From 16f34f925e3f0ae2687bc96cf0e84cf846396df4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Apr 10 2019 08:30:51 +0000 Subject: * Wed Apr 10 2019 Lukas Vrabec - 3.14.3-28 - Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t - Allow tlp_t domain also write to nvme_devices block devices BZ(1696943) - Remove travis.yml file from f30 branch, we have CI for Fedora Rawhide that should be enough. - Fix typo in rhsmcertd SELinux module - Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files - Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t - Revert bad fix breaking gnome_filetrans_fontconfig_home_content() - /var/lib/rsyslog should have mls system high on MLS enabled system - Allow systemd-logind read and write user domain terminals BZ(1696852) - Allow systemd_modules_load to read modules_dep_t files - Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667) - Allow unconfined users to use vsock unlabeled sockets - Add interface kernel_rw_unlabeled_vsock_socket() - Allow unconfined users to use smc unlabeled sockets - Add interface kernel_rw_unlabeled_smc_socket - Remove duplicate definition of kernel_rw_kernel_sysctl() - Allow systemd_resolved_t domain to read system network state BZ(1697039) - Allow systemd to mounton kernel sysctls BZ(1696201) - Add interface kernel_mounton_kernel_sysctl() BZ(1696201) - Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t - Allow systemd to mounton several systemd directories to increase security of systemd Resolves: rhbz#1696201 - Introduce new type pkcs11_modules_conf_t. --- diff --git a/.gitignore b/.gitignore index c847a49..da225ae 100644 --- a/.gitignore +++ b/.gitignore @@ -354,3 +354,5 @@ serefpolicy* /selinux-policy-549ed43.tar.gz /selinux-policy-contrib-7010ac2.tar.gz /selinux-policy-50cc590.tar.gz +/selinux-policy-contrib-e3fc2d1.tar.gz +/selinux-policy-9f0ed19.tar.gz 
diff --git a/selinux-policy.spec b/selinux-policy.spec index bae0ffb..19a90d9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 50cc590ecdd0797c653a7685b559b5c48e9c3d30 +%global commit0 9f0ed19b288f8e2886640b3b19394157f731600a %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 7010ac2d758cea65ee6aad1a9a8814c52e1ae89b +%global commit1 e3fc2d12c3454e80ce12a3c91738a7e8dfd61261 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.3 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz 
@@ -714,6 +714,30 @@ exit 0 %endif %changelog +* Wed Apr 10 2019 Lukas Vrabec - 3.14.3-28 +- Fix broken networkmanager interface for allowing manage lib files for dnsmasq_t +- Allow tlp_t domain also write to nvme_devices block devices BZ(1696943) +- Remove travis.yml file from f30 branch, we have CI for Fedora Rawhide thats should be enough. +- Fix typo in rhsmcertd SELinux module +- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files +- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t +- Revert bad fix breaking gnome_filetrans_fontconfig_home_content() +- /var/lib/rsyslog should have mls system high on MLS enabled system +- Allow systemd-logind read and write user domain terminals BZ(1696852) +- Allow systemd_modules_load to read modules_dep_t files +- Allow systemd labeled as init_t to setattr on unallocated ttys BZ(1697667) +- Allow unconfined users to use vsock unlabeled sockets +- Add interface kernel_rw_unlabeled_vsock_socket() +- Allow unconfined users to use smc unlabeled sockets +- Add interface kernel_rw_unlabeled_smc_socket +- Remove duplicate definition of kernel_rw_kernel_sysctl() +- Allow systemd_resolved_t domain to read system network state BZ(1697039) +- Allow systemd to mounton kernel sysctls BZ(1696201) +- Add interface kernel_mounton_kernel_sysctl() BZ(1696201) +- Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t +- Allow systemd to mounton several systemd direstory to increase security of systemd Resolves: rhbz#1696201 +- Introduce new type pkcs11_modules_conf_t. + * Wed Apr 03 2019 Lukas Vrabec - 3.14.3-27 - Allow fontconfig file transition for xguest_u user - Add gnome_filetrans_fontconfig_home_content interface diff --git a/sources b/sources index b4894d7..3dbba4c 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,4 @@ -SHA512 (selinux-policy-contrib-7010ac2.tar.gz) = 641ae2d0d978fe14146a64aa6f8b46ef8aa5e62ac98fb634655584cc956d886ca47fc97b2050322d336f76db3bae638c32e7a680593399a114749eb01156ab07 -SHA512 (selinux-policy-50cc590.tar.gz) = 60ef20c47c859692cef7e4f4655509db36c8c172805ee7e2f370017ffed6f7c8c0c8284df4cbc7eed8fbac26318fd875eb5ba7e0093c6058af29c7a467652a2d -SHA512 (container-selinux.tgz) = 26ad476acfe898dfcd337260436e587a2022afcdfad61aacc5c47b12a330ad97d743d812fb0d220635c53027661d33cf8838c7e76f01d14606937b1bcd01718f +SHA512 (selinux-policy-contrib-e3fc2d1.tar.gz) = cac7ea385c2a3be209969a4e2fe0d52d7017d8dcd76c9bc92fcdc88b4b7528f34ac113119523a5fa233fa7c53486982d621f99dca702edfca0abe30ae3b1e057 +SHA512 (selinux-policy-9f0ed19.tar.gz) = c936e1cff16417ef6320b443b1c591cb8f1b13f7e87d6ffdd7666de60ef27279add61313e690d804b6a37f559036adb602078db9eacf32cabd43d663c1938c8f +SHA512 (container-selinux.tgz) = 8ec176e7ef77112b5f0bc7791a2dc29324b73d5bac8dc6a5772b4126f26eb86d7c18df087a8b6dadcd30e0a001529c24a7288ec83ea53e39cb9029ac4267095a SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2
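
Review bot: In the `.gitignore` hunk, the two added entries (`/selinux-policy-contrib-e3fc2d1.tar.gz` and `/selinux-policy-9f0ed19.tar.gz`) extend a per-commit list that needs two new lines on every rebase, although the context line `serefpolicy*` shows the file already relies on globs. A single pattern such as `/selinux-policy-*.tar.gz` would cover both the base and contrib tarballs and remove this file from future release commits.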
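
Review bot: The new `%changelog` entry in `selinux-policy.spec` carries two typos that will ship in the package metadata: "thats should be enough" in the travis.yml line and "direstory" in the systemd mounton line. The same block also mixes bug reference styles, `BZ(1696201)` on two lines and `Resolves: rhbz#1696201` on a third, so tooling that matches one form misses the other; pick one. The last line, `Introduce new type pkcs11_modules_conf_t.`, names neither the paths that receive the label nor the domains granted access, which is what someone auditing the policy change from the changelog would need.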
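
Review bot: In the `sources` hunk, the SHA512 for `container-selinux.tgz` changes but the file name carries no version or commit, and no line of the new changelog entry mentions a container-selinux update. The two policy tarballs are traceable because their names embed the short commits (`9f0ed19`, `e3fc2d1`) that match `commit0` and `commit1` in the spec; the container-selinux archive has no such link, so this diff alone does not show which upstream revision the new checksum pins. Record the container-selinux commit in the spec or the changelog, or version the archive name, so the checksum change can be verified against a known source.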