commit: a04001906d684a477ff1d0747bcdfe4270ac6d7f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun 18 18:02:16 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0400190
Update Changelog and VERSION for release 2.20250618. Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> Changelog | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 105 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 0527405ac..5795df588 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,107 @@ +* Wed Jun 18 2025 Chris PeBenito <[email protected]> - 2.20250618 +Antonio Enrico Russo (1): + Remove unneeded backticks from gen_tunable + +Benstone Zhang (1): + filesystem: support bcachefs + +Chris PeBenito (57): + lvm: Add fc entries for veritysetup. + bootloader: Chane efibootmgr from fsadm. + lldpad: Configure FW-LLDP on i40e NICs. + networkmanager: Watch systemd directories for nm-session-monitor. + systemd: Add log env to systemd-machine-id-setup. + validate-policy.yml: Change sechecker output to stdout and use tee to + collect the log. + +Clayton Casciato (15): + chronyd: fix dac_read_search denials + unconfined: fix oddjob security_compute_sid + firewalld: fix lib_t Python cache denial auditing + firewalld: fix firewalld_t firewalld_tmpfs_t exec + files, init: filetrans /run/machine-id etc_runtime_t + locallogin: dontaudit sulogin_t checkpoint_restore + locallogin: allow sulogin_t unconfined domtrans + locallogin: allow sulogin_t user_tty_device_t rw + oddjob: allow oddjob_mkhomedir_t privfd:fd use + oddjob: allow oddjob_mkhomedir_t user_terminals + systemd: allow systemd_generator_t use user ttys + files: add files_delete_var_chr_files interface + unconfined: allow firewalld_t unconfined_t:dbus send_msg + chronyd: allow chronyd_t kernel_t:system module_request + ssh: allow sshd_t kernel_t:system module_request + +Daniel Burgener (1): + Don't build the fc subs dist install path in the builtappfiles target + +Daniel De Graaf (1): + systemd: allow reading /dev/cpu/0/msr + +Dave Sugar (7): + Fix mislabeling of /etc/shadow + Module for ipmitool + Label snmp unit files + NNP transition interface for dmesg + Let modules-load.d call commands from modprobe.d + NNP transition interface for chronyc + fix building when dbus module is not enabled + +Guido Trentalancia (6): + Add the minimum set of additional permissions to the screen module, as + required to run version 5. 
+ Revert db33386c014fce3890b0b3832a605bc5d1762d8c + Improve the style of the screen module by removing a recently added + unneeded interface. + Fix the file context definition for the screen utility executable file + according to the new install rules in place since at least version + 4.5.1. + Since version 5.0.1 the screen utility also requires the + CAP_DAC_READ_SEARCH capability. + Add a comment in the xserver module about the need to read and write + xserver tmpfs files for the Qt library version 5 (boolean). + +Maciej Czarnecki (2): + Allow to specify module version + fixup! Allow to specify module version + +Nicolas PARLANT (4): + Add setcap to knotd / add knotc_initrc_domtrans + use init_use_script_ptys for knotc in initscript + sshd: label sshd-auth as sshd_exec_t #797 + +Pat Riehecky (1): + Permit init_t to start a detached screen session + +Rahul Sandhu (1): + auditd: don't grant write as implied by manage_files_pattern for logs + +Russell Coker (15): + This patch removed the sysadmin capability from cups. This is the one + change needed to dramatically reduce the potential damage from a + compromise of cupsd. 
+ Policy for needrestart to run with minimum privs so it can't be exploited + Policy for the userspace feedback daemon for handsets, for vibration etc + Fix for thunderbolt, laben the run dir, dontaudit the net_admin capability + for the usual reasons, allow writing to sysfs for the force_power file, + and allow reading udev runtime files + New version of the kea PR with the order issues fixed + Made the changes requested + File contexts for new files for xdm/xserver + apt and aptcacher changes + Updates for recent versions of ntpd interacting with systemd + Some small phone related patches + fwupd-fixed-more (#928) + changed the order as requested + changed the netlink_route_socket operations to { create_socket_perms + nlmsg_write } as requested + networking (#937) + device (#939) + +Yi Zhao (2): + systemd: allow system --user to get attributes of nsfs inodes + systemd: allow systemd-hostnamed and systemd-rfkill to get attributes of + nsfs inodes + * Thu Feb 13 2025 Chris PeBenito <[email protected]> - 2.20250213 Björn Esser (1): authlogin: fix regex for /etc/tcb diff --git a/VERSION b/VERSION index 22fcf3aad..e64e7b05d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20250213 +2.20250618
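Review bot: Several entries in the new Changelog block do not describe the change they record, which defeats the purpose of a release changelog for a security policy: "fixup! Allow to specify module version" (Maciej Czarnecki), "Made the changes requested", "changed the order as requested", "networking (#937)" and "device (#939)" (Russell Coker), and "Revert db33386c014fce3890b0b3832a605bc5d1762d8c" (Guido Trentalancia) tell a reader nothing about which policy rules were added or removed; the "fixup!" line also shows a commit that should have been squashed before merge. Since this block is only a shortlog dump and not a git-history reference, suggest rewording those lines to state the actual change (for the revert, name what was reverted), and while editing, fix the two typos carried over from commit subjects: "bootloader: Chane efibootmgr from fsadm." should read "Change", and "laben the run dir" in the thunderbolt entry should read "label".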
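Review bot: The VERSION bump from 2.20250213 to 2.20250618 is consistent with the new Changelog heading ("- 2.20250618", dated Wed Jun 18 2025) and with the commit subject; no issue with this hunk.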
