commit: da5d83301f05b2410493a56eab1ad8f1753657eb Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Sun Jan 14 19:08:09 2018 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Thu Jan 18 16:31:46 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da5d8330
Update Changelog and VERSION for release. Changelog | 210 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 211 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index ed68767c..b0310fbb 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,213 @@ +* Sun Jan 14 2018 Chris PeBenito <[email protected]> - 2.20180114 +Adam Duskett (1): + fix regex escape sequence error. + +Anthony PERARD (1): + Update for Xen 4.7 + +Chad Hanson (1): + Fix implementation of MLS file relabel attributes + +Chris PeBenito (74): + Module version bump for patches from Guido Trentalancia and Anthony + PERARD. + Rules.modular: Fix file context verification. + Remove deprecated interfaces older than one year old. + .travis.yml: Use git tag instead of release tarball for selinux userspace. + kernel: Module version bump for patch from Nicolas Iooss. + Remove complement and wildcard in allow rules. + logging: Move line. + Module version bump for patches from Nicolas Iooss. + Module version bump for fixes from Nicolas Iooss. + Update contrib. + dbus: move comments out of the file context definitions + Update contrib. + systemd, udev: Module version bump. + systemd: Whitespace fix. + Module version bump for patches from Nicolas Iooss. + init: Move fc lines. + init: Module version bump for patch from Dave Sugar. + files: Move files_check_write_pid_dirs interface. + terminal: Rename term_create_devpts. + Several module version bumps. + init: Move init_spec_daemon_domain implementation. + Module version bumps. + init: Rename init_rlimit_inherit to init_inherit_rlimit. + init: Whitespace fix. + Module version bumps. + spamassassin: Fix build error. + init: Fix XML error. + spamassassin: Add missing requirement in spamassassin_admin(). + sysadm,fstools: Module version bump. + authlogin, logging, udev: Module version bump. + init: Remove sm-notify.pid fc entry which collides with the rpc module. + corecommands, xserver, systemd, userdomain: Version bumps. + Update contrib. + Update contrib. + corecommands: Module version bump. + init: Module version bump. + Merge pull request #125 from lalozano/master + devices: Module version bump. + Module version bumps. + Merge branch 'master' of git://github.com/davidgraz/refpolicy + ipsec: Module version bump. + Merge branch 'master' of git://github.com/aduskett/refpolicy + init: Clean up line placement in init_systemd blocks. + files: Whitespace fix. + Merge branch 'systemd-networkd' + files, init, sysnetwork, systemd: Module version bumps. + Merge pull request #128 from williamcroberts/fc-sort-fixups + Update contrib. + files, netutils: Module version bump. + miscfiles: Module version bump. + Update contrib. + files, userdomain: Module version bump. + kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: + Module version bumps. + Several module version bumps. + Module version bumps. + dmesg, locallogin, modutils: Module version bump. + loadable_module.spt: Add debugging comments for tunable_policy blocks. + networkmanager: Grant access to unlabeled PKeys + filesystem: Rename fs_relabel_cgroup_lnk_files. + corcmd, fs, xserver, init, systemd, userdomain: Module version bump. + xserver, sysnetwork, systemd: Module version bump. + xserver: Module version bump. + init: Module version bump. + Update contrib. + mls, xserver, systemd, userdomain: Module version bump. + storage, userdomain: Module version bump. + Add new mmap permission set and pattern support macros. + Add missing mmap_*_files_pattern macros. + Revise mmap_file_perms deprecation warning message. + Update contrib. + hostname: Module version bump. + Update contrib. + init: Module version bump. + Bump module versions for release. + +Christian Göttsche (6): + update travis + rkhunter: add interfaces for var_run and lock dir access check + dphysswapfile: add interfaces and sysadm access + hostname: cmdline usage + signal perms sort + filesystem: add fs_rw_inherited_hugetlbfs_files for apache module + init: add init_rw_inherited_stream_socket + +David Graziano (1): + system/ipsec: Add signull access for strongSwan + +David Sugar (20): + Strip spaces from NAME + Separate read and write interface for tun_tap_device_t + Label RHEL specific systemd binaries + Label /etc/rsyslog.d as syslog_conf_t + Add init_spec_daemon_domain interface + Add status into init_startstop_service interface + Add int_rlimit_inherit interface + remove interface init_inherit_rlimit + Fix problem labeling /run/log/journal/* + Denial relabeling /run/systemd/private + policy for systemd-networkd + Label /var/lib/lightdm-data + Change label for ~/.xsession-errors + Work around systemd-logind patch not in RHEL 7.x yet + RHEL 7.4 has moved the location of /usr/libexec/sesh to + /usr/libexec/sudo/sesh + Create interfaces to write to inherited xserver log files. + label systemd-shutdown so shutdown works + Make an attribute for objects in /run/user/%{USERID}/* + Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t + (user_runtime_content_type) + Allow systemd_logind to delete user_runtime_content_type files + +David Sugar via refpolicy (2): + label /etc/mcelog/mcelog.setup correctly (for RHEL) + Allow xdm_t to read /proc/sys/crypto/fips_enabled + +Guido Trentalancia (4): + userdomain: allow netlink_kobject_uvent_socket creation + xserver: do not audit ioctl operations on log files + fc_sort: memory leakages + base: create a type for SSL private keys + +Jason Zaman (8): + Allow sysadm to map all non auth files + userdomain: allow admin to rw tape storage + files: fcontext for /etc/zfs/zpool.cache + mls mcs: Add constraints for key class + Add key interfaces and perms + gssproxy: Allow others to stream connect + userdomain: Allow public content access + storage: Add fcontexts for NVMe disks + +Jason Zaman via refpolicy (3): + udev: map module objects to load kernel modules + syslog: allow map persist file + sudo: add fcontext for /run/sudo/ts/USERNAME + +Konrad Rzeszutek Wilk (2): + kernel/xen: Update for Xen 4.6 + kernel/xen: Add map permission to the dev_rw_xen + +Krzysztof Nowicki (2): + Add policy for systemd GPT generator + Allow systemd to relabel cgroupfs legacy symlinks + +Laurent Bigonville (2): + Allow domains using sysnet_dns_name_resolve() interface to access NSS + mymachines files + Add private type for systemd logind inhibit files and pipes + +Luis A. Lozano (1): + Avoid memory leak warning. + +Luis Ressel (15): + modutils: libkmod mmap()s modules.dep and *.ko's + libraries: ldconfig maps its "aux-cache" during cache updates + userdomain: Add various interfaces granting the map permission + files: Create files_map_usr_files interface + selinuxutil: Add map permissions neccessary for semanage + kernel: Add map permission to the dev_{read, write}_sound* interfaces + miscfiles: Allow libfontconfig consumers to map the fonts cache + userdomain: man-db needs to map its 'index.db' cache + logging: Various audit tools (auditctl, ausearch, etc) map their config + and logs + Grant all permissions neccessary for Xorg and basic X clients + libraries: Add fc entry for musl's ld.so config + xserver: Allow xdm_t to map usr_t files + locallogin: Grant local_login_t the dac_read_search capability + dmesg: Grant read access to /usr/share/terminfo + modutils: Dontaudit CAP_SYS_ADMIN checks for modprobe + +Luis Ressel via refpolicy (2): + kernel/files.if: files_list_kernel_modules should grant read perms for + symlinks + netutils: Grant netutils_t map perms for the packet_socket class + +Nicolas Iooss (9): + Add module_load permission to self when loading modules is allowed + audit: allow reading /etc/localtime + corecommands: label dhcpcd hook scripts bin_t + Add "/usr/(.*/)?bin(/.*)?" pattern back + Allow dhcpcd to use generic netlink and raw IP sockets + corecommands: label Arch Linux pacman's scripts as bin_t + init: allow systemd to create /dev/pts as devpts_t + init: allow systemd to relabel /dev and /run + corecommands: label systemd script directories bin_t + +Nicolas Iooss via refpolicy (1): + terminal: /dev/pts exists in /dev filesystem + +Russell Coker (4): + systemd nspawn and backlight + udev and dhcpd + minor nspawn, dnsmasq, and mon patches + refpolicy and certs + +William Roberts (1): + fc_sort: use calloc instead of malloc + * Sat Aug 05 2017 Chris PeBenito <[email protected]> - 2.20170805 Chris PeBenito (134): Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. diff --git a/VERSION b/VERSION index 70034956..838b5716 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20170805 +2.20180114
