|
|
@ -20,13 +20,12 @@ |
|
|
|
Summary: SELinux policy configuration |
|
|
|
Summary: SELinux policy configuration |
|
|
|
Name: selinux-policy |
|
|
|
Name: selinux-policy |
|
|
|
Version: 3.13.1 |
|
|
|
Version: 3.13.1 |
|
|
|
Release: 252%{?dist}.1 |
|
|
|
Release: 266%{?dist}.1 |
|
|
|
License: GPLv2+ |
|
|
|
License: GPLv2+ |
|
|
|
Group: System Environment/Base |
|
|
|
Group: System Environment/Base |
|
|
|
Source: serefpolicy-%{version}.tgz |
|
|
|
Source: serefpolicy-%{version}.tgz |
|
|
|
patch0: policy-rhel-7.7-base.patch |
|
|
|
patch0: policy-rhel-7.8-base.patch |
|
|
|
patch1: policy-rhel-7.7-contrib.patch |
|
|
|
patch1: policy-rhel-7.8-contrib.patch |
|
|
|
patch2: policy-rhel-7.7.z-contrib.patch |
|
|
|
|
|
|
|
Source1: modules-targeted-base.conf |
|
|
|
Source1: modules-targeted-base.conf |
|
|
|
Source31: modules-targeted-contrib.conf |
|
|
|
Source31: modules-targeted-contrib.conf |
|
|
|
Source2: booleans-targeted.conf |
|
|
|
Source2: booleans-targeted.conf |
|
|
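Review bot: patch2 (policy-rhel-7.7.z-contrib.patch) is dropped from the header while patch0 and patch1 move to the 7.8 files, and nothing visible here shows that the z-stream content was folded into policy-rhel-7.8-contrib.patch. The changelog still carries the 3.13.1-252.1 entry (sbd_t nsswitch, rhbz#1728593), so please confirm that whatever the 7.7.z patch delivered is present in the 7.8 contrib patch, and say so in the commit message. Otherwise a z-stream fix can regress silently on the update to 266.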
@ -341,7 +340,6 @@ Based off of reference policy: Checked out revision 2.20091117 |
|
|
|
%prep |
|
|
|
%prep |
|
|
|
%setup -n serefpolicy-contrib-%{version} -q -b 29 |
|
|
|
%setup -n serefpolicy-contrib-%{version} -q -b 29 |
|
|
|
%patch1 -p1 |
|
|
|
%patch1 -p1 |
|
|
|
%patch2 -p1 |
|
|
|
|
|
|
|
contrib_path=`pwd` |
|
|
|
contrib_path=`pwd` |
|
|
|
%setup -n serefpolicy-%{version} -q |
|
|
|
%setup -n serefpolicy-%{version} -q |
|
|
|
%patch0 -p1 |
|
|
|
%patch0 -p1 |
|
|
@ -655,6 +653,131 @@ fi |
|
|
|
%endif |
|
|
|
%endif |
|
|
|
|
|
|
|
|
|
|
|
%changelog |
|
|
|
%changelog |
|
|
|
|
|
|
|
* Fri May 15 2020 Zdenek Pytela <zpytela@redhat.com> - 3.13.1-266.1 |
|
|
|
|
|
|
|
- Allow nagios_plugin_domain execute programs in bin directories |
|
|
|
|
|
|
|
Resolves: rhbz#1832219 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Wed Nov 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-266 |
|
|
|
|
|
|
|
- Dontaudit tmpreaper_t getting attributes from sysctl_type files |
|
|
|
|
|
|
|
Resolves: rhbz#1765063 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Thu Oct 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-265 |
|
|
|
|
|
|
|
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t |
|
|
|
|
|
|
|
Resolves: rhbz#1765063 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-264 |
|
|
|
|
|
|
|
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command |
|
|
|
|
|
|
|
Resolves: rhbz#1765063 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Wed Oct 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-263 |
|
|
|
|
|
|
|
- Update tmpreaper_t policy due to fuser command |
|
|
|
|
|
|
|
Resolves: rhbz#1765063 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-262 |
|
|
|
|
|
|
|
- Allow tmpreaper_t domain to read all domains state |
|
|
|
|
|
|
|
Resolves: rhbz#1765063 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Mon Oct 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261 |
|
|
|
|
|
|
|
- Update sudo_role_template() to allow caller domain to read syslog pid files |
|
|
|
|
|
|
|
Resolves: rhbz#1651253 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Fri Oct 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260 |
|
|
|
|
|
|
|
- Allow sbd_t domain to check presence of processes labeled as cluster_t |
|
|
|
|
|
|
|
Resolves: rhbz#1753623 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Wed Sep 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-259 |
|
|
|
|
|
|
|
- Allow ganesha_t domain to read system network state and connect to cyphesis_port_t |
|
|
|
|
|
|
|
Resolves: rhbz#1653857 |
|
|
|
|
|
|
|
- Label /var/log/collectd.log as collectd_log_t |
|
|
|
|
|
|
|
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions |
|
|
|
|
|
|
|
Resolves: rhbz#1688729 |
|
|
|
|
|
|
|
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label |
|
|
|
|
|
|
|
Resolves: rhbz#1658319 |
|
|
|
|
|
|
|
- Update sbd policy to allow manage cgroups |
|
|
|
|
|
|
|
Resolves: rhbz#1715136 |
|
|
|
|
|
|
|
- Allow sudo userdomain to run rpm related commands |
|
|
|
|
|
|
|
- Update rpm_run() interface to avoid duplicate role transition in sudo_role_template |
|
|
|
|
|
|
|
Resolves: rhbz#1651253 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Fri Aug 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-258 |
|
|
|
|
|
|
|
- Update gnome_role_template() interface to make working sysadm_u SELinux able to login to X sessions |
|
|
|
|
|
|
|
Resolves: rhbz#1688729 |
|
|
|
|
|
|
|
- Update collectd policy to allow daemon create /var/log/collectd with collectd_log_t label |
|
|
|
|
|
|
|
Resolves: rhbz#1658319 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Wed Aug 14 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-257 |
|
|
|
|
|
|
|
- Update sbd policy to allow manage cgroups |
|
|
|
|
|
|
|
Resolves: rhbz#1715136 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Tue Aug 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-256 |
|
|
|
|
|
|
|
- Allow cupsd_t domain to manage cupsd_tmp_t temp link files |
|
|
|
|
|
|
|
Resolves: rhbz#1719754 |
|
|
|
|
|
|
|
- Allow svnserve_t domain to read /dev/random |
|
|
|
|
|
|
|
Resolves: rhbz#1727458 |
|
|
|
|
|
|
|
- Update sudodomains to make working confined users run sudo/su |
|
|
|
|
|
|
|
Resolves: rhbz#1699391 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Tue Aug 06 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-255 |
|
|
|
|
|
|
|
- Allow virtlockd process read virtlockd.conf file |
|
|
|
|
|
|
|
Resolves: rhbz#1714896 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-254 |
|
|
|
|
|
|
|
- Rebuild selinux-policy build because of broken RHEL-7.8 buildrood |
|
|
|
|
|
|
|
during build of selinux-policy-3.13.1-253 |
|
|
|
|
|
|
|
Resolves: rhbz#1727341 |
|
|
|
|
|
|
|
* Mon Jul 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-253 |
|
|
|
|
|
|
|
- Label user cron spool file with user_cron_spool_t |
|
|
|
|
|
|
|
Resolves: rhbz#1727341 |
|
|
|
|
|
|
|
- Allow svnserve_t domain to read system state |
|
|
|
|
|
|
|
Resolves: rhbz#1727458 |
|
|
|
|
|
|
|
- Update svnserve_t policy to make working svnserve hooks |
|
|
|
|
|
|
|
Resolves: rhbz#1727458 |
|
|
|
|
|
|
|
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession |
|
|
|
|
|
|
|
Resolves: rhbz#1727379 |
|
|
|
|
|
|
|
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus |
|
|
|
|
|
|
|
Resolves: rhbz#1727379 |
|
|
|
|
|
|
|
- Allow userdomain gkeyringd domain to create stream socket with userdomain |
|
|
|
|
|
|
|
Resolves: rhbz#1727379 |
|
|
|
|
|
|
|
- Allow cupsd_t to create lnk_files in /tmp. BZ(1401634) |
|
|
|
|
|
|
|
Resolves: rhbz#1719754 |
|
|
|
|
|
|
|
- Allow mysqld_t domain to manage cluster pid files |
|
|
|
|
|
|
|
Resolves: rhbz#1715805 |
|
|
|
|
|
|
|
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t. |
|
|
|
|
|
|
|
Resolves: rhbz#1714896 |
|
|
|
|
|
|
|
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain |
|
|
|
|
|
|
|
Resolves: rhbz#1705599 |
|
|
|
|
|
|
|
- Allow rhsmcertd_t domain to send signull to all domains |
|
|
|
|
|
|
|
Resolves: rhbz#1701338 |
|
|
|
|
|
|
|
- Allow cloud_init_t domain to ccreate iptables files with correct SELinux label |
|
|
|
|
|
|
|
Resolves: rhbz#1699249 |
|
|
|
|
|
|
|
- Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files |
|
|
|
|
|
|
|
- Allow certmonger to geattr of filesystems BZ(1578755) |
|
|
|
|
|
|
|
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports Resolves: rhbz#1687497 |
|
|
|
|
|
|
|
- Allow lograte_t domain to manage collect_rw_content files and dirs |
|
|
|
|
|
|
|
Resolves: rhbz#1658319 |
|
|
|
|
|
|
|
- Add interface collectd_manage_rw_content() |
|
|
|
|
|
|
|
- Allow glusterd_t domain to setpgid |
|
|
|
|
|
|
|
Resolves: rhbz#1653857 |
|
|
|
|
|
|
|
- Allow sysadm_sudo_t to use SELinux tooling. |
|
|
|
|
|
|
|
Resolves: rhbz#1727341 |
|
|
|
|
|
|
|
- Allow sysadm_t domain to create netlink selinux sockets |
|
|
|
|
|
|
|
Resolves: rhbz#1727379 |
|
|
|
|
|
|
|
- Allow systemd_resolved_t to dbusd chat with NetworkManager_t |
|
|
|
|
|
|
|
Resolves: rhbz#1723877 |
|
|
|
|
|
|
|
- Allow crack_t domain read /et/passwd files |
|
|
|
|
|
|
|
Resolves: rhbz#1721093 |
|
|
|
|
|
|
|
- Allow sysadm_t domain to dbus chat with rtkit daemon |
|
|
|
|
|
|
|
Resolves: rhbz#1720546 |
|
|
|
|
|
|
|
- Allow x_userdomains to nnp domain transition to thumb_t domain |
|
|
|
|
|
|
|
Resolves: rhbz#1712603 |
|
|
|
|
|
|
|
- Dontaudit writing to user home dirs by gnome-keyring-daemon |
|
|
|
|
|
|
|
Resolves: rhbz#1703959 |
|
|
|
|
|
|
|
- Update logging_send_audit_msgs(sudodomain() to control TTY auditing for netlink socket for audit service |
|
|
|
|
|
|
|
Resolves: rhbz#1699391 |
|
|
|
|
|
|
|
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files |
|
|
|
|
|
|
|
Resolves: rhbz#1699063 |
|
|
|
|
|
|
|
- Add interface kernel_relabelfrom_usermodehelper() |
|
|
|
|
|
|
|
|
|
|
|
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-252.1 |
|
|
|
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-252.1 |
|
|
|
- Allow sbd_t domain to use nsswitch |
|
|
|
- Allow sbd_t domain to use nsswitch |
|
|
|
Resolves: rhbz#1728593 |
|
|
|
Resolves: rhbz#1728593 |
|
|
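Review bot: the added changelog block repeats items across builds and leaves some entries without a traceable bug reference. The 3.13.1-259 entry lists the gnome_role_template() (rhbz#1688729), collectd (rhbz#1658319) and sbd cgroups (rhbz#1715136) items that also appear under -258 and -257; each should sit only under the build that shipped it. In the -253 block, "Allow dnsmasq_t domain to manage NetworkManager_var_lib_t files" and "Add interface kernel_relabelfrom_usermodehelper()" have no Resolves line of their own, "Allow certmonger to geattr of filesystems" uses BZ(1578755) instead of a Resolves line, and the tomcat_can_network_connect_db entry has its Resolves fused onto the same line. Typos to fix while here: "buildrood", "ccreate", "geattr", "/et/passwd", "lograte_t", and the unbalanced "logging_send_audit_msgs(sudodomain()". Several entries describe wide grants (rhsmcertd_t sending signull to all domains, tmpreaper_t reading all domains state, nagios_plugin_domain executing programs in bin directories); the rules themselves live in the patch files, so review of those should check that each grant is scoped to what its bug needs.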
@ -931,7 +1054,7 @@ Resolves: rhbz#1627114 |
|
|
|
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t |
|
|
|
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t |
|
|
|
Resolves: rhbz#1567753 |
|
|
|
Resolves: rhbz#1567753 |
|
|
|
|
|
|
|
|
|
|
|
* Tue Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224 |
|
|
|
* Fri Sep 07 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-224 |
|
|
|
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. |
|
|
|
- Allow tomcat Tomcat to delete a temporary file used when compiling class files for JSPs. |
|
|
|
Resolves: rhbz#1625678 |
|
|
|
Resolves: rhbz#1625678 |
|
|
|
- Allow chronyd_t domain to read virt_var_lib_t files |
|
|
|
- Allow chronyd_t domain to read virt_var_lib_t files |
|
|
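Review bot: the context entry under 3.13.1-224 still reads "Allow tomcat Tomcat to delete a temporary file ..."; since this hunk already edits the -224 header to correct the weekday (Sep 07 2018 is a Friday), the doubled word could be fixed in the same change.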
@ -942,7 +1065,7 @@ Resolves: rhbz#1624289 |
|
|
|
- Add boolean: domain_can_mmap_files. |
|
|
|
- Add boolean: domain_can_mmap_files. |
|
|
|
Resolves: rhbz#1460322 |
|
|
|
Resolves: rhbz#1460322 |
|
|
|
|
|
|
|
|
|
|
|
* Tue Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223 |
|
|
|
* Sun Sep 02 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-223 |
|
|
|
- Make working SELinux sandbox with Wayland. |
|
|
|
- Make working SELinux sandbox with Wayland. |
|
|
|
Resolves: rhbz#1624308 |
|
|
|
Resolves: rhbz#1624308 |
|
|
|
- Allow svirt_t domain to mmap svirt_image_t block files |
|
|
|
- Allow svirt_t domain to mmap svirt_image_t block files |
|
|
|
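Review bot: this weekday fix on the -223 header (Sep 02 2018 is a Sunday) is the second one-off date correction in the patch and is unrelated to the 7.8 rebase. Rather than fixing these one at a time, check the rpmbuild output for any remaining "bogus date in %changelog" warnings and fix them all together, ideally in a separate commit so the rebase diff stays focused.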