RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update Changelog and VERSION for release. 

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2020-02-29 16:54:39 -05:00
parent b2f72e833b
commit 3039bde79c
2 changed files with 236 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

235
Changelog
View File

@ -1,3 +1,238 @@
* Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229
Alexander Miroshnichenko (1):
Add knot module
Chris PeBenito (174):
knot: Whitespace changes.
knot: Move lines.
devices, storage: Add fc entries for mtd char devices and ndctl devices.
devices: Add types for trusted execution environment interfaces.
ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
INSTALL: Fix build requirements.
fishilico/systemd-read-netlink_kobject_uevent_socket
Rename *_var_run_t types to *_runtime_t.
Reorder declarations based on *_runtime_t renaming.
Remove old aliases.
fishilico/filesystem-fs_rw_cgroup_files-follow-symlink
fc_sort.py: Use "==" for comparing integers.
xserver: Remove duplicate colord rule.
xserver: Move XDM dbus chats under main dbus optional.
Move open, audit_access, and execmod to file common.
Add file and filesystem watch access vectors.
Fix file common ordering and kernel version from previous commit.
init: Whitespace change.
unconfined: Add namespaced capabilities.
unconfined: Fix systemd --user rule.
Remove incorrect usages of "is" operator from Python scripts.
logging: Reorder lines.
systemd: Logind removes /run/user/* user temp files.
unconfined: Add watch permission for files.
systemd: Add filesystem watches.
dbus: Add directory watches.
udev: Watch devices.
init: Revise systemd bind mounts.
Add perf_event access vectors.
systemd: Whitespace fix.
logging: Whitespace fix.
Bump module versions for release.
Christian Göttsche (6):
fix Makefile for policy-module directories with same ending
segenxml.py: fix format usage in warning message
travis: force the use of python3.5
travis: run check_fc_files linter with python 3.7
re-implement fc_sort in python
Add genfs_seclabel_symlinks policy capability
Daniel Burgener (4):
Add requires to interfaces that reference types or attributes without
requiring them
Remove uneeded types from interfaces where types were added
Fix situations where require blocks in interfaces listed types not
actually referenced by that interface
Remove unneeded semicolons after interface and macro calls
Dominick Grift (2):
domain: unconfined access to bpf
Remove shell automatic domain transitions to unconfined_t from various pam
login programs
Guido Trentalancia (4):
Update the pulseaudio application module with a few user domain file read
and management permissions.
Allow userdomain to read and write the wireless devices (for example for
querying their state, enabling and/or disabling them using userspace
tools such as "rfkill" from util-linux).
Add an interface to allow watch permission on generic device directories.
Allow pulseaudio to watch generic device directories.
Jason Zaman (16):
udev: Allow udevadm access to udev_tbl_t
xserver: ICEauthority can be in /run/user
devicekit: udisks needs access to /run/mount/utab.lock
dirmngr: accept unix stream socket
chromium: allow dbus chat to inhibit power
virt: Add unix socket for virtlogd/virtlockd
virt: allow lvm_control access
fstools: add zfs-auto-snapshot
udev: Add watch perms
accountsd: Add watch perms
cron: watch cron spool
colord: add watch perms
policykit devicekit: Add watch perms
dbus: add watch perms
chromium: watch etc dirs
gpg: add watch perms for agent
Laurent Bigonville (9):
Makefile: Avoid regenerating the iftemplates at everyrun
Allow systemd_modules_load_t to module_request and map modules_object_t
files
Allow udevadm to read files in /run/udev/data
Allow udevadm_t to use dac_read_search capability
Allow the systemd dbus-daemon to talk to systemd
Allow geoclue to log in syslog
Allow realmd_t to read localization files
Allow alsa_t to create alsa_runtime_t file as well
Allow alsa_t to set scheduling priority and send signal to itself
Luca Boccassi (2):
journald: allow to remove /run/log/journal
logging: add interface to start/stop syslog units
Nicolas Iooss (75):
ulogd: add Debian's log directory
ulogd: allow creating a netlink-netfilter socket
ulogd: allow starting on a Debian system
entropyd: label the unit file of haveged
entropyd: allow haveged to create a Unix socket to received commands
ulogd: fix pattern for /run/ulog directory
monit: use s0 instead of s9
java: reduce the scope of the pattern in for java entry points
libraries: match a digit in Adobe Reader directories
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
rpcbind: remove redundant file context for /run/rpc.statd.pid
files: reduce the scope of the pattern matching /usr/include
Remove unescaped single dot from the policy
Fix use of buggy pattern (.*)?
libraries: drop a pattern specific to Python 2.4
systemd: introduce an interface for services using PrivateDevices=yes
Vagrantfile: upgrade VM to Fedora 30
Allow Debian to generate a dynamic motd when users log in
entropyd: haveged service uses PrivateDevices=yes
Check the .fc files for common typos
corecommands: no longer use \d
libraries: fix some misspellings in patterns
java: remove unnecessary parentheses in pattern
cups: add a slash to match /opt/brother/Printers/
Vagrantfile: build and install refpolicy on Fedora VM
Vagrantfile: add a Debian virtual machine
ntp: allow systemd-timesyncd to read network status
cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
portage: really make consoletype module optional
Label programs in /usr/bin like /usr/sbin
apt: allow transition from apt_t to dpkg_t with NNP
apt: allow preventing shutdown by calling a systemd-logind D-Bus method
authlogin: label utempter correctly on Debian
irc: add WeeChat policy
systemd: allow systemd --user to receive messages from
netlink_kobject_uevent_socket
Add a policy module for WireGuard VPN
modutils: allow depmod to read /boot/System.map
modutils: allow depmod and modprobe to use the I/O provided by apt
systemd: allow systemd-modules-load.service to read sysfs
sudo: allow using use_pty flag
Allow using /([^/]+/)? and (/[^/]+)?/ in patterns
ulogd: adjust policy for Debian
bitlbee: allow using GetDynamicUser on Debian
chromium: remove distro-specific ifdef
systemd-networkd: allow creating a generic netlink socket
systemd-networkd: allow communicating with hostnamed
sudo: allow transmitting SIGWINCH to its child
sudo: allow using CAP_KILL for SIGWINCH
systemd: allow detecting Windows Subsystem for Linux
systemd: allow more accesses to systemd --user
systemd: remove unnecessary init_write_runtime_socket()
.travis.yml: update distro to Ubuntu 18.04 LTS (Bionic Beaver)
filesystem: allow following symlinks with fs_rw_cgroup_files()
systemd: allow user environment helpers to communicate with systemd --user
.travis.yml: check the .fc files in CI
systemd: make the kernel spawn systemd-coredump with a context transition
gpg: allow gpg-agent to read crypto.fips_enabled sysctl
testing/check_fc_files: allow @ character in file context patterns
mount: allow callers of mount to search /usr/bin
sysadm: allow using hostnamectl
init: allow systemd to mount over /dev/kmsg and /proc/kmsg
Add policy for CryFS, encfs and gocryptfs
Vagrantfile: fix configuration
Vagrantfile: remove sudo
Vagrantfile: add a specific SELinux policy module
systemd: allow reading options from EFI variable SystemdOptions
virt: allow more accesses to libvirt_leaseshelper
systemd-logind: allow using BootLoaderEntries DBUS property
storage: introduce storage_raw_read_fixed_disk_cond
Vagrantfile: allow unconfined and sysadm SSH login
Vagrant: allow VirtualBox provisionning to use dhclient and ip
Associate role unconfined_r to wine_t
systemd: add an interface to use nss-systemd
usermanage: allow groupadd to lookup dynamic users from systemd
mount: label fusermount3 like fusermount
Peter Morrow (1):
systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in
sysfs
Petr Lautrbach (1):
newrole: allow newrole to use setcap to drop capabilities
Stephen Smalley (4):
access_vectors: Remove unused permissions
access_vectors: Remove entrypoint and execute_no_trans from chr_file
access_vectors: remove flow_in and flow_out permissions from packet class
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
Sugar, David (13):
grant rpm permission to map rpm_var_lib_t
grant permission for rpm to write to audit log
grant rpm permissions to map locale_t
Allow rpm to map file contexts
Allow rpm scripts to alter systemd services
grant rpm_t permission to map security_t
Module for tpm2
Add missing gen_require for init_t in init_script_domain
resolve syslog imuxsock denial
Add interface to read efivarfs_t directory
Fix indent to match the rest of the file (space -> tab)
Allow systemd to getattr all files
audit daemon can halt system, allow this to happen.
Topi Miettinen (2):
Consider jitterentropy to belong to entropyd family
Consider iwd equivalent to NetworkManager etc.
Vilgot Fredenberg (1):
Remove obsolete gentoo specific rule
bauen1 (16):
fix: sudo can't determine default type for sysadm_r
fix ifupdown2 executable mislabeled as lib_t
added bpf_t filesystem label
netutils: allow mtr to communicate with mtr-packet
kernel/corecommands: fix the label of xfce4 helpers (on debian)
systemd: remove whitespace
init: add interfaces for managing /run/systemd
systemd: add policy for systemd-fstab-generator
udev: remove console-setup
consolesetup: add policy for console-setup
udev: run consolesetup
loadkeys: remove redundant ifdef
init: split init_create_pid_files interface
ntp: watch systemd networkd runtime dirs This is required for correct
function after linux 5.4
systemd-user-runtime-dir: add policy
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to
fifo_files inherited from domains allowed to change role to sysadm_r.
* Sun Jun 09 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190609
Chris PeBenito (70):
systemd: Module version bump.

2
VERSION
View File

@ -1 +1 @@
2.20190609
2.20200229