diff --git a/Changelog b/Changelog index fc2635ba2..7334e4989 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,315 @@ +* Fri May 20 2022 Chris PeBenito - 2.20220520 +Björn Esser (1): + authlogin: add fcontext for tcb + +Chris PeBenito (118): + 0xC0ncord/bugfix/systemd-user-exec-apps-hookup + systemd, ssh, ntp: Read fips_enabled crypto sysctl. + systemd: Unit generator fixes. + systemd: Revise tmpfiles factory to allow writing all configs. + systemd: User runtime reads user cgroup files. + logging: Add audit_control for journald. + udev: Manage EFI variables. + ntp: Handle symlink to drift directory. + logging: Allow auditd to stat() dispatcher executables. + Drop module versioning. + tests.yml: Disable policy_module() selint checks. + systemd: Change journal file context to MLS system high. + Revert "users: remove MCS categories from default users" + systemd: Add systemd-homed and systemd-userdbd. + systemd, ssh: Crypto sysctl use. + systemd: Additional fixes for fs getattrs. + systemd: Updates for generators and kmod-static-nodes.service. + domain: Allow lockdown for all domains. + postfix, spamassassin: Fix missed type renames after alias removals. + cron, dbus, policykit, postfix: Minor style fixes. + Make hide_broken_symptoms unconditional. + puppet: Style fixes. + matrixd: Cleanups. + matrixd: SELint fixes. + mailmain: Fix check_fc_files issue. + mailmain: Fix SELint issues. + postfix: Move lines. + apache: Remove unnecessary require in apache_exec(). + seusers: Remove sddm. + Add a vulnerability handling process. + +Christian Goettsche (1): + check_fc_files: allow optional @ character + +Christian Göttsche (11): + filesystem: add fs_use_trans for ramfs + Ignore umask on when installing headers + Revert "tests.yml: Disable policy_module() selint checks." + build.conf: bump policy version in comment + flask: add new kernel security classes + policy_capabilities: add ioctl_skip_cloexec + policy.dtd: more strict bool/tunable and infoflow validation + Makefile: invoke python with -bb + Rules.monolithic: add target to generate CIL policy + Makefile: use override for adding options + Rules.modular: add pure-load target + +Dave Sugar (4): + Allow iscsid to request kernel module load + Allow iscsid to check fips_enabled + sshd: allow to run /usr/bin/fipscheck (to check fips state) + systemd: resolve error with systemd-sysctl + +Fabrice Fontaine (2): + policy/modules/services/samba.te: make crack optional + policy/modules/services/wireguard.te: make iptables optional + +Gao Xiang (1): + Add erofs as a SELinux capable file system + +Henrik Grindal Bakken (1): + snmp: Fix typo in /var/net-snmp rule + +Jonathan Davies (12): + chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access + net_admin capability, this is required for its `hwtimestamp` option, + which otherwise returns: + virt.te: Fixed typo in virtlogd_t virt_common_runtime_t + manage_files_pattern. + obfs4proxy: Added policy. + tor: Added interfaces and types for obfs4proxy support. + corenetwork.te.in: Added ntske port. + chronyd.te: Added support for bind/connect/recv/send NTS packets. + chronyd: Allow access to read certs. + obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms. + policy/*: Replaced rw_netlink_socket_perms with + create_netlink_socket_perms. + node_exporter: Added initial policy. + systemd.te: Added boolean for allowing dhcpd server packets. + systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in + systemd_stream_connect_userdb(). + +Kenton Groombridge (174): + userdomain: add user exec domain attribute and interface + systemd: assign user exec attribute to systemd --user instances + systemd: add interface to support monitoring and output capturing of child + processes + wm: add user exec domain attribute to wm domains + ssh: add interface to execute and transition to ssh client + userdomain: add interface to allow mapping all user home content + git, roles: add policy for git client + apache, roles: use user exec domain attribute + screen, roles: use user exec domain attribute + git, roles: use user exec domain attribute + postgresql, roles: use user exec domain attribute + ssh, roles: use user exec domain attribute + sudo, roles: use user exec domain attribute + syncthing, roles: use user exec domain attribute + xscreensaver, roles: use user exec domain attribute + xserver, roles, various: use user exec domain attribute + authlogin, roles: use user exec domain attribute + bluetooth, roles: use user exec domain attribute + cdrecord, roles: use user exec domain attribute + chromium, roles: use user exec domain attribute + cron, roles: use user exec domain attribute + dirmngr, roles: use user exec domain attribute + evolution, roles: use user exec domain attribute + games, roles: use user exec domain attribute + gnome, roles: use user exec domain attribute + gpg, roles: use user exec domain attribute + irc, roles: use user exec domain attribute + java, roles: use user exec domain attribute + libmtp, roles: use user exec domain attribute + lpd, roles: use user exec domain attribute + mozilla, roles: use user exec domain attribute + mplayer, roles: use user exec domain attribute + mta, roles: use user exec domain attribute + openoffice, roles: use user exec domain attribute + pulseaudio, roles: use user exec domain attribute + pyzor, roles: use user exec domain attribute + razor, roles: use user exec domain attribute + rssh, roles: use user exec domain attribute + spamassassin, roles: use user exec domain attribute + su, roles: use user exec domain attribute + telepathy, roles: use user exec domain attribute + thunderbird, roles: use user exec domain attribute + tvtime, roles: use user exec domain attribute + uml, roles: use user exec domain attribute + userhelper, roles: use user exec domain attribute + vmware, roles: use user exec domain attribute + wireshark, roles: use user exec domain attribute + wm, roles: use user exec domain attribute + hadoop, roles: use user exec domain attribute + shutdown, roles: use user exec domain attribute + cryfs, roles: use user exec domain attribute + wine: use user exec domain attribute + mono: use user exec domain attribute + sudo: add tunable to control user exec domain access + su: add tunable to control user exec domain access + shutdown: add tunable to control user exec domain access + mpd, pulseaudio: split domtrans and client access + mcs: deprecate mcs overrides + mcs: restrict create, relabelto on mcs files + fs: add pseudofs attribute and interfaces + devices: make usbfs pseudofs instead of noxattrfs + git: fix typo in git hook exec access + dovecot, spamassassin: allow dovecot to execute spamc + mta, spamassassin: fixes for rspamd + certbot, various: allow various services to read certbot certs + usbguard, sysadm: misc fixes + ssh: fix for polyinstantiation + sysadm, systemd: fixes for systemd-networkd + asterisk: allow reading generic certs + bind: fixes for unbound + netutils: fix ping + policykit, systemd: allow policykit to watch systemd logins and sessions + spamassassin: fix file contexts for rspamd symlinks + mcs: add additional constraints to databases + mcs: constrain misc IPC objects + mcs: combine single-level object creation constraints + various: deprecate mcs override interfaces + corenet: make netlabel_peer_t mcs constrained + mcs: constrain context contain access + mcs: only constrain mcs_constrained_type for db accesses + guest, xguest: remove apache role access + wine: fix roleattribute statement + testing: accept '@' as a valid ending character in filecon checker + users: remove MCS categories from default users + various: remove various mcs ranged transitions + kernel: add various supporting interfaces for containers + kernel, rpc, systemd: deprecate kernel_mounton_proc + devices, kernel: deprecate dev_mounton_sysfs + devices: add interfaces to remount sysfs and device filesystems + init: add interface to run init bpf programs + systemd: add interface to dbus chat with systemd-machined + userdom: add interfaces to relabel generic user home content + init: add interface to setsched on init + init: allow systemd to renice all other domains + sysnetwork: add interfaces for /run/netns + container, virt: move svirt lxc domains to new container module + container: svirt_lxc_net_t is now container_t + container: fixup rules + container: add interface to identify container mountpoints + various: make various types a mountpoint for containers + container: add base attributes for containers and container engines + container: initial support for container engines + container, gpg, userdom: allow container engines to execute gpg + container: allow containers to use container ptys + container, mount: allow mount to getattr on container fs + various: various userns capability permissions + container: allow containers the chroot capability + container: allow containers various userns capabilities + container: allow containers to watch all container files + container, podman: initial support for podman + filesystem: add supporting FUSEFS interfaces + dbus: add supporting interfaces and rules for rootless podman + systemd: add private type for systemd user manager units + container: add role access templates + container, podman, systemd: initial support for rootless podman + container: add required admin rules + sysadm: allow container admin access + container: call podman access in container access + staff, unconfined: allow container user access + container: add policy for privileged containers + container: allow containers to read read-only container files + container: add tunable for containers to manage cgroups + container: add tunables for containers to use nfs and cifs + container: add tunable to allow engines to mounton non security + container, iptables: dontaudit iptables rw on /ptmx + xdg: add interface to search xdg data directories + container, podman: add policy for conmon + kernel: add filetrans interface for unlabeled dirs + container, docker: add initial support for docker + container: call docker access in container access + userdomain: add type for user bin files + systemd: allow systemd user managers to execute user bin files + systemd: use stream socket perms in systemd_user_app_status + systemd: add supporting interfaces for user daemons + rootlesskit: new policy module + container, docker, rootlesskit: add support for rootless docker + docker: call rootlesskit access in docker access + container: drop old commented rules + lxc_contexts: add ro_file and sandbox_lxc_process contexts + container: allow containers to getsession + docker: make rootlesskit optional + docker: add missing call to init_daemon_domain() + podman: add explicit range transition for conmon + init: split access for systemd runtime units + dbus: fixes for dbus-broker + dbus, policykit: add tunables for dbus-broker access + docker, podman: container units now have the runtime unit type + init: allow systemd to nnp_transition and nosuid_transition to daemon + domains + files, init: allow init to remount filesystems mounted on /boot + sudo: fixes for polyinstantiation + locallogin: fix for polyinstantiation + authlogin: dontaudit getcap chkpwd + systemd: various fixes + systemd: add support for systemd-resolved stubs + getty, locallogin: cgroup fixes + unconfined: fixes for bluetooth dbus chat and systemd + udev: allow udev to start the systemd system object + networkmanager: allow getting systemd system status + container, podman: allow podman to create and write config files + podman: allow system podman to interact with container transient units + podman: fix role associations + container, podman: allow containers to interact with conmon + podman: add rules for systemd container units + container, init: allow init to remount container filesystems + container: allow generic containers to read the vm_overcommit sysctl + container: add tunables to allow containers to access public content + container: add missing capabilities + container: also allow containers to watch public content + podman: allow podman to watch journal dirs + sysadm: allow sysadm to watch journal directories + git: add missing file contexts + udica-templates: initial commit of udica templates + makefile: add install target for udica templates + github: test install of udica templates + +Laurent Bigonville (2): + docker: On debian dockerd and docker-proxy are in /usr/sbin + container: On Debian, runc is installed in /usr/sbin + +Pedro (1): + File context for nginx cache files + +Russell Coker (8): + remove aliases from 20210203 + dontaudit net_admin without hide_broken_symptoms + puppet V3 + matrixd-synapse policy V3 + mailman3 V3 + certbot V3 + init dbus patch for GetDynamicUsers with systemd_use_nss() V2 + new sddm V2 + +Vit Mojzis (1): + Improve error message on duplicate definition of interface + +Yi Zhao (24): + rpc: remove obsolete comment line + secadm: allow secadm to read selinux policy + rpcbind: allow sysadm to run rpcinfo + samba: allow smbd_t to send and receive messages from avahi over dbus + rpc: add dac_read_search capability for rpcd_t + bluetooth: fixes for bluetoothd + avahi: allow avahi_t to watch /etc/avahi directory + udev: allow udev_t to watch udev_rules_t dir + rpc: allow rpc.mountd to list/watch NFS server directory + usermanage: do not audit attempts to getattr of proc for passwd_t and + useradd_t + selinuxutil: allow setfiles_t to read kernel sysctl + rngd: fixes for rngd + dbus: allow dbus-daemon to map SELinux status page + bind: fixes for bind + passwd: allow passwd to map SELinux status page + ipsec: fixes for strongswan + samba: fixes for smbd/nmbd + ntp: allow ntpd to set rlimit_memlock + ssh: do not audit attempts by ssh-keygen to read proc + acpid: allow acpid to watch the directories in /dev + bluetooth: allow bluetoothd to create alg_socket + systemd: allow systemd-hostnamed to read udev runtime files + su: allow su to map SELinux status page + modutils: allow kmod_t to write keys + * Wed Sep 08 2021 Chris PeBenito - 2.20210908 Andreas Freimuth (2): Prefer user_fonts_config_t over xdg_config_t diff --git a/VERSION b/VERSION index de757ebd2..b45db4e8f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20210908 +2.20220520