From bb754b4cf6b4ce722611eaa994c5b06593c27264 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 10 2019 10:28:48 +0000 Subject: * Wed Jul 10 2019 Lukas Vrabec - 3.14.3-40 - Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager - Allow glusterd_t domain to setpgid - Allow lsmd_t domain to execute /usr/bin/debuginfo-install - Allow sbd_t domain to manage cgroup dirs - Allow opafm_t domain to modify scheduling information of another process. - Allow wireshark_t domain to create netlink netfilter sockets - Allow gpg_agent_t domain to use nsswitch - Allow httpd script types to mmap httpd rw content - Allow dkim_milter_t domain to execute shell BZ(17116937) - Allow sbd_t domain to use nsswitch - Allow rhsmcertd_t domain to send signull to all domains - Allow snort_t domain to create netlink netfilter sockets BZ(1723184) - Dontaudit blueman to read state of all domains on system BZ(1722696) - Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217) - Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308) - Replace "-" by "_" in types names - Change condor_domain declaration in condor_systemctl - Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405) - Allow spamd_update_t domain to read state of other domains and can execute itself - Fix all interfaces which cannot by compiled because of typos - Allow X userdomains to mmap user_fonts_cache_t dirs - Allow auditd_t domain to send signals to audisp_remote_t domain - Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132) - Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files - Add interface kernel_relabelfrom_usermodehelper() - Dontaudit unpriv_userdomain to manage boot_t files - Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509) - Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531) - Allow associate efivarfs_t on sysfs_t --- 
diff --git a/.gitignore b/.gitignore
index cc705ef..9d26c00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -376,3 +376,5 @@ serefpolicy*
 /selinux-policy-3c23dee.tar.gz
 /selinux-policy-contrib-e3e6904.tar.gz
 /selinux-policy-1daf286.tar.gz
+/selinux-policy-contrib-2607fb0.tar.gz
+/selinux-policy-fdfd2a5.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3e10e52..632eeb0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 1daf286cd7b5a9214c0b752c4cde010ea48bb740
+%global commit0 fdfd2a5966b41ff5342150f95d4b50e4db57d352
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 e3e69041c4fd0ef36f87c5bbd7c64062ddb82183
+%global commit1 2607fb011def01793b017d922c1b3d3e1f40311a
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 39%{?dist}
+Release: 40%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -714,6 +714,37 @@ exit 0
 %endif
 %changelog
+* Wed Jul 10 2019 Lukas Vrabec - 3.14.3-40
+- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
+- Allow glusterd_t domain to setpgid
+- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
+- Allow sbd_t domain to manage cgroup dirs
+- Allow opafm_t domain to modify scheduling information of another process.
+- Allow wireshark_t domain to create netlink netfilter sockets
+- Allow gpg_agent_t domain to use nsswitch
+- Allow httpd script types to mmap httpd rw content
+- Allow dkim_milter_t domain to execute shell BZ(17116937)
+- Allow sbd_t domain to use nsswitch
+- Allow rhsmcertd_t domain to send signull to all domains
+- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
+- Dontaudit blueman to read state of all domains on system BZ(1722696)
+- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
+- Allow rtkit_daemon_t to uise sys_ptrace usernamespace capability BZ(1723308)
+- Replace "-" by "_" in types names
+- Change condor_domain declaration in condor_systemctl
+- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
+- Allow spamd_update_t domain to read state of other domains and can execute itself
+- Fix all interfaces which cannot by compiled because of typos
+- Allow X userdomains to mmap user_fonts_cache_t dirs
+- Allow auditd_t domain to send signals to audisp_remote_t domain
+- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
+- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
+- Add interface kernel_relabelfrom_usermodehelper()
+- Dontaudit unpriv_userdomain to manage boot_t files
+- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
+- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
+- Allow associate efivarfs_t on sysfs_t
+
 * Tue Jun 18 2019 Lukas Vrabec - 3.14.3-39
 - Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
 - cockpit: Support split-out TLS proxy
diff --git a/sources b/sources
index 7a63eaa..b5140df 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-e3e6904.tar.gz) = d51378364b31945bee97863252ea092ea6d7c566a913f3c7f8b4c7e68879630192470d7666fa757e962c6e2eb56a3baf60a97cc4c82a9d2f42af3eecbfbd2b25
-SHA512 (selinux-policy-1daf286.tar.gz) = e23d6fa820ba9209fd6622889a7c07823ec7175aa638ccbdcc1838c78594ffa6daeb697797df184fcfd24eed94111536502943dfcdfa10debd7eec2cc1705b07
-SHA512 (container-selinux.tgz) = 623ab7ba96947680eba7bb96ea49e169f52f60bd9c8181b508226ea71b80b10d03a13a46a178e7e8e41a1377f3e1fa558f7fb3b841a60b07bbd4f804ee1217ab
+SHA512 (selinux-policy-contrib-2607fb0.tar.gz) = 616f83880ac861b0246aca9626ebc91f73b5ded754722e2eb4a6a28e8f6d3bda2797ace0a02f01e7b435d75c1d96d150abe2edc2bba1b852fe3427832780b0d7
+SHA512 (selinux-policy-fdfd2a5.tar.gz) = ff483ac6907f4abc70b15d4eb648b8d435df19adede83008d34b43fd29ba6d8616f45d2f2cbf9fb003e3025bb6ee68feccd2078e089807ed72ffb49a80a8ad4d
+SHA512 (container-selinux.tgz) = da4c1c90f9733e9dbc58f15be1870ed66666996ad0afcf76346006d32c2a78e19ef5e26628ce86d95333e76a5d6f9f4cc4af7919a1b7683c9f3fe588e3ed34da
 SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2
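Review bot: The SHA512 for `container-selinux.tgz` changes in the `sources` hunk, but the file name carries no commit or version, so the new content cannot be tied to an upstream revision from this commit. The two policy tarballs avoid this by embedding the short commit in their names and pinning `commit0`/`commit1` in the spec, which makes every hash change reviewable against a specific upstream tree. Consider pinning container-selinux the same way, with a commit global in the spec and the short hash in the tarball name, and noting the refresh in the `%changelog` entry, which does not mention it. The spec hunks shown here do not include the Source line for this tarball, so its origin may already be recorded elsewhere in the file.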