| field | value | date |
|---|---|---|
| author | Chris PeBenito <pebenito@ieee.org> | 2022-11-01 09:54:51 -0400 |
| committer | Kenton Groombridge <concord@gentoo.org> | 2022-12-13 14:03:47 -0500 |
| commit | 9d66b5b513a17eb8414d767f00a521c0c07c66ea (patch) | |
| tree | 2a05d8642c3a985822dd43824e41d0bf88ca51d8 /Changelog | |
| parent | systemd: add capability sys_admin to systemd_generator_t (diff) | |
| download | hardened-refpolicy-9d66b5b513a17eb8414d767f00a521c0c07c66ea.tar.gz, hardened-refpolicy-9d66b5b513a17eb8414d767f00a521c0c07c66ea.tar.bz2, hardened-refpolicy-9d66b5b513a17eb8414d767f00a521c0c07c66ea.zip | |
Update Changelog and VERSION for release 2.20221101.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'Changelog')
-rw-r--r-- | Changelog | 204 |
1 files changed, 204 insertions, 0 deletions
@@ -1,3 +1,207 @@ +* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101 +Chris PeBenito (46): + systemd: Drop systemd_detect_virt_t. + fstools: Handle resizes of the root filesystem. + mount: Get the attributes of all filesystems. + rpm: Add dnf and tdnf labeling. + logging: Change to systemd interface for tmpfilesd. + systemd: Remove systemd-run domain. + unconfined: Add missing capability2 perms. + lvm: Updates for multipath LVM. + locallogin: Use init file descriptors. + systemd: Misc fixes. + isns: Updates from testing. + container, docker: Fixes for containerd and kubernetes testing. + devices: Add type for SAS management devices. + devices: Add file context for /dev/vhost-vsock. + iptables: Ioctl cgroup dirs. + devices: Add type for infiniband devices. + storage: Add fc for /dev/ng*n* devices. + files: Add prerequisite access for files_mounton_non_security(). + files: Make etc_runtime_t a config file. + systemd: Fixes for coredumps in containers. + container: Allow container engines to connect to http cache ports. + container: Getattr generic device nodes. + application: Allow apps to use init fds. + systemd: Misc updates. + filesystem: Move ecryptfs interface definitions. + mcs: Add additional SysV IPC constraints. + mcs: Collapse constraints. + mcs: Add additional socket constraints. + mcs: Add missing process permission constraints. + mcs: Remove duplicate node_bind constraint. + mcs: Reorganize file. + mls: Add setsockcreate constraint. + systemd: Add interface for systemctl exec. + Add cloud-init. + hypervkvp: Port updated module from Fedora policy. + init: Add tunable for systemd to create all its mountpoints. + Run Ci tests in parallel. + Revise userspace and SELint versions in CI + fapolicyd: Fix selint issue. + tests.yml: Remove irrelevant comment. + Drop audit_access allows. + sympa: Move lines. + sympa: Drop module version. + sympa, mta, exim: Revise interfaces. + sympa, logging; Fix lint errors. 
+ container: Add missing UDP node bind access on container engines. + +Christian Göttsche (3): + Replace deprecated egrep usage + ci: update dependencies + ci: build SELint from source + +Daniel Burgener (1): + Drop explicit calls to seutil and kernel module interfaces in broad files + interfaces + +Dave Sugar (20): + ssh: allow ssh_keygen to read /usr/share/crypto-policies/ + chronyd: Allow to read fips_enabled sysctl + chronyd: allow chronyd to read /usr/share/crypto-policies + systemd: init_t creates systemd-logind 'linger' directory + systemd: systemd-update-done fix startup issue + usbguard: Allow to read fips_enabled sysctl + firewalld: read to read fips_enabled sysctl + firewalld: create netfilter socket + firewalld: allow to load kernel modules + firewalld: write tmpfs files + firewalld: firewalld-cmd uses dbus + tpm2-abrmd: allow to send syslog messages + domain: move kernel_read_crypto_sysctls to a common location + fapolicyd: Initial SELinux policy + networkmanager: allow watch etc_t and lib_t + firewalld: allow watch on firewalld files + Seeing long delay during shutdown saying: 'A stop job is running for + Restore /run/initramfs on shutdown' + fix: issue #550 - compile failed when DIRECT_INITRC=y + fapolicyd: fagenrules chgrp's the compiled.rules + Add 'DIRECT_INITRC' config to automated tests + +Kenton Groombridge (95): + systemd: add separate type for user transient units + systemd: rename user runtime unit interfaces + docker, podman: use renamed user runtime unit status interface + systemd: rename status user mananger units interface + systemd: systemd-resolved is linked to libselinux + systemd: dontaudit systemd-generator getattr on all dirs + raid: allow mdadm to use user ptys + bootloader, files: allow bootloader to getattr on boot_t filesystems + matrixd: various fixes + container: add unconfined role + unconfined: use unconfined container role + podman: add interface to rangetrans when executing conmon + podman: rework conmon rules + podman: 
add file context for podman in /usr/libexec + container: rework combined role interfaces + podman: typealias podman_user_conmon_t to podman_conmon_user_t + fail2ban: allow fail2ban to getsched on its processes + modutils: allow kmod to write to kmsg + postfix: allow postfix-map to read certbot certs + postfix: allow postfix master to get the state of init + postfix: allow postfix master fsetid capability + bind: fixes for named working on dnssec files + sudo: allow sudo domains to create netlink selinux sockets + sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve + container: allow containers to manipulate own fds + container: allow container engines to manage tmp symlinks + ssh: add tunable to allow sshd to use remote port forwarding + systemd: minor fixes to systemd user domains + init, systemd: allow unpriv users to read the catalog + container: add separate type for container engine units + container, podman: allow podman to restart container units + spamassassin: add file context for rspamd log directory + term, init: allow systemd to watch and watch reads on unallocated ttys + certbot: various fixes + systemd: add file transition for systemd-networkd runtime + systemd: add missing file context for /run/systemd/network + systemd: add file contexts for systemd-network-generator + systemd, udev: allow udev to read systemd-networkd runtime + systemd: allow systemd-networkd to read init runtime files + podman: add alias for conmon executable + systemd: ensure connecting to resolved allows searching init runtime + ssh: allow sshd to run setfiles when polyinstantiation is enabled + sudo: allow sudo domains to access caller's /proc/pid/stat + container: add file contexts for docker home config + files, init: allow systemd to remount etc filesystems + systemd: allow systemd-logind to read localization + init: fix possible typo + corecmd: label dracut lib as bin_t + sudo: various fixes + udev: various fixes for udevadm + bootloader, init: various fixes 
for systemd-boot + systemd: allow systemd-generator to read etc runtime files + systemd: add interface to read userdb runtime files + logging: various fixes for auditctl + screen: add interface to dontaudit runtime sock file + systemd: dontaudit systemd-tmpfiles getattr on screen sock file + systemd: dontaudit systemd-tmpfiles getattr on all dirs + fstools: fixes for fsadm with nfs + various: fixes for nfs + init: dontaudit initrc creating /dev/console during initrd + storage: include chr_files in fixed_disk_dev interfaces + systemd: allow systemd-userdbd to search default contexts + logging, systemd: allow auditctl to list userdb runtime dirs + bootloader, userdom: minor fixes for systemd-boot + systemd: allow systemd-resolved to read generic certs + sysadm: allow sysadm to rw ipmi devices + zfs: initial policy module + fstools, mount: remove legacy zfs rules + files, mount: remove legacy ZFS file contexts + sysadm: allow admin access to zfs + kernel: allow kthreads to read and write the zpool cache + systemd, zfs: allow systemd-generator to read zfs config + udev: allow reading ZFS config + zfs: various fixes + mta: add support for nullmailer + devices: add interface to rw infiniband devices + xdg: add interface to dontaudit searching xdg data dirs + opensm: initial policy + sysadm: allow opensm access + corenet: add portcon for glusterfs + glusterfs: various fixes + glusterfs: add type for gluster bricks + mount: allow mounting glusterfs volumes + selinuxutil: allow semanage, setfiles to inherit gluster fds + glusterfs, selinuxutil: make modifying fcontexts a tunable + glusterfs: add type for glusterd hooks + usermanage: add file context for chpasswd in /usr/bin + node_exporter: add file context for node_exporter in /usr/bin + usbguard: add file context for usbguard in /usr/bin + init: add file context for systemd units in dracut modules + git: add file contexts for other git utilities + dbus, init, mount, rpc: minor fixes for mount.nfs + zfs: allow reading 
exports + systemd: allow systemd-generator to use dns resolution + rpc: allow rpc admins to rw nfsd fs + +Pat Riehecky (2): + container: Boolean for ecryptfs + Clone `xguest_connect_network` for guest role + +Russell Coker (1): + Sympa list server + +Yi Zhao (16): + systemd: allow systemd user to watch /etc directories + logwatch: fixes for logwatch + postfix: allow postfix_local_t to search logwatch_cache_t + sysnetwork: allow systemd_networkd_t to read link file + logging: allow systemd-journal to manage syslogd_runtime_t sock_file + radius: fixes for freeradius + udev: allow udev_read_runtime_files to read link files + watchdog: allow watchdog to create /var/log/watchdog directory + systemd: allow systemd-resolved to manage link files + sysnetwork: fix privilege separation functionality of dhcpcd + sysnetwork: allow dhcpcd to send and receive messages from systemd + resolved + rpm: add label for dnf-automatic and dnf-3 + systemd: allow systemd-backlight to read kernel sysctl settings + systemd: allow systemd-rfkill to get attributes of all fs + systemd: allow systemd-hostnamed to read selinux configuration files + systemd: add capability sys_admin to systemd_generator_t + * Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520 Björn Esser (1): authlogin: add fcontext for tcb |
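Review bot: several of the added Changelog entries carry over typos and inconsistent punctuation from the commit subjects they were generated from, and since this block is release-facing text it is worth fixing them before tagging: "systemd: rename status user mananger units interface" (mananger, should read manager), "firewalld: read to read fips_enabled sysctl" (duplicated "read"), "sympa, logging; Fix lint errors." (semicolon where every other entry uses a colon after the module list), and "Run Ci tests in parallel" (Ci versus CI as used in the neighbouring entries). The wrapped subjects that spill onto a continuation line ("+ interfaces", "+ Restore /run/initramfs on shutdown'", "+ resolved") follow the existing shortlog wrapping style and are fine as they stand.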