author: Chris PeBenito <pebenito@ieee.org> 2024-02-26 13:38:45 -0500
committer: Kenton Groombridge <concord@gentoo.org> 2024-03-01 12:06:00 -0500
commit: 1949397458a649cf876a4a758a28d65626ad2709 (patch)
tree: d3586aa1f6f322e38e8cf723886722baffa4068a
parent: libraries: drop space in empty line (diff)
Update Changelog and VERSION for release 2.20240226.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--  Changelog  487
-rw-r--r--  VERSION      2
2 files changed, 488 insertions, 1 deletions
diff --git a/Changelog b/Changelog
index 76cd60fdc..a1938b4f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,490 @@
+* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
+Chris PeBenito (174):
+ tests.yml: Pin ubuntu 20.04.
+ tests.yml: Pin ubuntu 20.04.
+ fstools: Move lines.
+ munin: Move munin_rw_tcp_sockets() implementation.
+ munin: Whitespace change.
+ systemd: Tmpfilesd can correct seusers on files.
+ iscsi: Read initiatorname.iscsi.
+ lvm: Add fc entry for /etc/multipath/*
+ sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
+ Define user_namespace object class.
+ chromium: Allow user namespace creation.
+ mozilla: Allow user namespace creation.
+ systemd: Allow user namespace creation.
+ container: Allow user namespace creation for all container engines.
+ Update eg25manager.te
+ switcheroo: Whitespace fix.
+ unconfined: Keys are linkable by systemd.
+ postgresql: Move lines
+ Add append to rw and manage lnk_file permission sets for consistency.
+ domain: Manage own fds.
+ systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
+ kernel: hv_utils shutdown on systemd systems.
+ Container: Minor fixes from interactive container use.
+ systemd: Minor coredump fixes.
+ rpm: Minor fixes
+ init: Allow nnp/nosuid transitions from systemd initrc_t.
+ selinuxutil: Semanage reads policy for export.
+ sysnetwork: ifconfig searches debugfs.
+ usermanage: Add sysctl access for groupadd to get number of groups.
+ files: Handle symlinks for /media and /srv.
+ cloudinit: Add support for installing RPMs and setting passwords.
+ kdump: Fixes from testing kdumpctl.
+ usermanage: Handle symlinks in /usr/share/cracklib.
+ unconfined: Add remaining watch_* permissions.
+ chronyd: Read /dev/urandom.
+ cloud-init: Allow use of sudo in runcmd.
+ cloud-init: Add systemd permissions.
+ cloud-init: Change udev rules
+ systemd: Updates for systemd-locale.
+ cloudinit: Add permissions derived from sysadm.
+
+Christian Göttsche (28):
+ git: add fcontext for default binary
+ init: only grant getattr in init_getattr_generic_units_files()
+ ci: bump SELint version to 1.5.0
+ SELint userspace class tweaks
+ systemd: reorder optional block
+ devicedisk: reorder optional block
+ access_vectors: define io_uring { cmd }
+ support/genhomedircon: support usr prefixed paths
+ fix misc typos
+ Support multi-line interface calls
+ policy_capabilities: remove estimated from released versions
+ Rules.monolithic: pre-compile fcontexts on install
+ Rules.modular: use temporary file to not ignore error
+ Makefile: use sepolgen-ifgen-attr-helper from test toolchain
+ Makefile: set PYTHONPATH for test toolchain
+ virt: label qemu configuration directory
+ selinuxutil: setfiles updates
+ selinuxutil: ignore getattr proc in newrole
+ userdom: permit reading PSI as admin
+ fs: mark memory pressure type as file
+ systemd: binfmt updates
+ vnstatd: update
+ fs: add support for virtiofs
+ systemd: generator updates
+ udev: update
+ systemd: logind update
+ consolesetup: update
+ libraries: drop space in empty line
+
+Christian Schneider (1):
+ systemd-generator: systemd_generator_t load kernel modules used for e.g.
+ zram-generator
+
+Corentin LABBE (20):
+ udev: permit to read hwdb
+ fstools: handle gentoo place for drivedb.h
+ mount: dbus interface must be optional
+ mcelog: add missing file context for triggers
+ munin: add file context for common functions file
+ rsyslog: add label for /var/empty/dev/log
+ munin: disk-plugin: transition to fsadm
+ munin: add fc for munin-node plugin state
+ usermanage: permit groupadd to read kernel sysctl
+ portage: Remove old binary location
+ portage: add go/hg source control files
+ portage: add new location for portage commands
+ portage: add missing go/hg context in new distfiles location
+ mandb: permit to read inherited cron files
+ selinuxutil: do not audit load_policy trying to use portage ptys
+ selinuxutil: permit run_init to read kernel sysctl
+ portage: add misc mising rules
+ smartmon: allow smartd to read fsadm_db_t files
+ smartmon: add domain for update-smart-drivedb
+ dovecot: add missing permissions
+
+Dave Sugar (46):
+ rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
+ Allow local login to read /run/motd
+ Label pwhistory_helper
+ If domain can read system_dbusd_var_lib_t files, also allow symlinks
+ systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
+ To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
+ Allow iceauth write to xsession log
+ Allow system_dbusd_t to start/stop all units
+ Updates for utempter
+ Allow display manager to read hwdata
+ Allow search xdm_var_run_t directories along with reading files.
+ Solve issue with no keyboard/mouse on X login screen
+ separate label for /etc/security/opasswd
+ Fix some ssh agent denials
+ For systemd-hostnamed service to run
+ Allow rsyslog to drop capabilities
+ /var/lib/sddm should be xdm_var_lib_t
+ resolve lvm_t issues at shutdown with LUKS encrypted devices
+ Allow all users to (optionally) send syslog messages
+ Resolve some denials with colord
+ separate domain for journalctl during init
+ Use interface that already exists.
+ Separate label for /run/systemd/notify (#710)
+ Changes needed for dbus-broker-launch
+ Allow dbus-broker-launch to execute in same domain
+ dbus changes
+ Firewalld need to relabel direct.xml file
+ xguest ues systemd --user
+ Needed to allow environment variable to process started (for cockpit)
+ SELinux policy for cockpit
+ Fix denial while cleaning up pidfile symlink
+ allow system --user to execute systemd-tmpfiles in
+ <user>_systemd_tmpfiles_t domain
+ cockpit ssh as user
+ Allow sudo dbus chat w/sysemd-logind
+ The L+ tmpfiles option needs to read the symlink
+ Signal during logout
+ This seems important for administrative access
+ This works instead of allow exec on user_tmpfs_t!
+ admin can read/write web socket
+ Allow key manipulation
+ Add dontaudit to quiet down a bit
+ Add watches
+ Additional access for systemctl
+ Denial during cockpit use
+ Fix password changing from cockpit login screen
+ Resolve error when cockpit initiate shutdown
+
+David Sommerseth (1):
+ openvpn: Allow netlink genl
+
+Fabrice Fontaine (1):
+ policy/modules/services/smartmon.te: make fstools optional
+
+Florian Schmidt (1):
+ Add label and interfaces for kernel PSI files
+
+George Zenner (1):
+ Signed-off-by: George Zenner <zen@pyl.onl>
+
+Grzegorz Filo (3):
+ Shell functions used during boot by initrc_t shall be bin_t and defined in
+ corecommands.fc
+ Dir transition goes with dir create perms.
+ Keep context of blkid file/dir when created by zpool.
+
+Guido Trentalancia (53):
+ The pulseaudio daemon and client do not normally need to use the network
+ for most computer systems that need to play and record audio.
+ The kernel domain should be able to mounton runtime directories during
+ switch_root, otherwise parts of the boot process might fail on some
+ systems (for example, the udev daemon).
+ The kernel domain should be able to mounton default directories during
+ switch_root.
+ The pulseaudio module should be able to read alsa library directories.
+ Fix the pulseaudio module file transition for named sockets in tmp
+ directories.
+ Fix the dbus module so that automatic file type transitions are used not
+ only for files and directories, but also for named sockets.
+ Fix the dbus module so that temporary session named sockets can be read
+ and written in the role template and by system and session bus clients.
+ Update the dbus role template so that permissions to get the attributes of
+ the proc filesystem are included.
+ Let pulseaudio search debugfs directories, as currently done with other
+ modules.
+ Separate the tunable permissions to write xserver tmpfs files from the
+ tunable permissions to write X server shared memory.
+ Fix a security bug in the xserver module (interfaces) which was wrongly
+ allowing an interface to bypass existing tunable policy logic related
+ to X shared memory and xserver tmpfs files write permissions.
+ Add missing permissions to execute binary files for the evolution_alarm_t
+ domain.
+ Add the permissions to manage the fonts cache (fontconfig) to the window
+ manager role template.
+ Add permissions to watch libraries directories to the userdomain login
+ user template interface.
+ Update the xscreensaver module in order to work with the latest version
+ (tested with version 6.06).
+ Include the X server tmpfs rw permissions in the X shared memory write
+ access tunable policy under request from Christoper PeBenito.
+ Revert the following commit (ability to read /usr files), as it is no
+ longer needed, after the database file got its own label:
+ Update the kernel module to remove misplaced or at least really obsolete
+ permissions during kernel module loading.
+ Introduce a new "logging_syslog_can_network" boolean and make the
+ net_admin capability as well as all corenetwork permissions previously
+ granted to the syslog daemon conditional upon such boolean being true.
+ Let the openoffice domain manage fonts cache (fontconfig).
+ Update the openoffice module so that it can create Unix stream sockets
+ with its own label and use them both as a client and a server.
+ Let mplayer to act as a dbus session bus client (needed by the vlc media
+ player).
+ Add permissions to read device sysctls to mplayer.
+ Remove misplaced permission from mount interface mount_exec.
+ Remove a vulnerability introduced by a logging interface which allows to
+ execute log files.
+ Improved wording for the new xserver tunable policy booleans introduced
+ with the previous three commits.
+ Fix another security bug companion of the one fixed in the following
+ previous commit:
+ Fix another security bug similar to the ones that have been recently fixed
+ in the following two commits:
+ Remove duplicate permissions in the xserver module
+ xserver_restricted_role() interface.
+ Dbus creates Unix domain sockets (in addition to listening on and
+ connecting to them), so its policy module is modified accordingly.
+ Remove a logging interface from the userdomain module since it has now
+ been moved to the xscreensaver domain.
+ Create a new specific file label for the random seed file saved before
+ shutting down or rebooting the system and rework the interface needed
+ to manage such file.
+ Fix the shutdown policy in order to make use of the newly created file
+ label and interface needed to manage the random seed file.
+ Update the gpg module so that the application is able to fetch new keys
+ from the network.
+ Dbus creates Unix domain sockets not only for the system bus, but also for
+ the session bus (in addition to connecting to them), so its policy
+ module is modified accordingly.
+ Update the gnome module so that the gconf daemon is able to create Unix
+ domain sockets and accept or listen connections on them.
+ Fix the recently introduced "logging_syslog_can_network" tunable policy,
+ by including TCP/IP socket creation permissions.
+ Introduce a new interface in the mta module to manage the mail transport
+ agent configuration directories and files.
+ Add new gpg interfaces for gpg_agent execution and to avoid auditing
+ search operations on files and directories that are not strictly needed
+ and might pose a security risk.
+ Extend the scope of the "spamassassin_can_network" tunable policy boolean
+ to all network access (except the relative dontaudit rules).
+ Update the spamassassin module in order to better support the rules
+ updating script; this achieved by employing two distinct domains for
+ increased security and network isolation: a first domain is used for
+ fetching the updated rules from the network and second domain is used
+ for verifying the GPG signatures of the received rules.
+ Under request from Christopher PeBenito, merge the two spamassassin rules
+ updating SELinux domains introduced in the previous change in order to
+ reduce the non-swappable kernel memory used by the policy.
+ Introduce a new "dbus_can_network" boolean which controls whether or not
+ the dbus daemon can act as a server over TCP/IP networks and defaults
+ to false, as this is generally insecure, except when using the local
+ loopback interface.
+ Introduce two new booleans for the X server and X display manager domains
+ which control whether or not the respective domains allow the TCP/IP
+ server networking functionality.
+ The X display manager uses an authentication mechanism based on an
+ authorization file which is critical for X security.
+ Merge branch 'main' into x_fixes_pr2
+ Let openoffice perform temporary file transitions and manage link files.
+ Modify the gpg module so that gpg and the gpg_agent can manage
+ gpg_runtime_t socket files.
+ The LDAP server only needs to read generic certificate files, not manage
+ them.
+ Create new TLS Private Keys file contexts for the Apache HTTP server
+ according to the default locations:
+ Let the webadm role manage Private Keys and CSR for SSL Certificates used
+ by the HTTP daemon.
+ Let the certmonger module manage SSL Private Keys and CSR used for example
+ by the HTTP and/or Mail Transport daemons.
+ Additional file context fix for:
+
+Kai Meng (1):
+ devices:Add genfscon context for functionfs to mount
+
+Kenton Groombridge (106):
+ corenet: add portcon for kubernetes
+ kubernetes: initial policy module
+ sysadm: allow running kubernetes
+ crio: new policy module
+ crio, kubernetes: allow k8s admins to run CRI-O
+ container: add type for container plugins
+ various: fixes for kubernetes
+ kubernetes: add policy for kubectl
+ various: fixes for kubernetes
+ container, kernel: add tunable to allow spc to create NFS servers
+ container: add tunable to allow containers to use huge pages
+ container, kubernetes: add private type for generic container devices
+ container: add tunable to use dri devices
+ container, kubernetes: add rules for device plugins running as spc
+ various: allow using glusterfs as backing storage for k8s
+ container, miscfiles: transition to s0 for public content created by
+ containers
+ container: add tunable to allow spc to use tun-tap devices
+ container: correct admin_pattern() usage
+ systemd: add policy for systemd-pcrphase
+ hddtemp: add missing rules for interactive usage
+ netutils: minor fixes for nmap and traceroute
+ container: add rules required for metallb BGP speakers
+ filesystem, init: allow systemd to setattr on ramfs dirs
+ logging: allow domains sending syslog messages to connect to kernel unix
+ stream sockets
+ init, sysadm: allow sysadm to manage systemd runtime units
+ podman: allow podman to stop systemd transient units
+ userdom: allow admin users to use tcpdiag netlink sockets
+ container: allow container admins the sysadm capability in user namespaces
+ postfix: allow postfix master to map data files
+ sasl: add filecon for /etc/sasl2 keytab
+ obj_perm_sets: add mmap_manage_file_perms
+ various: use mmap_manage_file_perms
+ postfix, sasl: allow postfix smtp daemon to read SASL keytab
+ various: fixes for libvirtd and systemd-machined
+ portage: label eix cache as portage_cache_t
+ container: add missing filetrans and filecon for containerd/docker
+ container, init, systemd: add policy for quadlet
+ container: fixes for podman 4.4.0
+ container: fixes for podman run --log-driver=passthrough
+ node_exporter: various fixes
+ redis: add missing rules for runtime filetrans
+ podman, selinux: move lines, add missing rules for --network=host
+ netutils: fixes for iftop
+ kernel, zfs: add filetrans for kernel creating zpool cache file
+ zfs: allow sending signals to itself
+ zfs: add runtime filetrans for dirs
+ init: make init_runtime_t useable for systemd units
+ various: make /etc/machine-id etc_runtime_t
+ init, systemd: allow init to create userdb runtime symlinks
+ init: allow initrc_t to getcap
+ systemd: allow systemd-userdbd to getcap
+ logging: allow systemd-journald to list cgroups
+ fs, udev: allow systemd-udevd various cgroup perms
+ logging, systemd: allow relabelfrom,relabelto on systemd journal files by
+ systemd-journald
+ files, systemd: allow systemd-tmpfiles to relabel config file symlinks
+ systemd: add rules for systemd-zram-generator
+ systemd: allow systemd-pcrphase to read generic certs
+ fs, init: allow systemd-init to set the attributes of efivarfs files
+ init: allow systemd-init to set the attributes of unallocated terminals
+ systemd: allow systemd-resolved to bind to UDP port 5353
+ init: allow initrc_t to create netlink_kobject_uevent_sockets
+ raid: allow mdadm to read udev runtime files
+ raid: allow mdadm to create generic links in /dev/md
+ fstools: allow fsadm to read utab
+ glusterfs: allow glusterd to bind to all TCP unreserved ports
+ kubernetes: allow kubelet to read etc runtime files
+ chromium: allow chromium-naclhelper to create user namespaces
+ container: rework capabilities
+ container: allow watching FUSEFS dirs and files
+ glusterfs: add tunable to allow managing unlabeled files
+ sysadm: allow using networkctl
+ container: various fixes
+ container, kubernetes: add support for cilium
+ kubernetes: allow container engines to mount on DRI devices if enabled
+ init, systemd: label systemd-executor as init_exec_t
+ udev: allow reading kernel fs sysctls
+ init: allow all daemons to write to init runtime sockets
+ systemd: fixes for systemd-pcrphase
+ systemd: allow networkd to use netlink netfilter sockets
+ rpc: add filecon for /etc/exports.d
+ zed: allow managing /etc/exports.d/zfs.exports
+ zfs: dontaudit net_admin capability by zed
+ su: various fixes
+ kernel: allow delete and setattr on generic SCSI and USB devices
+ mount: make mount_runtime_t a kubernetes mountpoint
+ fstools: allow fsadm to ioctl cgroup dirs
+ fstools: allow reading container device blk files
+ container, kubernetes: add support for rook-ceph
+ kernel: dontaudit read fixed disk devices
+ container: add filecons for rook-ceph
+ init, systemd: allow systemd-pcrphase to write TPM measurements
+ systemd: add policy for systemd-machine-id-setup
+ container, kubernetes: allow kubernetes to use fuse-overlayfs
+ kubernetes: fix kubelet accounting
+ systemd: label systemd-pcrlock as systemd-pcrphase
+ zfs: allow zfs to write to exports
+ kernel: allow managing mouse devices
+ init: allow using system bus anon pidfs
+ systemd: label systemd-tpm2-setup as systemd-pcrphase
+ bootloader, init, udev: misc minor fixes
+ rpc: fix not labeling exports.d directory
+ dbus: allow the system bus to get the status of generic units
+ systemd: allow systemd generator to list exports
+ crio: allow reading container home content
+ container: allow spc to map kubernetes runtime files
+ kubernetes: allow kubelet to apply fsGroup to persistent volumes
+
+Luca Boccassi (4):
+ Set label systemd-oomd
+ Add separate label for cgroup's memory.pressure files
+ systemd: also allow to mounton memory.pressure
+ systemd: allow daemons to access memory.pressure
+
+Mathieu Tortuyaux (1):
+ container: fix cilium denial
+
+Oleksii Miroshko (1):
+ Fix templates parsing in gentemplates.sh
+
+Pat Riehecky (1):
+ container: set default context for local-path-provisioner
+
+Renato Caldas (1):
+ kubernetes: allow kubelet to read /proc/sys/vm files.
+
+Russell Coker (28):
+ This patch removes deprecated interfaces that were deprecated in the
+ 20210203 release. I think that 2 years of support for a deprecated
+ interface is enough and by the time we have the next release out it
+ will probably be more than 2 years since 20210203.
+ This patch removes deprecated interfaces that were deprecated in the
+ 20210203 release. I think that 2 years of support for a deprecated
+ interface is enough and by the time we have the next release out it
+ will probably be more than 2 years since 20210203.
+ eg25-manager (Debian package eg25-manager) is a daemon aimed at
+ configuring and monitoring the Quectel EG25 modem on a running system.
+ It is used on the PinePhone (Pro) and performs the following functions:
+ * power on/off * startup configuration using AT commands * AGPS
+ data upload * status monitoring (and restart if it becomes
+ unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
+ iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
+ proxy Industrial I/O subsystem is intended to provide support for
+ devices that in some sense are analog to digital or digital to analog
+ convertors . Devices that fall into this category are: * ADCs *
+ Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
+ (CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
+ Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
+ Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
+ Amplifiers (VGA, PGA)
+ Fixed dependency on unconfined_t
+ Comment sysfs better
+ Daemon to control authentication for Thunderbolt.
+ Daemon to monitor memory pressure and notify applications and change …
+ (#670)
+ switcheroo is a daemon to manage discrete vs integrated GPU use for apps
+ policy for power profiles daemon, used to change power settings
+ some misc userdomain fixes
+ debian motd.d directory (#689)
+ policy for the Reliability Availability servicability daemon (#690)
+ policy patches for anti-spam daemons (#698)
+ Added tmpfs file type for postgresql Small mysql stuff including
+ anon_inode
+ small ntp and dns changes (#703)
+ small network patches (#707)
+ small storage changes (#706)
+ allow jabbers to create sock file and allow matrixd to read sysfs (#705)
+ small systemd patches (#708)
+ misc small patches for cron policy (#701)
+ mon.te patches as well as some fstools patches related to it (#697)
+ misc small email changes (#704)
+ https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
+ Label checkarray as mdadm_exec_t, allow it to read/write temp files
+ inherited from cron, and dontaudit ps type operations from it
+ Changes to eg25manager and modemmanager needed for firmware upload on
+ pinephonepro
+ patches for nspawn policy (#721)
+ Simple patch for Brother printer drivers as described in:
+ https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
+
+Yi Zhao (15):
+ systemd: add capability sys_resource to systemd_userdbd_t
+ systemd: allow systemd-sysctl to search directories on ramfs
+ systemd: allow systemd-resolved to search directories on tmpfs and ramfs
+ mount: allow mount_t to get attributes for all directories
+ loadkeys: do not audit attempts to get attributes for all directories
+ systemd: allow systemd-networkd to create file in /run/systemd directory
+ systemd: allow journalctl to create /var/lib/systemd/catalog
+ bind: fix for named service
+ systemd: use init_daemon_domain instead of init_system_domain for
+ systemd-networkd and systemd-resolved
+ rpm: fixes for dnf
+ lvm: set context for /run/cryptsetup
+ container: set context for /run/crun
+ systemd: allow systemd-hostnamed to read machine-id and localization files
+ systemd: allow systemd-rfkill to getopt from uevent sockets
+ udev: fix for systemd-udevd
+
+freedom1b2830 (1):
+ mplayer:vlc paths
+
* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
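Review bot: the per-author count and the listed entries disagree for the first block: the header reads "Chris PeBenito (174):" but only about forty subject lines follow it, while the other headers ("Christian Göttsche (28):", "Dave Sugar (46):", "Kenton Groombridge (106):") match the number of entries beneath them, so either the list was trimmed after the count was taken or the count is wrong and one of the two should be fixed. Three smaller points in the same hunk: the "George Zenner (1):" block contains only "Signed-off-by: George Zenner <zen@pyl.onl>" instead of a subject line; several entries end in a colon that points at a commit the Changelog no longer names ("Revert the following commit (ability to read /usr files) ...:", "Fix another security bug companion of the one fixed in the following previous commit:", "Additional file context fix for:"), so a reader cannot tell which change is meant and substituting the referenced subject would help; and the verbatim repeats ("tests.yml: Pin ubuntu 20.04." twice, and Russell Coker's "This patch removes deprecated interfaces ..." paragraph twice) look like duplicated commit messages that could be collapsed to one entry each.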
diff --git a/VERSION b/VERSION
index f14c5b175..238b92fda 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20221101
+2.20240226
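Review bot: the bump from 2.20221101 to 2.20240226 agrees with the release date in the commit message and with the new top Changelog header line "* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226", so the two files stay consistent; nothing to change here.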