From cd07f124435c22164b739d277331cf01591df888 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec
Date: Aug 28 2018 22:34:15 +0000
Subject: * Tue Aug 28 2018 Lukas Vrabec - 3.14.1-41

- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allow search sssd libs
- Allow systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage

---
diff --git a/.gitignore b/.gitignore index 4191a5a..66b29de 100644 --- a/.gitignore +++ b/.gitignore @@ -306,3 +306,5 @@ serefpolicy* /selinux-policy-contrib-77702b6.tar.gz /selinux-policy-contrib-0ba1eea.tar.gz /selinux-policy-0986607.tar.gz +/selinux-policy-contrib-115c61f.tar.gz +/selinux-policy-b76437e.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index ec01d14..c68a02e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 09866077249068744d567bdcdf01fc85c89c32ae +%global commit0 b76437eace10b4935cd7a678c929652cd387133b %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 0ba1eeafdeb4e9cbaa3c5c58529ab04a3e7cef52 +%global commit1 115c61f6ed9fd80f92179099a1002bb675c8490d %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat
@@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 40%{?dist} +Release: 41%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,88 @@ exit 0 %endif %changelog +* Tue Aug 28 2018 Lukas Vrabec - 3.14.1-41 +- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket +- Add interface devicekit_mounton_var_lib() +- Allow httpd_t domain to mmap tmp files +- Allow tcsd_t domain to have dac_override capability +- Allow cupsd_t to rename cupsd_etc_t files +- Allow iptables_t domain to create rawip sockets +- Allow amanda_t domain to mmap own tmpfs files +- Allow fcoemon_t domain to write to sysfs_t dirs +- Allow dovecot_auth_t domain to have dac_override capability +- Allow geoclue_t domain to mmap own tmp files +- Allow chronyc_t domain to read network state +- Allow apcupsd_t domain to execute itself +- Allow modemmanager_t domain to stream connect to sssd +- Allow chonyc_t domain to rw userdomain pipes +- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files +- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks +- Allow nagios_script_t domain to mmap nagios_spool_t files +- Allow geoclue_t domain to mmap geoclue_var_lib_t files +- Allow geoclue_t domain to map generic certs +- Update munin_manage_var_lib_files to allow manage also dirs +- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl +- Fix typo in virt SELinux policy module +- Allow virtd_t domain to create netlink_socket +- Allow rpm_t domain to write to audit +- Allow nagios_script_t domain to mmap nagios_etc_t files +- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t +- Allow kdumpctl_t domain to getattr fixed disk device in mls +- Fix typo in stapserver policy +- Dontaudit abrt_t domain to write to usr_t dirs +- Revert "Allow rpcbind to bind on all unreserved udp ports" +- Allow rpcbind to bind on all unreserved udp ports +- Allow virtlogd to execute itself +- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files +- 
Allow ypxfr_t domain to stream connect to rpcbind and allos search sssd libs +- Allos systemd to socket activate ibacm service +- Allow dirsrv_t domain to mmap user_t files +- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files +- Allow kdumpctl to write to files on all levels +- Allow httpd_t domain to mmap httpd_config_t files +- Allow sanlock_t domain to connectto to unix_stream_socket +- Revert "Add same context for symlink as binary" +- Allow mysql execute rsync +- Update nfsd_t policy because of ganesha features +- Allow conman to getattr devpts_t +- Allow tomcat_domain to connect to smtp ports +- Allow tomcat_t domain to mmap tomcat_var_lib_t files +- Allow nagios_t domain to mmap nagios_log_t files +- Allow kpropd_t domain to mmap krb5kdc_principal_t files +- Allow kdumpctl_t domain to read fixed disk storage +- Fix issue with aliases in apache interface file +- Add same context for symlink as binary +- Allow boltd_t to send logs to journal +- Allow colord_use_nfs to allow colord also mmap nfs_t files +- Allow mysqld_safe_t do execute itself +- Allow smbd_t domain to chat via dbus with avahi daemon +- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t +- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain +- Add alias httpd__script_t to _script_t to make sepolicy generate working +- Allow dhcpc_t domain to read /dev/random +- Allow systemd to mounton device_var_lib_t dirs +- Allow systemd to mounton kernel system table +- Label also chr_file /dev/mtd.* devices as fixed_disk_device_t +- Allow syslogd_t domain to create netlink generic sockets +- Label /dev/tpmrm[0-9]* as tpm_device_t +- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t +- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl +- Allow insmod_t domain to read iptables pid files +- Allow systemd to mounton /etc +- Allow initrc_domain to 
mmap all binaries labeled as systemprocess_entry +- Allow xserver_t domain to start using systemd socket activation +- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature +- Associate several proc labels to fs_t +- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run +- Fix typo in syslogd policy +- Update syslogd policy to make working elasticsearch +- Label tcp and udp ports 9200 as wap_wsp_port +- Allow few domains to rw inherited kdumpctl tmp pipes +- label /var/lib/pgsql/data/log as postgresql_log_t +- Allow sysadm_t domain to accept socket +- Allow systemd to manage passwd_file_t + * Fri Aug 10 2018 Lukas Vrabec - 3.14.1-40 - Fix issue with aliases in apache interface file - Add same context for symlink as binary diff --git a/sources b/sources index 09ec5dc..c58d51a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-contrib-0ba1eea.tar.gz) = 3b70bd20a602c292e4d6eb9d44ae31d8a5bece1fb66fa6325f9bd4ce86aa0b15458ec07423cfc63ae0f7b17073dd177d452375d5c43012ad68fa32b8f5c27b5c -SHA512 (selinux-policy-0986607.tar.gz) = 71555621d788fb1d79fd70b05772048d7c8995693b0d8d12b056262ec06defb72002db7318d8fb2232e1de25c7f3de2183bdc95781fe7bd4d44048ea5df633a9 -SHA512 (container-selinux.tgz) = 1e084f3df917b68bb4647fb2a954b262c43370b7456582d6f00f9ba2be1eeb1719aa7b22799382638062388d6b3c26b34d85d2f02c48bbba39d15a5fe051c3fc +SHA512 (selinux-policy-contrib-115c61f.tar.gz) = 19894618a14e6ef614ddde4ce4b035f9d15cdf2b4bfd88e5d04d38fb94baf90f02058edeea98b0cbd20ae3036461c8b52dbc4cfea1ac718e9e1dc7e1f74fa02c +SHA512 (selinux-policy-b76437e.tar.gz) = f19009f52662c621589e1f27343c4483af2d6ad6213d45df2719f60830944124c5a63fae2fc27d90831e023bb171632f587863d0e352fba89cec4851cff02f37 +SHA512 (container-selinux.tgz) = 6e9b11700696c60642e75fad1ab0cb2de8eba1c7ea907d61e12d83eda50aa7d846ad4fa8ccacffd9ad85e283a9c9efa91033ede81f242aaf1b278c25e2409399
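Review bot: in the .gitignore hunk (@@ -306,3 +306,5 @@) the stale entries /selinux-policy-contrib-0ba1eea.tar.gz and /selinux-policy-0986607.tar.gz are left in place even though the same patch drops those tarballs from sources and replaces them with /selinux-policy-contrib-115c61f.tar.gz and /selinux-policy-b76437e.tar.gz; remove the two superseded lines in the same hunk so the ignore list tracks the tarballs that are actually referenced instead of growing with every rebase.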
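Review bot: the %changelog hunk (@@ -718,6 +718,88 @@) needs cleanup before it is merged. The new 3.14.1-41 entry repeats items that already appear in the 3.14.1-40 context lines below it ("Fix issue with aliases in apache interface file", "Add same context for symlink as binary"), and it lists both "Revert "Add same context for symlink as binary"" and "Add same context for symlink as binary" (likewise "Revert "Allow rpcbind to bind on all unreserved udp ports"" next to "Allow rpcbind to bind on all unreserved udp ports"), so a reader cannot tell which state the shipped policy is in; keep only the net change. There are also spelling slips ("allos search sssd libs", "Allos systemd", "chonyc_t" beside "chronyc_t", "mysqld_safe_t do execute itself"), and the stapserver sub-items are collapsed onto one line. Finally, the entries that widen privileges, such as dac_override for tcsd_t and dovecot_auth_t, "Allow kdumpctl to write to files on all levels" and the mmap/execute-self grants, carry no bug reference or justification; adding the tracking bug for each would let reviewers check why each allow rule is needed.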
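Review bot: in the sources hunk (@@ -1,3 +1,3 @@) the SHA512 of container-selinux.tgz changes, but the file name carries no version or commit and neither the spec nor the changelog entry mentions a container-selinux update, so the new checksum cannot be traced to a known upstream revision. State in the changelog which container-selinux version or commit the new tarball corresponds to, and consider naming it with the short commit like the other two tarballs so checksum changes are self-describing and verifiable.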