commit: 744101042e9ae8eab4f942963b64dcaf5f2c738a
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 1 20:03:42 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74410104

Update Changelog and VERSION for release.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 235 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog |
17 |
index 116e228a..75d5fae0 100644 |
18 |
--- a/Changelog |
19 |
+++ b/Changelog |
20 |
@@ -1,3 +1,237 @@ |
21 |
+* Fri Feb 01 2019 Chris PeBenito <pebenito@××××.org> - 2.20190201 |
22 |
+Alexander Miroshnichenko (16): |
23 |
+ Add signal_perms setpgid setsched permissions to syncthing_t. |
24 |
+ Add corecmd_exec_bin permissions to syncthing_t. |
25 |
+ Allow syncthing_t to read network state. |
26 |
+ Allow syncthing_t to execute ifconfig/iproute2. |
27 |
+ Add required permissions for nsd_t to be able running. |
28 |
+ Add nsd_admin interface to sysadm.te. |
29 |
+ Add map permission to lvm_t on lvm_metadata_t. |
30 |
+ Add comment for map on lvm_metadata_t. |
31 |
+ Remove syncthing tunable_policy. |
32 |
+ Remove unneeded braces from nsd.te. |
33 |
+ Add new interface fs_rmw_hugetlbfs_files. |
34 |
+ Add map permission for postgresql_t to postgresql_tmp_t files. |
35 |
+ Add dovecot_can_connect_db boolean. |
36 |
+ fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface |
37 |
+ Add hostapd service module |
38 |
+ minor updates redis module to be able to start the app |
39 |
+ |
40 |
+Chris PeBenito (85): |
41 |
+ mozilla, devices, selinux, xserver, init, iptables: Module version bump. |
42 |
+ devices: Module version bump. |
43 |
+ misc_patterns.spt: Remove unnecessary brackets. |
44 |
+ ipsec: Module version bump. |
45 |
+ fstools: Module version bump. |
46 |
+ corecommands: Module version bump. |
47 |
+ xserver: Module version bump. |
48 |
+ Merge pull request #1 from bigon/fix-sepolgen-ifgen |
49 |
+ Remove unused translate permission in context userspace class. |
50 |
+ logrotate: Module version bump. |
51 |
+ miscfiles: Module version bump. |
52 |
+ Merge pull request #3 from bigon/xdp-socket |
53 |
+ obj_perm_sets.spt: Add xdp_socket to socket_class_set. |
54 |
+ clamav, ssh, init: Module version bump. |
55 |
+ amavis, apache, clamav, exim, mta, udev: Module version bump. |
56 |
+ dnsmasq: Whitespace fix in file contexts. |
57 |
+ dnsmasq: Reorder lines in file contexts. |
58 |
+ Merge branch 'master' of https://github.com/bigon/refpolicy |
59 |
+ Merge branch 'resolved' of https://github.com/bigon/refpolicy |
60 |
+ Merge branch 'iscsi' of https://github.com/bigon/refpolicy |
61 |
+ Various modules: Version bump. |
62 |
+ dnsmasq: Module version bump. |
63 |
+ Merge branch 'minissdpd' of https://github.com/bigon/refpolicy |
64 |
+ cron, minissdpd, ntp, systemd: Module version bump. |
65 |
+ dbus, xserver, init, logging, modutils: Module version bump. |
66 |
+ Merge branch 'syncthing' of https://github.com/alexminder/refpolicy |
67 |
+ syncthing: Whitespace change |
68 |
+ Merge branch 'lvm' of https://github.com/alexminder/refpolicy |
69 |
+ lvm, syncthing: Module version bump. |
70 |
+ sigrok: Remove extra comments. |
71 |
+ networkmanager: Add ICMPv6 comment |
72 |
+ sysnetwork: Move optional block in sysnet_dns_name_resolve(). |
73 |
+ sysnetwork: Move lines. |
74 |
+ dpkg: Rename dpkg_read_script_tmp_links(). |
75 |
+ apt, rpm: Remove and move lines to fix fc conflicts. |
76 |
+ sudo: Whitespace fix. |
77 |
+ many: Module version bumps for changes from Russell Coker. |
78 |
+ systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime(). |
79 |
+ init: Remove inadvertent merge. |
80 |
+ Merge branch 'nsd' of https://github.com/alexminder/refpolicy |
81 |
+ nsd: Merge two rules into one. |
82 |
+ Merge branch 'ssh_dac_read_search' of |
83 |
+ git://github.com/fishilico/selinux-refpolicy |
84 |
+ Merge branch 'restorecond_getattr_cgroupfs' of |
85 |
+ git://github.com/fishilico/selinux-refpolicy |
86 |
+ Merge branch 'systemd-logind-getutxent' of |
87 |
+ git://github.com/fishilico/selinux-refpolicy |
88 |
+ various: Module version bump. |
89 |
+ iptables: Module version bump. |
90 |
+ Add CONTRIBUTING file. |
91 |
+ kernel, systemd: Move lines. |
92 |
+ kernel, jabber, ntp, init, logging, systemd: Module version bump. |
93 |
+ Merge branch 'systemd-journald_units_symlinks' of |
94 |
+ git://github.com/fishilico/selinux-refpolicy |
95 |
+ init, logging: Module version bump. |
96 |
+ Merge branch 'services_single_usr_bin' of |
97 |
+ git://github.com/fishilico/selinux-refpolicy |
98 |
+ Merge branch 'init_rename_pid_interfaces' of |
99 |
+ git://github.com/fishilico/selinux-refpolicy |
100 |
+ various: Module name bump. |
101 |
+ Merge branch 'systemd-rfkill' of |
102 |
+ git://github.com/fishilico/selinux-refpolicy |
103 |
+ systemd: Whitespace change |
104 |
+ systemd: Module version bump. |
105 |
+ Merge branch 'restorecond-symlinks' of |
106 |
+ git://github.com/fishilico/selinux-refpolicy |
107 |
+ Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy |
108 |
+ usermanage, cron, selinuxutil: Module version bump. |
109 |
+ logging, sysnetwork, systemd: Module version bump. |
110 |
+ Merge branch 'restorecond-dontaudit-symlinks' of |
111 |
+ git://github.com/fishilico/selinux-refpolicy |
112 |
+ selinuxutil: Module version bump. |
113 |
+ Merge branch 'dbus-dynamic-uid' of |
114 |
+ git://github.com/fishilico/selinux-refpolicy |
115 |
+ xserver: Move line |
116 |
+ systemd: Move interface implementation. |
117 |
+ various: Module version bump. |
118 |
+ dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). |
119 |
+ dpkg: Move interface implementations. |
120 |
+ init: Rename init_read_generic_units_links() to |
121 |
+ init_read_generic_units_symlinks(). |
122 |
+ init: Drop unnecessary userspace class dependence in |
123 |
+ init_read_generic_units_symlinks(). |
124 |
+ chromium: Whitespace fixes. |
125 |
+ chromium: Move line. |
126 |
+ Merge branch 'dovecot' of git://github.com/alexminder/refpolicy |
127 |
+ dovecot: Move lines. |
128 |
+ various: Module version bump. |
129 |
+ Merge branch 'postgres' of git://github.com/alexminder/refpolicy |
130 |
+ filesystem, postgresql: Module version bump. |
131 |
+ hostapd: Whitespace change. |
132 |
+ hostapd: Move line. |
133 |
+ various: Module version bump. |
134 |
+ redis: Move line. |
135 |
+ redis: Module version bump. |
136 |
+ corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version |
137 |
+ bump. |
138 |
+ Bump module versions for release. |
139 |
+ |
140 |
+David Sugar (15): |
141 |
+ Interface to allow reading of virus signature files. |
142 |
+ Update CUSTOM_BUILDOPT |
143 |
+ Add interface udev_run_domain |
144 |
+ Allow clamd_t to read /proc/sys/crypt/fips_enabled |
145 |
+ Interface to add domain allowed to be read by ClamAV for scanning. |
146 |
+ Add interfaces to control clamav_unit_t systemd services |
147 |
+ Allow clamd to use sent file descriptor |
148 |
+ Add interfaces to control ntpd_unit_t systemd services |
149 |
+ interface to enable/disable systemd_networkd service |
150 |
+ Interface to read cron_system_spool_t |
151 |
+ Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled |
152 |
+ Allow kmod to read /proc/sys/crypto/fips_enabled |
153 |
+ Allow dbus to access /proc/sys/crypto/fips_enabled |
154 |
+ Add missing require for 'daemon' attribute. |
155 |
+ Allow auditctl_t to read bin_t symlinks. |
156 |
+ |
157 |
+Dominick Grift (1): |
158 |
+ unconfined: add a note about DBUS |
159 |
+ |
160 |
+Guido Trentalancia (1): |
161 |
+ Add sigrok contrib module |
162 |
+ |
163 |
+Jagannathan Raman (1): |
164 |
+ vhost: Add /dev/vhost-scsi device of type vhost_device_t. |
165 |
+ |
166 |
+Jason Zaman (10): |
167 |
+ selinux: compute_access_vector requires creating netlink_selinux_sockets |
168 |
+ mozilla: xdg updates |
169 |
+ xserver: label .cache/fontconfig as user_fonts_cache_t |
170 |
+ Allow map xserver_misc_device_t for nvidia driver |
171 |
+ iptables: fcontexts for 1.8.0 |
172 |
+ devices: introduce dev_dontaudit_read_sysfs |
173 |
+ files: introduce files_dontaudit_read_etc_files |
174 |
+ kernel: introduce kernel_dontaudit_read_kernel_sysctl |
175 |
+ userdomain: introduce userdom_user_home_dir_filetrans_user_cert |
176 |
+ Add chromium policy upstreamed from Gentoo |
177 |
+ |
178 |
+Laurent Bigonville (10): |
179 |
+ policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to |
180 |
+ make sepolgen-ifgen happy |
181 |
+ Add xdp_socket security class and access vectors |
182 |
+ irqbalance now creates an abstract socket |
183 |
+ Allow semanage_t to connect to system D-Bus bus |
184 |
+ Allow ntpd_t to read init state |
185 |
+ Add systemd_dbus_chat_resolved() interface |
186 |
+ Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names |
187 |
+ Allow systemd_resolved_t to bind to port 53 and use net_raw |
188 |
+ Allow iscsid_t to create a netlink_iscsi_socket |
189 |
+ Allow minissdpd_t to create a unix_stream_socket |
190 |
+ |
191 |
+Luis Ressel (7): |
192 |
+ corecommands: Fix /usr/share/apr* fc |
193 |
+ xserver: Allow user fonts (and caches) to be mmap()ed. |
194 |
+ Add fc for /var/lib/misc/logrotate.status |
195 |
+ Realign logrotate.fc, remove an obvious comment |
196 |
+ miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t |
197 |
+ services/ssh: Don't audit accesses from ssh_t to /dev/random |
198 |
+ system/init: Give init_spec_daemon_domain()s the "daemon" attribute |
199 |
+ |
200 |
+Lukas Vrabec (1): |
201 |
+ Improve domain_transition_pattern to allow mmap entrypoint bin file. |
202 |
+ |
203 |
+Nicolas Iooss (11): |
204 |
+ fstools: label e2mmpstatus as fsadm_exec_t |
205 |
+ ssh: use dac_read_search instead of dac_override |
206 |
+ selinuxutil: allow restorecond to try counting the number of files in |
207 |
+ cgroup fs |
208 |
+ systemd: allow systemd-logind to use getutxent() |
209 |
+ Allow systemd-journald to read systemd unit symlinks |
210 |
+ Label service binaries in /usr/bin like /usr/sbin |
211 |
+ init: rename *_pid_* interfaces to use "runtime" |
212 |
+ systemd: add policy for systemd-rfkill |
213 |
+ selinuxutil: allow restorecond to read symlinks |
214 |
+ selinuxutil: restorecond is buggy when it dereferencies symlinks |
215 |
+ dbus: allow using dynamic UID |
216 |
+ |
217 |
+Petr Vorel (1): |
218 |
+ dnsmasq: Require log files to have .log suffix |
219 |
+ |
220 |
+Russell Coker (19): |
221 |
+ misc services patches |
222 |
+ misc interfaces |
223 |
+ last misc stuff |
224 |
+ systemd related interfaces |
225 |
+ systemd misc |
226 |
+ missing from previous |
227 |
+ cron trivial |
228 |
+ mls stuff |
229 |
+ logging |
230 |
+ some little stuff |
231 |
+ trivial system cronjob |
232 |
+ another trivial |
233 |
+ more tiny stuff |
234 |
+ map systemd private dirs |
235 |
+ tiny stuff for today |
236 |
+ yet more tiny stuff |
237 |
+ yet another little patch |
238 |
+ chromium |
239 |
+ more misc stuff |
240 |
+ |
241 |
+Sugar, David (9): |
242 |
+ Allow greeter to start dbus |
243 |
+ pam_faillock creates files in /run/faillock |
244 |
+ Add interface to get status of iptables service |
245 |
+ Add interface to start/stop iptables service |
246 |
+ label journald configuraiton files syslog_conf_t |
247 |
+ Interface with systemd_hostnamed over dbus to set hostname |
248 |
+ Modify type for /etc/hostname |
249 |
+ Add interface clamav_run |
250 |
+ Add interface to read journal files |
251 |
+ |
252 |
+Yuli Khodorkovskiy (1): |
253 |
+ ipsec: add missing permissions for pluto |
254 |
+ |
255 |
* Sun Jul 01 2018 Chris PeBenito <pebenito@××××.org> - 2.20180701 |
256 |
Chris PeBenito (28): |
257 |
Enable cgroup_seclabel and nnp_nosuid_transition. |
258 |
|
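Review bot: the same contributor appears twice in the author grouping, as "David Sugar (15)" and again as "Sugar, David (9)", so the 24 entries are split and the per-author counts are misleading. The layout looks like git shortlog output; if that is how it was generated, a .mailmap entry mapping both spellings to one name before regenerating would merge them. Separately, one entry reads "Allow clamd_t to read /proc/sys/crypt/fips_enabled" while the three sibling entries for xserver_t, kmod and dbus say /proc/sys/crypto/fips_enabled. Anyone searching the changelog for that sysctl path to see which domains gained read access will miss the clamd change, so the path is worth correcting here.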
259 |
diff --git a/VERSION b/VERSION |
260 |
index b40612cc..b93d30a8 100644 |
261 |
--- a/VERSION |
262 |
+++ b/VERSION |
263 |
@@ -1 +1 @@ |
264 |
-2.20180701 |
265 |
+2.20190201 |
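Review bot: the commit subject "Update Changelog and VERSION for release." does not name the release that this hunk sets in VERSION. Adding 2.20190201 to the subject would make the release commit easy to find from the log. The new value does match the "- 2.20190201" heading added at the top of Changelog, so the two files stay consistent.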