RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-02-02 21:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update Changelog and VERSION for release.

Browse Source
This commit is contained in:
Chris PeBenito 2014-03-11 08:16:57 -04:00
parent 10ff4d0fa3
commit a82a6a80a1
3 changed files with 250 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

248
Changelog
View File

@ -1,3 +1,251 @@
* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
Chris PeBenito (96):
Update contrib to pull in minidlna.
Remove general unlabeled packet usage.
Update contrib.
Use python libselinux bindings to determine policy version.
Add MLS constraints for x_pointer and x_keyboard.
Add label for parted.
Fix support/policyvers.py not to error if building policy on a
SELinux-disabled system.
Module version bump for kerberos keytab changes for ssh from Dominick
Grift.
Module version bump for pstore filesystem support from Dominick Grift.
Module version bump for redis port from Dominick Grift.
Update contrib.
Add comment for setfiles using /dev/console when it needs to be relabeled.
Module version bump for xserver and selinuxutil updates from Dominick
Grift.
Module version bump for tmpfs associate to device_t from Dominick Grift.
Module version bump for syslog reading overcommit_memory from Dominick
Grift.
Module version bump for ethtool reading pm-powersave.lock from Dominick
Grift.
Module version bump for sysadm fix for git role usage from Dominick Grift.
Module version bump for lvm update from Dominick Grift.
Module version bump for fc fix in authlogin from Dominick Grift.
Module version bump for restricted x user template fix from Dominick
Grift.
Add comment for debian avahi-daemon-check-dns.sh usage by udev
Module version bump for udev Debian fixes from Dominick Grift.
Module version bump for selinuxfs location change from Dominick Grift.
Update contrib.
Module version bump for unconfined dbus fixes from Dominick Grift.
Whitespace fix in terminal.te.
Module version bump for virtio console from Dominick Grift.
Module version bump for init interface and corecommand fc from Dominick
Grift.
Module version bump for ping capabilities from Sven Vermeulen.
Module version bump for slim fc entries from Sven Vermeulen.
Module version bump for xdm dbus access from Dominick Grift.
Rearrange sysnet if blocks.
Module version bump for debian ifstate changes from Dominick Grift.
Module version bump for xserver console and fc fixes from Dominick Grift.
Module version bump for gdomap port from Dominick Grift.
Module version bumps for dhcpc leaked fds to hostname.
Module version bump for ssh server caps for Debian from Dominick Grift.
Move stray Debian rule in udev.
Update contrib
Module version bumps for Debian udev updates from Dominick Grift.
Module version bump for mount updates from Dominick Grift.
Silence symlink reading by setfiles since it doesn't follow symlinks
anyway.
Reorder dhcpc additions.
Module version bump for dhcpc fixes from Dominick Grift.
Add comments about new capabilities for syslogd_t.
Module version bumps for syslog-ng and semodule updates.
Update contrib.
Module version bump for first batch of patches from Dominick Grift.
Update contrib.
Rearrage userdom_delete_user_tmpfs_files() interface.
setrans: needs to be able to get attributes of selinuxfs, else fails to
start in Debian
Whitespace fix in fstools.
Add comment in policy for lvm sysfs write.
Module version bump for second lot of patches from Dominick Grift.
Whitespace fix in usermanage.
Whitespace fix in libraries.
Module version bump for patches from Dominick Grift.
Whitespace fix in init.te.
init: init_script_domain() allow system_r role the init script domain type
init: creates /run/utmp
Module version bump for 4 init patches from Dominick Grift.
Fix Debian compile issue.
Module version bump for 2 patches from Dominick Grift.
Module version bump for patch from Laurent Bigonville.
Update contrib.
Module version bump for patch from Laurent Bigonville.
Module version bump for xserver change from Dominick Grift.
Merge file_t into unlabeled_t, as they are security equivalent.
Update modules for file_t merge into unlabeled_t.
Make the QUIET build option apply to clean and bare targets.
Module version bump for direct initrc fixes from Dominick Grift.
Module version bump for module store labeling fixes from Laurent
Bigonville.
Remove ZFS symlink labeling.
Fix ZFS fc escaping in mount.
Rearrange ZFS fc entries.
Module version bump for ZFS tools fc entries from Matthew Thode.
Module version bump for unconfined transition to dpkg from Laurent
Bigonville.
Module version bump for logging fc patch from Laurent Bigonville.
Update contrib.
Module version bump for pid file directory from Russell Coker/Laurent
Bigonville.
Rename gpg_agent_connect to gpg_stream_connect_agent.
Rearrange gpg agent calls.
Module version bump for ssh use of gpg-agent from Luis Ressel.
Module version bump for files_dontaudit_list_var() interface from Luis
Ressel.
Move bin_t fc from couchdb to corecommands.
Update contrib.
Module version bump for sesh fc from Nicolas Iooss.
Move loop control interface definition.
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Module version bump for loopback file mounting fixes from Luis Ressel.
Fix read loopback file interface.
Update contrib.
Module version bump for bootloader fc fixes from Luis Ressel.
Update contrib.
Update contrib.
Bump module versions for release.
Dominick Grift (58):
The kerberos_keytab_template() template is deprecated: Breaks monolithic
built (out-of-scope)
Initial pstore support
Support redis port tcp,6379
These regular expressions were not matched
Restorecon reads, and writes /dev/console before it is properly labeled
filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
logging: syslog (rs:main Q:Reg) reading sysctl_vm files
(overcommit_memory) in Debian
sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
sysadm: Doesnt work with direct_initrc = y
lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin
authlogin: Sudo file context specification did not catch paths (squash me)
userdomain: restricted xwindows user (squash me)
udev: This is specific to debian i think. Some how the
/usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
selinux: selinuxfs is now mounted under /sys/fs/selinux instead of
/selinux, so we need to allow domains that use selinuxfs to interface
with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
Unconfined domains have unconfined access to all of dbus rather than only
system bus
Initial virtio console device
init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
xdm: is a system bus client and acquires service on the system bus xdm:
dbus chat with accounts-daemon
sysnetwork: Debian stores network interface configuration in /run/network
(ifstate), That directory is created by the /etc/init.d/networking
script.
xserver: catch /run/gdm3
xserver: associate xconsole_device_t (/dev/xconsole) to device_t
(devtmpfs)
corenetwork: Declare gdomap port, tcp/udp:538
hostname: do not audit attempts by hostname to read and write dhcpc udp
sockets (looks like a leaked fd)
ssh: Debian sshd is configured to use capabilities
udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and
compromises kernel
udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates
/run/avahi-daemon directory
mount: sets kernel thread priority mount: mount reads
/lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount
points
sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not
audit attempts by ifconfig to read, and write dhcpc udp sockets (looks
like a leaked fd)
mount: fs_list_auto_mountpoint() is now redundant because autofs_t is
covered by files_list_all_mountpoints()
udev: this fc spec does not make sense, as there is no corresponding file
type transition for it
udev: the avahi dns check script run by udev in Debian chmods
/run/avahi-daemon
authlogin: unix_chkpwd traverses / on sysfs device on Debian
setrans: mcstransd reads filesystems file in /proc
udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
fstools: hdparm append (what seems inherited from devicekit )
/var/log/pm-powersave.log fstools: hdparm reads
/run/pm-utils/locks/pm-powersave.lock
sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i
was able to confirm the need for
networkmanager_manage_lib_files(dhcpc_t) since dhclient reads
/var/lib/NetworkManager/dhclient-eth0.conf
sysbnetwork: dhclient searches /var/lib/ntp
sshd/setrans: make respective init scripts create pid dirs with proper
contexts
kernel: cryptomgr_test (kernel_t) requests kernel to load
cryptd(__driver-ecb-aes-aesni
xserver: already allowed by auth_login_pgm_domain(xdm_t)
unconfined: Do not domain transition to xserver_t (unconfined_t is
xserver_unconfined)
userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
These { read write } tty_device_t chr files on boot up in Debian
udev: udevd executable location changed
lvm: lvm writes read_ahead_kb
udev: in debian udevadm is located in /bin/udevadm
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in
Debian
iptables: calls to firewalld interfaces from Fedora. The
firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
libraries: for now i can only confirm mmap, might need to be changed to
bin_t later if it turns out to need execute_no_trans
users: calls pulseaudio_role() for restricted xwindows users and
staff_t/user_t
init: for a specified automatic role transition to work. the source role
must be allowed to change manually to the target role
init: this is a bug in debian where tmpfs is mounted on /run, and so early
on in the boot process init creates /run/utmp and /run/initctl in a
tmpfs directory (/) tmpfs
init: exim init script runs various helper apps that create and manage
/var/lib/exim4/config.autogenerated.tmp file
init: the gdomap and minissdpd init scripts read the respective environ
files in /etc/default. We need to give them a private type so that we
can give the gdomap_admin() and minissdpd_admin() access to it, but it
seems overengineering to create private environ types for these files
xserver: These are no longer needed
Change behavior of init_run_daemon()
Apply direct_initrc to unconfined_r:unconfined_t
Laurent Bigonville (7):
Label /bin/fusermount like /usr/bin/fusermount
Allow udev to write in /etc/udev/rules.d
Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
Allow unconfined users to transition to dpkg_t domain
Add fcontext for rsyslog pidfile
Add fcontext for sshd pidfile and directory used for privsep
Move the ifdef at the end of the declaration block
Luis Ressel (10):
Conditionally allow ssh to use gpg-agent
kernel/files.if: Add files_dontaudit_list_var interface
kernel/devices.if: Add dev_rw_loop_control interface
system/mount.if: Add mount_read_mount_loopback interface
Allow mount_t usage of /dev/loop-control
Grant kernel_t necessary permissions for loopback mounts
Use xattr-labeling for squashfs.
Label fatsort as fsadm_exec_t.
Generalize grub2 pattern
Label grub2-install as bootloader_exec_t
Matthew Thode (1):
Extending support for SELinux on ZFS
Nicolas Iooss (2):
Label /usr/lib/sudo/sesh as shell_exec_t
Create .gitignore
Sven Vermeulen (7):
Add trivnet1 port (8200)
Get grub2-install to work properly
Support named file transition for fixed_disk_device_t
Allow ping to get/set capabilities
Extend slim /var/run expression
Allow semodule to create symlink in semanage_store_t
Allow capabilities for syslog-ng
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (78):
Mcelog update from Guido Trentalancia.

2
VERSION
View File

@ -1 +1 @@
2.20130424
2.20140311

2
policy/modules/contrib

@ -1 +1 @@
Subproject commit 403c088c90dc7b5c480e8e852c49c5fa59f1749d
Subproject commit a0c1fa505d7bb28468215b803615a9e42201568c