commit:     eda98a3afa77322916144fbf27e290932d4495e8
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Sep 16 17:52:00 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eda98a3a

Update Changelog and VERSION for release 2.20240916.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Changelog | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 137 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index a1938b4f0..1e9edc872 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,139 @@
+* Mon Sep 16 2024 Chris PeBenito <[email protected]> - 2.20240916
+Amisha Jain (1):
+      Sepolicy changes for bluez to access uhid
+
+Chris PeBenito (54):
+      uml: Remove excessive access from user domains on uml_exec_t.
+      cron: Use raw entrypoint rule for system_cronjob_t.
+      docker: Fix dockerc typo in container_engine_executable_file
+      minissdpd: Revoke kernel module loading permissions.
+      xen: Revoke kernel module loading permissions.
+      cups: Remove PTAL.
+      xen: Drop xend/xm stack.
+      certbot: Drop execmem.
+      cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
+      tests.yml: Add sechecker testing.
+      systemd: Add basic systemd-analyze rules.
+      cloudinit: Add support for cloud-init-growpart.
+      filesystem/systemd: memory.pressure fixes.
+      init: Add homectl dbus access.
+      device: Move dev_rw_uhid definition.
+      devices: Change dev_rw_uhid() to use a policy pattern.
+      tests.yml: Divide into reusable workflows.
+      tests.yml: Add policy diff on PRs.
+      bluetooth: Move line.
+
+Christian Göttsche (4):
+      getty: grant checkpoint_restore
+      quote: read localization
+      systemd: allow notify client to stat socket
+      Makefile: drop duplicate quotes
+
+Dave Sugar (4):
+      Setup domain for dbus selinux interface
+      Update SOS report to work on RHEL9
+      Need map perm for cockpit 300.4
+      Additional permissions when fapolicyd.conf more strict
+
+Dmitry Sharshakov (1):
+      filesystem, devices: move gadgetfs to usbfs_t
+
+Grzegorz Filo (1):
+      files context for merged-usr profile on gentoo
+
+Guido Trentalancia (1):
+      Allow interactive user terminal output for the NetLabel management tool.
+
+Kenton Groombridge (46):
+      init: allow systemd to use sshd pidfds
+      fail2ban: allow reading net sysctls
+      dovecot: allow dovecot-auth to read SASL keytab
+      userdom: allow users to read user home dir symlinks
+      postgres: add a standalone execmem tunable
+      asterisk: allow binding to all unreserved UDP ports
+      bootloader: allow systemd-boot to manage EFI binaries
+      matrixd: add tunable for binding to all unreserved ports
+      container: allow system container engines to mmap runtime files
+      container: allow containers to getcap
+      systemd: allow systemd-sysctl to search tmpfs
+      container, podman: various fixes
+      container, crio, kubernetes: minor fixes
+      various: various fixes
+      systemd: allow systemd-logind to use sshd pidfds
+      sysnetwork: allow ifconfig to read usr files
+      postfix: allow smtpd to mmap SASL keytab files
+      sudo: allow systemd-logind to read cgroup state of sudo
+      su, sudo: allow sudo to signal all su domains
+      asterisk: allow watching spool dirs
+      dbus, init: add interface for pidfd usage
+      init: use pidfds from local login
+      haproxy: initial policy
+      sysadm: make haproxy admin
+      container: allow containers to execute tmpfs files
+      node_exporter: allow reading localization
+      netutils: allow ping to read net sysctls
+      postfix: allow postfix pipe to watch mail spool
+      asterisk: allow reading certbot lib
+      node_exporter: allow reading RPC sysctls
+      systemd: allow logind to use locallogin pidfds
+      sshd: label sshd-session as sshd_exec_t
+      iptables: allow reading usr files
+      podman: allow managing init runtime units
+      haproxy: allow interactive usage
+      kubernetes: allow kubelet to create unlabeled dirs
+      container: allow super privileged containers to manage BPF dirs
+      dbus: dontaudit session bus domains the netadmin capability
+      container, kubernetes: add supporting rules for kubevirt and multus
+      container: allow spc various rules for kubevirt
+      iptables: allow reading container engine tmp files
+      container: add container_kvm_t and supporting kubevirt rules
+      various: rules required for DV manipulation in kubevirt
+      testing: add container_kvm_t to net admin exempt list
+      container: allow reading generic certs
+      kubernetes: allow kubelet to connect all TCP ports
+
+Matt Sheets (1):
+      Allow systemd to pass down sig mask
+
+Naga Bhavani Akella (3):
+      Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access 
unix
+         stream sockets.
+      Setting bluetooth helper domain for bluetoothctl
+      Adding SE Policy rules to allow usage of unix stream sockets by dbus and
+         bluetooth contexts when Gatt notifications are turned on by remote.
+
+Raghavender Reddy Bujala (1):
+      Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
+
+Rick Alther (2):
+      fix: minor correction in MCS_CATS range comment
+      Set the type on /etc/machine-info to net_conf_t so hostnamectl can
+         manipulate it (CRUD)
+
+Yi Zhao (12):
+      sysnetwork: fixes for dhcpcd
+      newrole: allow newrole to search faillock runtime directory
+      selinuxutil: make policykit optional
+      userdomain: allow administrative user to get attributes of shadow history
+         file
+      systemd: make xdg optional
+      systemd: set context to systemd_networkd_var_lib_t for
+         /var/lib/systemd/network
+      systemd: allow systemd-networkd to manage sock files under
+         /run/systemd/netif
+      systemd: allow system --user to create netlink_route_socket
+      systemd: add policy for systemd-nsresourced
+      devices: add label vsock_device_t for /dev/vsock
+      systemd: fix policy for systemd-ssh-generator
+      systemd: allow systemd-hostnamed to read vsock device
+
+freedom1b2830 (2):
+      Reorder perms and classes
+      Reorder perms and classes
+
+nisbet-hubbard (1):
+      Update mysql.fc
+
 * Mon Feb 26 2024 Chris PeBenito <[email protected]> - 2.20240226
 Chris PeBenito (174):
       tests.yml: Pin ubuntu 20.04.
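Review bot: The per-author commit counts in the new Changelog block are inconsistent with the entries listed under them: the "Chris PeBenito (54):" header is followed by only 19 subject lines, while the other headers (for example "Kenton Groombridge (46):" and "Yi Zhao (12):") match their lists exactly. Either the count was taken from git shortlog before the list was trimmed, or entries were dropped by mistake; please regenerate the section or adjust the count so the header reflects what is actually listed. Also worth a look: the "freedom1b2830 (2):" block lists the subject "Reorder perms and classes" twice, which is fine if those are two distinct commits but reads like a duplicate in a release changelog, so consider disambiguating them (for instance by the policy module each one touched).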

diff --git a/VERSION b/VERSION
index 238b92fda..3cbd6b36e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20240226
+2.20240916
