From 44d9aaa3c3a711eda1c467646241c8a14ce8e624 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec
Date: Jul 03 2018 10:24:22 +0000
Subject: * Tue Jul 03 2018 Lukas Vrabec - 3.14.1-34

- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
- Add ibacm policy
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t
- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
- Allow crond_t domain to create netlink selinux sockets and dac_override cap.
- Allow radiusd_t domain to have dac_override capability
- Allow amanda_t domain to have setgid capability
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Allow systemd to mounton core kernel interface
- Add dac_override capability to ipsec_t domain BZ(1589534)
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
- Allows systemd to get attributes of core kernel interface BZ(1596928)
- Allow systemd_modules_load_t to access unlabeled infiniband pkeys
- Allow init_t domain to create netlink rdma sockets for ibacm policy
- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
- Allow lvm_t domain to write files to all mls levels
- Add to su_role_template allow rule for creating netlink_selinux sockets
- Allow sysadm_t domain to mmap hwdb db
- Allow udev_t domain to mmap kernel modules
- Allow sysadm_screen_t to have capability dac_override and chown
- Allow sysadm_t domain to mmap journal
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Label /etc/systemd/system.control/ dir as systemd_unit_file_t
---
diff --git a/.gitignore b/.gitignore index 127d5de..21596a8 100644 --- a/.gitignore +++ b/.gitignore @@ -292,3 +292,5 @@ serefpolicy* /selinux-policy-contrib-cbece46.tar.gz /selinux-policy-contrib-48a2c03.tar.gz /selinux-policy-61f6126.tar.gz +/selinux-policy-b05b119.tar.gz +/selinux-policy-contrib-2dd0063.tar.gz 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 8fe94d1..e3e9393 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 61f61268f8caf7741b4d429c785581037ca22e61 +%global commit0 b05b119f976cb652f49bff5a6676eadd9dc01a5e %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 48a2c03804e2568b3d7027d154d5d180b03818f6 +%global commit1 2dd0063de5360db3475c4d40fd8ceb91120a1f40 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,68 @@ exit 0 %endif %changelog +* Tue Jul 03 2018 Lukas Vrabec - 3.14.1-34 +- Add dac_read_search capability to thumb_t domain +- Add dac_override capability to cups_pdf_t domain BZ(1594271) +- Add net_admin capability to connntrackd_t domain BZ(1594221) +- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) +- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) +- Allow motion_t to mmap video devices BZ(1590446) +- Add dac_override capability to mpd_t domain BZ(1585358) +- Allow fsdaemon_t domain to write to mta home files BZ(1588212) +- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) +- Allow sssd_t domain to write to general cert files BZ(1589339) +- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) +- Allow cockpit_session_t to read kernel network state BZ(1596941) +- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) +- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files +- Allow chronyc_t domain to use nscd shm +- Label /var/lib/tomcats dir as tomcat_var_lib_t +- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files +- Add ibacm policy +- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t +- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t +- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services +- Allow crond_t domain to create netlink selinux sockets and dac_override cap. +- Allow radiusd_t domain to have dac_override capability +- Allow amanda_t domain to have setgid capability +- Allow psad domain to setrlimit. 
Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary +- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label +- Allow abrt_t domain to write to rhsmcertd pid files +- Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control +- Add vhostmd_t domain to read/write to svirt images +- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files +- Allow sssd_t and slpad_t domains to mmap generic certs +- Allow chronyc_t domain use inherited user ttys +- Allow stapserver_t domain to mmap own tmp files +- Allow systemd to mounton core kernel interface +- Add dac_override capability to ipsec_t domain BZ(1589534) +- Allow systemd domain to mmap lvm config files BZ(1594584) +- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files +- Allows systemd to get attribues of core kernel interface BZ(1596928) +- Allow systemd_modules_load_t to access unabeled infiniband pkeys +- Allow init_t domain to create netlink rdma sockets for ibacm policy +- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files +- Allow lvm_t domain to write files to all mls levels +- Add to su_role_template allow rule for creating netlink_selinux sockets +- Allow sysadm_t domain to mmap hwdb db +- Allow udev_t domain to mmap kernel modules +- Allow sysadm_screen_t to have capability dac_override and chown +- Allow sysadm_t domain to mmap journal +- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide +- Label /etc/systemd/system.control/ dir as systemd_unit_file_t +- Merge pull request #215 from bachradsusi/merge-conf-from-fedora +- Allow sysadm_t and staff_t domains to use sudo io logging +- Allow sysadm_t domain create sctp sockets +- Add snapperd_contexts to the policy +- Use system_u:system_r:unconfined_t:s0 in userhelper_context +- Remove unneeded system_u 
seusers mapping. +- Fedora targeted default user is unconfined_u, root is unconfined_u as well +- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. +- Change failsafe_context to unconfined_r:unconfined_t:s0 +- Update lxc_contexts from Fedora config.tgz +- Add lxc_contexts config file + * Thu Jun 14 2018 Lukas Vrabec - 3.14.1-33 - Merge pull request #60 from vmojzis/rawhide - Allow tangd_t domain stream connect to sssd diff --git a/sources b/sources index 1e96851..c4a14cb 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (selinux-policy-contrib-48a2c03.tar.gz) = dbf157503b599bbbef9fc01bd33166ae23cf2d0ebe40c4c5adcccd2e0c3b62549b1c8caf58044d693131f77e277e842be9685f1d0986ef5c7817b225b65b54aa -SHA512 (selinux-policy-61f6126.tar.gz) = 63bbb69d1e0b55c84172f283b45d54b85fda6efdd43aa7b7e7215d4840ef16a05ea58ef48a493f0c47635f14830e5d1ef0bf7417a35654b63be9d7537d2dafbc -SHA512 (container-selinux.tgz) = 18419dafa076be34d211c84ef99c9affbbd027469cf3c71c26b4acba185f80302f7a2b65f55545f1e9579d5522f43673431ace61f3dde97c6af883653ac1344b +SHA512 (selinux-policy-b05b119.tar.gz) = bf1b58d01306a5ae8b79b02bb54bf8481bdba7edc736fe8ecf6abb0bd533bd7e25568466e2acd2167dd76a0ef3379eef4c920aeb8d9f0fb42f501f23afcd1f29 +SHA512 (selinux-policy-contrib-2dd0063.tar.gz) = 6be34ba2d21cc6efd286de80cf377600282a725f7416e39f595cf903aa16afac515351f217418b4429aa7972f6a4339a4da87f6bcb1688faf7fb238fcb08b7bd +SHA512 (container-selinux.tgz) = 02efde2e9637eefa0e5a20104b0388a3a6a227401166a82e73c08b423cb8b798e3e9cc0ee036c8c6b17d09bcca5293886eee25cd6338c6284e8a7f2dcf722498
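Review bot: In the %changelog hunk of selinux-policy.spec, the dac_override grants to crond_t, radiusd_t and sysadm_screen_t carry no BZ reference, unlike the cups_pdf_t, mpd_t and ipsec_t entries. dac_override lets a domain bypass file read, write and execute permission checks, so each grant should cite the denial that motivated it and say why the narrower dac_read_search (as given to thumb_t in the same entry list) is not enough. The entries also contain typos that will ship in the RPM changelog ("connntrackd_t", "eexec", "attribues", "unabeled", "slpad_t"), and the entries from "Merge pull request #215" onward, which change failsafe_context, userhelper_context and the default SELinux user mapping, do not appear in the commit message.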
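Review bot: In the sources hunk, the SHA512 for container-selinux.tgz changes, but the file name carries no version or commit id and neither the changelog nor the commit message mentions a container-selinux update. The two selinux-policy tarballs are tied to commit0 and commit1 in the spec through their short hashes (b05b119, 2dd0063), so a reviewer can map their checksums to an upstream revision; the container-selinux archive has no such link. Record the upstream revision it was built from in the changelog, or name the tarball after its commit like the other two sources.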