commit:     0d0b3f0b2c0d84a7529175dc505af157f48de2f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb  3 13:38:27 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:10 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b

Update Changelog and VERSION for release 2.20210203.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 194 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 59037863..50cd31fc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,196 @@
+* Wed Feb 03 2021 Chris PeBenito <[email protected]> - 2.20210203
+(GalaxyMaster) (1):
+      added policy for systemd-socket-proxyd
+
+0xC0ncord (1):
+      userdomain, xserver: move xdg rules to userdom_xdg_user_template
+
+Anthony PERARD (1):
+      xen: Allow xenstored to map /proc/xen/xsd_kva
+
+Antoine Tenart (15):
+      udev: allow udevadm to retrieve xattrs
+      locallogin: allow login to get attributes of procfs
+      logging: allow systemd-journal to write messages to the audit socket
+      sysnetwork: allow to read network configuration files
+      dbus: add two interfaces to allow reading from directories and named
+         sockets
+      dbus: allow clients to list runtime dirs and named sockets
+      systemd: add extra systemd_generator_t rules
+      systemd: allow systemd-hwdb to search init runtime directories
+      systemd: allow systemd-network to get attributes of fs
+      systemd: allow systemd-resolve to read in tmpfs
+      corecommands: add entry for Busybox shell
+      systemd: allow systemd-getty-generator to read and write unallocated ttys
+      systemd: allow systemd-network to list the runtime directory
+      ntp: allow systemd-timesyn to watch dbus objects
+      ntp: allow systemd-timesyn to setfscreate
+
+Chris PeBenito (117):
+      Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
+         jpds-acpid_shutdown
+      .travis.yml: Point selint at only the policy dir.
+      corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: 
Module
+         version bump.
+      systemd: Move systemd-pstore block up in alphabetical order.
+      Switch to GitHub actions for CI actions.
+      systemd: Whitespace changes.
+      systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
+         systemd_stream_connect_socket_proxyd().
+      Drop criteria on github actions.
+      userdomain: Fix error in calling userdom_xdg_user_template().
+      systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
+      Makefile: Add -E to setfiles labeling targets.
+      udev: Drop udev_tbl_t.
+      udev: Systemd 246 merged udev and udevadm executables.
+      devicekit: Udisks uses udevadm, it does not exec udev.
+      Remove modules for programs that are deprecated or no longer supported.
+      chromium: Whitespace changes.
+      chromium: Move naclhelper lines.
+      certbot: Whitespace changes.
+      certbot: Drop aliases since they have never had the old names in
+         refpolicy.
+      certbot: Reorder fc lines.
+      miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
+      userdomain: Move lines.
+      certbot: Fix lint issues.
+      memlockd: Move lines.
+      memlockd: Whitespace fixes.
+      memlockd: Fix lint issue.
+      file_patterns.spt: Add a mmap_manage_files_pattern().
+      apache, mysql, postgrey, samba, squid: Apply new
+         mmap_manage_files_pattern().
+      devicekit, jabber, samba: Move lines.
+      cron: Make backup call for system_cronjob_t optional.
+      samba: Fix samba_runtime_t alias use.
+      samba: Move service interface definitions.
+      sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
+         block.
+      samba: Add missing userspace class requirements in unit interfaces.
+      apache: Fix lint error.
+      apache: Really fix lint error.
+      aptcacher: Drop broken config interfaces.
+      samba: Fix lint error.
+         0xC0ncord/feature/sudodomain_http_connect_boolean
+         0xC0ncord/bugfix/systemd_system_custom_unit_fc
+      dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
+      apt, bootloader: Move lines.
+      systemd: Move lines.
+      systemd: Fix lint errors.
+      systemd: Rename systemd_use_machined_devpts().
+      Bump module versions for release.
+
+Christian Göttsche (16):
+      postfixpolicyd: split multi-class rule
+      init/systemd: allow systemd to map the SELinux status page
+      selinux: add selinux_use_status_page and deprecate
+         selinux_map_security_files
+      genhomedircon: drop backwards compatibility section
+      genhomedircon: require match for home directory name
+      genhomedircon: drop unused functions
+      genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
+      genhomedircon: misc pylint cleanup
+      genhomedircon: improve error messages for min uid search
+      Rules.monolithic: ignore version mismatch
+      gitignore: ignore monolithic generated files
+      Preset OUTPUT_POLICY to 32
+      Rules.monolithic: do not suppress load_policy warning messages
+      Rules.monolithic: tweak checkpolicy arguments
+      Rules.monolithic: drop dead variable
+      Rules.monolithic: add missing phony declarations
+
+Daniel Burgener (4):
+      Allow init to mount over the system bus
+      Allow systemd-ask-password to watch files
+      Use self keyword when an AV rule source type matches destination
+      Fix typo in comment
+
+Dannick Pomerleau (1):
+      access_vectors: Add new capabilities to cap2
+
+Dave Sugar (9):
+      Looks like this got dropped in pull request #294
+      Allow snmpd to read hwdata
+      Updates for corosync to work in enforcing
+      To get pacemaker working in enforcing
+      pacemaker systemd permissions
+      Allow pacemaker to map/read/write corosync shared memory files
+      Allow systemd-modules-load to search kernel keys
+      pcs_snmpd_agent_t fix denials to allow it to read needed queues
+      Work with xdg module disabled
+
+David Schadlich (1):
+      add policy for pcs_snmp_agent
+
+Deepak Rawat (1):
+      Add selinux-policy for systemd-pstore service
+
+Dominick Grift (1):
+      bind: add a few fc specs for unbound
+
+Guido Trentalancia (1):
+      Add LVM module permissions needed to open cryptsetup devices.
+
+Jason Zaman (5):
+      userdomain: Add watch on home dirs
+      getty: allow watching file /run/agetty.reload
+      Add transition on gentoo init_t to openrc
+      init: upstream fcontexts from gentoo policy
+      systemd: make remaining dbus_* optional
+
+Jonathan Davies (8):
+      acpi.te: Allow acpid_t to shutdown the system - this is required to 
handle
+         shutdown calls from libvirt. Fixes #298.
+      acpi.te: Removed unnecessary init_write_initctl().
+      userdomain.if: Marked usbguard user modify tunable as optional so 
usbguard
+         may be excluded.
+      portage: Added /var/cache/distfiles path.
+      init: Added fcontext for openrc-init.
+      init: Added fcontext for openrc-shutdown.
+      apps/screen.fc: Added fcontext for tmux xdg directory.
+      apps/screen.te: Allow screen to search xdg directories.
+
+Kenton Groombridge (11):
+      devices: add interface for IOCTL on input devices
+      virt: add boolean to allow evdev passthrough
+      stunnel: add log type and rules
+      fail2ban: allow reading systemd journal
+      spamassassin: add rspamd support and tunable
+      apache: add interface for list dir perms on httpd content
+      sudo: add tunable for HTTP connections
+      init: label systemd units in /etc
+      certbot: add support for acme.sh
+      lvm: add lvm_tmpfs_t type and rules
+      Various fixes
+
+Peter Morrow (1):
+      selinux: add selinux_get_all_booleans() interface
+
+Richard Haines (1):
+      Ensure correct monolithic binary policy is loaded
+
+Russell Coker (11):
+      base chrome/chromium patch fixed
+      latest iteration of certbot policy as patch
+      yet more strict patches fixed
+      remove deprecated from 20190201
+      more Chrome stuff
+      latest memlockd patch
+      misc services patches with changes Dominick and Chris wanted
+      misc network patches with Dominick's changes*2
+      new version of filetrans patch
+      misc apps and admin patches
+      machined
+
+Yi Zhao (1):
+      sysnet: allow dhcpcd to create socket file
+
+bauen1 (4):
+      systemd: private type for /run/systemd/userdb
+      authlogin: connect to userdb
+      systemd-logind: utilize nsswitch
+      selint: fix S-010
+
 * Tue Aug 18 2020 Chris PeBenito <[email protected]> - 2.20200818
 Alexander Miroshnichenko (2):
       openvpn: more versatile file context regex for ipp.txt
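
Review bot: In the "Chris PeBenito (117)" block, the two lines after "samba: Fix lint error." ("0xC0ncord/feature/sudodomain_http_connect_boolean" and "0xC0ncord/bugfix/systemd_system_custom_unit_fc") are indented as continuation lines but have no parent entry above them, so they read as part of the samba item. Either restore the first line of each entry they belong to or drop the fragments. The same block is headed with a count of 117 but lists far fewer entries, so if entries were filtered out of the log on purpose, filter their wrapped continuation lines too and say so in the Changelog; otherwise a packager reading it cannot tell which changes are missing. "Remove modules for programs that are deprecated or no longer supported." would also be more useful to downstream policy maintainers if the release notes named the removed modules, since anything still depending on them will lose its policy on upgrade.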

diff --git a/VERSION b/VERSION
index dff6b732..d20cfcef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20200818
+2.20210203
