commit: 22a4f2e181af93fca04ea7d31fcf4488a3c54d9a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 23 14:05:33 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:13:57 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22a4f2e1

Update Changelog and VERSION for release 2.20250923.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Changelog | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 165 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 5795df588..6aecf66ce 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,167 @@ +* Tue Sep 23 2025 Chris PeBenito <[email protected]> - 2.20250923 +Antonio Enrico Russo (4): + Remove redundancies + ssh: allow ProxyJump + ssh: allow connection to any port + gpg: follow links when connecting to agent + +Chris PeBenito (56): + unconfined: Promote anon_inode access to full access. + cloudinit: Add container engine admin access. + container: Add full watch permissions for container files. + systemd: Add syslog access to systemd-notify. + check_fc_files.py: Add additional optional pattern reduction. + filesystem: Drop reiserfs genfscon. + fstools: Remove noted reiserfs rules and file contexts. + cloudinit: Add sys_admin to set security.sehash. + sysnetwork: Silence sys_admin denials. + filesystem: Add labeling for pidfs. + filesystem: Fix pidfs typo. Change to task SID. + +Christian Göttsche (2): + build: drop obsolete setfiles option + policy_capabilities: add netif_wildcard and genfs_seclabel_wildcard + +Clayton Casciato (3): + ssh: allow sshd_t userdomain:key search + dbus: allow system_dbusd_t unconfined_t:fd use + systemd: allow systemd_logind_t unconfined_t:fd use + +Daniel Burgener (1): + Include read permission in rw_dirs_pattern + +Dave Sugar (1): + fix: when using timedatectl to set system time + +Dāvis (1): + Support Postfix aliases.lmdb + +Guido Trentalancia (4): + Add the new firmware_load permission. + Let the kernel load firmware files during boot. + Do not audit kernel attempts to load firmware files with the kernel_t + label. + Add the remaining permissions recently added in the kernel for the system + class. 
+ +Kenton Groombridge (36): + container: allow containers to getpgid + container: allow spc to read netns files + container, kubernetes: various fixes for hugetlbfs usage + container, kubernetes: various fixes + kanidm: initial policy + authlogin: add tunable for nsswitch domains to connect to kanidm-unixd + systemd: allow systemd-user-runtime-dir to connect to kanidm-unixd + init: add tunable to allow mounton selinux config + systemd: allow systemd-user-runtime-dir to list systemd-userdbd runtime + dirs + init: allow init to write inherited logind sessions + sudo: allow locking user terminals + sysadm, systemd: allow sysadmins to connect to systemd-networkd over unix + stream sockets + container, kernel: add tunable to allow NFS to relabel container files + container: add tunable for spc to manage NFS mounts + zfs: various fixes + postgresql: various fixes + iptables, podman, init: various container fixes + container: allow spc to list unlabeled + systemd: allow logind to read the state of user sessions + container: rules for node exporter + kubernetes: fixes for kubelet + container: dontaudit request load module + container: allow kvm containers to read network state + kubernetes: fixes for kubeadm + container: add tunable to execmod ro files + postfix: allow smtpd to lock keytab files + sysadm: allow inheriting fds from systemd + container: add filecons for kubevirt + matrixd: allow sending signals to itself + sysadm: allow BPF debugging for container-related system domains + container: promote some process perms to all containers + container: demote execmem, execstack access + container: allow spc to use sys_admin in userns + various: make dbus optional + container: mirror capabilities to userns perms + systemd: allow users to run systemd-cgtop + +Marc Schiffbauer (14): + modules: add new incus service module + iptables: let nft dev_read_urand + iptables: allow incus_stream_connect_daemon + container: add incus/lxc specific file contexts + container: add new 
container_init_t local policy + qemu: add qemu_incus_managed tunable + sysadm: allow incus_stream_connect_daemon + dnsmasq: allow to be run by incus + dnsmasq: make dnsmasq work with systemd-resolved + zfs: allow connect to incus daemon + modules: only whitespace fixes spotted while editing modules + kernel: use mmap_read_files_pattern instead of read_files_pattern+allow + kernel: fix for two minor typos + incus: rm explicit fcontext for /usr/libexec/incus(/.*)? + +Michael Snook (1): + rpm: allow cap_sys_admin for writing security xattrs + +Nicolas PARLANT (1): + files context : fix multipath merged-usr + +Rahul Sandhu (6): + portage: gatekeep portage_fetch_t accessing all ports behind a tunable + seatd: new policy module + shutdown_t: fix exec of /sbin/shutdown by /sbin/halt + files: add a default file context spec for /proc + portage: domtrans udevadm out into udevadm_t + portage: allow executing systemctl for systemd.eclass + +Russell Coker (38): + bootloader (#933) + storage (#942) + container (#938) + newsystemd2 (#930) + Patches for systemd_nspawn_t + opensnitch daemon (#929) + mail (#936) + servers (#940) + systemd-binfmt-coredump-generator (#946) + some dpkg changes + udev (#941) + systemd-logind-nspawn-backlight (#945) + systemd-machined-modules-passwd (#948) + login (#943) + user-bubblewrap (#952) + systemd-rfkill-sessions-sysctl-sysusers-tmpfiles-userruntime (#950) + systemd-hostnamed-locale-logind (#947) + remove dupes (#963) + This patch removes commented out interfaces and a commented out template. + chromium (#965) + Allow plymouth to read kernel messages and sysctls rw input devices, and + signal init as well as some other small things. 
+ mon misc (#976) + Fail2ban changes: + apt (#987) + acpi (#979) + selinuxutil (#988) + Some small fixes for the fingerprint daemon + dbus (#980) + xserver (#981) + services (#986) + systemd (#995) + misc-kernel-system (#1003) + strict2 (#1002) + miscnetwork (#1004) + justthefcerror (#1005) + strict (#999) + Some small patches for accountsd + usbguard (#1023) + +Tobias Wiese (1): + support/Makefile: don't remake *.fc and *.if files + +Yi Zhao (2): + udev: allow udev_t to watch udev_runtime_t directory + logging: update rules for audit + * Wed Jun 18 2025 Chris PeBenito <[email protected]> - 2.20250618 Antonio Enrico Russo (1): Remove unneeded backticks from gen_tunable diff --git a/VERSION b/VERSION index e64e7b05d..fd4749969 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20250618 +2.20250923
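Review bot: several of the Russell Coker entries in the Changelog hunk are bare module names with a PR number ("bootloader (#933)", "strict2 (#1002)", "justthefcerror (#1005)") and "Fail2ban changes:" ends in a colon as if its description was cut off, so a reader of the Changelog cannot tell what policy actually changed; please expand these to one-line summaries in the form the other entries use, e.g. "udev: allow udev_t to watch udev_runtime_t directory". Along the same line, the entries that add tunables ("authlogin: add tunable for nsswitch domains to connect to kanidm-unixd", "container: add tunable to execmod ro files", "qemu: add qemu_incus_managed tunable") are the ones administrators must act on after upgrading, and only one of them names the tunable; naming each new tunable and each new module (kanidm, incus and seatd appear as new modules in this entry) in the text would make the release notes actionable. Finally, "filesystem: Add labeling for pidfs." and "filesystem: Fix pidfs typo. Change to task SID." are a change and its fix-up within the same release; collapsing them into a single entry would avoid advertising a bug that never shipped.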
