From 6f4b33d229a100e66f0fbd71e780698cb9f74c09 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Apr 27 2018 13:06:45 +0000
Subject: * Fri Apr 27 2018 Lukas Vrabec - 3.14.1-23

- Allow dnssec_trigger_t domain to read system network state BZ(1570205)
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- gnome_data_filetrans macro should be in optional block
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- Label /run/ebtables.lock as iptables_var_run_t
- Allow udev_t domain to manage udev_rules_t char files.
- Assign babel_port_t label to udp port 6696
- Add new interface lvm_map_config
- Merge pull request #212 from stlaz/patch-1
- Allow local_login_t reads of udev_var_run_t context

---
diff --git a/.gitignore b/.gitignore index 8db0631..c93b53e 100644 --- a/.gitignore +++ b/.gitignore @@ -273,3 +273,5 @@ serefpolicy* /selinux-policy-31ddb33.tar.gz /selinux-policy-contrib-a5ef4ca.tar.gz /selinux-policy-contrib-675493a.tar.gz +/selinux-policy-contrib-1d0500c.tar.gz +/selinux-policy-4ca2f9b.tar.gz diff --git a/selinux-policy.spec b/selinux-policy.spec index d4d5e4b..01579a7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,11 +1,11 @@ # github repo with selinux-policy base sources %global git0 https://github.com/fedora-selinux/selinux-policy -%global commit0 31ddb33465648c6d7873c02f6a853d90d11d825c +%global commit0 4ca2f9b2df5aeb7f0209654fcddaeb3df87075d5 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7}) # github repo with selinux-policy contrib sources %global git1 https://github.com/fedora-selinux/selinux-policy-contrib -%global commit1 675493a6b46534621467ce77b908b6784c3b3b24 +%global commit1 1d0500c0846e2145a834a7d0f160954d18fe7208 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7}) %define distro redhat @@ -29,7 +29,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.1 -Release: 22%{?dist} +Release: 23%{?dist} License: GPLv2+ Group: System Environment/Base Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz 
@@ -718,6 +718,44 @@ exit 0 %endif %changelog +* Fri Apr 27 2018 Lukas Vrabec - 3.14.1-23 +- Allow dnssec_trigger_t domain to read system network state BZ(1570205) +- Add dac_override capability to mailman_mail_t domain +- Add dac_override capability to radvd_t domain +- Update openvswitch policy +- Add dac_override capability to oddjob_homedir_t domain +- Allow slapd_t domain to mmap slapd_var_run_t files +- Rename tang policy to tangd +- Allow virtd_t domain to relabel virt_var_lib_t files +- Allow logrotate_t domain to stop services via systemd +- Add tang policy +- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t +- Allow snapperd_t daemon to create unlabeled dirs. +- Make httpd_var_run_t mountpoint +- Allow hsqldb_t domain to mmap own temp files +- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence +- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP +- Add new Boolean tomcat_use_execmem +- Allow nfsd_t domain to read/write sysctl fs files +- Allow conman to read system state +- Allow brltty_t domain to be dbusd system client +- Allow zebra_t domain to bind on babel udp port +- Allow freeipmi domain to read sysfs_t files +- Allow targetd_t domain mmap lvm config files +- Allow abrt_t domain to manage kdump crash files +- gnome_data_filetrans macro should be in optional block +- Allow netutils_t domain to create bluetooth sockets +- Allow traceroute to bind on generic sctp node +- Allow traceroute to search network sysctls +- Allow systemd to use virtio console +- Label /dev/op_panel and /dev/opal-prd as opal_device_t +- Label /run/ebtables.lock as iptables_var_run_t +- Allow udev_t domain to manage udev_rules_t char files. 
+- Assign babel_port_t label to udp port 6696 +- Add new interface lvm_map_config +- Merge pull request #212 from stlaz/patch-1 +- Allow local_login_t reads of udev_var_run_t context + * Wed Apr 18 2018 Lukas Vrabec - 3.14.1-22 - Allow networkmanager domain to write to ecryptfs_t files BZ(1566706) - Allow l2tpd domain to stream connect to sssd BZ(1568160) diff --git a/sources b/sources index 2e6e539..49eccf9 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (container-selinux.tgz) = f695756ecfe78ab5539ffe2d71fcd502f7b8685072953ac07c7a23f0b651bfe60a45d7b56e0d28a9be2509793ab203fa5c038dfab58128c59f43ac078b5ceaee -SHA512 (selinux-policy-contrib-675493a.tar.gz) = 1afb022659771def785ff73fd5da899b698794c371ded18e30d8ab0db8c8900f1e2c7d1a6cb4ac02d742432e45b31ffbce3c9d92d97885d6b9ff731ebae8274c -SHA512 (selinux-policy-31ddb33.tar.gz) = 9b430dcd9c15c89b525f9a1d843c9a3f5a876735a9ccca2d2029c69e91391083e793fe4a59186d33223fa1c32c0ba84b2d0f8c08597885c477ea2903a8128f99 +SHA512 (selinux-policy-contrib-1d0500c.tar.gz) = f64237d4b925083f54549d5b1c14f3492ccf2cd2a633dd2f3187773fe88464d16e23ab679633fe5db0ae8ee569f76032b30c4ce55064d6d9216ac9358fb83a65 +SHA512 (selinux-policy-4ca2f9b.tar.gz) = be073eebd8af7ea3f7679647f8b91cac77ae4a9e6ac6c2f0b393510fe24ad9eba074a4854312c1a04fb4bba85eb057b70a14fc3254e4fb5af21adca3d08fdbe7 +SHA512 (container-selinux.tgz) = 2e7a22662f61a4acba4e3d7ccf16f7e307352af497dc988613cd45add0ada46476565619a97800fe84cead73a50605df2fd274a30eee0ba6f3cc24d3be01ea4f
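Review bot: In the %changelog hunk of selinux-policy.spec, the three "Add dac_override capability to ..." entries (mailman_mail_t, radvd_t, oddjob_homedir_t) carry no bug reference or reason, and dac_override lets the domain bypass ordinary file permission checks, so each one deserves the denial or bug that motivated it. Only the first entry in the block, "Allow dnssec_trigger_t domain to read system network state BZ(1570205)", is traceable to a report. Please add the BZ number to the dac_override entries, or confirm that the denial was not caused by a file with the wrong owner or mode that should be fixed instead. Two smaller points in the same block: "Add tang policy" and "Rename tang policy to tangd" describe one net change and could be a single entry, and "Created aliasses to make it consistence" ships to users through the package changelog with both typos.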
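Review bot: In the sources hunk, the SHA512 for container-selinux.tgz changes (f695756e... to 2e7a2266...) while the file name stays the same, and nothing in the changelog or the spec hunks mentions a container-selinux update. The two selinux-policy tarballs are tied to %global commit0 and commit1 through their short commit ids (4ca2f9b, 1d0500c), so their new hashes can be checked against a known revision; the container-selinux archive has no such anchor in this diff. Please record which container-selinux revision the new tarball corresponds to, either as a changelog entry or by using a versioned file name, so that the hash change can be audited later.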