diff --git a/.gitignore b/.gitignore
index 4017591..68fb9ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -276,3 +276,5 @@ serefpolicy*
 /selinux-policy-contrib-1d0500c.tar.gz
 /selinux-policy-4ca2f9b.tar.gz
 /selinux-policy-2874230.tar.gz
+/selinux-policy-contrib-608e3d6.tar.gz
+/selinux-policy-cb236ab.tar.gz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 48fbbdb..f5f6ade 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 2874230fd90e69ad4f185b20296cb9004caefa5a
+%global commit0 cb236abc70e83b8563be2ac9ea3b68f123f0f244
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 1d0500c0846e2145a834a7d0f160954d18fe7208
+%global commit1 608e3d60937224770e85c4aa91817b0c4c5eac27
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.1
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
@@ -718,6 +718,55 @@ exit 0 %endif %changelog +* Mon May 21 2018 Lukas Vrabec - 3.14.1-25 +- Add dac_override capability to remote_login_t domain +- Allow chrome_sandbox_t to mmap tmp files +- Update ulogd SELinux security policy +- Allow rhsmcertd_t domain send signull to apache processes +- Allow systemd socket activation for modemmanager +- Allow geoclue to dbus chat with systemd +- Fix file contexts on conntrackd policy +- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE +- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets +- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t +- Allow nscd_t domain to be system dbusd client +- Allow abrt_t domain to read sysctl +- Add dac_read_search capability for tangd +- Allow systemd socket activation for rshd domain +- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t +- Allow kdump_t domain to map /boot files +- Allow conntrackd_t domain to send msgs to syslog +- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t +- Allow swnserve_t domain to stream connect to sasl domain +- Allow smbcontrol_t to create dirs with samba_var_t label +- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. 
BZ(1579760) +- Allow tangd to read public sssd files BZ(1509054) +- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212) +- Allow ctdb_t domain modify ctdb_exec_t files +- Allow firewalld_t domain to create netlink_netfilter sockets +- Allow radiusd_t domain to read network sysctls +- Allow pegasus_t domain to mount tracefs_t filesystem +- Allow psad_t domain to read all domains state +- Allow tomcat_t domain to connect to mongod_t tcp port +- Allow dovecot and postfix to connect to systemd stream sockets +- Make nmbd_t domain dbus system client BZ(1569856) +- Merge pull request #55 from SISheogorath/fix/tlp-policy +- Merge pull request #54 from tmzullinger/rawhide +- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168) +- Allow gssproxy_t domain to read gssd_t state BZ(1572945) +- Allow create systemd to mount pid files +- Add files_map_boot_files() interface +- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760) +- Fix typo xserver SELinux module +- Allow systemd to mmap files with var_log_t label +- Allow x_userdomains read/write to xserver session +- Allow users staff and sysadm to run wireshark on own domain +- Fix typos s/xserver/xdm/ for allow creating xserver misc devices +- Allow systemd-bootchart to create own tmpfs files +- Merge pull request #213 from tmzullinger/rawhide +- Allow xdm_t domain to install Nouveau drivers BZ(1570996) +- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) + * Sat Apr 28 2018 Lukas Vrabec - 3.14.1-24 - Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) diff --git a/sources b/sources index 0ff11af..856a146 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (selinux-policy-2874230.tar.gz) = d1fa0fe7127cea2926174774c69174e5b07cb112203bd5fca21098a4634e653316d7bbd8ce632e9bda1bb009b19f17b5e58f232c19cffc3d0a68f0ce9881223a
-SHA512 (selinux-policy-contrib-1d0500c.tar.gz) = f64237d4b925083f54549d5b1c14f3492ccf2cd2a633dd2f3187773fe88464d16e23ab679633fe5db0ae8ee569f76032b30c4ce55064d6d9216ac9358fb83a65
-SHA512 (container-selinux.tgz) = e0c6d703d12dc67c66915680af17f88582fedb0f4e68b74ead1a784f53ac8a3b0ee6c78d13a387cc7fedf5db297ec9355ce3ff408e7790c44c551c809cc26c14
+SHA512 (selinux-policy-contrib-608e3d6.tar.gz) = 0d029ea7065479b03d305a8d22bc95ef27e190a0729adf61a8dedea5afeeac25bdfff7b6b4f211922da19961b7ddd3473ec14e84dc392f581c21f87d81a51d58
+SHA512 (selinux-policy-cb236ab.tar.gz) = 962e158813992877edec0c4e5e6eeb1d7e9a94e29155a3484ac4d59fc7b66ed63cfe6d01be165e78a4d1e3d6bd9182eeada5efaf21f2eca3fa459664308582c9
+SHA512 (container-selinux.tgz) = 30dca9db85c175851f750198d80ce7285ed47661113db65f41c439325472ecf9baa4814f6b677ab67106404b98b6775f5149a90bc6bdf4fdccf2804f27381a4a
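Review bot: The SHA512 for `container-selinux.tgz` changes in this hunk, but unlike the two selinux-policy tarballs its file name carries no commit id, and the spec hunks in this commit pin only `commit0` and `commit1`. Nothing in the 3.14.1-25 changelog entry mentions a container-selinux refresh, so a reader cannot tell from the commit which upstream revision the new archive corresponds to or verify the hash against it. I would record the revision next to where the tarball is declared, for example a spec comment such as `# container-selinux.tgz generated from <repo URL> at <commit id>`, and add a changelog line for the refresh. How that tarball is produced is outside this diff, so the right place for the comment is an assumption to confirm.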