From a21c8e6fb2ab0f13e27ca82aa46a7ba2ceae67f4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 06 2018 20:55:05 +0000 Subject: * Thu Sep 06 2018 Lukas Vrabec - 3.14.2-34 - Allow tomcat services create link file in /tmp - Label /etc/shorewall6 as shorewall_etc_t - Allow winbind_t domain kill in user namespaces - Allow firewalld_t domain to read random device - Allow abrt_t domain to do execmem - Allow geoclue_t domain to execute own var_lib_t files - Allow openfortivpn_t domain to read system network state - Allow dnsmasq_t domain to read networkmanager lib files - sssd: Allow to limit capabilities using libcap - sssd: Remove unnecessary capability - sssd: Do not audit usage of lib nss_systemd.so - Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file - Add correct namespace_init_exec_t context to /etc/security/namespace.d/* - Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files - Allow exim_t domain to mmap bin files - Allow mysqld_t domain to executed with nnp transition - Allow svirt_t domain to mmap svirt_image_t block files - Add caps dac_read_search and dav_override to pesign_t domain - Allow iscsid_t domain to mmap userio chr files - Add read interfaces for mysqld_log_t that was added in commit df832bf - Allow boltd_t to dbus chat with xdm_t - Conntrackd need to load kernel module to work - Allow mysqld sys_nice capability - Update boltd policy based on SELinux denials from rhbz#1607974 - Allow systemd to create symlinks in for /var/lib - Add comment to show that template call also allows changing shells - Document userdom_change_password_template() behaviour - update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file - Fix typo in logging SELinux module - Allow usertype to mmap user_tmp_type files - In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue - Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" - Add boolean: domain_can_mmap_files. - Allow ipsec_t domian to mmap own tmp files - Add .gitignore file - Add execute_no_trans permission to mmap_exec_file_perms pattern - Allow sudodomain to search caller domain proc info - Allow audisp_remote_t domain to read auditd_etc_t - netlabel: Remove unnecessary sssd nsswitch related macros - Allow to use sss module in auth_use_nsswitch - Limit communication with init_t over dbus - Add actual modules.conf to the git repo - Add few interfaces to optional block - Allow sysadm_t and staff_t domain to manage systemd unit files - Add interface dev_map_userio_dev() --- diff --git a/.gitignore b/.gitignore index 898ef0c..20be205 100644 --- a/.gitignore +++ b/.gitignore @@ -306,3 +306,5 @@ serefpolicy* /selinux-policy-contrib-ab97c9d.tar.gz /selinux-policy-c8dfe84.tar.gz /selinux-policy-contrib-a342008.tar.gz +/selinux-policy-contrib-5ed2192.tar.gz +/selinux-policy-38c6414.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index 945a8de..645856d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 c8dfe84c09d2d197265f1d883f8b11527f5846c9 +%global commit0 38c6414d2dac8b3e77914561f34babdf93ef27ff %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 a3420086d85dcd5b7407c3101587047369c45ea1 +%global commit1 5ed2192d563e34d3f1e7c4f7b2673af960de8769 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz @@ -709,6 +709,53 @@ exit 0 %endif %changelog +* Thu Sep 06 2018 Lukas Vrabec - 3.14.2-34 +- Allow tomcat services create link file in /tmp +- Label /etc/shorewall6 as shorewall_etc_t +- Allow winbind_t domain kill in user namespaces +- Allow firewalld_t domain to read random device +- Allow abrt_t domain to do execmem +- Allow geoclue_t domain to execute own var_lib_t files +- Allow openfortivpn_t domain to read system network state +- Allow dnsmasq_t domain to read networkmanager lib files +- sssd: Allow to limit capabilities using libcap +- sssd: Remove unnecessary capability +- sssd: Do not audit usage of lib nss_systemd.so +- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file +- Add correct namespace_init_exec_t context to /etc/security/namespace.d/* +- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files +- Allow exim_t domain to mmap bin files +- Allow mysqld_t domain to executed with nnp transition +- Allow svirt_t domain to mmap svirt_image_t block files +- Add caps dac_read_search and dav_override to pesign_t domain +- Allow iscsid_t domain to mmap userio chr files +- Add read interfaces for mysqld_log_t that was added in commit df832bf +- Allow boltd_t to dbus chat with xdm_t +- Conntrackd need to load kernel module to work +- Allow mysqld sys_nice capability +- Update boltd policy based on SELinux denials from rhbz#1607974 +- Allow systemd to create symlinks in for /var/lib +- Add comment to show that template call also allows changing shells +- Document userdom_change_password_template() behaviour +- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file +- Fix typo in logging SELinux module +- Allow usertype to mmap user_tmp_type files +- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue +- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern" +- Add boolean: domain_can_mmap_files. +- Allow ipsec_t domian to mmap own tmp files +- Add .gitignore file +- Add execute_no_trans permission to mmap_exec_file_perms pattern +- Allow sudodomain to search caller domain proc info +- Allow audisp_remote_t domain to read auditd_etc_t +- netlabel: Remove unnecessary sssd nsswitch related macros +- Allow to use sss module in auth_use_nsswitch +- Limit communication with init_t over dbus +- Add actual modules.conf to the git repo +- Add few interfaces to optional block +- Allow sysadm_t and staff_t domain to manage systemd unit files +- Add interface dev_map_userio_dev() + * Tue Aug 28 2018 Lukas Vrabec - 3.14.2-33 - Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket - Add interface devicekit_mounton_var_lib() diff --git a/sources b/sources index 736caf0..a3ed514 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-c8dfe84.tar.gz) = 1932e821f40e5f255580c9fd6ac48fdbe78ec86c89de04bba9a297e4971e4c96c3127ef890ab4a864b33f2230aad3b31b1aae08b509e501864763e3a53b11f05 -SHA512 (selinux-policy-contrib-a342008.tar.gz) = 3e49ff37fa815ff18ff9e6daa02c385b660ef9f63e7cdd475895f864834d5a8afd7f5355f2c5c936c370861f45606d82cf1c38c0f149ee7d3e7aba4e114adfbc -SHA512 (container-selinux.tgz) = 0744fdf4cf47434b47428316fc8293571d66ed205c4dbacc2452bb67be17a35a0b799335f7c05d1ce019dbab92697f09139a91230948f07639ae73535452297a +SHA512 (selinux-policy-contrib-5ed2192.tar.gz) = 6d8c08980a10b498155893d7c9d949c89761622b4b16ca1e4c80d78ebd97791ee9e59112b725aae8402aec382214001cb9952e0e22b11698abacaea74ae7db41 +SHA512 (selinux-policy-38c6414.tar.gz) = a0d47bee2311baea12ade3a1f6460a76ba3e479314838957e5225c0e8ec0926ae0e9027b6204f1d5153f7e8b0ef207e4bbb30d9ee16bf1f5396ad87626b78528 +SHA512 (container-selinux.tgz) = 6e8d8e0ee3cfa630f85cd3232ce04714d4b83d9ed30293dcfc47185968ea6fc0aca27fc577cfce7abc7d671c9a53f235ec6d052ca005b624aa050a49a394091a