-
Notifications
You must be signed in to change notification settings - Fork 141
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update Changelog and VERSION for release 2.20220520.
Signed-off-by: Chris PeBenito <[email protected]>
- Loading branch information
Showing
2 changed files
with
313 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,315 @@ | ||
| * Fri May 20 2022 Chris PeBenito <[email protected]> - 2.20220520 | ||
| Björn Esser (1): | ||
| authlogin: add fcontext for tcb | ||
|
|
||
| Chris PeBenito (118): | ||
| 0xC0ncord/bugfix/systemd-user-exec-apps-hookup | ||
| systemd, ssh, ntp: Read fips_enabled crypto sysctl. | ||
| systemd: Unit generator fixes. | ||
| systemd: Revise tmpfiles factory to allow writing all configs. | ||
| systemd: User runtime reads user cgroup files. | ||
| logging: Add audit_control for journald. | ||
| udev: Manage EFI variables. | ||
| ntp: Handle symlink to drift directory. | ||
| logging: Allow auditd to stat() dispatcher executables. | ||
| Drop module versioning. | ||
| tests.yml: Disable policy_module() selint checks. | ||
| systemd: Change journal file context to MLS system high. | ||
| Revert "users: remove MCS categories from default users" | ||
| systemd: Add systemd-homed and systemd-userdbd. | ||
| systemd, ssh: Crypto sysctl use. | ||
| systemd: Additional fixes for fs getattrs. | ||
| systemd: Updates for generators and kmod-static-nodes.service. | ||
| domain: Allow lockdown for all domains. | ||
| postfix, spamassassin: Fix missed type renames after alias removals. | ||
| cron, dbus, policykit, postfix: Minor style fixes. | ||
| Make hide_broken_symptoms unconditional. | ||
| puppet: Style fixes. | ||
| matrixd: Cleanups. | ||
| matrixd: SELint fixes. | ||
| mailmain: Fix check_fc_files issue. | ||
| mailmain: Fix SELint issues. | ||
| postfix: Move lines. | ||
| apache: Remove unnecessary require in apache_exec(). | ||
| seusers: Remove sddm. | ||
| Add a vulnerability handling process. | ||
|
|
||
| Christian Goettsche (1): | ||
| check_fc_files: allow optional @ character | ||
|
|
||
| Christian Göttsche (11): | ||
| filesystem: add fs_use_trans for ramfs | ||
| Ignore umask on when installing headers | ||
| Revert "tests.yml: Disable policy_module() selint checks." | ||
| build.conf: bump policy version in comment | ||
| flask: add new kernel security classes | ||
| policy_capabilities: add ioctl_skip_cloexec | ||
| policy.dtd: more strict bool/tunable and infoflow validation | ||
| Makefile: invoke python with -bb | ||
| Rules.monolithic: add target to generate CIL policy | ||
| Makefile: use override for adding options | ||
| Rules.modular: add pure-load target | ||
|
|
||
| Dave Sugar (4): | ||
| Allow iscsid to request kernel module load | ||
| Allow iscsid to check fips_enabled | ||
| sshd: allow to run /usr/bin/fipscheck (to check fips state) | ||
| systemd: resolve error with systemd-sysctl | ||
|
|
||
| Fabrice Fontaine (2): | ||
| policy/modules/services/samba.te: make crack optional | ||
| policy/modules/services/wireguard.te: make iptables optional | ||
|
|
||
| Gao Xiang (1): | ||
| Add erofs as a SELinux capable file system | ||
|
|
||
| Henrik Grindal Bakken (1): | ||
| snmp: Fix typo in /var/net-snmp rule | ||
|
|
||
| Jonathan Davies (12): | ||
| chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access | ||
| net_admin capability, this is required for its `hwtimestamp` option, | ||
| which otherwise returns: | ||
| virt.te: Fixed typo in virtlogd_t virt_common_runtime_t | ||
| manage_files_pattern. | ||
| obfs4proxy: Added policy. | ||
| tor: Added interfaces and types for obfs4proxy support. | ||
| corenetwork.te.in: Added ntske port. | ||
| chronyd.te: Added support for bind/connect/recv/send NTS packets. | ||
| chronyd: Allow access to read certs. | ||
| obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms. | ||
| policy/*: Replaced rw_netlink_socket_perms with | ||
| create_netlink_socket_perms. | ||
| node_exporter: Added initial policy. | ||
| systemd.te: Added boolean for allowing dhcpd server packets. | ||
| systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in | ||
| systemd_stream_connect_userdb(). | ||
|
|
||
| Kenton Groombridge (174): | ||
| userdomain: add user exec domain attribute and interface | ||
| systemd: assign user exec attribute to systemd --user instances | ||
| systemd: add interface to support monitoring and output capturing of child | ||
| processes | ||
| wm: add user exec domain attribute to wm domains | ||
| ssh: add interface to execute and transition to ssh client | ||
| userdomain: add interface to allow mapping all user home content | ||
| git, roles: add policy for git client | ||
| apache, roles: use user exec domain attribute | ||
| screen, roles: use user exec domain attribute | ||
| git, roles: use user exec domain attribute | ||
| postgresql, roles: use user exec domain attribute | ||
| ssh, roles: use user exec domain attribute | ||
| sudo, roles: use user exec domain attribute | ||
| syncthing, roles: use user exec domain attribute | ||
| xscreensaver, roles: use user exec domain attribute | ||
| xserver, roles, various: use user exec domain attribute | ||
| authlogin, roles: use user exec domain attribute | ||
| bluetooth, roles: use user exec domain attribute | ||
| cdrecord, roles: use user exec domain attribute | ||
| chromium, roles: use user exec domain attribute | ||
| cron, roles: use user exec domain attribute | ||
| dirmngr, roles: use user exec domain attribute | ||
| evolution, roles: use user exec domain attribute | ||
| games, roles: use user exec domain attribute | ||
| gnome, roles: use user exec domain attribute | ||
| gpg, roles: use user exec domain attribute | ||
| irc, roles: use user exec domain attribute | ||
| java, roles: use user exec domain attribute | ||
| libmtp, roles: use user exec domain attribute | ||
| lpd, roles: use user exec domain attribute | ||
| mozilla, roles: use user exec domain attribute | ||
| mplayer, roles: use user exec domain attribute | ||
| mta, roles: use user exec domain attribute | ||
| openoffice, roles: use user exec domain attribute | ||
| pulseaudio, roles: use user exec domain attribute | ||
| pyzor, roles: use user exec domain attribute | ||
| razor, roles: use user exec domain attribute | ||
| rssh, roles: use user exec domain attribute | ||
| spamassassin, roles: use user exec domain attribute | ||
| su, roles: use user exec domain attribute | ||
| telepathy, roles: use user exec domain attribute | ||
| thunderbird, roles: use user exec domain attribute | ||
| tvtime, roles: use user exec domain attribute | ||
| uml, roles: use user exec domain attribute | ||
| userhelper, roles: use user exec domain attribute | ||
| vmware, roles: use user exec domain attribute | ||
| wireshark, roles: use user exec domain attribute | ||
| wm, roles: use user exec domain attribute | ||
| hadoop, roles: use user exec domain attribute | ||
| shutdown, roles: use user exec domain attribute | ||
| cryfs, roles: use user exec domain attribute | ||
| wine: use user exec domain attribute | ||
| mono: use user exec domain attribute | ||
| sudo: add tunable to control user exec domain access | ||
| su: add tunable to control user exec domain access | ||
| shutdown: add tunable to control user exec domain access | ||
| mpd, pulseaudio: split domtrans and client access | ||
| mcs: deprecate mcs overrides | ||
| mcs: restrict create, relabelto on mcs files | ||
| fs: add pseudofs attribute and interfaces | ||
| devices: make usbfs pseudofs instead of noxattrfs | ||
| git: fix typo in git hook exec access | ||
| dovecot, spamassassin: allow dovecot to execute spamc | ||
| mta, spamassassin: fixes for rspamd | ||
| certbot, various: allow various services to read certbot certs | ||
| usbguard, sysadm: misc fixes | ||
| ssh: fix for polyinstantiation | ||
| sysadm, systemd: fixes for systemd-networkd | ||
| asterisk: allow reading generic certs | ||
| bind: fixes for unbound | ||
| netutils: fix ping | ||
| policykit, systemd: allow policykit to watch systemd logins and sessions | ||
| spamassassin: fix file contexts for rspamd symlinks | ||
| mcs: add additional constraints to databases | ||
| mcs: constrain misc IPC objects | ||
| mcs: combine single-level object creation constraints | ||
| various: deprecate mcs override interfaces | ||
| corenet: make netlabel_peer_t mcs constrained | ||
| mcs: constrain context contain access | ||
| mcs: only constrain mcs_constrained_type for db accesses | ||
| guest, xguest: remove apache role access | ||
| wine: fix roleattribute statement | ||
| testing: accept '@' as a valid ending character in filecon checker | ||
| users: remove MCS categories from default users | ||
| various: remove various mcs ranged transitions | ||
| kernel: add various supporting interfaces for containers | ||
| kernel, rpc, systemd: deprecate kernel_mounton_proc | ||
| devices, kernel: deprecate dev_mounton_sysfs | ||
| devices: add interfaces to remount sysfs and device filesystems | ||
| init: add interface to run init bpf programs | ||
| systemd: add interface to dbus chat with systemd-machined | ||
| userdom: add interfaces to relabel generic user home content | ||
| init: add interface to setsched on init | ||
| init: allow systemd to renice all other domains | ||
| sysnetwork: add interfaces for /run/netns | ||
| container, virt: move svirt lxc domains to new container module | ||
| container: svirt_lxc_net_t is now container_t | ||
| container: fixup rules | ||
| container: add interface to identify container mountpoints | ||
| various: make various types a mountpoint for containers | ||
| container: add base attributes for containers and container engines | ||
| container: initial support for container engines | ||
| container, gpg, userdom: allow container engines to execute gpg | ||
| container: allow containers to use container ptys | ||
| container, mount: allow mount to getattr on container fs | ||
| various: various userns capability permissions | ||
| container: allow containers the chroot capability | ||
| container: allow containers various userns capabilities | ||
| container: allow containers to watch all container files | ||
| container, podman: initial support for podman | ||
| filesystem: add supporting FUSEFS interfaces | ||
| dbus: add supporting interfaces and rules for rootless podman | ||
| systemd: add private type for systemd user manager units | ||
| container: add role access templates | ||
| container, podman, systemd: initial support for rootless podman | ||
| container: add required admin rules | ||
| sysadm: allow container admin access | ||
| container: call podman access in container access | ||
| staff, unconfined: allow container user access | ||
| container: add policy for privileged containers | ||
| container: allow containers to read read-only container files | ||
| container: add tunable for containers to manage cgroups | ||
| container: add tunables for containers to use nfs and cifs | ||
| container: add tunable to allow engines to mounton non security | ||
| container, iptables: dontaudit iptables rw on /ptmx | ||
| xdg: add interface to search xdg data directories | ||
| container, podman: add policy for conmon | ||
| kernel: add filetrans interface for unlabeled dirs | ||
| container, docker: add initial support for docker | ||
| container: call docker access in container access | ||
| userdomain: add type for user bin files | ||
| systemd: allow systemd user managers to execute user bin files | ||
| systemd: use stream socket perms in systemd_user_app_status | ||
| systemd: add supporting interfaces for user daemons | ||
| rootlesskit: new policy module | ||
| container, docker, rootlesskit: add support for rootless docker | ||
| docker: call rootlesskit access in docker access | ||
| container: drop old commented rules | ||
| lxc_contexts: add ro_file and sandbox_lxc_process contexts | ||
| container: allow containers to getsession | ||
| docker: make rootlesskit optional | ||
| docker: add missing call to init_daemon_domain() | ||
| podman: add explicit range transition for conmon | ||
| init: split access for systemd runtime units | ||
| dbus: fixes for dbus-broker | ||
| dbus, policykit: add tunables for dbus-broker access | ||
| docker, podman: container units now have the runtime unit type | ||
| init: allow systemd to nnp_transition and nosuid_transition to daemon | ||
| domains | ||
| files, init: allow init to remount filesystems mounted on /boot | ||
| sudo: fixes for polyinstantiation | ||
| locallogin: fix for polyinstantiation | ||
| authlogin: dontaudit getcap chkpwd | ||
| systemd: various fixes | ||
| systemd: add support for systemd-resolved stubs | ||
| getty, locallogin: cgroup fixes | ||
| unconfined: fixes for bluetooth dbus chat and systemd | ||
| udev: allow udev to start the systemd system object | ||
| networkmanager: allow getting systemd system status | ||
| container, podman: allow podman to create and write config files | ||
| podman: allow system podman to interact with container transient units | ||
| podman: fix role associations | ||
| container, podman: allow containers to interact with conmon | ||
| podman: add rules for systemd container units | ||
| container, init: allow init to remount container filesystems | ||
| container: allow generic containers to read the vm_overcommit sysctl | ||
| container: add tunables to allow containers to access public content | ||
| container: add missing capabilities | ||
| container: also allow containers to watch public content | ||
| podman: allow podman to watch journal dirs | ||
| sysadm: allow sysadm to watch journal directories | ||
| git: add missing file contexts | ||
| udica-templates: initial commit of udica templates | ||
| makefile: add install target for udica templates | ||
| github: test install of udica templates | ||
|
|
||
| Laurent Bigonville (2): | ||
| docker: On debian dockerd and docker-proxy are in /usr/sbin | ||
| container: On Debian, runc is installed in /usr/sbin | ||
|
|
||
| Pedro (1): | ||
| File context for nginx cache files | ||
|
|
||
| Russell Coker (8): | ||
| remove aliases from 20210203 | ||
| dontaudit net_admin without hide_broken_symptoms | ||
| puppet V3 | ||
| matrixd-synapse policy V3 | ||
| mailman3 V3 | ||
| certbot V3 | ||
| init dbus patch for GetDynamicUsers with systemd_use_nss() V2 | ||
| new sddm V2 | ||
|
|
||
| Vit Mojzis (1): | ||
| Improve error message on duplicate definition of interface | ||
|
|
||
| Yi Zhao (24): | ||
| rpc: remove obsolete comment line | ||
| secadm: allow secadm to read selinux policy | ||
| rpcbind: allow sysadm to run rpcinfo | ||
| samba: allow smbd_t to send and receive messages from avahi over dbus | ||
| rpc: add dac_read_search capability for rpcd_t | ||
| bluetooth: fixes for bluetoothd | ||
| avahi: allow avahi_t to watch /etc/avahi directory | ||
| udev: allow udev_t to watch udev_rules_t dir | ||
| rpc: allow rpc.mountd to list/watch NFS server directory | ||
| usermanage: do not audit attempts to getattr of proc for passwd_t and | ||
| useradd_t | ||
| selinuxutil: allow setfiles_t to read kernel sysctl | ||
| rngd: fixes for rngd | ||
| dbus: allow dbus-daemon to map SELinux status page | ||
| bind: fixes for bind | ||
| passwd: allow passwd to map SELinux status page | ||
| ipsec: fixes for strongswan | ||
| samba: fixes for smbd/nmbd | ||
| ntp: allow ntpd to set rlimit_memlock | ||
| ssh: do not audit attempts by ssh-keygen to read proc | ||
| acpid: allow acpid to watch the directories in /dev | ||
| bluetooth: allow bluetoothd to create alg_socket | ||
| systemd: allow systemd-hostnamed to read udev runtime files | ||
| su: allow su to map SELinux status page | ||
| modutils: allow kmod_t to write keys | ||
|
|
||
| * Wed Sep 08 2021 Chris PeBenito <[email protected]> - 2.20210908 | ||
| Andreas Freimuth (2): | ||
| Prefer user_fonts_config_t over xdg_config_t | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 2.20210908 | ||
| 2.20220520 |