Skip to content

Commit

Permalink
Update Changelog and VERSION for release 2.20231002.
Browse files Browse the repository at this point in the history 
Signed-off-by: Chris PeBenito <[email protected]>
  • Loading branch information
@pebenito
pebenito committed Oct 2, 2023
1 parent 7022e51 commit c6e84e7
Show file tree
Hide file tree
Showing 2 changed files with 340 additions and 1 deletion.
339 changes: 339 additions & 0 deletions Changelog
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,342 @@
* Mon Oct 02 2023 Chris PeBenito <[email protected]> - 2.20231002
Chris PeBenito (122):
tests.yml: Pin ubuntu 20.04.
tests.yml: Pin ubuntu 20.04.
fstools: Move lines.
munin: Move munin_rw_tcp_sockets() implementation.
munin: Whitespace change.
systemd: Tmpfilesd can correct seusers on files.
iscsi: Read initiatorname.iscsi.
lvm: Add fc entry for /etc/multipath/*
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
Define user_namespace object class.
chromium: Allow user namespace creation.
mozilla: Allow user namespace creation.
systemd: Allow user namespace creation.
container: Allow user namespace creation for all container engines.
Update eg25manager.te
switcheroo: Whitespace fix.
unconfined: Keys are linkable by systemd.
postgresql: Move lines
Add append to rw and manage lnk_file permission sets for consistency.

Christian Schneider (1):
systemd-generator: systemd_generator_t load kernel modules used for e.g.
zram-generator

Corentin LABBE (20):
udev: permit to read hwdb
fstools: handle gentoo place for drivedb.h
mount: dbus interface must be optional
mcelog: add missing file context for triggers
munin: add file context for common functions file
rsyslog: add label for /var/empty/dev/log
munin: disk-plugin: transition to fsadm
munin: add fc for munin-node plugin state
usermanage: permit groupadd to read kernel sysctl
portage: Remove old binary location
portage: add go/hg source control files
portage: add new location for portage commands
portage: add missing go/hg context in new distfiles location
mandb: permit to read inherited cron files
selinuxutil: do not audit load_policy trying to use portage ptys
selinuxutil: permit run_init to read kernel sysctl
portage: add misc mising rules
smartmon: allow smartd to read fsadm_db_t files
smartmon: add domain for update-smart-drivedb
dovecot: add missing permissions

Dave Sugar (21):
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
Allow local login to read /run/motd
Label pwhistory_helper
If domain can read system_dbusd_var_lib_t files, also allow symlinks
systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
Allow iceauth write to xsession log
Allow system_dbusd_t to start/stop all units
Updates for utempter
Allow display manager to read hwdata
Allow search xdm_var_run_t directories along with reading files.
Solve issue with no keyboard/mouse on X login screen
separate label for /etc/security/opasswd
Fix some ssh agent denials
For systemd-hostnamed service to run
Allow rsyslog to drop capabilities
/var/lib/sddm should be xdm_var_lib_t
resolve lvm_t issues at shutdown with LUKS encrypted devices
Allow all users to (optionally) send syslog messages
Resolve some denials with colord
separate domain for journalctl during init

David Sommerseth (1):
openvpn: Allow netlink genl

Florian Schmidt (1):
Add label and interfaces for kernel PSI files

George Zenner (1):
Signed-off-by: George Zenner <[email protected]>

Grzegorz Filo (3):
Shell functions used during boot by initrc_t shall be bin_t and defined in
corecommands.fc
Dir transition goes with dir create perms.
Keep context of blkid file/dir when created by zpool.

Guido Trentalancia (47):
The pulseaudio daemon and client do not normally need to use the network
for most computer systems that need to play and record audio.
The kernel domain should be able to mounton runtime directories during
switch_root, otherwise parts of the boot process might fail on some
systems (for example, the udev daemon).
The kernel domain should be able to mounton default directories during
switch_root.
The pulseaudio module should be able to read alsa library directories.
Fix the pulseaudio module file transition for named sockets in tmp
directories.
Fix the dbus module so that automatic file type transitions are used not
only for files and directories, but also for named sockets.
Fix the dbus module so that temporary session named sockets can be read
and written in the role template and by system and session bus clients.
Update the dbus role template so that permissions to get the attributes of
the proc filesystem are included.
Let pulseaudio search debugfs directories, as currently done with other
modules.
Separate the tunable permissions to write xserver tmpfs files from the
tunable permissions to write X server shared memory.
Fix a security bug in the xserver module (interfaces) which was wrongly
allowing an interface to bypass existing tunable policy logic related
to X shared memory and xserver tmpfs files write permissions.
Add missing permissions to execute binary files for the evolution_alarm_t
domain.
Add the permissions to manage the fonts cache (fontconfig) to the window
manager role template.
Add permissions to watch libraries directories to the userdomain login
user template interface.
Update the xscreensaver module in order to work with the latest version
(tested with version 6.06).
Include the X server tmpfs rw permissions in the X shared memory write
access tunable policy under request from Christoper PeBenito.
Revert the following commit (ability to read /usr files), as it is no
longer needed, after the database file got its own label:
Update the kernel module to remove misplaced or at least really obsolete
permissions during kernel module loading.
Introduce a new "logging_syslog_can_network" boolean and make the
net_admin capability as well as all corenetwork permissions previously
granted to the syslog daemon conditional upon such boolean being true.
Let the openoffice domain manage fonts cache (fontconfig).
Update the openoffice module so that it can create Unix stream sockets
with its own label and use them both as a client and a server.
Let mplayer to act as a dbus session bus client (needed by the vlc media
player).
Add permissions to read device sysctls to mplayer.
Remove misplaced permission from mount interface mount_exec.
Remove a vulnerability introduced by a logging interface which allows to
execute log files.
Improved wording for the new xserver tunable policy booleans introduced
with the previous three commits.
Fix another security bug companion of the one fixed in the following
previous commit:
Fix another security bug similar to the ones that have been recently fixed
in the following two commits:
Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.
Dbus creates Unix domain sockets (in addition to listening on and
connecting to them), so its policy module is modified accordingly.
Remove a logging interface from the userdomain module since it has now
been moved to the xscreensaver domain.
Create a new specific file label for the random seed file saved before
shutting down or rebooting the system and rework the interface needed
to manage such file.
Fix the shutdown policy in order to make use of the newly created file
label and interface needed to manage the random seed file.
Update the gpg module so that the application is able to fetch new keys
from the network.
Dbus creates Unix domain sockets not only for the system bus, but also for
the session bus (in addition to connecting to them), so its policy
module is modified accordingly.
Update the gnome module so that the gconf daemon is able to create Unix
domain sockets and accept or listen connections on them.
Fix the recently introduced "logging_syslog_can_network" tunable policy,
by including TCP/IP socket creation permissions.
Introduce a new interface in the mta module to manage the mail transport
agent configuration directories and files.
Add new gpg interfaces for gpg_agent execution and to avoid auditing
search operations on files and directories that are not strictly needed
and might pose a security risk.
Extend the scope of the "spamassassin_can_network" tunable policy boolean
to all network access (except the relative dontaudit rules).
Update the spamassassin module in order to better support the rules
updating script; this achieved by employing two distinct domains for
increased security and network isolation: a first domain is used for
fetching the updated rules from the network and second domain is used
for verifying the GPG signatures of the received rules.
Under request from Christopher PeBenito, merge the two spamassassin rules
updating SELinux domains introduced in the previous change in order to
reduce the non-swappable kernel memory used by the policy.
Introduce a new "dbus_can_network" boolean which controls whether or not
the dbus daemon can act as a server over TCP/IP networks and defaults
to false, as this is generally insecure, except when using the local
loopback interface.
Introduce two new booleans for the X server and X display manager domains
which control whether or not the respective domains allow the TCP/IP
server networking functionality.
The X display manager uses an authentication mechanism based on an
authorization file which is critical for X security.
Merge branch 'main' into x_fixes_pr2
Let openoffice perform temporary file transitions and manage link files.

Kenton Groombridge (68):
corenet: add portcon for kubernetes
kubernetes: initial policy module
sysadm: allow running kubernetes
crio: new policy module
crio, kubernetes: allow k8s admins to run CRI-O
container: add type for container plugins
various: fixes for kubernetes
kubernetes: add policy for kubectl
various: fixes for kubernetes
container, kernel: add tunable to allow spc to create NFS servers
container: add tunable to allow containers to use huge pages
container, kubernetes: add private type for generic container devices
container: add tunable to use dri devices
container, kubernetes: add rules for device plugins running as spc
various: allow using glusterfs as backing storage for k8s
container, miscfiles: transition to s0 for public content created by
containers
container: add tunable to allow spc to use tun-tap devices
container: correct admin_pattern() usage
systemd: add policy for systemd-pcrphase
hddtemp: add missing rules for interactive usage
netutils: minor fixes for nmap and traceroute
container: add rules required for metallb BGP speakers
filesystem, init: allow systemd to setattr on ramfs dirs
logging: allow domains sending syslog messages to connect to kernel unix
stream sockets
init, sysadm: allow sysadm to manage systemd runtime units
podman: allow podman to stop systemd transient units
userdom: allow admin users to use tcpdiag netlink sockets
container: allow container admins the sysadm capability in user namespaces
postfix: allow postfix master to map data files
sasl: add filecon for /etc/sasl2 keytab
obj_perm_sets: add mmap_manage_file_perms
various: use mmap_manage_file_perms
postfix, sasl: allow postfix smtp daemon to read SASL keytab
various: fixes for libvirtd and systemd-machined
portage: label eix cache as portage_cache_t
container: add missing filetrans and filecon for containerd/docker
container, init, systemd: add policy for quadlet
container: fixes for podman 4.4.0
container: fixes for podman run --log-driver=passthrough
node_exporter: various fixes
redis: add missing rules for runtime filetrans
podman, selinux: move lines, add missing rules for --network=host
netutils: fixes for iftop
kernel, zfs: add filetrans for kernel creating zpool cache file
zfs: allow sending signals to itself
zfs: add runtime filetrans for dirs
init: make init_runtime_t useable for systemd units
various: make /etc/machine-id etc_runtime_t
init, systemd: allow init to create userdb runtime symlinks
init: allow initrc_t to getcap
systemd: allow systemd-userdbd to getcap
logging: allow systemd-journald to list cgroups
fs, udev: allow systemd-udevd various cgroup perms
logging, systemd: allow relabelfrom,relabelto on systemd journal files by
systemd-journald
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
systemd: add rules for systemd-zram-generator
systemd: allow systemd-pcrphase to read generic certs
fs, init: allow systemd-init to set the attributes of efivarfs files
init: allow systemd-init to set the attributes of unallocated terminals
systemd: allow systemd-resolved to bind to UDP port 5353
init: allow initrc_t to create netlink_kobject_uevent_sockets
raid: allow mdadm to read udev runtime files
raid: allow mdadm to create generic links in /dev/md
fstools: allow fsadm to read utab
glusterfs: allow glusterd to bind to all TCP unreserved ports
kubernetes: allow kubelet to read etc runtime files
chromium: allow chromium-naclhelper to create user namespaces
container: rework capabilities

Luca Boccassi (4):
Set label systemd-oomd
Add separate label for cgroup's memory.pressure files
systemd: also allow to mounton memory.pressure
systemd: allow daemons to access memory.pressure

Mathieu Tortuyaux (1):
container: fix cilium denial

Oleksii Miroshko (1):
Fix templates parsing in gentemplates.sh

Pat Riehecky (1):
container: set default context for local-path-provisioner

Renato Caldas (1):
kubernetes: allow kubelet to read /proc/sys/vm files.

Russell Coker (23):
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
eg25-manager (Debian package eg25-manager) is a daemon aimed at
configuring and monitoring the Quectel EG25 modem on a running system.
It is used on the PinePhone (Pro) and performs the following functions:
* power on/off * startup configuration using AT commands * AGPS
data upload * status monitoring (and restart if it becomes
unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
proxy Industrial I/O subsystem is intended to provide support for
devices that in some sense are analog to digital or digital to analog
convertors . Devices that fall into this category are: * ADCs *
Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
(CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
Amplifiers (VGA, PGA)
Fixed dependency on unconfined_t
Comment sysfs better
Daemon to control authentication for Thunderbolt.
Daemon to monitor memory pressure and notify applications and change …
(#670)
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
policy for power profiles daemon, used to change power settings
some misc userdomain fixes
debian motd.d directory (#689)
policy for the Reliability Availability servicability daemon (#690)
policy patches for anti-spam daemons (#698)
Added tmpfs file type for postgresql Small mysql stuff including
anon_inode
small ntp and dns changes (#703)
small network patches (#707)
small storage changes (#706)
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
small systemd patches (#708)
misc small patches for cron policy (#701)
mon.te patches as well as some fstools patches related to it (#697)
misc small email changes (#704)

Yi Zhao (8):
systemd: add capability sys_resource to systemd_userdbd_t
systemd: allow systemd-sysctl to search directories on ramfs
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
mount: allow mount_t to get attributes for all directories
loadkeys: do not audit attempts to get attributes for all directories
systemd: allow systemd-networkd to create file in /run/systemd directory
systemd: allow journalctl to create /var/lib/systemd/catalog
bind: fix for named service

freedom1b2830 (1):
mplayer:vlc paths

* Tue Nov 01 2022 Chris PeBenito <[email protected]> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
Expand Down
2 changes: 1 addition & 1 deletion VERSION
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.20221101
2.20231002

0 comments on commit c6e84e7

Please sign in to comment.