diff --git a/.gitignore b/.gitignore
index ba2fcb1..d71b5e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-9a47a4a.tar.gz
-SOURCES/selinux-policy-contrib-a8396fe.tar.gz
+SOURCES/selinux-policy-b5586ba.tar.gz
+SOURCES/selinux-policy-contrib-267743a.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index e5a75d7..b564898 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,3 +1,3 @@
-d83aa4d6d4668e9ca15a3e5160506af44eaf56f1 SOURCES/container-selinux.tgz
-3a0184fb534ece4e1fb8b5c2102c9d615ef49623 SOURCES/selinux-policy-9a47a4a.tar.gz
-7fbb4d1e48eeed45e637fe3c0ac63f2fed74dfe6 SOURCES/selinux-policy-contrib-a8396fe.tar.gz
+3c2810a578a2983781de5c969ba7a7dd7b6227d7 SOURCES/container-selinux.tgz
+7de814a764fbd6c004c726b384e9f919a3af3883 SOURCES/selinux-policy-b5586ba.tar.gz
+9fe88da07caee56a7d36642383d1913e01f339e6 SOURCES/selinux-policy-contrib-267743a.tar.gz
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 7db5870..9fa2a42 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -1,11 +1,11 @@
 # github repo with selinux-policy base sources
 %global git0 https://github.com/fedora-selinux/selinux-policy
-%global commit0 9a47a4acc0a62b081f8681508a87f974de4bfd7f
+%global commit0 b5586baa73b14fb8ca458fa4bbe70522b1ec264b
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 # github repo with selinux-policy contrib sources
 %global git1 https://github.com/fedora-selinux/selinux-policy-contrib
-%global commit1 a8396fef9ea6130a68308bfbd54dfc656fb5037f
+%global commit1 267743aa7d7e85fe2bf3ccd199927d6c00bb4439
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 %define distro redhat
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 117%{?dist}.3
+Release: 128%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -165,6 +165,7 @@ SELinux policy documentation package
 %files doc
 %{_mandir}/man*/*
 %{_mandir}/ru/*/*
+%exclude %{_mandir}/man8/container_selinux.8.gz
 %doc %{_usr}/share/doc/%{name}
 
 %define makeCmds() \
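Review bot: The new `%exclude %{_mandir}/man8/container_selinux.8.gz` line in `%files doc` carries no explanation of why a single man page is carved out of the `%{_mandir}/man*/*` glob, so whoever next tidies the file list cannot tell it from a stale leftover. The changelog in this same commit records the reason (rhbz#2218362, "Exclude container-selinux manpage from selinux-policy-doc"), and a one-line comment directly above the exclude keeps that reason in the spec itself: `# container_selinux.8 is deliberately not shipped in the doc subpackage (rhbz#2218362)`. In the first hunk, the Release change from `117%{?dist}.3` to `128%{?dist}` still compares greater than the previous release under rpm version ordering, so no Epoch change is needed for the upgrade path.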
@@ -717,43 +718,143 @@ exit 0
 %endif
 
 %changelog
-* Tue Aug 29 2023 Zdenek Pytela - 3.14.3-117.3
-- Add unconfined_server_read_semaphores() interface
-Resolves: rhbz#2233929
+* Fri Aug 25 2023 Zdenek Pytela - 3.14.3-128
+- Allow ssh_agent_type manage generic cache home files
+Resolves: rhbz#2177704
+- Add chromium_sandbox_t setcap capability
+Resolves: rhbz#2221573
+
+* Thu Aug 17 2023 Zdenek Pytela - 3.14.3-127
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 3
+Resolves: rhbz#2229726
+
+* Fri Aug 11 2023 Zdenek Pytela - 3.14.3-126
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 1/2
+Resolves: rhbz#2229726
+- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
+Resolves: rhbz#2177704
+- Allow cloud_init create dhclient var files and init_t manage net_conf_t 2/2
+Resolves: rhbz#2229726
+- Make insights_client_t an unconfined domain
+Resolves: rhbz#2225527
 - Allow insights-client create all rpm logs with a correct label
-Resolves: rhbz#2233929
+Resolves: rhbz#2229559
 - Allow insights-client manage generic logs
-Resolves: rhbz#2233929
+Resolves: rhbz#2229559
+
+* Fri Aug 04 2023 Zdenek Pytela - 3.14.3-125
+- Allow user_u and staff_u get attributes of non-security dirs
+Resolves: rhbz#2216151
+- Allow unconfined user filetrans chrome_sandbox_home_t 1/2
+Resolves: rhbz#2221573
+- Allow unconfined user filetrans chrome_sandbox_home_t 2/2
+Resolves: rhbz#2221573
 - Allow insights-client execmem
-Resolves: rhbz#2233929
+Resolves: rhbz#2225233
+- Allow svnserve execute postdrop with a transition
+Resolves: rhbz#2004843
+- Do not make postfix_postdrop_t type an MTA executable file
+Resolves: rhbz#2004843
+- Allow samba-dcerpc service manage samba tmp files
+Resolves: rhbz#2210771
+- Update samba-dcerpc policy for printing
+Resolves: rhbz#2210771
+
+* Thu Jul 20 2023 Zdenek Pytela - 3.14.3-124
+- Add the files_getattr_non_auth_dirs() interface
+Resolves: rhbz#2076937
+- Update policy for the sblim-sfcb service
+Resolves: rhbz#2076937
+- Dontaudit sfcbd sys_ptrace cap_userns
+Resolves: rhbz#2076937
+- Label /usr/sbin/sos with sosreport_exec_t
+Resolves: rhbz#2167731
+- Allow sa-update manage spamc home files
+Resolves: rhbz#2222200
+- Allow sa-update connect to systemlog services
+Resolves: rhbz#2222200
+- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t
+Resolves: rhbz#2222200
+
+* Thu Jun 29 2023 Zdenek Pytela - 3.14.3-123
+- Label only /usr/sbin/ripd and ripngd with zebra_exec_t
+Resolves: rhbz#2213606
+- Allow httpd tcp connect to redis port conditionally
+Resolves: rhbz#2213965
+- Exclude container-selinux manpage from selinux-policy-doc
+Resolves: rhbz#2218362
+
+* Thu Jun 15 2023 Nikola Knazekova - 3.14.3-122
+- Update cyrus_stream_connect() to use sockets in /run
+Resolves: rhbz#2165752
 - Allow insights-client map generic log files
-Resolves: rhbz#2233929
+Resolves: rhbz#2214572
 - Allow insights-client work with pipe and socket tmp files
-Resolves: rhbz#2233929
+Resolves: rhbz#2207819
 - Allow insights-client getsession process permission
-Resolves: rhbz#2233929
-- Allow insights-client work with teamdctl
-Resolves: rhbz#2233929
-- Allow insights-client read unconfined service semaphores
-Resolves: rhbz#2233929
-- Allow insights-client get quotas of all filesystems
-Resolves: rhbz#2233929
-- Allow insights-client read all sysctls
-Resolves: rhbz#2233931
-
-* Mon Jun 12 2023 Zdenek Pytela - 3.14.3-117.2
-- Label /run/fsck with fsadm_var_run_t
-Resolves: rhbz#2212328
+Resolves: rhbz#2207819
+- Allow keepalived to manage its tmp files
+Resolves: rhbz#2179335
+
+* Thu May 25 2023 Zdenek Pytela - 3.14.3-121
+- Update pkcsslotd policy for sandboxing 2/2
+Resolves: rhbz#2208162
+- Update pkcsslotd policy for sandboxing 1/2
+Resolves: rhbz#2208162
+- Allow abrt_t read kernel persistent storage files
+Resolves: rhbz#2207914
+- Add allow rules for lttng-sessiond domain
+Resolves: rhbz#2203509
+- Allow rpcd_lsad setcap and use generic ptys
+Resolves: rhbz#2107106
+- Allow samba-dcerpcd connect to systemd_machined over a unix socket
+Resolves: rhbz#2107106
+- Dontaudit targetd search httpd config dirs
+Resolves: rhbz#2203720
 
-* Mon May 15 2023 Zdenek Pytela - 3.14.3-117.1
+* Thu May 11 2023 Zdenek Pytela - 3.14.3-120
+- Allow unconfined service inherit signal state from init
+Resolves: rhbz#2177254
 - Allow systemd-pstore delete kernel persistent storage files
-Resolves: rhbz#2188268
+Resolves: rhbz#2181558
 - Add fs_delete_pstore_files() interface
-Resolves: rhbz#2188268
+Resolves: rhbz#2181558
+- Allow certmonger manage cluster library files
+Resolves: rhbz#2177836
+- Allow samba-rpcd work with passwords
+Resolves: rhbz#2107106
+- Allow snmpd read raw disk data
+Resolves: rhbz#2160000
+- Allow cluster_t dbus chat with various services
+Resolves: rhbz#2196524
+
+* Fri Apr 21 2023 Zdenek Pytela - 3.14.3-119
+- Add unconfined_server_read_semaphores() interface
+Resolves: rhbz#2183351
 - Allow systemd-pstore read kernel persistent storage files
-Resolves: rhbz#2188268
+Resolves: rhbz#2181558
 - Add fs_read_pstore_files() interface
-Resolves: rhbz#2188268
+Resolves: rhbz#2181558
+- Allow insights-client work with teamdctl
+Resolves: rhbz#2185158
+- Allow insights-client read unconfined service semaphores
+Resolves: rhbz#2183351
+- Allow insights-client get quotas of all filesystems
+Resolves: rhbz#2183351
+
+* Thu Apr 13 2023 Zdenek Pytela - 3.14.3-118
+- Allow login_pgm setcap permission
+Resolves: rhbz#2172541
+- Label /run/fsck with fsadm_var_run_t
+Resolves: rhbz#2184348
+- Add boolean qemu-ga to run unconfined script
+Resolves: rhbz#2028762
+- Allow dovecot-deliver write to the main process runtime fifo files
+Resolves: rhbz#2170495
+- Allow certmonger dbus chat with the cron system domain
+Resolves: rhbz#2173289
+- Allow insights-client read all sysctls
+Resolves: rhbz#2177607
 
 * Thu Feb 16 2023 Zdenek Pytela - 3.14.3-117
 - Fix opencryptoki file names in /dev/shm