diff --git a/Changelog b/Changelog index 5fcca553b..4444be11d 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,251 @@ +* Tue Mar 11 2014 Chris PeBenito - 2.20140311 +Chris PeBenito (96): + Update contrib to pull in minidlna. + Remove general unlabeled packet usage. + Update contrib. + Use python libselinux bindings to determine policy version. + Add MLS constraints for x_pointer and x_keyboard. + Add label for parted. + Fix support/policyvers.py not to error if building policy on a + SELinux-disabled system. + Module version bump for kerberos keytab changes for ssh from Dominick + Grift. + Module version bump for pstore filesystem support from Dominick Grift. + Module version bump for redis port from Dominick Grift. + Update contrib. + Add comment for setfiles using /dev/console when it needs to be relabeled. + Module version bump for xserver and selinuxutil updates from Dominick + Grift. + Module version bump for tmpfs associate to device_t from Dominick Grift. + Module version bump for syslog reading overcommit_memory from Dominick + Grift. + Module version bump for ethtool reading pm-powersave.lock from Dominick + Grift. + Module version bump for sysadm fix for git role usage from Dominick Grift. + Module version bump for lvm update from Dominick Grift. + Module version bump for fc fix in authlogin from Dominick Grift. + Module version bump for restricted x user template fix from Dominick + Grift. + Add comment for debian avahi-daemon-check-dns.sh usage by udev + Module version bump for udev Debian fixes from Dominick Grift. + Module version bump for selinuxfs location change from Dominick Grift. + Update contrib. + Module version bump for unconfined dbus fixes from Dominick Grift. + Whitespace fix in terminal.te. + Module version bump for virtio console from Dominick Grift. + Module version bump for init interface and corecommand fc from Dominick + Grift. + Module version bump for ping capabilities from Sven Vermeulen. + Module version bump for slim fc entries from Sven Vermeulen. + Module version bump for xdm dbus access from Dominick Grift. 
+ Rearrange sysnet if blocks. + Module version bump for debian ifstate changes from Dominick Grift. + Module version bump for xserver console and fc fixes from Dominick Grift. + Module version bump for gdomap port from Dominick Grift. + Module version bumps for dhcpc leaked fds to hostname. + Module version bump for ssh server caps for Debian from Dominick Grift. + Move stray Debian rule in udev. + Update contrib + Module version bumps for Debian udev updates from Dominick Grift. + Module version bump for mount updates from Dominick Grift. + Silence symlink reading by setfiles since it doesn't follow symlinks + anyway. + Reorder dhcpc additions. + Module version bump for dhcpc fixes from Dominick Grift. + Add comments about new capabilities for syslogd_t. + Module version bumps for syslog-ng and semodule updates. + Update contrib. + Module version bump for first batch of patches from Dominick Grift. + Update contrib. + Rearrage userdom_delete_user_tmpfs_files() interface. + setrans: needs to be able to get attributes of selinuxfs, else fails to + start in Debian + Whitespace fix in fstools. + Add comment in policy for lvm sysfs write. + Module version bump for second lot of patches from Dominick Grift. + Whitespace fix in usermanage. + Whitespace fix in libraries. + Module version bump for patches from Dominick Grift. + Whitespace fix in init.te. + init: init_script_domain() allow system_r role the init script domain type + init: creates /run/utmp + Module version bump for 4 init patches from Dominick Grift. + Fix Debian compile issue. + Module version bump for 2 patches from Dominick Grift. + Module version bump for patch from Laurent Bigonville. + Update contrib. + Module version bump for patch from Laurent Bigonville. + Module version bump for xserver change from Dominick Grift. + Merge file_t into unlabeled_t, as they are security equivalent. + Update modules for file_t merge into unlabeled_t. + Make the QUIET build option apply to clean and bare targets. 
+ Module version bump for direct initrc fixes from Dominick Grift. + Module version bump for module store labeling fixes from Laurent + Bigonville. + Remove ZFS symlink labeling. + Fix ZFS fc escaping in mount. + Rearrange ZFS fc entries. + Module version bump for ZFS tools fc entries from Matthew Thode. + Module version bump for unconfined transition to dpkg from Laurent + Bigonville. + Module version bump for logging fc patch from Laurent Bigonville. + Update contrib. + Module version bump for pid file directory from Russell Coker/Laurent + Bigonville. + Rename gpg_agent_connect to gpg_stream_connect_agent. + Rearrange gpg agent calls. + Module version bump for ssh use of gpg-agent from Luis Ressel. + Module version bump for files_dontaudit_list_var() interface from Luis + Ressel. + Move bin_t fc from couchdb to corecommands. + Update contrib. + Module version bump for sesh fc from Nicolas Iooss. + Move loop control interface definition. + Rename mount_read_mount_loopback() to mount_read_loopback_file(). + Module version bump for loopback file mounting fixes from Luis Ressel. + Fix read loopback file interface. + Update contrib. + Module version bump for bootloader fc fixes from Luis Ressel. + Update contrib. + Update contrib. + Bump module versions for release. 
+ +Dominick Grift (58): + The kerberos_keytab_template() template is deprecated: Breaks monolithic + built (out-of-scope) + Initial pstore support + Support redis port tcp,6379 + These regular expressions were not matched + Restorecon reads, and writes /dev/console before it is properly labeled + filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems + logging: syslog (rs:main Q:Reg) reading sysctl_vm files + (overcommit_memory) in Debian + sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock + sysadm: Doesnt work with direct_initrc = y + lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin + authlogin: Sudo file context specification did not catch paths (squash me) + userdomain: restricted xwindows user (squash me) + udev: This is specific to debian i think. Some how the + /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain + selinux: selinuxfs is now mounted under /sys/fs/selinux instead of + /selinux, so we need to allow domains that use selinuxfs to interface + with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux + Unconfined domains have unconfined access to all of dbus rather than only + system bus + Initial virtio console device + init: create init_use_inherited_script_ptys() for tmpreaper (Debian) + corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh + xdm: is a system bus client and acquires service on the system bus xdm: + dbus chat with accounts-daemon + sysnetwork: Debian stores network interface configuration in /run/network + (ifstate), That directory is created by the /etc/init.d/networking + script. 
+ xserver: catch /run/gdm3 + xserver: associate xconsole_device_t (/dev/xconsole) to device_t + (devtmpfs) + corenetwork: Declare gdomap port, tcp/udp:538 + hostname: do not audit attempts by hostname to read and write dhcpc udp + sockets (looks like a leaked fd) + ssh: Debian sshd is configured to use capabilities + udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and + compromises kernel + udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates + /run/avahi-daemon directory + mount: sets kernel thread priority mount: mount reads + /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount + points + sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not + audit attempts by ifconfig to read, and write dhcpc udp sockets (looks + like a leaked fd) + mount: fs_list_auto_mountpoint() is now redundant because autofs_t is + covered by files_list_all_mountpoints() + udev: this fc spec does not make sense, as there is no corresponding file + type transition for it + udev: the avahi dns check script run by udev in Debian chmods + /run/avahi-daemon + authlogin: unix_chkpwd traverses / on sysfs device on Debian + setrans: mcstransd reads filesystems file in /proc + udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf + fstools: hdparm append (what seems inherited from devicekit ) + /var/log/pm-powersave.log fstools: hdparm reads + /run/pm-utils/locks/pm-powersave.lock + sysnetwork: dhcpc: networkmanager interface calls from Fedora. 
In Debian i + was able to confirm the need for + networkmanager_manage_lib_files(dhcpc_t) since dhclient reads + /var/lib/NetworkManager/dhclient-eth0.conf + sysbnetwork: dhclient searches /var/lib/ntp + sshd/setrans: make respective init scripts create pid dirs with proper + contexts + kernel: cryptomgr_test (kernel_t) requests kernel to load + cryptd(__driver-ecb-aes-aesni + xserver: already allowed by auth_login_pgm_domain(xdm_t) + unconfined: Do not domain transition to xserver_t (unconfined_t is + xserver_unconfined) + userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients + These { read write } tty_device_t chr files on boot up in Debian + udev: udevd executable location changed + lvm: lvm writes read_ahead_kb + udev: in debian udevadm is located in /bin/udevadm + usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in + Debian + iptables: calls to firewalld interfaces from Fedora. The + firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian. + libraries: for now i can only confirm mmap, might need to be changed to + bin_t later if it turns out to need execute_no_trans + users: calls pulseaudio_role() for restricted xwindows users and + staff_t/user_t + init: for a specified automatic role transition to work. the source role + must be allowed to change manually to the target role + init: this is a bug in debian where tmpfs is mounted on /run, and so early + on in the boot process init creates /run/utmp and /run/initctl in a + tmpfs directory (/) tmpfs + init: exim init script runs various helper apps that create and manage + /var/lib/exim4/config.autogenerated.tmp file + init: the gdomap and minissdpd init scripts read the respective environ + files in /etc/default. 
We need to give them a private type so that we + can give the gdomap_admin() and minissdpd_admin() access to it, but it + seems overengineering to create private environ types for these files + xserver: These are no longer needed + Change behavior of init_run_daemon() + Apply direct_initrc to unconfined_r:unconfined_t + +Laurent Bigonville (7): + Label /bin/fusermount like /usr/bin/fusermount + Allow udev to write in /etc/udev/rules.d + Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t + Allow unconfined users to transition to dpkg_t domain + Add fcontext for rsyslog pidfile + Add fcontext for sshd pidfile and directory used for privsep + Move the ifdef at the end of the declaration block + +Luis Ressel (10): + Conditionally allow ssh to use gpg-agent + kernel/files.if: Add files_dontaudit_list_var interface + kernel/devices.if: Add dev_rw_loop_control interface + system/mount.if: Add mount_read_mount_loopback interface + Allow mount_t usage of /dev/loop-control + Grant kernel_t necessary permissions for loopback mounts + Use xattr-labeling for squashfs. + Label fatsort as fsadm_exec_t. + Generalize grub2 pattern + Label grub2-install as bootloader_exec_t + +Matthew Thode (1): + Extending support for SELinux on ZFS + +Nicolas Iooss (2): + Label /usr/lib/sudo/sesh as shell_exec_t + Create .gitignore + +Sven Vermeulen (7): + Add trivnet1 port (8200) + Get grub2-install to work properly + Support named file transition for fixed_disk_device_t + Allow ping to get/set capabilities + Extend slim /var/run expression + Allow semodule to create symlink in semanage_store_t + Allow capabilities for syslog-ng + * Wed Apr 24 2013 Chris PeBenito - 2.20130424 Chris PeBenito (78): Mcelog update from Guido Trentalancia. diff --git a/VERSION b/VERSION index d060af824..d2354ef7a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20130424 +2.20140311 diff --git a/policy/modules/contrib b/policy/modules/contrib index 403c088c9..a0c1fa505 160000 --- a/policy/modules/contrib 
+++ b/policy/modules/contrib @@ -1 +1 @@ -Subproject commit 403c088c90dc7b5c480e8e852c49c5fa59f1749d +Subproject commit a0c1fa505d7bb28468215b803615a9e42201568c
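Review bot: in the Changelog hunk, the entry "Merge file_t into unlabeled_t, as they are security equivalent." records a type-level change that affects every filesystem without labels and every out-of-tree module that references file_t, yet gives no compatibility guidance; suggest extending the entry (and the companion "Update modules for file_t merge into unlabeled_t.") to state whether file_t survives as an alias of unlabeled_t or whether third-party policy must be rewritten, since after the merge any rule granting or denying access to unlabeled_t also covers files that previously carried file_t, which interacts with the earlier "Remove general unlabeled packet usage." entry in the same block. Two typos in the same hunk should also be corrected: "Rearrage userdom_delete_user_tmpfs_files() interface." should read "Rearrange", and "sysbnetwork: dhclient searches /var/lib/ntp" should read "sysnetwork".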
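Review bot: the contrib submodule bump from 403c088c90dc7b5c480e8e852c49c5fa59f1749d to a0c1fa505d7bb28468215b803615a9e42201568c is documented only as repeated "Update contrib." entries in the Changelog hunk (one of them says "to pull in minidlna"), so a reader of the 2.20140311 release cannot tell which contrib modules or interfaces changed; suggest listing the contrib changes in the Changelog, or at least recording the contrib commit range 403c088c9..a0c1fa505 next to the release header, so that the contrib-side policy changes are auditable alongside the base-policy entries.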