commit: 0d0b3f0b2c0d84a7529175dc505af157f48de2f6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 3 13:38:27 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 21:15:10 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b

Update Changelog and VERSION for release 2.20210203.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 194 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 59037863..50cd31fc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,196 @@
+* Wed Feb 03 2021 Chris PeBenito <pebenito@××××.org> - 2.20210203
+(GalaxyMaster) (1):
+ added policy for systemd-socket-proxyd
+
+0xC0ncord (1):
+ userdomain, xserver: move xdg rules to userdom_xdg_user_template
+
+Anthony PERARD (1):
+ xen: Allow xenstored to map /proc/xen/xsd_kva
+
+Antoine Tenart (15):
+ udev: allow udevadm to retrieve xattrs
+ locallogin: allow login to get attributes of procfs
+ logging: allow systemd-journal to write messages to the audit socket
+ sysnetwork: allow to read network configuration files
+ dbus: add two interfaces to allow reading from directories and named
+ sockets
+ dbus: allow clients to list runtime dirs and named sockets
+ systemd: add extra systemd_generator_t rules
+ systemd: allow systemd-hwdb to search init runtime directories
+ systemd: allow systemd-network to get attributes of fs
+ systemd: allow systemd-resolve to read in tmpfs
+ corecommands: add entry for Busybox shell
+ systemd: allow systemd-getty-generator to read and write unallocated ttys
+ systemd: allow systemd-network to list the runtime directory
+ ntp: allow systemd-timesyn to watch dbus objects
+ ntp: allow systemd-timesyn to setfscreate
+
+Chris PeBenito (117):
+ Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
+ jpds-acpid_shutdown
+ .travis.yml: Point selint at only the policy dir.
+ corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
+ version bump.
+ systemd: Move systemd-pstore block up in alphabetical order.
+ Switch to GitHub actions for CI actions.
+ systemd: Whitespace changes.
+ systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
+ systemd_stream_connect_socket_proxyd().
+ Drop criteria on github actions.
+ userdomain: Fix error in calling userdom_xdg_user_template().
+ systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
+ Makefile: Add -E to setfiles labeling targets.
+ udev: Drop udev_tbl_t.
+ udev: Systemd 246 merged udev and udevadm executables.
+ devicekit: Udisks uses udevadm, it does not exec udev.
+ Remove modules for programs that are deprecated or no longer supported.
+ chromium: Whitespace changes.
+ chromium: Move naclhelper lines.
+ certbot: Whitespace changes.
+ certbot: Drop aliases since they have never had the old names in
+ refpolicy.
+ certbot: Reorder fc lines.
+ miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
+ userdomain: Move lines.
+ certbot: Fix lint issues.
+ memlockd: Move lines.
+ memlockd: Whitespace fixes.
+ memlockd: Fix lint issue.
+ file_patterns.spt: Add a mmap_manage_files_pattern().
+ apache, mysql, postgrey, samba, squid: Apply new
+ mmap_manage_files_pattern().
+ devicekit, jabber, samba: Move lines.
+ cron: Make backup call for system_cronjob_t optional.
+ samba: Fix samba_runtime_t alias use.
+ samba: Move service interface definitions.
+ sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
+ block.
+ samba: Add missing userspace class requirements in unit interfaces.
+ apache: Fix lint error.
+ apache: Really fix lint error.
+ aptcacher: Drop broken config interfaces.
+ samba: Fix lint error.
+ 0xC0ncord/feature/sudodomain_http_connect_boolean
+ 0xC0ncord/bugfix/systemd_system_custom_unit_fc
+ dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
+ apt, bootloader: Move lines.
+ systemd: Move lines.
+ systemd: Fix lint errors.
+ systemd: Rename systemd_use_machined_devpts().
+ Bump module versions for release.
+
+Christian Göttsche (16):
+ postfixpolicyd: split multi-class rule
+ init/systemd: allow systemd to map the SELinux status page
+ selinux: add selinux_use_status_page and deprecate
+ selinux_map_security_files
+ genhomedircon: drop backwards compatibility section
+ genhomedircon: require match for home directory name
+ genhomedircon: drop unused functions
+ genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
+ genhomedircon: misc pylint cleanup
+ genhomedircon: improve error messages for min uid search
+ Rules.monolithic: ignore version mismatch
+ gitignore: ignore monolithic generated files
+ Preset OUTPUT_POLICY to 32
+ Rules.monolithic: do not suppress load_policy warning messages
+ Rules.monolithic: tweak checkpolicy arguments
+ Rules.monolithic: drop dead variable
+ Rules.monolithic: add missing phony declarations
+
+Daniel Burgener (4):
+ Allow init to mount over the system bus
+ Allow systemd-ask-password to watch files
+ Use self keyword when an AV rule source type matches destination
+ Fix typo in comment
+
+Dannick Pomerleau (1):
+ access_vectors: Add new capabilities to cap2
+
+Dave Sugar (9):
+ Looks like this got dropped in pull request #294
+ Allow snmpd to read hwdata
+ Updates for corosync to work in enforcing
+ To get pacemaker working in enforcing
+ pacemaker systemd permissions
+ Allow pacemaker to map/read/write corosync shared memory files
+ Allow systemd-modules-load to search kernel keys
+ pcs_snmpd_agent_t fix denials to allow it to read needed queues
+ Work with xdg module disabled
+
+David Schadlich (1):
+ add policy for pcs_snmp_agent
+
+Deepak Rawat (1):
+ Add selinux-policy for systemd-pstore service
+
+Dominick Grift (1):
+ bind: add a few fc specs for unbound
+
+Guido Trentalancia (1):
+ Add LVM module permissions needed to open cryptsetup devices.
+
+Jason Zaman (5):
+ userdomain: Add watch on home dirs
+ getty: allow watching file /run/agetty.reload
+ Add transition on gentoo init_t to openrc
+ init: upstream fcontexts from gentoo policy
+ systemd: make remaining dbus_* optional
+
+Jonathan Davies (8):
+ acpi.te: Allow acpid_t to shutdown the system - this is required to handle
+ shutdown calls from libvirt. Fixes #298.
+ acpi.te: Removed unnecessary init_write_initctl().
+ userdomain.if: Marked usbguard user modify tunable as optional so usbguard
+ may be excluded.
+ portage: Added /var/cache/distfiles path.
+ init: Added fcontext for openrc-init.
+ init: Added fcontext for openrc-shutdown.
+ apps/screen.fc: Added fcontext for tmux xdg directory.
+ apps/screen.te: Allow screen to search xdg directories.
+
+Kenton Groombridge (11):
+ devices: add interface for IOCTL on input devices
+ virt: add boolean to allow evdev passthrough
+ stunnel: add log type and rules
+ fail2ban: allow reading systemd journal
+ spamassassin: add rspamd support and tunable
+ apache: add interface for list dir perms on httpd content
+ sudo: add tunable for HTTP connections
+ init: label systemd units in /etc
+ certbot: add support for acme.sh
+ lvm: add lvm_tmpfs_t type and rules
+ Various fixes
+
+Peter Morrow (1):
+ selinux: add selinux_get_all_booleans() interface
+
+Richard Haines (1):
+ Ensure correct monolithic binary policy is loaded
+
+Russell Coker (11):
+ base chrome/chromium patch fixed
+ latest iteration of certbot policy as patch
+ yet more strict patches fixed
+ remove deprecated from 20190201
+ more Chrome stuff
+ latest memlockd patch
+ misc services patches with changes Dominick and Chris wanted
+ misc network patches with Dominick's changes*2
+ new version of filetrans patch
+ misc apps and admin patches
+ machined
+
+Yi Zhao (1):
+ sysnet: allow dhcpcd to create socket file
+
+bauen1 (4):
+ systemd: private type for /run/systemd/userdb
+ authlogin: connect to userdb
+ systemd-logind: utilize nsswitch
+ selint: fix S-010
+
* Tue Aug 18 2020 Chris PeBenito <pebenito@××××.org> - 2.20200818
Alexander Miroshnichenko (2):
openvpn: more versatile file context regex for ipp.txt

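
Review bot: the heading "+Chris PeBenito (117):" does not agree with the entries listed under it; only 46 subjects follow it, while every other heading's count matches its list (for example "+Antoine Tenart (15):" is followed by exactly 15 items), so either this count or this list was produced differently from the rest and the section should be regenerated so that the two agree. Two entries under the same heading, "+ 0xC0ncord/feature/sudodomain_http_connect_boolean" and "+ 0xC0ncord/bugfix/systemd_system_custom_unit_fc", are branch names rather than descriptions of a change and should be replaced by a one-line summary of what was merged. The module is spelled "aptcatcher" in "+ dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces." but "aptcacher" in "+ aptcacher: Drop broken config interfaces." a few lines earlier; if the changelog mirrors git subjects verbatim this is a typo in the history, otherwise correct it here. Lastly, several entries add tunables that widen what a confined domain may do once enabled ("+ virt: add boolean to allow evdev passthrough", "+ sudo: add tunable for HTTP connections", "+ spamassassin: add rspamd support and tunable"); policy consumers reviewing a release would be served by listing new booleans in their own paragraph of the release entry instead of leaving them interleaved with lint and whitespace commits.
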
diff --git a/VERSION b/VERSION
index dff6b732..d20cfcef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20200818
+2.20210203
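
Review bot: the bump from "-2.20200818" to "+2.20210203" is consistent with the date and version string of the new Changelog header ("* Wed Feb 03 2021 Chris PeBenito ... - 2.20210203") and with the commit subject, so the two files agree; nothing further to flag in this hunk.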