From f5fbc0c5f26f2c130f5f613614a5a105ef3c222f Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jul 26 2019 08:33:02 +0000
Subject: * Fri Jul 26 2019 Lukas Vrabec - 3.14.3-42
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process read virtlockd.conf file
- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus work with PrivateTmp
- Make cgdcbxd_t domain working with SELinux enforcing.
- Make working wireshark execute byt confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Add interface collectd_manage_rw_content()
- Allow lograte_t domain to manage collect_rw_content files and dirs
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter as utemper_exec_t
- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
---
diff --git a/.gitignore b/.gitignore
index 319330d..6339cf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -380,3 +380,5 @@ serefpolicy*
 /selinux-policy-fdfd2a5.tar.gz
 /selinux-policy-contrib-b130116.tar.gz
 /selinux-policy-a9fc760.tar.gz
+/selinux-policy-contrib-b1b4062.tar.gz
+/selinux-policy-5373647.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ddc764b..0a17395 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 a9fc76087ade311464f299297ca37e38079333ef
+%global commit0 537364746d3966d6a9f5d4906be2f69e1788061e
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 b1301162a5b219bb1de5edb5b02ebf196a05b86c
+%global commit1 b1b4062f58c921f61948632dcab84cb067733c14
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -714,6 +714,36 @@ exit 0
 %endif
 %changelog
+* Fri Jul 26 2019 Lukas Vrabec - 3.14.3-42
+- Allow spamd_update_t domain to read network state of system BZ(1733172)
+- Allow dlm_controld_t domain to transition to the lvm_t
+- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
+- Allow virtlockd process read virtlockd.conf file
+- Add more permissions for session dbus types to make working dbus broker with systemd user sessions
+- Allow sssd_t domain to read gnome config and named cache files
+- Allow brltty to request to load kernel module
+- Add svnserve_tmp_t label forl svnserve temp files to system private tmp
+- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
+- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
+- Allow cyrus work with PrivateTmp
+- Make cgdcbxd_t domain working with SELinux enforcing.
+- Make working wireshark execute byt confined users staff_t and sysadm_t
+- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
+- Allow svnserve_t domain to read system state
+- Label user cron spool file with user_cron_spool_t
+- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
+- Add interface collectd_manage_rw_content()
+- Allow lograte_t domain to manage collect_rw_content files and dirs
+- Allow ifconfig_t domain to manage vmware logs
+- Remove system_r role from staff_u user.
+- Add systemd_private_tmp_type attribute
+- Allow systemd to load kernel modules during boot process.
+- Allow sysadm_t and staff_t domains to read wireshark shared memory
+- Label /usr/libexec/utempter/utempter as utemper_exec_t
+- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
+- Allow sysadm_t domain to create netlink selinux sockets
+- Make cgdcbxd active in Fedora upstream sources
+
 * Wed Jul 17 2019 Lukas Vrabec - 3.14.3-41
 - Label user cron spool file with user_cron_spool_t
 - Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
diff --git a/sources b/sources
index 671a21e..ea84c91 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (selinux-policy-contrib-b130116.tar.gz) = b7d415d6018af7dfae8be6508d0a32fe2a88113ffae7d93831bd202d0f29b6ff1413f738f99bc1dd7577f9306e549e785130e1f15b8185cd97fb824e1c094c5b
-SHA512 (selinux-policy-a9fc760.tar.gz) = deac19ea7287690f8b888fbff5f1363612cf6d31eb39b9d407ce724fdfa06684fde08216a96c396cf300a83a913863efe91e2656f61495821716114109c6def5
-SHA512 (container-selinux.tgz) = 90eef071f36bd4fa3f99d898b45f724324ac4e8de52b33d265cf91a4a5bdd5d3539e3604334eaed6e2816d0c2e4d652c4ce3a3325f2020715f2719c8f3486157
+SHA512 (selinux-policy-contrib-b1b4062.tar.gz) = 2aa27fa5bad0f8438c565c48a168ff92490189fed1649fc17de38c760db87f82cbe7635b25bc93dbb90be10331c8dfeda05aea30fc5efc81ff994f947765f891
+SHA512 (selinux-policy-5373647.tar.gz) = 8c088242e1785d6438b46d1bb214368a4c9de3a44e7a763ea46bb47baaaf72a250e7120275caf2672414c1940a5f9cd4a37cacf38bd2ec3c942516455e3d3bb8
+SHA512 (container-selinux.tgz) = c7c7b1bd0dd42c717aecdec8ef67a4700c62241ac8a8960a86520971f4e5e104946fad8824f69ad2d55a27ab52b9511ba35b75989e0bea49f10acb008ed4a0e0
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
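Review bot: In the `sources` hunk the `container-selinux.tgz` entry gets a new SHA512 while its file name stays the same, so nothing in this commit records which container-selinux revision the new digest belongs to. The two `selinux-policy-*` tarballs, by contrast, are named by short commit and tied to `commit0`/`commit1` in the spec. Neither the commit message nor the 3.14.3-42 changelog entry mentions a container-selinux refresh, so this content change is easy to miss when auditing the release. Consider naming that tarball by its upstream commit or version, or at least adding a changelog line such as `- Update container-selinux.tgz to <upstream commit or version>`, so the digest can be checked against a known upstream state.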