From 22263f276073fa4ab0c77c0302ac6e22de024115 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Sep 20 2018 12:17:00 +0000 Subject: * Thu Sep 20 2018 Lukas Vrabec - 3.14.1-43 - Allow certmonger to manage cockpit_var_run_t pid files - Allow cockpit_ws_t domain to manage cockpit services - Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs - Add interface apache_read_tmp_dirs() - Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t - Add interface apcupsd_read_power_files() - Allow systemd labeled as init_t to execute logrotate in logrotate_t domain - Allow dac_override capability to amanda_t domain - Allow geoclue_t domain to get attributes of fs_t filesystems - Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client - Allow cockpit_t domain to read systemd state - Allow abrt_t domain to write to usr_t files - Allow cockpit to create motd file in /var/run/cockpit - Label /usr/sbin/pcsd as cluster_exec_t - Allow pesign_t domain to getattr all fs - Allow tomcat servers to manage usr_t files - Dontaudit tomcat serves to append to /dev/random device - Allow dirsrvadmin_script_t domain to read httpd tmp files - Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs - Revert "Allow firewalld_t domain to read random device" - Allow postfix domains to mmap system db files - Allow geoclue_t domain to execute own tmp files - Allow virt_qemu_ga_t domain to read network state BZ(1592145) - Update ibacm_read_pid_files interface to allow also reading link files - Allow zebra_t domain to create packet_sockets - Allow opafm_t domain to list sysfs - Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t - Allow polydomain to create /tmp-inst labeled as tmp_t - Revert "Allow polydomain to create /tmp-inst labeled as tmp_t" - Allow systemd to read apcupsd power files - Allow polydomain to create /tmp-inst labeled as tmp_t - Allow systemd_resolved_t domain to bind on udp howl port - Add new boolean use_virtualbox Resolves: rhbz#1510478 - Allow sshd_t 
domain to read cockpit pid files - Allow syslogd_t domain to manage cert_t files - Allow getattr as part of files_mounton_kernel_symbol_table. - Fix typo "aduit" -> "audit" - Revert "Add new interface dev_map_userio()" - Add new interface dev_map_userio() - Allow systemd to read ibacm pid files
---
diff --git a/.gitignore b/.gitignore
index 94572c0..d561d88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -310,3 +310,5 @@ serefpolicy*
 /selinux-policy-b76437e.tar.gz
 /selinux-policy-contrib-67dc065.tar.gz
 /selinux-policy-aae7b80.tar.gz
+/selinux-policy-7239af5.tar.gz
+/selinux-policy-contrib-6480d47.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b8fdef1..3e7123e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 aae7b80a1f26b09968d9e26531961c797b01cd5a
+%global commit0 7239af5997d9deab1b10acc7f82efdea9cd46f36
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 67dc0654d6703e29397ebf87ed162d0a819d0352
+%global commit1 6480d47a776424895d144f7e1c1e61f10b038aa4
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.1
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,48 @@ exit 0
 %endif
 %changelog
+* Thu Sep 20 2018 Lukas Vrabec - 3.14.1-43
+- Allow certmonger to manage cockpit_var_run_t pid files
+- Allow cockpit_ws_t domain to manage cockpit services
+- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
+- Add interface apache_read_tmp_dirs()
+- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
+- Add interface apcupsd_read_power_files()
+- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
+- Allow dac_override capability to amanda_t domain
+- Allow geoclue_t domain to get attributes of fs_t filesystems
+- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
+- Allow cockpit_t domain to read systemd state
+- Allow abrt_t domain to write to usr_t files
+- Allow cockpit to create motd file in /var/run/cockpit
+- Label /usr/sbin/pcsd as cluster_exec_t
+- Allow pesign_t domain to getattr all fs
+- Allow tomcat servers to manage usr_t files
+- Dontaudit tomcat serves to append to /dev/random device
+- Allow dirsrvadmin_script_t domain to read httpd tmp files
+- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
+- Revert "Allow firewalld_t domain to read random device"
+- Allow postfix domains to mmap system db files
+- Allow geoclue_t domain to execute own tmp files
+- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
+- Update ibacm_read_pid_files interface to allow also reading link files
+- Allow zebra_t domain to create packet_sockets
+- Allow opafm_t domain to list sysfs
+- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
+- Allow systemd to read apcupsd power files
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Allow systemd_resolved_t domain to bind on udp howl port
+- Add new boolean use_virtualbox Resolves: rhbz#1510478
+- Allow sshd_t domain to read cockpit pid files
+- Allow syslogd_t domain to manage cert_t files
+- Allow getattr as part of files_mounton_kernel_symbol_table.
+- Fix typo "aduit" -> "audit"
+- Revert "Add new interface dev_map_userio()"
+- Add new interface dev_map_userio()
+- Allow systemd to read ibacm pid files
+
 * Thu Sep 06 2018 Lukas Vrabec - 3.14.1-42
 - Allow tomcat services create link file in /tmp
 - Label /etc/shorewall6 as shorewall_etc_t
diff --git a/sources b/sources
index 0a20af1..b6bbcc2 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-67dc065.tar.gz) = 7d6edce040c6b273c0b906727acc3850e1fffb4a4f1d94d186a9ef7286be9d78701dc44b293cc7673bca50f70e1fc986526b814daf803de3d0fc33e1f076f30a
-SHA512 (selinux-policy-aae7b80.tar.gz) = 8f886187e30d652767b685e2a5d4502b5ead2d438e8d34f5f5b53c66d0dd49e8055a3cd8d1c20b77ca7ef04c52464fab967cc9b6129ee54a8894e93b5f7663dd
-SHA512 (container-selinux.tgz) = 8351770beece6efcd7de77d5b7b59b43845d77ff083658ea14d4ca750debe3ab1e2a558c1dfe19d2254b4d24f05588cdf76d630c4486f6129032bb495afb4f9e
+SHA512 (selinux-policy-7239af5.tar.gz) = 0c692f569ae2d0d12ae2df191c4d541741ee6228ee71058f0feae33f0e647622fa0cff5a214d81558374e3e4c518a0aa572ce1c998bb7fc5d57da01d2a57fae9
+SHA512 (selinux-policy-contrib-6480d47.tar.gz) = 2fe0c7afae44f0bc2c7ba7f74540dd8098f1d4ebf6bdda2194dd15c5d4527e6e9fee0625805af084d8afb5eb6709a739542f0823905db442d0fc1f337bf30987
+SHA512 (container-selinux.tgz) = 8ce9ec9d1d2235130c3243b43682e681f66325e6db38dce6c7389ddb8580f518d764ec5b900253534b92c67963d242ba0c7514835ab6a20e35fed79541a6885d
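Review bot: The SHA512 for `container-selinux.tgz` changes in the `sources` hunk while the file name stays the same, and neither the spec hunks nor the 3.14.1-43 changelog entry records which container-selinux revision the new tarball corresponds to. The two policy tarballs are tied to `commit0`/`commit1` and carry the short commit in their names, so their contents can be re-derived from upstream and compared; for this third archive the commit gives a reviewer nothing to verify the new hash against. I would either name the archive after its upstream commit (placeholder: `container-selinux-<shortcommit>.tgz`) or add a changelog line such as `- Update container-selinux.tgz to <upstream commit>`. How the spec fetches or references this tarball is outside the visible hunks, so it may already be pinned there.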