Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Wed, 01 May 2013 18:23:21
Message-Id: 1367432462.260446e8ef6b1f240c49482cfa7cf4f3041e14f8.SwifT@gentoo
1 commit: 260446e8ef6b1f240c49482cfa7cf4f3041e14f8
2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
3 AuthorDate: Wed Apr 24 20:14:52 2013 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed May 1 18:21:02 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=260446e8
7
8 Update Changelog and VERSION for release.
9
10 ---
11 Changelog | 216 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
12 VERSION | 2 +-
13 2 files changed, 217 insertions(+), 1 deletions(-)
14
15 diff --git a/Changelog b/Changelog
16 index 5fcca55..85be207 100644
17 --- a/Changelog
18 +++ b/Changelog
19 @@ -214,3 +214,219 @@ Sven Vermeulen (27):
20 Introduce exec-check interfaces for passwd binaries and useradd binaries
21 chfn_t reads in file context information and executes nscd
22
23 +* Wed Apr 24 2013 Chris PeBenito <selinux@××××××.com> - 2.20130424
24 +Chris PeBenito (78):
25 + Mcelog update from Guido Trentalancia.
26 + Add bird contrib module from Dominick Grift.
27 + Minor whitespace fix in udev.fc
28 + Module version bump for udev binary location update from Sven Vermeulen.
29 + clarify the file_contexts.subs_dist configuration file usage from Guido
30 + Trentalancia
31 + Update contrib.
32 + Remove trailing / from paths
33 + Module version bump for fc substitutions optimizations from Sven
34 + Vermeulen.
35 + Update contrib.
36 + Module version bump for /run/dhcpc directory creation by dhcp from Sven
37 + Vermeulen.
38 + Module version bump for fc fixes in devices module from Dominick Grift.
39 + Update contrib.
40 + Module version bump for /dev/mei type and label from Dominick Grift.
41 + Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
42 + Module version bump for lost+found labeling in /var/log from Guido
43 + Trentalancia.
44 + Module version bump for loop-control patch.
45 + Turn off all tunables by default, from Guido Trentalancia.
46 + Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
47 + Module version bump for various changes from Sven Vermeulen.
48 + Module version bump for ports update from Dominick Grift.
49 + Module version bump for Debian file context updates from Laurent
50 + Bigonville.
51 + Update contrib.
52 + Update contrib.
53 + split kmod fc into two lines.
54 + Module version bump for kmod fc from Laurent Bigonville.
55 + Module version bump for cfengine fc change from Dominick Grift.
56 + Module verision bump for Debian cert file fc update from Laurent
57 + Bigonville.
58 + Module version bump for ipsec net sysctls reading from Miroslav Grepl.
59 + Module version bump for srvloc port definition from Dominick Grift.
60 + Rename cachefiles_dev_t to cachefiles_device_t.
61 + Module version bump for cachefiles core support.
62 + Module version bump for changes from Dominick Grift and Sven Vermeulen.
63 + Module version bump for modutils patch from Dominick Grift.
64 + Module version bump for dhcp6 ports, from Russell Coker.
65 + Rearrange new xserver interfaces.
66 + Rename new xserver interfaces.
67 + Module version bump for xserver interfaces from Dominick Grift.
68 + Move kernel_stream_connect() declaration.
69 + Module version bump for kernel_stream_connect() from Dominick Grift.
70 + Rename logging_search_all_log_dirs to logging_search_all_logs
71 + Module version bump for minor logging and sysnet changes from Sven
72 + Vermeulen.
73 + Module version bump for dovecot libs from Mika Pflueger.
74 + Rearrange interfaces in files, clock, and udev.
75 + Module version bump for interfaces used by virt from Dominick Grift.
76 + Module version bump for arping setcap from Dominick Grift.
77 + Rearrange devices interfaces.
78 + Module version bump/contrib sync.
79 + Rearrange lines.
80 + Module version bump for user home content fixes from Dominick Grift.
81 + Rearrange files interfaces.
82 + Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
83 + Update contrib.
84 + Whitespace fix in miscfiles.fc.
85 + Adjust man cache interface names.
86 + Module version bump for man cache from Dominick Grift.
87 + Module version bump for Debian ssh-keysign location from Laurent
88 + Bigonville.
89 + Module version bump for userdomain portion of XDG updates from Dominick
90 + Grift.
91 + Module version bump for iptables fc entry from Sven Vermeulen and inn log
92 + from Dominick Grift.
93 + Module version bump for logging and tcpdump fixes from Sven Vermeulen.
94 + Move mcs_constrained() impementation.
95 + Module version bump for mcs_constrained from Dominick Grift.
96 + Update contrib.
97 + Module version bump from Debian changes from Laurent Bigonville.
98 + Module version bump for zfs labeling from Matthew Thode.
99 + Module version bump for misc updates from Sven Vermeulen.
100 + Update contrib.
101 + Module version bump for fixes from Dominick Grift.
102 + Module version bump for Debian updates from Laurent Bigonville.
103 + Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
104 + Update contrib
105 + Fix fc_sort.c warning uncovered by recent gcc
106 + Module version bump for chfn fixes from Sven Vermeulen.
107 + Add swapoff fc entry.
108 + Add conntrack fc entry.
109 + Update contrib.
110 + Update contrib
111 + Archive old Changelog for log format change.
112 + Bump module versions for release.
113 +
114 +Dominick Grift (40):
115 + There can be more than a single watchdog interface
116 + Fix a suspected typo
117 + Intel® Active Management Technology
118 + Declare a loop control device node type and label /dev/loop-control
119 + accordingly
120 + Declare port types for ports used by Fedora but use /etc/services for port
121 + names rather than using fedora port names. If /etc/services does not
122 + have a port name for a port used by Fedora, skip for now.
123 + Remove var_log_t file context spec
124 + svrloc port type declaration from slpd policy module
125 + Declare a cachfiles device node type
126 + Implement files_create_all_files_as() for cachefilesd
127 + Restricted Xwindows user domains run windows managers in the windows
128 + managers domain
129 + Declare a cslistener port type for phpfpm
130 + Changes to the sysnetwork policy module
131 + Changes to the userdomain policy module
132 + Changes to the bootloader policy module
133 + Changes to the modutils policy module
134 + Changes to the xserver policy module
135 + Changes to various policy modules
136 + Changes to the kernel policy module
137 + For svirt_lxc_domain
138 + For svirt_lxc_domain
139 + For svirt_lxc_domain
140 + For virtd lxc
141 + For virtd_lxc
142 + For virtd_lxc
143 + For virtd lxc
144 + For virtd lxc
145 + For virtd
146 + Arping needs setcap to cap_set_proc
147 + For virtd
148 + Changes to the user domain policy module
149 + Samhain_admin() now requires a role for the role_transition from $1 to
150 + initrc_t via samhain_initrc_exec_t
151 + Changes to the user domain policy module
152 + Label /var/cache/man with a private man cache type for mandb
153 + Create a attribute user_home_content_type and assign it to all types that
154 + are classified userdom_user_home_content()
155 + These two attribute are unused
156 + System logger creates innd log files with a named file transition
157 + Implement mcs_constrained_type
158 + Changes to the init policy module
159 + Changes to the userdomain policy module
160 + NSCD related changes in various policy modules
161 +
162 +Guido Trentalancia (1):
163 + add lost+found filesystem labels to support NSA security guidelines
164 +
165 +Laurent Bigonville (21):
166 + Add Debian locations for GDM 3
167 + Add Debian location for udisks helpers
168 + Add insmod_exec_t label for kmod executable
169 + Add Debian location for PKI files
170 + Add Debian location for ssh-keysign
171 + Properly label all the ssh host keys
172 + Allow udev_t domain to read files labeled as consolekit_var_run_t
173 + authlogin.if: Add auth_create_pam_console_data_dirs and
174 + auth_pid_filetrans_pam_var_console interfaces
175 + Label /etc/rc.d/init.d/x11-common as xdm_exec_t
176 + Drop /etc/rc.d/init.d/xfree86-common filecontext definition
177 + Label /var/run/shm as tmpfs_t for Debian
178 + Label /var/run/motd.dynamic as initrc_var_run_t
179 + Label /var/run/initctl as initctl_t
180 + udev.if: Call files_search_pid instead of files_search_var_lib in
181 + udev_manage_pid_files
182 + Label executables in /usr/lib/NetworkManager/ as bin_t
183 + Add support for rsyslog
184 + Label var_lock_t as a mountpoint
185 + Add mount_var_run_t type and allow mount_t domain to manage the files and
186 + directories
187 + Add initrc_t to use block_suspend capability
188 + Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
189 + Label nut drivers that are installed in /lib/nut on Debian as bin_t
190 +
191 +Matthew Thode (1):
192 + Implement zfs support
193 +
194 +Mika Pflüger (2):
195 + Debian locations of gvfs and kde4 libexec binaries in /usr/lib
196 + Explicitly label dovecot libraries lib_t for debian
197 +
198 +Miroslav Grepl (1):
199 + Allow ipsec to read kernel sysctl
200 +
201 +Paul Moore (1):
202 + flask: add the attach_queue permission to the tun_socket object class
203 +
204 +Russell Coker (1):
205 + Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
206 + client control
207 +
208 +Sven Vermeulen (27):
209 + New location for udevd binary
210 + Use substititions for /usr/local/lib and /etc/init.d
211 + DHCP client's hooks create /run/dhcpc directory
212 + Introduce init_daemon_run_dir transformation
213 + Use the init_daemon_run_dir interface for udev
214 + Allow initrc_t to create run dirs for core modules
215 + Puppet uses mount output for verification
216 + Allow syslogd to create /var/lib/syslog and
217 + /var/lib/misc/syslog-ng.persist
218 + Gentoo's openrc does not require initrc_exec_t for runscripts anymore
219 + Allow init scripts to read courier configuration
220 + Allow search within postgresql var directory for the stream connect
221 + interface
222 + Introduce logging_getattr_all_logs interface
223 + Introduce logging_search_all_log_dirs interface
224 + Support flushing routing cache
225 + Allow init to set attributes on device_t
226 + Introduce files_manage_all_pids interface
227 + Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
228 + Update files_manage_generic_locks with directory permissions
229 + Run ipset in iptables domain
230 + tcpdump chroots into /var/lib/tcpdump
231 + Remove generic log label for cron location
232 + Postgresql 9.2 connects to its unix stream socket
233 + lvscan creates the /run/lock/lvm directory if nonexisting (v2)
234 + Allow syslogger to manage cron log files (v2)
235 + Allow initrc_t to read stunnel configuration
236 + Introduce exec-check interfaces for passwd binaries and useradd binaries
237 + chfn_t reads in file context information and executes nscd
238 +
239
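Review bot: the "Sven Vermeulen (27):" block added at the end of this hunk closes with the same two entries ("Introduce exec-check interfaces for passwd binaries and useradd binaries" and "chfn_t reads in file context information and executes nscd") that the unchanged context lines at the top of the hunk already show under an existing "Sven Vermeulen (27):" heading, so after this change the Changelog appears to list that block twice. If the earlier copy was a pre-release listing, remove it or fold it into the new "2.20130424" entry so each change is recorded once. Several added entries also carry spelling slips ("Module verision bump", "Move mcs_constrained() impementation.", "Use substititions for /usr/local/lib and /etc/init.d", "Declare a cachfiles device node type"), and the repeated "For svirt_lxc_domain" / "For virtd lxc" / "For virtd" lines say nothing about what was changed. If these are copied verbatim from commit subjects, say so in the commit message. Otherwise correct the spelling and replace the repeated lines with a short description of what each policy change does, since this file is where reviewers look to see which domains gained access in the release.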
240 diff --git a/VERSION b/VERSION
241 index 37b3df8..d060af8 100644
242 --- a/VERSION
243 +++ b/VERSION
244 @@ -1 +1 @@
245 -2.20120725
246 +2.20130424