From 5d5eb8e7fc7060e48013c84154116e8686d2cbe2 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Sep 20 2018 06:54:04 +0000 Subject: * Thu Sep 20 2018 Lukas Vrabec - 3.14.3-3 - Allow certmonger to manage cockpit_var_run_t pid files - Allow cockpit_ws_t domain to manage cockpit services - Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs - Add interface apache_read_tmp_dirs() - Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t - Add interface apcupsd_read_power_files() - Allow systemd labeled as init_t to execute logrotate in logrotate_t domain - Allow dac_override capability to amanda_t domain - Allow geoclue_t domain to get attributes of fs_t filesystems - Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client - Allow cockpit_t domain to read systemd state - Allow abrt_t domain to write to usr_t files - Allow cockpit to create motd file in /var/run/cockpit - Label /usr/sbin/pcsd as cluster_exec_t - Allow pesign_t domain to getattr all fs - Allow tomcat servers to manage usr_t files - Dontaudit tomcat serves to append to /dev/random device - Allow dirsrvadmin_script_t domain to read httpd tmp files - Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs - Fix path where are sources for CI - Revert "Allow firewalld_t domain to read random device" - Add travis CI for selinux-policy-contrib repo - Allow postfix domains to mmap system db files - Allow geoclue_t domain to execute own tmp files - Update ibacm_read_pid_files interface to allow also reading link files - Allow zebra_t domain to create packet_sockets - Allow opafm_t domain to list sysfs - Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t - Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. 
- Allow chronyd_t domain to read virt_var_lib_t files - Allow systemd to read apcupsd power files - Revert "Allow polydomain to create /tmp-inst labeled as tmp_t" - Allow polydomain to create /tmp-inst labeled as tmp_t - Allow polydomain to create /tmp-inst labeled as tmp_t - Allow systemd_resolved_t domain to bind on udp howl port - Add new boolean use_virtualbox Resolves: rhbz#1510478 - Allow sshd_t domain to read cockpit pid files - Allow syslogd_t domain to manage cert_t files - Fix path where are sources for CI - Add travis.yml to to create CI for selinux-policy sources - Allow getattr as part of files_mounton_kernel_symbol_table. - Fix typo "aduit" -> "audit" - Revert "Add new interface dev_map_userio()" - Add new interface dev_map_userio() - Allow systemd to read ibacm pid files
---
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 53e5dd0..ade0180 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 38c6414d2dac8b3e77914561f34babdf93ef27ff
+%global commit0 9c42b2893707c6a5a694c25b03ffafc951305575
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 5ed2192d563e34d3f1e7c4f7b2673af960de8769
+%global commit1 dab4b50b7d2268b6cfb675754903b1a413008bba
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -709,6 +709,53 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 20 2018 Lukas Vrabec - 3.14.3-3
+- Allow certmonger to manage cockpit_var_run_t pid files
+- Allow cockpit_ws_t domain to manage cockpit services
+- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
+- Add interface apache_read_tmp_dirs()
+- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
+- Add interface apcupsd_read_power_files()
+- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
+- Allow dac_override capability to amanda_t domain
+- Allow geoclue_t domain to get attributes of fs_t filesystems
+- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
+- Allow cockpit_t domain to read systemd state
+- Allow abrt_t domain to write to usr_t files
+- Allow cockpit to create motd file in /var/run/cockpit
+- Label /usr/sbin/pcsd as cluster_exec_t
+- Allow pesign_t domain to getattr all fs
+- Allow tomcat servers to manage usr_t files
+- Dontaudit tomcat serves to append to /dev/random device
+- Allow dirsrvadmin_script_t domain to read httpd tmp files
+- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
+- Fix path where are sources for CI
+- Revert "Allow firewalld_t domain to read random device"
+- Add travis CI for selinux-policy-contrib repo
+- Allow postfix domains to mmap system db files
+- Allow geoclue_t domain to execute own tmp files
+- Update ibacm_read_pid_files interface to allow also reading link files
+- Allow zebra_t domain to create packet_sockets
+- Allow opafm_t domain to list sysfs
+- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
+- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
+- Allow chronyd_t domain to read virt_var_lib_t files
+- Allow systemd to read apcupsd power files
+- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Allow polydomain to create /tmp-inst labeled as tmp_t
+- Allow systemd_resolved_t domain to bind on udp howl port
+- Add new boolean use_virtualbox Resolves: rhbz#1510478
+- Allow sshd_t domain to read cockpit pid files
+- Allow syslogd_t domain to manage cert_t files
+- Fix path where are sources for CI
+- Add travis.yml to to create CI for selinux-policy sources
+- Allow getattr as part of files_mounton_kernel_symbol_table.
+- Fix typo "aduit" -> "audit"
+- Revert "Add new interface dev_map_userio()"
+- Add new interface dev_map_userio()
+- Allow systemd to read ibacm pid files
+
 * Thu Sep 06 2018 Lukas Vrabec - 3.14.3-2
 - Allow tomcat services create link file in /tmp
 - Label /etc/shorewall6 as shorewall_etc_t
diff --git a/sources b/sources
index adea865..f4dfb65 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-contrib-5ed2192.tar.gz) = 6d8c08980a10b498155893d7c9d949c89761622b4b16ca1e4c80d78ebd97791ee9e59112b725aae8402aec382214001cb9952e0e22b11698abacaea74ae7db41
-SHA512 (selinux-policy-38c6414.tar.gz) = a0d47bee2311baea12ade3a1f6460a76ba3e479314838957e5225c0e8ec0926ae0e9027b6204f1d5153f7e8b0ef207e4bbb30d9ee16bf1f5396ad87626b78528
-SHA512 (container-selinux.tgz) = a563b1da0a6c3b4bd1b171b263e171cd1a99758130c9c0e7d351df7709aa6f0e52e5e6eb211469697db0bdb86adf9de6c0b5f5935c928611854867084327114d
+SHA512 (selinux-policy-9c42b28.tar.gz) = 6fe28d188723b1b6881fc3debdba5f577ca7292fd5dc49331267d979ec9b2d5c127093e59eda02894016b7d5f9e5acd971baf158d409dd71efc2907a538792d4
+SHA512 (selinux-policy-contrib-dab4b50.tar.gz) = f75ccf7d02520c85ca80f80b00101713689595e82765605c6a3a33e6c6488fd04885b06ff36d50f88741182b8d010e5157133ff9a5679fc1a45bbd09b461859b
+SHA512 (container-selinux.tgz) = c104778b2744fdcf42ec8c8e98c846d9db103f7b320ab4e13c26d6b3fd25da2fba3ee94d00e3b638687be5f98d31fddd5906c87928be9ad8d667b41c0f100ecc
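Review bot: The SHA512 for `container-selinux.tgz` changes in this hunk, but unlike the other two archives its file name carries no commit id, and none of the spec hunks shown in this commit pins an upstream revision for it. The `selinux-policy-9c42b28` and `selinux-policy-contrib-dab4b50` tarballs can be traced to `commit0` and `commit1`, so their new digests can be re-derived from a named revision; from what is visible here, the third cannot. If the spec does not already pin it elsewhere, consider adding a pin in the same style, e.g. `%global commit2 <container-selinux-commit>` (placeholder), with the archive named after its short commit. Failing that, record the upstream revision in the changelog entry, so a reviewer can verify what policy content the new digest actually covers.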