Update Changelog and VERSION for release 2.20220520.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2022-05-20 09:33:17 -04:00
parent ed9e2c99ca
commit fdebaaca4b
2 changed files with 313 additions and 1 deletions

312
Changelog
View File

@ -1,3 +1,315 @@
* Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520
Björn Esser (1):
authlogin: add fcontext for tcb
Chris PeBenito (118):
0xC0ncord/bugfix/systemd-user-exec-apps-hookup
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
systemd: Unit generator fixes.
systemd: Revise tmpfiles factory to allow writing all configs.
systemd: User runtime reads user cgroup files.
logging: Add audit_control for journald.
udev: Manage EFI variables.
ntp: Handle symlink to drift directory.
logging: Allow auditd to stat() dispatcher executables.
Drop module versioning.
tests.yml: Disable policy_module() selint checks.
systemd: Change journal file context to MLS system high.
Revert "users: remove MCS categories from default users"
systemd: Add systemd-homed and systemd-userdbd.
systemd, ssh: Crypto sysctl use.
systemd: Additional fixes for fs getattrs.
systemd: Updates for generators and kmod-static-nodes.service.
domain: Allow lockdown for all domains.
postfix, spamassassin: Fix missed type renames after alias removals.
cron, dbus, policykit, postfix: Minor style fixes.
Make hide_broken_symptoms unconditional.
puppet: Style fixes.
matrixd: Cleanups.
matrixd: SELint fixes.
mailmain: Fix check_fc_files issue.
mailmain: Fix SELint issues.
postfix: Move lines.
apache: Remove unnecessary require in apache_exec().
seusers: Remove sddm.
Add a vulnerability handling process.
Christian Goettsche (1):
check_fc_files: allow optional @ character
Christian Göttsche (11):
filesystem: add fs_use_trans for ramfs
Ignore umask on when installing headers
Revert "tests.yml: Disable policy_module() selint checks."
build.conf: bump policy version in comment
flask: add new kernel security classes
policy_capabilities: add ioctl_skip_cloexec
policy.dtd: more strict bool/tunable and infoflow validation
Makefile: invoke python with -bb
Rules.monolithic: add target to generate CIL policy
Makefile: use override for adding options
Rules.modular: add pure-load target
Dave Sugar (4):
Allow iscsid to request kernel module load
Allow iscsid to check fips_enabled
sshd: allow to run /usr/bin/fipscheck (to check fips state)
systemd: resolve error with systemd-sysctl
Fabrice Fontaine (2):
policy/modules/services/samba.te: make crack optional
policy/modules/services/wireguard.te: make iptables optional
Gao Xiang (1):
Add erofs as a SELinux capable file system
Henrik Grindal Bakken (1):
snmp: Fix typo in /var/net-snmp rule
Jonathan Davies (12):
chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access
net_admin capability, this is required for its `hwtimestamp` option,
which otherwise returns:
virt.te: Fixed typo in virtlogd_t virt_common_runtime_t
manage_files_pattern.
obfs4proxy: Added policy.
tor: Added interfaces and types for obfs4proxy support.
corenetwork.te.in: Added ntske port.
chronyd.te: Added support for bind/connect/recv/send NTS packets.
chronyd: Allow access to read certs.
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
policy/*: Replaced rw_netlink_socket_perms with
create_netlink_socket_perms.
node_exporter: Added initial policy.
systemd.te: Added boolean for allowing dhcpd server packets.
systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in
systemd_stream_connect_userdb().
Kenton Groombridge (174):
userdomain: add user exec domain attribute and interface
systemd: assign user exec attribute to systemd --user instances
systemd: add interface to support monitoring and output capturing of child
processes
wm: add user exec domain attribute to wm domains
ssh: add interface to execute and transition to ssh client
userdomain: add interface to allow mapping all user home content
git, roles: add policy for git client
apache, roles: use user exec domain attribute
screen, roles: use user exec domain attribute
git, roles: use user exec domain attribute
postgresql, roles: use user exec domain attribute
ssh, roles: use user exec domain attribute
sudo, roles: use user exec domain attribute
syncthing, roles: use user exec domain attribute
xscreensaver, roles: use user exec domain attribute
xserver, roles, various: use user exec domain attribute
authlogin, roles: use user exec domain attribute
bluetooth, roles: use user exec domain attribute
cdrecord, roles: use user exec domain attribute
chromium, roles: use user exec domain attribute
cron, roles: use user exec domain attribute
dirmngr, roles: use user exec domain attribute
evolution, roles: use user exec domain attribute
games, roles: use user exec domain attribute
gnome, roles: use user exec domain attribute
gpg, roles: use user exec domain attribute
irc, roles: use user exec domain attribute
java, roles: use user exec domain attribute
libmtp, roles: use user exec domain attribute
lpd, roles: use user exec domain attribute
mozilla, roles: use user exec domain attribute
mplayer, roles: use user exec domain attribute
mta, roles: use user exec domain attribute
openoffice, roles: use user exec domain attribute
pulseaudio, roles: use user exec domain attribute
pyzor, roles: use user exec domain attribute
razor, roles: use user exec domain attribute
rssh, roles: use user exec domain attribute
spamassassin, roles: use user exec domain attribute
su, roles: use user exec domain attribute
telepathy, roles: use user exec domain attribute
thunderbird, roles: use user exec domain attribute
tvtime, roles: use user exec domain attribute
uml, roles: use user exec domain attribute
userhelper, roles: use user exec domain attribute
vmware, roles: use user exec domain attribute
wireshark, roles: use user exec domain attribute
wm, roles: use user exec domain attribute
hadoop, roles: use user exec domain attribute
shutdown, roles: use user exec domain attribute
cryfs, roles: use user exec domain attribute
wine: use user exec domain attribute
mono: use user exec domain attribute
sudo: add tunable to control user exec domain access
su: add tunable to control user exec domain access
shutdown: add tunable to control user exec domain access
mpd, pulseaudio: split domtrans and client access
mcs: deprecate mcs overrides
mcs: restrict create, relabelto on mcs files
fs: add pseudofs attribute and interfaces
devices: make usbfs pseudofs instead of noxattrfs
git: fix typo in git hook exec access
dovecot, spamassassin: allow dovecot to execute spamc
mta, spamassassin: fixes for rspamd
certbot, various: allow various services to read certbot certs
usbguard, sysadm: misc fixes
ssh: fix for polyinstantiation
sysadm, systemd: fixes for systemd-networkd
asterisk: allow reading generic certs
bind: fixes for unbound
netutils: fix ping
policykit, systemd: allow policykit to watch systemd logins and sessions
spamassassin: fix file contexts for rspamd symlinks
mcs: add additional constraints to databases
mcs: constrain misc IPC objects
mcs: combine single-level object creation constraints
various: deprecate mcs override interfaces
corenet: make netlabel_peer_t mcs constrained
mcs: constrain context contain access
mcs: only constrain mcs_constrained_type for db accesses
guest, xguest: remove apache role access
wine: fix roleattribute statement
testing: accept '@' as a valid ending character in filecon checker
users: remove MCS categories from default users
various: remove various mcs ranged transitions
kernel: add various supporting interfaces for containers
kernel, rpc, systemd: deprecate kernel_mounton_proc
devices, kernel: deprecate dev_mounton_sysfs
devices: add interfaces to remount sysfs and device filesystems
init: add interface to run init bpf programs
systemd: add interface to dbus chat with systemd-machined
userdom: add interfaces to relabel generic user home content
init: add interface to setsched on init
init: allow systemd to renice all other domains
sysnetwork: add interfaces for /run/netns
container, virt: move svirt lxc domains to new container module
container: svirt_lxc_net_t is now container_t
container: fixup rules
container: add interface to identify container mountpoints
various: make various types a mountpoint for containers
container: add base attributes for containers and container engines
container: initial support for container engines
container, gpg, userdom: allow container engines to execute gpg
container: allow containers to use container ptys
container, mount: allow mount to getattr on container fs
various: various userns capability permissions
container: allow containers the chroot capability
container: allow containers various userns capabilities
container: allow containers to watch all container files
container, podman: initial support for podman
filesystem: add supporting FUSEFS interfaces
dbus: add supporting interfaces and rules for rootless podman
systemd: add private type for systemd user manager units
container: add role access templates
container, podman, systemd: initial support for rootless podman
container: add required admin rules
sysadm: allow container admin access
container: call podman access in container access
staff, unconfined: allow container user access
container: add policy for privileged containers
container: allow containers to read read-only container files
container: add tunable for containers to manage cgroups
container: add tunables for containers to use nfs and cifs
container: add tunable to allow engines to mounton non security
container, iptables: dontaudit iptables rw on /ptmx
xdg: add interface to search xdg data directories
container, podman: add policy for conmon
kernel: add filetrans interface for unlabeled dirs
container, docker: add initial support for docker
container: call docker access in container access
userdomain: add type for user bin files
systemd: allow systemd user managers to execute user bin files
systemd: use stream socket perms in systemd_user_app_status
systemd: add supporting interfaces for user daemons
rootlesskit: new policy module
container, docker, rootlesskit: add support for rootless docker
docker: call rootlesskit access in docker access
container: drop old commented rules
lxc_contexts: add ro_file and sandbox_lxc_process contexts
container: allow containers to getsession
docker: make rootlesskit optional
docker: add missing call to init_daemon_domain()
podman: add explicit range transition for conmon
init: split access for systemd runtime units
dbus: fixes for dbus-broker
dbus, policykit: add tunables for dbus-broker access
docker, podman: container units now have the runtime unit type
init: allow systemd to nnp_transition and nosuid_transition to daemon
domains
files, init: allow init to remount filesystems mounted on /boot
sudo: fixes for polyinstantiation
locallogin: fix for polyinstantiation
authlogin: dontaudit getcap chkpwd
systemd: various fixes
systemd: add support for systemd-resolved stubs
getty, locallogin: cgroup fixes
unconfined: fixes for bluetooth dbus chat and systemd
udev: allow udev to start the systemd system object
networkmanager: allow getting systemd system status
container, podman: allow podman to create and write config files
podman: allow system podman to interact with container transient units
podman: fix role associations
container, podman: allow containers to interact with conmon
podman: add rules for systemd container units
container, init: allow init to remount container filesystems
container: allow generic containers to read the vm_overcommit sysctl
container: add tunables to allow containers to access public content
container: add missing capabilities
container: also allow containers to watch public content
podman: allow podman to watch journal dirs
sysadm: allow sysadm to watch journal directories
git: add missing file contexts
udica-templates: initial commit of udica templates
makefile: add install target for udica templates
github: test install of udica templates
Laurent Bigonville (2):
docker: On debian dockerd and docker-proxy are in /usr/sbin
container: On Debian, runc is installed in /usr/sbin
Pedro (1):
File context for nginx cache files
Russell Coker (8):
remove aliases from 20210203
dontaudit net_admin without hide_broken_symptoms
puppet V3
matrixd-synapse policy V3
mailman3 V3
certbot V3
init dbus patch for GetDynamicUsers with systemd_use_nss() V2
new sddm V2
Vit Mojzis (1):
Improve error message on duplicate definition of interface
Yi Zhao (24):
rpc: remove obsolete comment line
secadm: allow secadm to read selinux policy
rpcbind: allow sysadm to run rpcinfo
samba: allow smbd_t to send and receive messages from avahi over dbus
rpc: add dac_read_search capability for rpcd_t
bluetooth: fixes for bluetoothd
avahi: allow avahi_t to watch /etc/avahi directory
udev: allow udev_t to watch udev_rules_t dir
rpc: allow rpc.mountd to list/watch NFS server directory
usermanage: do not audit attempts to getattr of proc for passwd_t and
useradd_t
selinuxutil: allow setfiles_t to read kernel sysctl
rngd: fixes for rngd
dbus: allow dbus-daemon to map SELinux status page
bind: fixes for bind
passwd: allow passwd to map SELinux status page
ipsec: fixes for strongswan
samba: fixes for smbd/nmbd
ntp: allow ntpd to set rlimit_memlock
ssh: do not audit attempts by ssh-keygen to read proc
acpid: allow acpid to watch the directories in /dev
bluetooth: allow bluetoothd to create alg_socket
systemd: allow systemd-hostnamed to read udev runtime files
su: allow su to map SELinux status page
modutils: allow kmod_t to write keys
* Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908 * Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908
Andreas Freimuth (2): Andreas Freimuth (2):
Prefer user_fonts_config_t over xdg_config_t Prefer user_fonts_config_t over xdg_config_t

View File

@ -1 +1 @@
2.20210908 2.20220520