diff --git a/_servicedata b/_servicedata index a4efbe3..46f8b64 100644 --- a/_servicedata +++ b/_servicedata @@ -1,7 +1,7 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 0624d60d3924bc66ce6247492bd633de77f061e8 + 9593f3469572350fd17a1487788a13206b64d15e https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git diff --git a/selinux-policy-20231012.tar.xz b/selinux-policy-20231012.tar.xz deleted file mode 100644 index 2dffc72..0000000 --- a/selinux-policy-20231012.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dc15116e0dfe06454d2bf8c0ce1aa4f29307baa917c14705e656acffd16e5449 -size 756244 diff --git a/selinux-policy-20231030.tar.xz b/selinux-policy-20231030.tar.xz new file mode 100644 index 0000000..5000971 --- /dev/null +++ b/selinux-policy-20231030.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a5f73724304a7da5368a2b22611e82a2e95cdb6b27ca70a66737dd52a79e6dae +size 765820 diff --git a/selinux-policy.changes b/selinux-policy.changes index 7003691..27aca24 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,171 @@ +------------------------------------------------------------------- +Mon Oct 30 10:28:10 UTC 2023 - cathy.hu@suse.com + +- Update to version 20231030: + * Allow system_mail_t manage exim spool files and dirs + * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t + * Label /run/pcsd.socket with cluster_var_run_t + * ci: Run cockpit tests in PRs + * Add map_read map_write to kernel_prog_run_bpf + * Allow systemd-fstab-generator read all symlinks + * Allow systemd-fstab-generator the dac_override capability + * Allow rpcbind read network sysctls + * Support using systemd containers + * Allow sysadm_t to connect to iscsid using a unix domain stream socket + * Add policy for coreos installer + * Add policy for nvme-stas + * Confine systemd fstab,sysv,rc-local + * Label /etc/aliases.lmdb with etc_aliases_t + * Create policy for afterburn + * Make new virt drivers permissive + * Split virt policy, introduce virt_supplementary module + * Allow apcupsd cgi scripts read /sys + * Allow kernel_t to manage and relabel all files + * Add missing optional_policy() to files_relabel_all_files() + * Allow named and ndc use the io_uring api + * Deprecate common_anon_inode_perms usage + * Improve default file context(None) of /var/lib/authselect/backups + * Allow udev_t to search all directories with a filesystem type + * Implement proper anon_inode support + * Allow targetd write to the syslog pid sock_file + * Add ipa_pki_retrieve_key_exec() interface + * Allow kdumpctl_t to list all directories with a filesystem type + * Allow udev additional permissions + * Allow udev load kernel module + * Allow sysadm_t to mmap modules_object_t files + * Add the unconfined_read_files() and unconfined_list_dirs() interfaces + * Set default file context of HOME_DIR/tmp/.* to <> + * Allow kernel_generic_helper_t to execute mount(1) + * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t + * Allow systemd-localed create Xserver config dirs + * Allow sssd 
read symlinks in /etc/sssd + * Label /dev/gnss[0-9] with gnss_device_t + * Allow systemd-sleep read/write efivarfs variables + * ci: Fix version number of packit generated srpms + * Dontaudit rhsmcertd write memory device + * Allow ssh_agent_type create a sockfile in /run/user/USERID + * Set default file context of /var/lib/authselect/backups to <> + * Allow prosody read network sysctls + * Allow cupsd_t to use bpf capability + * Allow sssd domain transition on passkey_child execution conditionally + * Allow login_userdomain watch lnk_files in /usr + * Allow login_userdomain watch video4linux devices + * Change systemd-network-generator transition to include class file + * Revert "Change file transition for systemd-network-generator" + * Allow nm-dispatcher winbind plugin read/write samba var files + * Allow systemd-networkd write to cgroup files + * Allow kdump create and use its memfd: objects + * Allow fedora-third-party get generic filesystem attributes + * Allow sssd use usb devices conditionally + * Update policy for qatlib + * Allow ssh_agent_type manage generic cache home files + * Change file transition for systemd-network-generator + * Additional support for gnome-initial-setup + * Update gnome-initial-setup policy for geoclue + * Allow openconnect vpn open vhost net device + * Allow cifs.upcall to connect to SSSD also through the /var/run socket + * Grant cifs.upcall more required capabilities + * Allow xenstored map xenfs files + * Update policy for fdo + * Allow keepalived watch var_run dirs + * Allow svirt to rw /dev/udmabuf + * Allow qatlib to modify hardware state information. 
+ * Allow key.dns_resolve connect to avahi over a unix stream socket + * Allow key.dns_resolve create and use unix datagram socket + * Use quay.io as the container image source for CI + * ci: Move srpm/rpm build to packit + * .copr: Avoid subshell and changing directory + * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file + * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t + * Make insights_client_t an unconfined domain + * Allow insights-client manage user temporary files + * Allow insights-client create all rpm logs with a correct label + * Allow insights-client manage generic logs + * Allow cloud_init create dhclient var files and init_t manage net_conf_t + * Allow insights-client read and write cluster tmpfs files + * Allow ipsec read nsfs files + * Make tuned work with mls policy + * Remove nsplugin_role from mozilla.if + * allow mon_procd_t self:cap_userns sys_ptrace + * Allow pdns name_bind and name_connect all ports + * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh + * ci: Move to actions/checkout@v3 version + * .copr: Replace chown call with standard workflow safe.directory setting + * .copr: Enable `set -u` for robustness + * .copr: Simplify root directory variable + * Allow rhsmcertd dbus chat with policykit + * Allow polkitd execute pkla-check-authorization with nnp transition + * Allow user_u and staff_u get attributes of non-security dirs + * Allow unconfined user filetrans chrome_sandbox_home_t + * Allow svnserve execute postdrop with a transition + * Do not make postfix_postdrop_t type an MTA executable file + * Allow samba-dcerpc service manage samba tmp files + * Add use_nfs_home_dirs boolean for mozilla_plugin + * Fix labeling for no-stub-resolv.conf + * Revert "Allow winbind-rpcd use its private tmp files" + * Allow upsmon execute upsmon via a helper script + * Allow openconnect vpn read/write inherited vhost net device + * Allow winbind-rpcd use its private tmp files + * Update samba-dcerpc 
policy for printing + * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty + * Allow nscd watch system db dirs + * Allow qatlib to read sssd public files + * Allow fedora-third-party read /sys and proc + * Allow systemd-gpt-generator mount a tmpfs filesystem + * Allow journald write to cgroup files + * Allow rpc.mountd read network sysctls + * Allow blueman read the contents of the sysfs filesystem + * Allow logrotate_t to map generic files in /etc + * Boolean: Allow virt_qemu_ga create ssh directory + * Allow systemd-network-generator send system log messages + * Dontaudit the execute permission on sock_file globally + * Allow fsadm_t the file mounton permission + * Allow named and ndc the io_uring sqpoll permission + * Allow sssd io_uring sqpoll permission + * Fix location for /run/nsd + * Allow qemu-ga get fixed disk devices attributes + * Update bitlbee policy + * Label /usr/sbin/sos with sosreport_exec_t + * Update policy for the sblim-sfcb service + * Add the files_getattr_non_auth_dirs() interface + * Fix the CI to work with DNF5 + * Make systemd_tmpfiles_t MLS trusted for lowering the level of files + * Revert "Allow insights client map cache_home_t" + * Allow nfsidmapd connect to systemd-machined over a unix socket + * Allow snapperd connect to kernel over a unix domain stream socket + * Allow virt_qemu_ga_t create .ssh dir with correct label + * Allow targetd read network sysctls + * Set the abrt_handle_event boolean to on + * Permit kernel_t to change the user identity in object contexts + * Allow insights client map cache_home_t + * Label /usr/sbin/mariadbd with mysqld_exec_t + * Allow httpd tcp connect to redis port conditionally + * Label only /usr/sbin/ripd and ripngd with zebra_exec_t + * Dontaudit aide the execmem permission + * Remove permissive from fdo + * Allow sa-update manage spamc home files + * Allow sa-update connect to systemlog services + * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t + * Allow 
nsd_crond_t write nsd_var_run_t & connectto nsd_t + * Allow bootupd search EFI directory + * Change init_audit_control default value to true + * Allow nfsidmapd connect to systemd-userdbd with a unix socket + * Add the qatlib module + * Add the fdo module + * Add the bootupd module + * Set default ports for keylime policy + * Create policy for qatlib + * Add policy for FIDO Device Onboard + * Add policy for bootupd + * Add support for kafs-dns requested by keyutils + * Allow insights-client execmem + * Add support for chronyd-restricted + * Add init_explicit_domain() interface + * Allow fsadm_t to get attributes of cgroup filesystems + * Add list_dir_perms to kerberos_read_keytab + * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t + * Allow sendmail manage its runtime files + ------------------------------------------------------------------- Thu Oct 12 07:59:22 UTC 2023 - cathy.hu@suse.com diff --git a/selinux-policy.spec b/selinux-policy.spec index bd83261..684dcfa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20231012 +Version: 20231030 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc
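Review bot: in the _servicedata hunk only the selinux-policy.git revision moves (0624d60d39... to 9593f34695...) while the container-selinux.git pin 07b3034f6d... is unchanged; that is fine if intended, but since this revision is what makes the LFS tarball reproducible, the changelog or commit message should state that 9593f3469572350fd17a1487788a13206b64d15e is the exact upstream commit from which selinux-policy-20231030.tar.xz was generated, so a reviewer can regenerate the archive and compare it against the pointer added in the same patch.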
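Review bot: the new archive arrives only as a git-lfs pointer (oid sha256:a5f73724..., size 765820), so nothing in this diff lets a reviewer check the content itself; before merging, confirm that the object behind that oid matches a tarball regenerated from the _servicedata revision, and that the 9576-byte growth over the deleted 20231012 archive (756244 to 765820) is accounted for by the new modules the changelog lists (qatlib, fdo, bootupd, afterburn, nvme-stas, coreos installer, virt_supplementary).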
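Review bot: several entries in the selinux-policy.changes hunk widen the policy's trust boundary and deserve an explicit callout rather than being buried in a 168-line import list: "Make insights_client_t an unconfined domain" together with "Allow insights-client execmem", "Allow kernel_t to manage and relabel all files", "Permit kernel_t to change the user identity in object contexts", "Make new virt drivers permissive", "Allow pdns name_bind and name_connect all ports", "Allow udev load kernel module", and the default flips "Change init_audit_control default value to true" and "Set the abrt_handle_event boolean to on"; a sentence on whether each applies to the SUSE build would help anyone auditing the upgrade. Two entries end in a bare "<>" ("Set default file context of HOME_DIR/tmp/.* to <>" and "Set default file context of /var/lib/authselect/backups to <>"), which looks like a lost token (the SELinux no-context value is spelled <<none>> in file_contexts); restore it, otherwise the entries are unreadable. Three change/revert pairs are listed side by side ("Allow winbind-rpcd use its private tmp files" and its revert, "Change file transition for systemd-network-generator" and its revert, "Allow insights client map cache_home_t" and its revert); consider collapsing each pair to its net result so readers do not assume the reverted behaviour is in the release. The "ci:" and ".copr:" entries describe upstream CI housekeeping that does not change the shipped policy and can be dropped from the package changelog.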
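Review bot: the selinux-policy.spec hunk is internally consistent (Version 20231012 to 20231030 matches the renamed Source0 %{name}-%{version}.tar.xz and the new changelog header, and Release stays 0 for OBS to fill in), but it touches nothing else even though the changelog adds new policy modules (qatlib, fdo, bootupd, afterburn, nvme-stas, coreos installer, virt_supplementary) and removes permissive from fdo; if the spec or its build scripts enumerate modules or keep a permissive-domain list, confirm those lists are updated in a separate change or that the new modules are picked up automatically.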