/auditd.state as auditd_var_run_t
|
|
||||||
Resolves: RHEL-14376
|
|
||||||
- Allow auditd read all domains process state
|
|
||||||
Resolves: RHEL-14471
|
|
||||||
- Allow sudo userdomain to run rpm related commands
|
|
||||||
Resolves: RHEL-1679
|
|
||||||
- Remove insights_client_watch_lib_dirs() interface
|
|
||||||
Resolves: RHEL-16185
|
|
||||||
|
|
||||||
* Wed Nov 08 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-131
|
|
||||||
- Additional permissions for ip-vrf
|
|
||||||
Resolves: RHEL-9981
|
|
||||||
- Allow ip an explicit domain transition to other domains
|
|
||||||
Resolves: RHEL-9981
|
|
||||||
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
|
|
||||||
Resolves: RHEL-5845
|
|
||||||
- Allow system_mail_t manage exim spool files and dirs
|
|
||||||
Resolves: RHEL-14186
|
|
||||||
|
|
||||||
* Wed Oct 04 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-130
|
|
||||||
- Label msmtp and msmtpd with sendmail_exec_t
|
|
||||||
Resolves: RHEL-1678
|
|
||||||
- Set default file context of HOME_DIR/tmp/.* to <<none>>
|
|
||||||
Resolves: RHEL-1099
|
|
||||||
- Improve default file context(None) of /var/lib/authselect/backups
|
|
||||||
Resolves: RHEL-3539
|
|
||||||
|
|
||||||
* Fri Sep 29 2023 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-129
|
|
||||||
- Set default file context of /var/lib/authselect/backups to <<none>>
|
|
||||||
Resolves: RHEL-3539
|
|
||||||
- Add file context specification for /usr/libexec/realmd
|
|
||||||
Resolves: RHEL-2147
|
|
||||||
- Add numad the ipc_owner capability
|
|
||||||
Resolves: RHEL-2415
|
|
||||||
|
|
||||||
* Fri Aug 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-128
|
|
||||||
- Allow ssh_agent_type manage generic cache home files
|
|
||||||
Resolves: rhbz#2177704
|
|
||||||
- Add chromium_sandbox_t setcap capability
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
|
|
||||||
* Thu Aug 17 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-127
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
|
|
||||||
* Fri Aug 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-126
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
|
|
||||||
Resolves: rhbz#2177704
|
|
||||||
- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
|
|
||||||
Resolves: rhbz#2229726
|
|
||||||
- Make insights_client_t an unconfined domain
|
|
||||||
Resolves: rhbz#2225527
|
|
||||||
- Allow insights-client create all rpm logs with a correct label
|
|
||||||
Resolves: rhbz#2229559
|
|
||||||
- Allow insights-client manage generic logs
|
|
||||||
Resolves: rhbz#2229559
|
|
||||||
|
|
||||||
* Fri Aug 04 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-125
|
|
||||||
- Allow user_u and staff_u get attributes of non-security dirs
|
|
||||||
Resolves: rhbz#2216151
|
|
||||||
- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
|
|
||||||
Resolves: rhbz#2221573
|
|
||||||
- Allow insights-client execmem
|
|
||||||
Resolves: rhbz#2225233
|
|
||||||
- Allow svnserve execute postdrop with a transition
|
|
||||||
Resolves: rhbz#2004843
|
|
||||||
- Do not make postfix_postdrop_t type an MTA executable file
|
|
||||||
Resolves: rhbz#2004843
|
|
||||||
- Allow samba-dcerpc service manage samba tmp files
|
|
||||||
Resolves: rhbz#2210771
|
|
||||||
- Update samba-dcerpc policy for printing
|
|
||||||
Resolves: rhbz#2210771
|
|
||||||
|
|
||||||
* Thu Jul 20 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-124
|
|
||||||
- Add the files_getattr_non_auth_dirs() interface
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Update policy for the sblim-sfcb service
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Dontaudit sfcbd sys_ptrace cap_userns
|
|
||||||
Resolves: rhbz#2076937
|
|
||||||
- Label /usr/sbin/sos with sosreport_exec_t
|
|
||||||
Resolves: rhbz#2167731
|
|
||||||
- Allow sa-update manage spamc home files
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
- Allow sa-update connect to systemlog services
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
|
|
||||||
Resolves: rhbz#2222200
|
|
||||||
|
|
||||||
* Thu Jun 29 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-123
|
|
||||||
- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
|
|
||||||
Resolves: rhbz#2213606
|
|
||||||
- Allow httpd tcp connect to redis port conditionally
|
|
||||||
Resolves: rhbz#2213965
|
|
||||||
- Exclude container-selinux manpage from selinux-policy-doc
|
|
||||||
Resolves: rhbz#2218362
|
|
||||||
|
|
||||||
* Thu Jun 15 2023 Nikola Knazekova <nknazeko@redhat.com> - 3.14.3-122
|
|
||||||
- Update cyrus_stream_connect() to use sockets in /run
|
|
||||||
Resolves: rhbz#2165752
|
|
||||||
- Allow insights-client map generic log files
|
|
||||||
Resolves: rhbz#2214572
|
|
||||||
- Allow insights-client work with pipe and socket tmp files
|
|
||||||
Resolves: rhbz#2207819
|
|
||||||
- Allow insights-client getsession process permission
|
|
||||||
Resolves: rhbz#2207819
|
|
||||||
- Allow keepalived to manage its tmp files
|
|
||||||
Resolves: rhbz#2179335
|
|
||||||
|
|
||||||
* Thu May 25 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-121
|
|
||||||
- Update pkcsslotd policy for sandboxing 2/2
|
|
||||||
Resolves: rhbz#2208162
|
|
||||||
- Update pkcsslotd policy for sandboxing 1/2
|
|
||||||
Resolves: rhbz#2208162
|
|
||||||
- Allow abrt_t read kernel persistent storage files
|
|
||||||
Resolves: rhbz#2207914
|
|
||||||
- Add allow rules for lttng-sessiond domain
|
|
||||||
Resolves: rhbz#2203509
|
|
||||||
- Allow rpcd_lsad setcap and use generic ptys
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Dontaudit targetd search httpd config dirs
|
|
||||||
Resolves: rhbz#2203720
|
|
||||||
|
|
||||||
* Thu May 11 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-120
|
|
||||||
- Allow unconfined service inherit signal state from init
|
|
||||||
Resolves: rhbz#2177254
|
|
||||||
- Allow systemd-pstore delete kernel persistent storage files
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Add fs_delete_pstore_files() interface
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Allow certmonger manage cluster library files
|
|
||||||
Resolves: rhbz#2177836
|
|
||||||
- Allow samba-rpcd work with passwords
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow snmpd read raw disk data
|
|
||||||
Resolves: rhbz#2160000
|
|
||||||
- Allow cluster_t dbus chat with various services
|
|
||||||
Resolves: rhbz#2196524
|
|
||||||
|
|
||||||
* Fri Apr 21 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-119
|
|
||||||
- Add unconfined_server_read_semaphores() interface
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
- Allow systemd-pstore read kernel persistent storage files
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Add fs_read_pstore_files() interface
|
|
||||||
Resolves: rhbz#2181558
|
|
||||||
- Allow insights-client work with teamdctl
|
|
||||||
Resolves: rhbz#2185158
|
|
||||||
- Allow insights-client read unconfined service semaphores
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
- Allow insights-client get quotas of all filesystems
|
|
||||||
Resolves: rhbz#2183351
|
|
||||||
|
|
||||||
* Thu Apr 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-118
|
|
||||||
- Allow login_pgm setcap permission
|
|
||||||
Resolves: rhbz#2172541
|
|
||||||
- Label /run/fsck with fsadm_var_run_t
|
|
||||||
Resolves: rhbz#2184348
|
|
||||||
- Add boolean qemu-ga to run unconfined script
|
|
||||||
Resolves: rhbz#2028762
|
|
||||||
- Allow dovecot-deliver write to the main process runtime fifo files
|
|
||||||
Resolves: rhbz#2170495
|
|
||||||
- Allow certmonger dbus chat with the cron system domain
|
|
||||||
Resolves: rhbz#2173289
|
|
||||||
- Allow insights-client read all sysctls
|
|
||||||
Resolves: rhbz#2177607
|
|
||||||
|
|
||||||
* Thu Feb 16 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-117
|
|
||||||
- Fix opencryptoki file names in /dev/shm
|
|
||||||
Resolves: rhbz#2028637
|
|
||||||
- Allow system_cronjob_t transition to rpm_script_t
|
|
||||||
Resolves: rhbz#2154242
|
|
||||||
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
|
||||||
Resolves: rhbz#2154242
|
|
||||||
- Allow httpd work with tokens in /dev/shm
|
|
||||||
Resolves: rhbz#2028637
|
|
||||||
- Allow keepalived to set resource limits
|
|
||||||
Resolves: rhbz#2168638
|
|
||||||
- Allow insights-client manage fsadm pid files
|
|
||||||
|
|
||||||
* Thu Feb 09 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-116
|
|
||||||
- Allow sysadm_t run initrc_t script and sysadm_r role access
|
|
||||||
Resolves: rhbz#2039662
|
|
||||||
- Allow insights-client manage fsadm pid files
|
|
||||||
Resolves: rhbz#2166802
|
|
||||||
- Add journalctl the sys_resource capability
|
|
||||||
Resolves: rhbz#2136189
|
|
||||||
|
|
||||||
* Thu Jan 26 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-115
|
|
||||||
- Fix syntax problem in redis.te
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
- Allow unconfined user filetransition for sudo log files
|
|
||||||
Resolves: rhbz#2164047
|
|
||||||
- Allow winbind-rpcd make a TCP connection to the ldap port
|
|
||||||
Resolves: rhbz#2152642
|
|
||||||
- Allow winbind-rpcd manage samba_share_t files and dirs
|
|
||||||
Resolves: rhbz#2152642
|
|
||||||
- Allow insights-client work with su and lpstat
|
|
||||||
Resolves: rhbz#2134125
|
|
||||||
- Allow insights-client read nvme devices
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow insights-client tcp connect to all ports
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow redis-sentinel execute a notification script
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
|
|
||||||
* Thu Jan 12 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-114
|
|
||||||
- Add interfaces in domain, files, and unconfined modules
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow sysadm_t read/write ipmi devices
|
|
||||||
Resolves: rhbz#2148561
|
|
||||||
- Allow sudodomain use sudo.log as a logfile
|
|
||||||
Resolves: rhbz#2143762
|
|
||||||
- Add insights additional capabilities
|
|
||||||
Resolves: rhbz#2158779
|
|
||||||
- Allow insights client work with gluster and pcp
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow prosody manage its runtime socket files
|
|
||||||
Resolves: rhbz#2157902
|
|
||||||
- Allow system mail service read inherited certmonger runtime files
|
|
||||||
Resolves: rhbz#2143337
|
|
||||||
- Add lpr_roles to system_r roles
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
|
|
||||||
* Thu Dec 15 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-113
|
|
||||||
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow systemd-socket-proxyd get filesystems attributes
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow sysadm read ipmi devices
|
|
||||||
Resolves: rhbz#2148561
|
|
||||||
- Allow system mail service read inherited certmonger runtime files
|
|
||||||
Resolves: rhbz#2143337
|
|
||||||
- Add lpr_roles to system_r roles
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client tcp connect to various ports
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client work with pcp and manage user config files
|
|
||||||
Resolves: rhbz#2151111
|
|
||||||
- Allow insights-client dbus chat with various services
|
|
||||||
Resolves: rhbz#2152867
|
|
||||||
- Allow insights-client dbus chat with abrt
|
|
||||||
Resolves: rhbz#2152867
|
|
||||||
- Allow redis get user names
|
|
||||||
Resolves: rhbz#2112228
|
|
||||||
- Add winbind-rpcd to samba_enable_home_dirs boolean
|
|
||||||
Resolves: rhbz#2143696
|
|
||||||
|
|
||||||
* Wed Nov 30 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-112
|
|
||||||
- Allow ipsec_t only read tpm devices
|
|
||||||
Resolves: rhbz#2147380
|
|
||||||
- Allow ipsec_t read/write tpm devices
|
|
||||||
Resolves: rhbz#2147380
|
|
||||||
- Label udf tools with fsadm_exec_t
|
|
||||||
Resolves: rhbz#1972230
|
|
||||||
- Allow the spamd_update_t domain get generic filesystem attributes
|
|
||||||
Resolves: rhbz#2144501
|
|
||||||
- Allow cdcc mmap dcc-client-map files
|
|
||||||
Resolves: rhbz#2144505
|
|
||||||
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow insights client read raw memory devices
|
|
||||||
Resolves: rhbz#2143878
|
|
||||||
- Allow winbind-rpcd get attributes of device and pty filesystems
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow postfix/smtpd read kerberos key table
|
|
||||||
Resolves: rhbz#1983308
|
|
||||||
|
|
||||||
* Fri Nov 11 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-111
|
|
||||||
- Add domain_unix_read_all_semaphores() interface
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow iptables list cgroup directories
|
|
||||||
Resolves: rhbz#2134820
|
|
||||||
- Allow systemd-hostnamed dbus chat with init scripts
|
|
||||||
Resolves: rhbz#2111632
|
|
||||||
- Allow systemd to read symlinks in /var/lib
|
|
||||||
Resolves: rhbz#2118784
|
|
||||||
- Allow insights-client domain transition on semanage execution
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client create gluster log dir with a transition
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client manage generic locks
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow insights-client unix_read all domain semaphores
|
|
||||||
Resolves: rhbz#2141311
|
|
||||||
- Allow winbind-rpcd use the terminal multiplexor
|
|
||||||
Resolves: rhbz#2107106
|
|
||||||
- Allow mrtg send mails
|
|
||||||
Resolves: rhbz#2103675
|
|
||||||
- Allow sssd dbus chat with system cronjobs
|
|
||||||
Resolves: rhbz#2132922
|
|
||||||
- Allow postfix/smtp and postfix/virtual read kerberos key table
|
|
||||||
Resolves: rhbz#1983308
|
|
||||||
|
|
||||||
* Thu Oct 20 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-110
|
|
||||||
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
|
|
||||||
Resolves: rhbz#208441
|
|
||||||
- Add the dev_map_vhost() interface
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow init remount all file_type filesystems
|
|
||||||
Resolves: rhbz#2122239
|
|
||||||
- added policy for systemd-socket-proxyd
|
|
||||||
Resolves: rhbz#2088441
|
|
||||||
- Allow virt_domain map vhost devices
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow virt domains to access xserver devices
|
|
||||||
Resolves: rhbz#2122920
|
|
||||||
- Allow rotatelogs read httpd_log_t symlinks
|
|
||||||
Resolves: rhbz#2030633
|
|
||||||
- Allow vlock search the contents of the /dev/pts directory
|
|
||||||
Resolves: rhbz#2122838
|
|
||||||
- Allow system cronjobs dbus chat with setroubleshoot
|
|
||||||
Resolves: rhbz#2125008
|
|
||||||
- Allow ptp4l_t name_bind ptp_event_port_t
|
|
||||||
Resolves: rhbz#2130168
|
|
||||||
- Allow pcp_domain execute its private memfd: objects
|
|
||||||
Resolves: rhbz#2090711
|
|
||||||
- Allow samba-dcerpcd use NSCD services over a unix stream socket
|
|
||||||
Resolves: rhbz#2121709
|
|
||||||
- Allow insights-client manage samba var dirs
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
|
|
||||||
* Wed Oct 12 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-109
|
|
||||||
- Add the files_map_read_etc_files() interface
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client manage samba var dirs
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client send null signal to rpm and system cronjob
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Update rhcd policy for executing additional commands 4
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client connect to postgresql with a unix socket
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow insights-client domtrans on unix_chkpwd execution
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Add file context entries for insights-client and rhc
|
|
||||||
Resolves: rhbz#2132230
|
|
||||||
- Allow snmpd_t domain to trace processes in user namespace
|
|
||||||
Resolves: rhbz#2121084
|
|
||||||
- Allow sbd the sys_ptrace capability
|
|
||||||
Resolves: rhbz#2124552
|
|
||||||
- Allow pulseaudio create gnome content (~/.config)
|
|
||||||
Resolves: rhbz#2124387
|
|
||||||
|
|
||||||
* Thu Sep 08 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-108
|
|
||||||
- Allow unconfined_service_t insights client content filetrans
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow nsswitch_domain to connect to systemd-machined using a unix socket
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add init_status_all_script_files() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add dev_dontaudit_write_raw_memory() and dev_read_vsock() interfaces
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 5
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Confine insights-client systemd unit
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 4
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Change rhsmcertd_t to insights_client_t in insights-client policy
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow insights-client send signull to unconfined_service_t
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 3
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow journalctl read init state
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution 2
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
|
|
||||||
* Thu Aug 25 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-107
|
|
||||||
- Label 319/udp port with ptp_event_port_t
|
|
||||||
Resolves: rhbz#2118628
|
|
||||||
- Allow unconfined and sysadm users transition for /root/.gnupg
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add the kernel_read_proc_files() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Add userdom_view_all_users_keys() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow system_cronjob_t domtrans to rpm_script_t
|
|
||||||
Resolves: rhbz#2118362
|
|
||||||
- Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
|
||||||
Resolves: rhbz#2117199
|
|
||||||
- Allow chronyd bind UDP sockets to ptp_event ports
|
|
||||||
Resolves: rhbz#2118628
|
|
||||||
- Allow samba-bgqd to read a printer list
|
|
||||||
Resolves: rhbz#2118958
|
|
||||||
- Add gpg_filetrans_admin_home_content() interface
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Update insights-client policy for additional commands execution
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow gpg read and write generic pty type
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Allow chronyc read and write generic pty type
|
|
||||||
Resolves: rhbz#2119507
|
|
||||||
- Disable rpm verification on interface_info
|
|
||||||
Resolves: rhbz#2119472
|
|
||||||
|
|
||||||
* Wed Aug 10 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-106
|
* Wed Aug 10 2022 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-106
|
||||||
- Allow networkmanager to signal unconfined process
|
- Allow networkmanager to signal unconfined process
|
||||||
Resolves: rhbz#1918148
|
Resolves: rhbz#1918148
|
||||||
|
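Review bot: The 33 changelog entries for 3.14.3-107 through -139 exist only on the left-hand side, so the right-hand policy lacks every rule change they list, including access-control changes such as "Only allow confined user domains to login locally without unconfined_login" (-136) and "Make insights_client_t an unconfined domain" (-126). Two entries in that block also need correcting before it is reused: the -110 entry for systemd_connectto_socket_proxyd_unix_sockets() cites `rhbz#208441` where the related systemd-socket-proxyd entries cite `rhbz#2088441`, and the last -117 entry, "Allow insights-client manage fsadm pid files", has no `Resolves:` line.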