diff --git a/.gitignore b/.gitignore
index 66b9eed..eeb67e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -329,3 +329,5 @@ serefpolicy*
 /selinux-policy-366c17e.tar.gz
 /selinux-policy-contrib-783b56e.tar.gz
 /selinux-policy-39a221d.tar.gz
+/selinux-policy-contrib-e33e818.tar.gz
+/selinux-policy-a80fdd7.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4424375..e5bf623 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 39a221d9ae4971c5371efdea7f940d899c770f5c
+%global commit0 a80fdd7c6ed788931efaeda8f204815ab09a4cd7
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 783b56ea2b30b3cc7985f9e852a68f50c14d8e02
+%global commit1 e33e818157093ca4a36945656fb063d9a57de858
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -713,6 +713,36 @@ exit 0
 %endif
 %changelog
+* Sat Feb 02 2019 Lukas Vrabec - 3.14.2-48
+- Allow sensord_t domain to use nsswitch and execute shell
+- Allow opafm_t domain to execute lib_t files
+- Allow opafm_t domain to manage kdump_crash_t files and dirs
+- Allow virt domains to read/write cephfs filesystems
+- Allow virtual machine to write to fixed_disk_device_t
+- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
+- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
+- Allow vhostmd_t read libvirt configuration files
+- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
+- Allow boltd_t domain to read cache_home_t files BZ(1669911)
+- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
+- Allow gpg_agent_t to create own tmpfs dirs and sockets
+- Add multiple interfaces for vpnc interface file
+- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
+- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
+- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
+- Allow gssd_t domain to manage kernel keyrings of every domain.
+- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
+- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
+- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
+- Allow staff_t user to systemctl iptables units.
+- Allow systemd to read selinux logind config
+- Allow transition from init_t domain to user_t domain during ssh login with confined user user_u Resolves: rhbz#1664448
+- Add interface systemd_hostnamed_signull()
+- Allow init_t domain access to USB ttys BZ(1663620)
+- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.
+- Allow init_t create a directory in directories with var_log_t label
+- Add new interface domain_manage_all_domains_keyrings()
+
 * Tue Jan 15 2019 Lukas Vrabec - 3.14.2-47
 - Allow plymouthd_t search efivarfs directory BZ(1664143)
 - Allow arpwatch send e-mail notifications BZ(1657327)
diff --git a/sources b/sources
index 7ea7ff3..1bfa982 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-783b56e.tar.gz) = 35c989f1274ffc5a440c20a1270767907b8efc1f782cb700e0263befa6fd6b6d7128f8ef919ae5017d6adeeae006aa01f483e8e3d50fe1ef1ce88f8a063bf177
-SHA512 (selinux-policy-39a221d.tar.gz) = 08210a8aea56d2038026471636cad35ad118c3e6e2b273b3b7b179321709da725300c208cb2ecc9a422550efa7226480f61301aa5b7aac9fb77d732a7cb741b7
-SHA512 (container-selinux.tgz) = f71958bc5f174d7189fde7b76a445d26fa16b07f74daf7ade7c62ac436efaf11815f2424f45053e815c4d199ce80e460fe7f96b9f6b44dc7336cb13c76b97248
+SHA512 (selinux-policy-contrib-e33e818.tar.gz) = 2a6b9a3ad0f112d364e9927ac7c3ca20dee0c2c6ecd32543ca425c833b3e146c5bcab1570d7482fcc9f2ae0e0fed0f87f6410bfa92e200e37d60cb53067e82d3
+SHA512 (selinux-policy-a80fdd7.tar.gz) = f393d11049fd8dbaeb15ef9d86d8991abc7473cfc92cb6148da394437adb3c1d953b66556b027a8913fa70dfc1ceb2fb0777d7cfd4dcde69a1fc425ce6865b43
+SHA512 (container-selinux.tgz) = a206076eaa1cc8fde6bc2b81d09519dbfc6e94f635deb5a273ee7de62f202b2a197d7d6897aaa135f99bdcabe68113910136b6aa7ae293e7cae64f02df8a0065
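Review bot: The digest for `container-selinux.tgz` changes in the `sources` hunk, but unlike the two selinux-policy tarballs its filename carries no commit id, and nothing in the visible spec hunks or the new changelog entry says which upstream revision it now contains. That leaves the SHA512 as the only record of what was swapped, so a later audit cannot tell an intended refresh from an unintended one. I would record the origin in the changelog, for example `- Update container-selinux.tgz to container-selinux commit <UPSTREAM_COMMIT_PLACEHOLDER>`, or pin it in the spec the same way `commit0` and `commit1` are pinned. Parts of the spec outside these hunks may already do this.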