From 2f077bfc9d7c62c24cb286b56b01434aacc67b8e Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Sep 06 2018 21:24:42 +0000 Subject: * Thu Sep 06 2018 Lukas Vrabec - 3.14.1-42 - Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Add read interfaces for mysqld_log_t that was added in commit df832bf - Allow boltd_t to dbus chat with xdm_t - Conntrackd need to load kernel module to work - Allow mysqld sys_nice capability - Update boltd policy based on SELinux denials from rhbz#1607974 - Allow readhead_t domain to mmap own pid files - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms 
pattern" - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev() - Allow ssh servers to have dac_override capability - Allow dhcpc_t domain to read /dev/random --- diff --git a/.gitignore b/.gitignore index 66b29de..94572c0 100644 --- a/.gitignore +++ b/.gitignore @@ -308,3 +308,5 @@ serefpolicy* /selinux-policy-0986607.tar.gz /selinux-policy-contrib-115c61f.tar.gz /selinux-policy-b76437e.tar.gz +/selinux-policy-contrib-67dc065.tar.gz +/selinux-policy-aae7b80.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index c68a02e..b8fdef1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 b76437eace10b4935cd7a678c929652cd387133b +%global commit0 aae7b80a1f26b09968d9e26531961c797b01cd5a %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 115c61f6ed9fd80f92179099a1002bb675c8490d +%global commit1 67dc0654d6703e29397ebf87ed162d0a819d0352 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 41%{?dist} +Release: 42%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,55 @@ exit 0 %endif %changelog +* Thu Sep 06 2018 Lukas Vrabec - 3.14.1-42 +- Allow tomcat services create link file in /tmp +- Label /etc/shorewall6 as shorewall_etc_t +- Allow winbind_t domain kill in user namespaces +- Allow firewalld_t domain to read random device +- Allow abrt_t domain to do execmem +- Allow geoclue_t domain to execute own var_lib_t files +- Allow openfortivpn_t domain to read system network state +- Allow dnsmasq_t domain to read networkmanager lib files +- sssd: Allow to limit capabilities using libcap +- sssd: Remove unnecessary capability +- sssd: Do not audit usage of lib nss_systemd.so +- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file +- Add correct namespace_init_exec_t context to /etc/security/namespace.d/* +- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files +- Allow exim_t domain to mmap bin files +- Allow mysqld_t domain to executed with nnp transition +- Allow svirt_t domain to mmap svirt_image_t block files +- Add caps dac_read_search and dav_override to pesign_t domain +- Allow iscsid_t domain to mmap userio chr files +- Add read interfaces for mysqld_log_t that was added in commit df832bf +- Allow boltd_t to dbus chat with xdm_t +- Conntrackd need to load kernel module to work +- Allow mysqld sys_nice capability +- Update boltd policy based on SELinux denials from rhbz#1607974 +- Allow readhead_t domain to mmap own pid files +- Allow systemd to create symlinks in for /var/lib +- Add comment to show that template call also allows changing shells +- Document userdom_change_password_template() behaviour +- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file +- Fix typo in logging SELinux module +- Allow usertype to mmap user_tmp_type files +- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue +- Revert "Add execute_no_trans permission to 
mmap_exec_file_perms pattern" +- Allow ipsec_t domian to mmap own tmp files +- Add .gitignore file +- Add execute_no_trans permission to mmap_exec_file_perms pattern +- Allow sudodomain to search caller domain proc info +- Allow audisp_remote_t domain to read auditd_etc_t +- netlabel: Remove unnecessary sssd nsswitch related macros +- Allow to use sss module in auth_use_nsswitch +- Limit communication with init_t over dbus +- Add actual modules.conf to the git repo +- Add few interfaces to optional block +- Allow sysadm_t and staff_t domain to manage systemd unit files +- Add interface dev_map_userio_dev() +- Allow ssh servers to have dac_override capability +- Allow dhcpc_t domain to read /dev/random + * Tue Aug 28 2018 Lukas Vrabec - 3.14.1-41 - Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Add interface devicekit_mounton_var_lib() diff --git a/sources b/sources index c58d51a..0a20af1 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (selinux-policy-contrib-115c61f.tar.gz) = 19894618a14e6ef614ddde4ce4b035f9d15cdf2b4bfd88e5d04d38fb94baf90f02058edeea98b0cbd20ae3036461c8b52dbc4cfea1ac718e9e1dc7e1f74fa02c -SHA512 (selinux-policy-b76437e.tar.gz) = f19009f52662c621589e1f27343c4483af2d6ad6213d45df2719f60830944124c5a63fae2fc27d90831e023bb171632f587863d0e352fba89cec4851cff02f37 -SHA512 (container-selinux.tgz) = 6e9b11700696c60642e75fad1ab0cb2de8eba1c7ea907d61e12d83eda50aa7d846ad4fa8ccacffd9ad85e283a9c9efa91033ede81f242aaf1b278c25e2409399 +SHA512 (selinux-policy-contrib-67dc065.tar.gz) = 7d6edce040c6b273c0b906727acc3850e1fffb4a4f1d94d186a9ef7286be9d78701dc44b293cc7673bca50f70e1fc986526b814daf803de3d0fc33e1f076f30a +SHA512 (selinux-policy-aae7b80.tar.gz) = 8f886187e30d652767b685e2a5d4502b5ead2d438e8d34f5f5b53c66d0dd49e8055a3cd8d1c20b77ca7ef04c52464fab967cc9b6129ee54a8894e93b5f7663dd +SHA512 (container-selinux.tgz) = 8351770beece6efcd7de77d5b7b59b43845d77ff083658ea14d4ca750debe3ab1e2a558c1dfe19d2254b4d24f05588cdf76d630c4486f6129032bb495afb4f9e
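Review bot: in the .gitignore hunk the two new tarballs are appended while the superseded entries (/selinux-policy-0986607.tar.gz, /selinux-policy-contrib-115c61f.tar.gz, /selinux-policy-b76437e.tar.gz) stay in place, so the ignore list grows by two lines on every rebase. If the intent is to ignore only the tarballs the current spec references, replace the stale b76437e and 115c61f lines with the new aae7b80 and 67dc065 ones instead of adding to the list.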
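Review bot: the new %changelog entry in selinux-policy.spec (hunk @@ -718,6 +718,55 @@) carries several typos that will ship in the package metadata and are the only human-readable record of what this release grants: "dav_override" in "Add caps dac_read_search and dav_override to pesign_t domain" should be "dac_override", "domian" in "Allow ipsec_t domian to mmap own tmp files" should be "domain", "execu_no_trans" in the domain_transition_pattern bullet should be "execute_no_trans", and "Allow mysqld_t domain to executed with nnp transition" should read "to be executed". The pair "Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"" followed later by "Add execute_no_trans permission to mmap_exec_file_perms pattern" mirrors the upstream history but leaves the reader guessing at the net effect; stating the final state in one bullet would be clearer.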
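Review bot: in the sources hunk the SHA512 of container-selinux.tgz changes (6e9b1170... to 8351770b...) but nothing in the spec hunks or the changelog says which upstream container-selinux revision the new tarball corresponds to, whereas the other two tarballs are pinned by commit in their file names via %{shortcommit0} and %{shortcommit1} and listed in .gitignore. Suggest adding a changelog line naming the container-selinux version or commit, and ideally naming that tarball by commit like the other two, so a reviewer can verify the hash change against a known upstream source rather than accept an unexplained artifact swap.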