From 67e8194a73fe566e727277104bb0ad94b41f2cae Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: May 24 2018 12:07:05 +0000 Subject: * Thu May 24 2018 Lukas Vrabec - 3.14.1-28 - Allow mailman_mail_t domain to search for apache configs - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. - Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow ptrace arbitrary processes - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) - Allow certmonger to geattr of filesystems BZ(1578755) - Allow hypervvssd_t domain to read fixed disk devices - Allow several domains to manage ecryptfs_t filesystem - Allow userdom_use_user_ttys for loadkeys_t domain - Add dac_override capability to cachefiles_kernel_t domain - Allow blueman to execute ldconfig BZ(1577581) - Allow gpg_pinentry_t domain to read state of gpg_t processes - Allow xdm_t domain to mmap xserver_misc_device_t files - Allow xdm_t domain to execute systemd-coredump binary - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used - Associate sysctl_vm_overcommit_t with fs_t - Allow systemd creating bluetooth sockets - Allow ssh client to read network sysctl BZ(1574170) - Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files --- diff --git a/.gitignore b/.gitignore index 94ce76c..b7f6564 100644 --- a/.gitignore +++ b/.gitignore 
@@ -280,3 +280,5 @@ serefpolicy* /selinux-policy-cb236ab.tar.gz /selinux-policy-0abb218.tar.gz /selinux-policy-contrib-012057a.tar.gz +/selinux-policy-contrib-a1b70e6.tar.gz +/selinux-policy-ba962ad.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index a4bc426..077ab9e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 0abb218a48e7c4dc866fba0a056cbade4f9a40dc +%global commit0 ba962ad08bd9d6b1043b4ebaa652edd6d776370b %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 012057a8ec3e3fc42db67548012b48ce3314fe4a +%global commit1 a1b70e6149cab9d3f1662258a075d022806e7978 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,33 @@ exit 0 %endif %changelog +* Thu May 24 2018 Lukas Vrabec - 3.14.1-28 +- Allow mailman_mail_t domain to search for apache configs +- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. +- Improve procmail_domtrans() to allow mmaping procmail_exec_t +- Allow ptrace arbitrary processes +- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) +- Allow certmonger to geattr of filesystems BZ(1578755) +- Allow hypervvssd_t domain to read fixed disk devices +- Allow several domains to manage ecryptfs_t filesystem +- Allow userdom_use_user_ttys for loadkeys_t domain +- Add dac_override capability to cachefiles_kernel_t domain +- Allow blueman to execute ldconfig BZ(1577581) +- Allow gpg_pinentry_t domain to read state of gpg_t processes +- Allow xdm_t domain to mmap xserver_misc_device_t files +- Allow xdm_t domain to execute systemd-coredump binary +- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set +- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries +- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary +- Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries +- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. +- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface +- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used +- Associate sysctl_vm_overcommit_t with fs_t +- Allow systemd creating bluetooth sockets +- Allow ssh client to read network sysctl BZ(1574170) +- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files + * Tue May 22 2018 Lukas Vrabec - 3.14.1-27 - Increase dependency versions of policycoreutils and checkpolicy packages diff --git a/sources b/sources index 7a6a9f6..d0e4685 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (selinux-policy-0abb218.tar.gz) = b9b55e215e70bd8b88bda91b857125737fb911154dcb5e2147b584befdc7fd92b8b7f36db5900e8d279e126dbff9e87ddb9174639a8e15f9572b791e5a2bccb6 -SHA512 (selinux-policy-contrib-012057a.tar.gz) = c85ff4cf5b1ab81323c6117e12e2f397b54eae4cc870acd3474a07bfa4e0af44563d2319429743c2e4c78f6b498536fdbe0f7bff1840674b0ed5fdc00f884a03 -SHA512 (container-selinux.tgz) = 17e293f0cff800aded2e4ee015a6ce22f17dd1f7904cc8f519c1ca74ee9ae6627edb139fd6f7e08d46dcf586ec2ec659dc3c180118fce8f161579b074f90620e +SHA512 (selinux-policy-contrib-a1b70e6.tar.gz) = 2959b575b51d45034b663ed3f2790b5e6c41c7c84f6bccaca31d7363ee5ad9be4cbb2753d4dc137069acb44dbeb099bee7df481351d5027f6d78b88c3f07698a +SHA512 (selinux-policy-ba962ad.tar.gz) = c0009bf84d731d2562a88b53d6c891d887fd0d0a35e94759acd773e154dcbfbcaa73056c0c6629dea7ad8c86451a8d0c70cf27f186f7cbbdaee618f71574bdfb +SHA512 (container-selinux.tgz) = e60e43e525ede3704b73155fc777f90d241ee0044714de084816efded0ca913d2aaa85a131bde4660663c51f8e9ef7d146fab7980e20e8b416e947d35034c851
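Review bot: In the %changelog hunk of selinux-policy.spec (@@ -718,6 +718,33 @@), the entry "Allow ptrace arbitrary processes" names no source domain and no BZ, unlike the entries around it, so a reader of the package changelog cannot tell which domain gained ptrace over other processes or whether it is gated by a boolean. Please name the domain (and the boolean, if any) in that line. Two smaller wording points in the same hunk: "geattr" should read "getattr", and "auth_domtrans_login_programinterface" looks like it is missing "() " before "interface".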
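Review bot: In the sources hunk (@@ -1,3 +1,3 @@), the SHA512 for container-selinux.tgz changes while the file name stays the same, and neither the %changelog entry nor the visible spec hunks mention a container-selinux update. The two policy tarballs carry their short commit in the name and are pinned by commit0/commit1 in the spec, so their new checksums can be traced; this one cannot. Please record the container-selinux commit or version this tarball was built from, either as a changelog line or by putting the short commit in the tarball name as for the other two sources.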