Update Changelog and VERSION for release.

Changelog

@@ -1,3 +1,189 @@
+* Wed Dec 03 2014 Chris PeBenito <selinux@tresys.com> - 2.20141203
+Artyom Smirnov (3):
+      New database object classes
+      Fixes for db_domain and db_exception
+      Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
+
+Chris PeBenito (69):
+      Whitespace fix in postgresql.fc
+      Module version bump for postgresql fc entries from Luis Ressel.
+      Add symlink to contrib Changelog for easy reference.
+      Move lightdm line in xserver.fc.
+      Whitespace fix in xserver.fc.
+      Update contrib.
+      Module version bump for userdomain kernel symbol table fix from Nicolas
+         Iooss.
+      Module version bump for 2 Gentoo patches from Sven Vermeulen.
+      Update contrib.
+      Module version bump for 2 patch sets from Laurent Bigonville.
+      Update contrib.
+      Module version bump for gnome keyring fix from Laurent Bigonville.
+      Update contrib.
+      Module version bump for /sys/fs/selinux support from Sven Vermeulen.
+      Module version bump for fixes from Laurent Bigonville.
+      Update contrib.
+      Module version bumps for fc fixes from Nicolas Iooss.
+      Update contrib.
+      Add file for placing default_* statements.
+      Fix error in default_user example.
+      Module version bump for unconfined->lvm transition from Nicolas Iooss.
+      Need the __future__ import for python2 if using print().
+      Module version bump for ifconfig fc entry from Sven Vermeulen.
+      Module version bump for deprecated interface usage removal from Nicolas
+         Iooss.
+      Update contrib.
+      Module version bump for rcs2log and xserver updates from Sven Vermeulen.
+      Module version bump for shutdown transitions from Luis Ressel.
+      Remove firstboot_rw_t as FC5 has been gone for a long time.
+      Module version bump for firstboot_rw_t alias removal.
+      Module version bump for dropbox port from Sven Vermeulen.
+      Module version bump for unconfined syslog cap from Nicolas Iooss.
+      Always use the unknown permissions handling build option.
+      Merge pull request #1 from artyom-smirnov/master
+      Module version bump for zram fc entry from Jason Zaman.
+      Update contrib.
+      Module version bump for init_daemon_pid_file from Sven Vermeulen.
+      Move tumblerd fc entry
+      Module version bump for tumblerd fc entry from Jason Zaman.
+      Module version bump for libraries fc fix from Nicolas Iooss.
+      Update contrib.
+      Module version bump for fstools fc entries from Luis Ressel.
+      Module version bump for missing unlabeled interfaces from Sven Vermeulen.
+      Module version bump for ping rawip socket fix from Luis Ressel.
+      Module version bump for full IRC ports from Luis Ressel.
+      Move losetup addition in fstools.
+      Module version bump for losetup fixes from Luis Ressel.
+      Update contrib.
+      Module version bump for postgres fc revisions from Luis Ressel.
+      Module version bump for FUSE fix for mount from Luis Ressel.
+      Module version bump for misc fixes from Nicolas Iooss.
+      Move systemd fc entry.
+      Whitespace change in logging.fc.
+      Add comment for journald ring buffer reading.
+      Module version bumps for systemd/journald patches from Nicolas Iooss.
+      Update contrib.
+      /dev/log symlinks are not labeled devlog_t.
+      Module version bump for CIL fixes from Yuli Khodorkovskiy.
+      Drop RHEL4 and RHEL5 support.
+      Merge pull request #3 from bigon/arping
+      Merge pull request #4 from fishilico/minor-typo
+      Module version bump for Debian arping fc entries from Laurent Bigonville.
+      Add comment for iw generic netlink socket usage
+      Module version bump for /sbin/iw support from Nicolas Iooss.
+      Merge pull request #5 from bigon/audit_read
+      Update contrib.
+      Module version bump for misc fixes from Sven Vermeulen.
+      Update contrib.
+      Module version bump for module store move from Steve Lawrence.
+      Bump module versions for release.
+
+Elia Pinto (1):
+      Fix misspelling
+
+Jason Zaman (2):
+      File contexts for zram
+      File Context for tumbler
+
+Laurent Bigonville (14):
+      Properly label git-shell and other git commands for Debian
+      Label /usr/sbin/lightdm as xdm_exec_t
+      Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
+      Associate the new xattrfs attribute to fs_t and some pseudo-fs
+      Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t
+      Add telepathy role for user_r and staff_r
+      Properly label the manpages installed by postgresql
+      Label /usr/local/share/ca-certificates(/.*)? as cert_t
+      Allow the xdm_t domain to enter all the gkeyringd ones
+      Label /etc/locale.alias as locale_t on Debian
+      Allow hugetlbfs_t to be associated to /dev
+      On Debian iputils-arping is installed in /usr/bin/arping
+      Debian also ship a different arping implementation
+      Add new audit_read access vector in capability2 class
+
+Luis Ressel (13):
+      Add two postgresql file contexts from gentoo policy
+      Allow init to execute shutdown
+      Allow xdm_t to transition to shutdown_t domain
+      Some of the fsadm tools can also be in /usr/sbin instead of /sbin
+      Label /usr/sbin/{add, del}part as fsadm_exec_t
+      Grant ping_t getattr on rawip_socket
+      kernel/corenetwork.te: Add all registered IRC ports
+      system/mount.if: Add mount_rw_loopback_files interface
+      system/fstools.if: Add fstools_use_fds interface
+      Add neccessary permissions for losetup
+      Only label administrative postgres commands as postgresql_exec_t
+      Also apply the new postgres labeling scheme on Debian
+      Grant mount permission to access /dev/fuse
+
+Nicolas Iooss (31):
+      Fix parallel build of the policy
+      fc_sort: fix typos in comments
+      fc_sort: initialize allocated memory to fix execution on an empty file
+      fc_sort: make outfile argument optional
+      userdomain: no longer allow unprivileged users to read kernel symbols
+      Label syslog-ng.pid as syslogd_var_run_t
+      filesystem: label cgroup symlinks
+      Label /usr/lib/getconf as bin_t
+      Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
+      Make support/policyvers.py compatible with Python 3
+      Make unconfined user run lvm programs in confined domain
+      No longer use deprecated MLS interfaces
+      Allow unconfined domains to use syslog capability
+      Label /lib symlink as lib_t for every distro
+      Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
+      Add ioctl and lock to manage_lnk_file_perms
+      Label (/var)?/tmp/systemd-private-.../tmp like /tmp
+      Fix typo in fs_getattr_all_fs description
+      Label systemd files in init module
+      Introduce init_search_run interface
+      Label systemd-journald files and directories
+      Support logging with /run/systemd/journal/dev-log
+      Allow journald to read the kernel ring buffer and to use /dev/kmsg
+      Allow journald to access to the state of all processes
+      Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
+      Fix minor typo in init.if
+      Label /sbin/iw as ifconfig_exec_t
+      Allow iw to create generic netlink sockets
+      Use create_netlink_socket_perms when allowing netlink socket creation
+      Update Python requirement in INSTALL
+      Create tmp directory when compiling a .mod.fc file in a modular way
+
+Steve Lawrence (1):
+      Update policy for selinux userspace moving the policy store to
+         /var/lib/selinux
+
+Sven Vermeulen (24):
+      Hide getattr denials upon sudo invocation
+      Support /sys/devices/system/cpu/online
+      The security_t file system can be at /sys/fs/selinux
+      Dontaudit access on security_t file system at /sys/fs/selinux
+      ifconfig can also be in /bin
+      xserver_t needs to ender dirs labeled xdm_var_run_t
+      Enable rcs2log location for all distributions
+      Add dropbox_port_t support
+      Support initrc_t generated pid files with file transition
+      Deprecate init_daemon_run_dir interface
+      Use init_daemon_pid_file instead of init_daemon_run_dir
+      Introduce kernel_delete_unlabeled_symlinks
+      Introduce kernel_delete_unlabeled_pipes
+      Introduce kernel_delete_unlabeled_sockets
+      Introduce kernel_delete_unlabeled_blk_files
+      Introduce kernel_delete_unlabeled_chr_files
+      Run grub(2)-mkconfig in bootloader domain
+      Add auth_pid_filetrans_pam_var_run
+      New sudo manages timestamp directory in /var/run/sudo
+      xfce4-notifyd is an executable
+      Mark f2fs as a SELinux capable file system
+      Add in LightDM contexts
+      Add gfisk and efibootmgr as fsadm_exec_t
+      Add /var/lib/racoon as runtime directory for ipsec
+
+Yuli Khodorkovskiy (1):
+      Remove duplicate role declarations
+
+cgarst (1):
+      Updating submodule URL to github
+
 * Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
 Chris PeBenito (96):
       Update contrib to pull in minidlna.

VERSION

@@ -1 +1 @@
-2.20140311
+2.20141203

policy/modules/contrib

@@ -1 +1 @@
-Subproject commit 0c39ebe156e192ed46e58cff3e5e802b0d935660
+Subproject commit f627e84f52f62f4872889987ee32c903c3b7dc96