selinux-policy package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 4 years ago
parent
commit
5c9764cf40
  1. 61468
      SOURCES/policy-rhel-7.8-base.patch
  2. 124923
      SOURCES/policy-rhel-7.8-contrib.patch
  3. 137
      SPECS/selinux-policy.spec

61468
SOURCES/policy-rhel-7.8-base.patch

File diff suppressed because it is too large

124923
SOURCES/policy-rhel-7.8-contrib.patch

File diff suppressed because it is too large

137
SPECS/selinux-policy.spec

@ -20,13 +20,12 @@ @@ -20,13 +20,12 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 252%{?dist}.1
Release: 266%{?dist}.1
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch0: policy-rhel-7.7-base.patch
patch1: policy-rhel-7.7-contrib.patch
patch2: policy-rhel-7.7.z-contrib.patch
patch0: policy-rhel-7.8-base.patch
patch1: policy-rhel-7.8-contrib.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
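
Review bot: Dropping "patch2: policy-rhel-7.7.z-contrib.patch" at the end of the patch list needs a line of justification, because both 7.8 patch diffs are suppressed on this page and nothing visible shows that the z-stream contrib rules were folded into policy-rhel-7.8-contrib.patch. The changelog still carries the 3.13.1-252.1 entry "Allow sbd_t domain to use nsswitch" (rhbz#1728593), so please confirm that rule is present in the rebuilt policy, for example with sesearch against the built modules, and say so in the commit message. The commit's file list also shows only the two 7.8 patches and the spec, so the three 7.7 patch files appear to stay in SOURCES unreferenced; remove them here or in a follow-up.
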
@ -341,7 +340,6 @@ Based off of reference policy: Checked out revision 2.20091117 @@ -341,7 +340,6 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
%patch2 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch0 -p1
@ -655,6 +653,131 @@ fi @@ -655,6 +653,131 @@ fi
%endif

%changelog
* Fri May 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.13.1-266.1
- Allow nagios_plugin_domain execute programs in bin directories
Resolves: rhbz#1832219

* Wed Nov 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-266
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
Resolves: rhbz#1765063

* Thu Oct 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
Resolves: rhbz#1765063

* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command
Resolves: rhbz#1765063

* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263
- Update tmpreaper_t policy due to fuser command
Resolves: rhbz#1765063

* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262
- Allow tmpreaper_t domain to read all domains state
Resolves: rhbz#1765063

* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
- Update sudo_role_template() to allow caller domain to read syslog pid files
Resolves: rhbz#1651253

* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
- Allow sbd_t domain to check presence of processes labeled as cluster_t
Resolves: rhbz#1753623

* Wed Sep 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-259
- Allow ganesha_t domain to read system network state and connect to cyphesis_port_t
Resolves: rhbz#1653857
- Label /var/log/collectd.log as collectd_log_t
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions
Resolves: rhbz#1688729
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
Resolves: rhbz#1658319
- Update sbd policy to allow manage cgroups
Resolves: rhbz#1715136
- Allow sudo userdomain to run rpm related commands
- Update rpm_run() interface to avoid duplicate role transition in sudo_role_template
Resolves: rhbz#1651253

* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions
Resolves: rhbz#1688729
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label
Resolves: rhbz#1658319

* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257
- Update sbd policy to allow manage cgroups
Resolves: rhbz#1715136

* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256
- Allow cupsd_t domain to manage cupsd_tmp_t temp link files
Resolves: rhbz#1719754
- Allow svnserve_t domain to read /dev/random
Resolves: rhbz#1727458
- Update sudodomains to make working confined users run sudo/su
Resolves: rhbz#1699391

* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255
- Allow virtlockd process read virtlockd.conf file
Resolves: rhbz#1714896

* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254
- Rebuild selinux-policy build because of broken RHEL-7.8 buildrood
during build of selinux-policy-3.13.1-253
Resolves: rhbz#1727341
* Mon Jul 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253
- Label user cron spool file with user_cron_spool_t
Resolves: rhbz#1727341
- Allow svnserve_t domain to read system state
Resolves: rhbz#1727458
- Update svnserve_t policy to make working svnserve hooks
Resolves: rhbz#1727458
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
Resolves: rhbz#1727379
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
Resolves: rhbz#1727379
- Allow userdomain gkeyringd domain to create stream socket with userdomain
Resolves: rhbz#1727379
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634)
Resolves: rhbz#1719754
- Allow mysqld_t domain to manage cluster pid files
Resolves: rhbz#1715805
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
Resolves: rhbz#1714896
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
Resolves: rhbz#1705599
- Allow rhsmcertd_t domain to send signull to all domains
Resolves: rhbz#1701338
- Allow cloud_init_t domain to ccreate iptables files with correct SELinux label
Resolves: rhbz#1699249
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files
- Allow certmonger to geattr of filesystems BZ(1578755)
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports Resolves: rhbz#1687497
- Allow lograte_t domain to manage collect_rw_content files and dirs
Resolves: rhbz#1658319
- Add interface collectd_manage_rw_content()
- Allow glusterd_t domain to setpgid
Resolves: rhbz#1653857
- Allow sysadm_sudo_t to use SELinux tooling.
Resolves: rhbz#1727341
- Allow sysadm_t domain to create netlink selinux sockets
Resolves: rhbz#1727379
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t
Resolves: rhbz#1723877
- Allow crack_t domain read /et/passwd files
Resolves: rhbz#1721093
- Allow sysadm_t domain to dbus chat with rtkit daemon
Resolves: rhbz#1720546
- Allow x_userdomains to nnp domain transition to thumb_t domain
Resolves: rhbz#1712603
- Dontaudit writing to user home dirs by gnome-keyring-daemon
Resolves: rhbz#1703959
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service
Resolves: rhbz#1699391
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
Resolves: rhbz#1699063
- Add interface kernel_relabelfrom_usermodehelper()

* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-252.1
- Allow sbd_t domain to use nsswitch
Resolves: rhbz#1728593
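
Review bot: Some of the added changelog lines that widen policy have no "Resolves:" reference, for example "Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files" in the 3.13.1-253 entry, which leaves no way to trace why the permission was granted; add the bug reference or state that none exists. The 3.13.1-259 entry also repeats the gnome_role_template(), collectd and sbd cgroups lines already listed under 3.13.1-258 and 3.13.1-257, and the blank line between the 3.13.1-254 and 3.13.1-253 entries is missing. There are typos in the added text as well ("buildrood", "ccreate", "geattr", "/et/passwd", "lograte_t", and the unbalanced "logging_send_audit_msgs(sudodomain()"). If the text is imported verbatim from the upstream spec, say so in the commit message; otherwise correct it before merging.
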
@ -931,7 +1054,7 @@ Resolves: rhbz#1627114 @@ -931,7 +1054,7 @@ Resolves: rhbz#1627114
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t
Resolves: rhbz#1567753

* Tue Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224
* Fri Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs.
Resolves: rhbz#1625678
- Allow chronyd_t domain to read virt_var_lib_t files
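
Review bot: The weekday correction on the 3.13.1-224 header is not mentioned in the commit message, which says only "selinux-policy package update"; 7 September 2018 was a Friday, so the new line is right, but note the changelog date fixes in the message so they are not mistaken for policy changes. While this entry is being touched, the context line beginning "Allow tomcat Tomcat to delete" has a duplicated word that could be fixed in the same pass.
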
@ -942,7 +1065,7 @@ Resolves: rhbz#1624289 @@ -942,7 +1065,7 @@ Resolves: rhbz#1624289
- Add boolean: domain_can_mmap_files.
Resolves: rhbz#1460322

* Tue Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
* Sun Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223
- Make working SELinux sandbox with Wayland.
Resolves: rhbz#1624308
- Allow svirt_t domain to mmap svirt_image_t block files
