From b1087928cf9aae3ae9a8d1a7659b74784fc66c16 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Feb 17 2022 22:37:33 +0000 Subject: * Thu Feb 17 2022 Zdenek Pytela - 36.3-1 - Update NetworkManager-dispatcher policy to use scripts - Allow init mounton kernel messages device - Revert "Make dbus-broker service working on s390x arch" - Remove permissive domain for insights_client_t - Allow userdomain read symlinks in /var/lib - Allow iptables list cgroup directories - Dontaudit mdadm list dirsrv tmpfs dirs - Dontaudit dirsrv search filesystem sysctl directories - Allow chage domtrans to sssd - Allow postfix_domain read dovecot certificates - Allow systemd-networkd create and use netlink netfilter socket - Allow nm-dispatcher read nm-dispatcher-script symlinks - filesystem.te: add genfscon rule for ntfs3 filesystem - Allow rhsmcertd get attributes of cgroup filesystems - Allow sandbox_web_client_t watch various dirs - Exclude container.if from policy devel files - Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm --- diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c10356..7a9a578 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,6 +1,6 @@ # github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy -%global commit 369f900039cff9443e86fdf7254ba8b11dc6adb5 +%global commit e0c5ad17b8fc9547912085b142476a5eee6109cb %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat @@ -23,7 +23,7 @@ %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 36.2 +Version: 36.3 Release: 1%{?dist} License: GPLv2+ Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz @@ -143,6 +143,7 @@ and some additional files. %dir %{_datadir}/selinux/devel %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* +%exclude %{_datadir}/selinux/devel/include/container.if %dir %{_datadir}/selinux/devel/html %{_datadir}/selinux/devel/html/*html %{_datadir}/selinux/devel/html/*css @@ -286,7 +287,7 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p rm -f ${FILE_CONTEXT}.pre; \ fi; \ # rebuilding the rpm database still can sometimes result in an incorrect context \ -%{_sbindir}/restorecon -R /var/lib/rpm \ +%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; @@ -808,6 +809,25 @@ exit 0 %endif %changelog +* Thu Feb 17 2022 Zdenek Pytela - 36.3-1 +- Update NetworkManager-dispatcher policy to use scripts +- Allow init mounton kernel messages device +- Revert "Make dbus-broker service working on s390x arch" +- Remove permissive domain for insights_client_t +- Allow userdomain read symlinks in /var/lib +- Allow iptables list cgroup directories +- Dontaudit mdadm list dirsrv tmpfs dirs +- Dontaudit dirsrv search filesystem sysctl directories +- Allow chage domtrans to sssd +- Allow postfix_domain read dovecot certificates +- Allow systemd-networkd create and use netlink netfilter socket +- Allow nm-dispatcher read nm-dispatcher-script symlinks +- filesystem.te: add genfscon rule for ntfs3 filesystem +- Allow rhsmcertd get attributes of cgroup filesystems +- Allow sandbox_web_client_t watch various dirs +- Exclude container.if from policy devel files +- Run restorecon on /usr/lib/sysimage/rpm instead of /var/lib/rpm + * Fri Feb 11 2022 Zdenek Pytela - 36.2-1 - Allow sysadm_passwd_t to relabel passwd and group files - Allow confined sysadmin to use tool vipw diff --git a/sources b/sources index f097c80..95856f7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-369f900.tar.gz) = a69bb7af266f013325de204e66877a4a8bb5345cf8e332efe1cb3c0993da312e0bd3bef687e366064bfe940854fe9ed24605afa08cdadfcdbbab238a9b255572 +SHA512 (selinux-policy-e0c5ad1.tar.gz) = 22de0b261754fdcf478a4b88a9f166752adf7b7dd80e88cb1b40d6b13104eafe854a9cca372e7d9433dc55c24c4e73e535b3f8a1a59748c8fcb99817691bb078 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4 -SHA512 (container-selinux.tgz) = a9d05e8d035f7eef322d87fdcae842bb7675379dd2b7015a60363f8ede35c1c43ca43026a9944c79b456de8616da6255d8552a8e838535a33a14a7ea17229d97 +SHA512 (container-selinux.tgz) = bd68a2fa40597ae4a5f303094aca4c10691abe66c763246e902687aa6e06b7f007590215e360bb6fcba2d2dc781d92c94f5c575c9cbb4724adec2ec139de5b54