Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Sun, 07 Feb 2021 03:21:21
Message-Id: 1612646110.0d0b3f0b2c0d84a7529175dc505af157f48de2f6.perfinion@gentoo
1 commit: 0d0b3f0b2c0d84a7529175dc505af157f48de2f6
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Wed Feb 3 13:38:27 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 21:15:10 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b
7
8 Update Changelog and VERSION for release 2.20210203.
9
10 Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
14 VERSION | 2 +-
15 2 files changed, 194 insertions(+), 1 deletion(-)
16
17 diff --git a/Changelog b/Changelog
18 index 59037863..50cd31fc 100644
19 --- a/Changelog
20 +++ b/Changelog
21 @@ -1,3 +1,196 @@
22 +* Wed Feb 03 2021 Chris PeBenito <pebenito@××××.org> - 2.20210203
23 +(GalaxyMaster) (1):
24 + added policy for systemd-socket-proxyd
25 +
26 +0xC0ncord (1):
27 + userdomain, xserver: move xdg rules to userdom_xdg_user_template
28 +
29 +Anthony PERARD (1):
30 + xen: Allow xenstored to map /proc/xen/xsd_kva
31 +
32 +Antoine Tenart (15):
33 + udev: allow udevadm to retrieve xattrs
34 + locallogin: allow login to get attributes of procfs
35 + logging: allow systemd-journal to write messages to the audit socket
36 + sysnetwork: allow to read network configuration files
37 + dbus: add two interfaces to allow reading from directories and named
38 + sockets
39 + dbus: allow clients to list runtime dirs and named sockets
40 + systemd: add extra systemd_generator_t rules
41 + systemd: allow systemd-hwdb to search init runtime directories
42 + systemd: allow systemd-network to get attributes of fs
43 + systemd: allow systemd-resolve to read in tmpfs
44 + corecommands: add entry for Busybox shell
45 + systemd: allow systemd-getty-generator to read and write unallocated ttys
46 + systemd: allow systemd-network to list the runtime directory
47 + ntp: allow systemd-timesyn to watch dbus objects
48 + ntp: allow systemd-timesyn to setfscreate
49 +
50 +Chris PeBenito (117):
51 + Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
52 + jpds-acpid_shutdown
53 + .travis.yml: Point selint at only the policy dir.
54 + corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
55 + version bump.
56 + systemd: Move systemd-pstore block up in alphabetical order.
57 + Switch to GitHub actions for CI actions.
58 + systemd: Whitespace changes.
59 + systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
60 + systemd_stream_connect_socket_proxyd().
61 + Drop criteria on github actions.
62 + userdomain: Fix error in calling userdom_xdg_user_template().
63 + systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
64 + Makefile: Add -E to setfiles labeling targets.
65 + udev: Drop udev_tbl_t.
66 + udev: Systemd 246 merged udev and udevadm executables.
67 + devicekit: Udisks uses udevadm, it does not exec udev.
68 + Remove modules for programs that are deprecated or no longer supported.
69 + chromium: Whitespace changes.
70 + chromium: Move naclhelper lines.
71 + certbot: Whitespace changes.
72 + certbot: Drop aliases since they have never had the old names in
73 + refpolicy.
74 + certbot: Reorder fc lines.
75 + miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
76 + userdomain: Move lines.
77 + certbot: Fix lint issues.
78 + memlockd: Move lines.
79 + memlockd: Whitespace fixes.
80 + memlockd: Fix lint issue.
81 + file_patterns.spt: Add a mmap_manage_files_pattern().
82 + apache, mysql, postgrey, samba, squid: Apply new
83 + mmap_manage_files_pattern().
84 + devicekit, jabber, samba: Move lines.
85 + cron: Make backup call for system_cronjob_t optional.
86 + samba: Fix samba_runtime_t alias use.
87 + samba: Move service interface definitions.
88 + sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
89 + block.
90 + samba: Add missing userspace class requirements in unit interfaces.
91 + apache: Fix lint error.
92 + apache: Really fix lint error.
93 + aptcacher: Drop broken config interfaces.
94 + samba: Fix lint error.
95 + 0xC0ncord/feature/sudodomain_http_connect_boolean
96 + 0xC0ncord/bugfix/systemd_system_custom_unit_fc
97 + dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
98 + apt, bootloader: Move lines.
99 + systemd: Move lines.
100 + systemd: Fix lint errors.
101 + systemd: Rename systemd_use_machined_devpts().
102 + Bump module versions for release.
103 +
104 +Christian Göttsche (16):
105 + postfixpolicyd: split multi-class rule
106 + init/systemd: allow systemd to map the SELinux status page
107 + selinux: add selinux_use_status_page and deprecate
108 + selinux_map_security_files
109 + genhomedircon: drop backwards compatibility section
110 + genhomedircon: require match for home directory name
111 + genhomedircon: drop unused functions
112 + genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
113 + genhomedircon: misc pylint cleanup
114 + genhomedircon: improve error messages for min uid search
115 + Rules.monolithic: ignore version mismatch
116 + gitignore: ignore monolithic generated files
117 + Preset OUTPUT_POLICY to 32
118 + Rules.monolithic: do not suppress load_policy warning messages
119 + Rules.monolithic: tweak checkpolicy arguments
120 + Rules.monolithic: drop dead variable
121 + Rules.monolithic: add missing phony declarations
122 +
123 +Daniel Burgener (4):
124 + Allow init to mount over the system bus
125 + Allow systemd-ask-password to watch files
126 + Use self keyword when an AV rule source type matches destination
127 + Fix typo in comment
128 +
129 +Dannick Pomerleau (1):
130 + access_vectors: Add new capabilities to cap2
131 +
132 +Dave Sugar (9):
133 + Looks like this got dropped in pull request #294
134 + Allow snmpd to read hwdata
135 + Updates for corosync to work in enforcing
136 + To get pacemaker working in enforcing
137 + pacemaker systemd permissions
138 + Allow pacemaker to map/read/write corosync shared memory files
139 + Allow systemd-modules-load to search kernel keys
140 + pcs_snmpd_agent_t fix denials to allow it to read needed queues
141 + Work with xdg module disabled
142 +
143 +David Schadlich (1):
144 + add policy for pcs_snmp_agent
145 +
146 +Deepak Rawat (1):
147 + Add selinux-policy for systemd-pstore service
148 +
149 +Dominick Grift (1):
150 + bind: add a few fc specs for unbound
151 +
152 +Guido Trentalancia (1):
153 + Add LVM module permissions needed to open cryptsetup devices.
154 +
155 +Jason Zaman (5):
156 + userdomain: Add watch on home dirs
157 + getty: allow watching file /run/agetty.reload
158 + Add transition on gentoo init_t to openrc
159 + init: upstream fcontexts from gentoo policy
160 + systemd: make remaining dbus_* optional
161 +
162 +Jonathan Davies (8):
163 + acpi.te: Allow acpid_t to shutdown the system - this is required to handle
164 + shutdown calls from libvirt. Fixes #298.
165 + acpi.te: Removed unnecessary init_write_initctl().
166 + userdomain.if: Marked usbguard user modify tunable as optional so usbguard
167 + may be excluded.
168 + portage: Added /var/cache/distfiles path.
169 + init: Added fcontext for openrc-init.
170 + init: Added fcontext for openrc-shutdown.
171 + apps/screen.fc: Added fcontext for tmux xdg directory.
172 + apps/screen.te: Allow screen to search xdg directories.
173 +
174 +Kenton Groombridge (11):
175 + devices: add interface for IOCTL on input devices
176 + virt: add boolean to allow evdev passthrough
177 + stunnel: add log type and rules
178 + fail2ban: allow reading systemd journal
179 + spamassassin: add rspamd support and tunable
180 + apache: add interface for list dir perms on httpd content
181 + sudo: add tunable for HTTP connections
182 + init: label systemd units in /etc
183 + certbot: add support for acme.sh
184 + lvm: add lvm_tmpfs_t type and rules
185 + Various fixes
186 +
187 +Peter Morrow (1):
188 + selinux: add selinux_get_all_booleans() interface
189 +
190 +Richard Haines (1):
191 + Ensure correct monolithic binary policy is loaded
192 +
193 +Russell Coker (11):
194 + base chrome/chromium patch fixed
195 + latest iteration of certbot policy as patch
196 + yet more strict patches fixed
197 + remove deprecated from 20190201
198 + more Chrome stuff
199 + latest memlockd patch
200 + misc services patches with changes Dominick and Chris wanted
201 + misc network patches with Dominick's changes*2
202 + new version of filetrans patch
203 + misc apps and admin patches
204 + machined
205 +
206 +Yi Zhao (1):
207 + sysnet: allow dhcpcd to create socket file
208 +
209 +bauen1 (4):
210 + systemd: private type for /run/systemd/userdb
211 + authlogin: connect to userdb
212 + systemd-logind: utilize nsswitch
213 + selint: fix S-010
214 +
215 * Tue Aug 18 2020 Chris PeBenito <pebenito@××××.org> - 2.20200818
216 Alexander Miroshnichenko (2):
217 openvpn: more versatile file context regex for ipp.txt
218
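Review bot: the "Chris PeBenito (117):" heading does not match its list, which carries 46 subjects, and two entries under it ("0xC0ncord/feature/sudodomain_http_connect_boolean", "0xC0ncord/bugfix/systemd_system_custom_unit_fc") are branch names rather than commit subjects; either regenerate the section from git shortlog so the per-author counts agree with the entries below them, or reword those two lines to say what the merges changed (the sudo HTTP-connect tunable and the custom systemd unit file contexts appear as separate entries elsewhere in the same hunk). A minor consistency point in the same block: "aptcacher: Drop broken config interfaces." and "dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces." spell the module name two ways; if the subjects are copied verbatim from the commits this is fine to leave, otherwise "aptcacher" is the module name used elsewhere.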
219 diff --git a/VERSION b/VERSION
220 index dff6b732..d20cfcef 100644
221 --- a/VERSION
222 +++ b/VERSION
223 @@ -1 +1 @@
224 -2.20200818
225 +2.20210203