nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update Changelog and VERSION for release 2.20221101. 

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2022-11-01 09:54:51 -04:00
parent 89488a5b26
commit 03d486e306
2 changed files with 205 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
Changelog
View File

@ -1,3 +1,207 @@
* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
fstools: Handle resizes of the root filesystem.
mount: Get the attributes of all filesystems.
rpm: Add dnf and tdnf labeling.
logging: Change to systemd interface for tmpfilesd.
systemd: Remove systemd-run domain.
unconfined: Add missing capability2 perms.
lvm: Updates for multipath LVM.
locallogin: Use init file descriptors.
systemd: Misc fixes.
isns: Updates from testing.
container, docker: Fixes for containerd and kubernetes testing.
devices: Add type for SAS management devices.
devices: Add file context for /dev/vhost-vsock.
iptables: Ioctl cgroup dirs.
devices: Add type for infiniband devices.
storage: Add fc for /dev/ng*n* devices.
files: Add prerequisite access for files_mounton_non_security().
files: Make etc_runtime_t a config file.
systemd: Fixes for coredumps in containers.
container: Allow container engines to connect to http cache ports.
container: Getattr generic device nodes.
application: Allow apps to use init fds.
systemd: Misc updates.
filesystem: Move ecryptfs interface definitions.
mcs: Add additional SysV IPC constraints.
mcs: Collapse constraints.
mcs: Add additional socket constraints.
mcs: Add missing process permission constraints.
mcs: Remove duplicate node_bind constraint.
mcs: Reorganize file.
mls: Add setsockcreate constraint.
systemd: Add interface for systemctl exec.
Add cloud-init.
hypervkvp: Port updated module from Fedora policy.
init: Add tunable for systemd to create all its mountpoints.
Run Ci tests in parallel.
Revise userspace and SELint versions in CI
fapolicyd: Fix selint issue.
tests.yml: Remove irrelevant comment.
Drop audit_access allows.
sympa: Move lines.
sympa: Drop module version.
sympa, mta, exim: Revise interfaces.
sympa, logging; Fix lint errors.
container: Add missing UDP node bind access on container engines.
Christian Göttsche (3):
Replace deprecated egrep usage
ci: update dependencies
ci: build SELint from source
Daniel Burgener (1):
Drop explicit calls to seutil and kernel module interfaces in broad files
interfaces
Dave Sugar (20):
ssh: allow ssh_keygen to read /usr/share/crypto-policies/
chronyd: Allow to read fips_enabled sysctl
chronyd: allow chronyd to read /usr/share/crypto-policies
systemd: init_t creates systemd-logind 'linger' directory
systemd: systemd-update-done fix startup issue
usbguard: Allow to read fips_enabled sysctl
firewalld: read to read fips_enabled sysctl
firewalld: create netfilter socket
firewalld: allow to load kernel modules
firewalld: write tmpfs files
firewalld: firewalld-cmd uses dbus
tpm2-abrmd: allow to send syslog messages
domain: move kernel_read_crypto_sysctls to a common location
fapolicyd: Initial SELinux policy
networkmanager: allow watch etc_t and lib_t
firewalld: allow watch on firewalld files
Seeing long delay during shutdown saying: 'A stop job is running for
Restore /run/initramfs on shutdown'
fix: issue #550 - compile failed when DIRECT_INITRC=y
fapolicyd: fagenrules chgrp's the compiled.rules
Add 'DIRECT_INITRC' config to automated tests
Kenton Groombridge (95):
systemd: add separate type for user transient units
systemd: rename user runtime unit interfaces
docker, podman: use renamed user runtime unit status interface
systemd: rename status user mananger units interface
systemd: systemd-resolved is linked to libselinux
systemd: dontaudit systemd-generator getattr on all dirs
raid: allow mdadm to use user ptys
bootloader, files: allow bootloader to getattr on boot_t filesystems
matrixd: various fixes
container: add unconfined role
unconfined: use unconfined container role
podman: add interface to rangetrans when executing conmon
podman: rework conmon rules
podman: add file context for podman in /usr/libexec
container: rework combined role interfaces
podman: typealias podman_user_conmon_t to podman_conmon_user_t
fail2ban: allow fail2ban to getsched on its processes
modutils: allow kmod to write to kmsg
postfix: allow postfix-map to read certbot certs
postfix: allow postfix master to get the state of init
postfix: allow postfix master fsetid capability
bind: fixes for named working on dnssec files
sudo: allow sudo domains to create netlink selinux sockets
sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
container: allow containers to manipulate own fds
container: allow container engines to manage tmp symlinks
ssh: add tunable to allow sshd to use remote port forwarding
systemd: minor fixes to systemd user domains
init, systemd: allow unpriv users to read the catalog
container: add separate type for container engine units
container, podman: allow podman to restart container units
spamassassin: add file context for rspamd log directory
term, init: allow systemd to watch and watch reads on unallocated ttys
certbot: various fixes
systemd: add file transition for systemd-networkd runtime
systemd: add missing file context for /run/systemd/network
systemd: add file contexts for systemd-network-generator
systemd, udev: allow udev to read systemd-networkd runtime
systemd: allow systemd-networkd to read init runtime files
podman: add alias for conmon executable
systemd: ensure connecting to resolved allows searching init runtime
ssh: allow sshd to run setfiles when polyinstantiation is enabled
sudo: allow sudo domains to access caller's /proc/pid/stat
container: add file contexts for docker home config
files, init: allow systemd to remount etc filesystems
systemd: allow systemd-logind to read localization
init: fix possible typo
corecmd: label dracut lib as bin_t
sudo: various fixes
udev: various fixes for udevadm
bootloader, init: various fixes for systemd-boot
systemd: allow systemd-generator to read etc runtime files
systemd: add interface to read userdb runtime files
logging: various fixes for auditctl
screen: add interface to dontaudit runtime sock file
systemd: dontaudit systemd-tmpfiles getattr on screen sock file
systemd: dontaudit systemd-tmpfiles getattr on all dirs
fstools: fixes for fsadm with nfs
various: fixes for nfs
init: dontaudit initrc creating /dev/console during initrd
storage: include chr_files in fixed_disk_dev interfaces
systemd: allow systemd-userdbd to search default contexts
logging, systemd: allow auditctl to list userdb runtime dirs
bootloader, userdom: minor fixes for systemd-boot
systemd: allow systemd-resolved to read generic certs
sysadm: allow sysadm to rw ipmi devices
zfs: initial policy module
fstools, mount: remove legacy zfs rules
files, mount: remove legacy ZFS file contexts
sysadm: allow admin access to zfs
kernel: allow kthreads to read and write the zpool cache
systemd, zfs: allow systemd-generator to read zfs config
udev: allow reading ZFS config
zfs: various fixes
mta: add support for nullmailer
devices: add interface to rw infiniband devices
xdg: add interface to dontaudit searching xdg data dirs
opensm: initial policy
sysadm: allow opensm access
corenet: add portcon for glusterfs
glusterfs: various fixes
glusterfs: add type for gluster bricks
mount: allow mounting glusterfs volumes
selinuxutil: allow semanage, setfiles to inherit gluster fds
glusterfs, selinuxutil: make modifying fcontexts a tunable
glusterfs: add type for glusterd hooks
usermanage: add file context for chpasswd in /usr/bin
node_exporter: add file context for node_exporter in /usr/bin
usbguard: add file context for usbguard in /usr/bin
init: add file context for systemd units in dracut modules
git: add file contexts for other git utilities
dbus, init, mount, rpc: minor fixes for mount.nfs
zfs: allow reading exports
systemd: allow systemd-generator to use dns resolution
rpc: allow rpc admins to rw nfsd fs
Pat Riehecky (2):
container: Boolean for ecryptfs
Clone `xguest_connect_network` for guest role
Russell Coker (1):
Sympa list server
Yi Zhao (16):
systemd: allow systemd user to watch /etc directories
logwatch: fixes for logwatch
postfix: allow postfix_local_t to search logwatch_cache_t
sysnetwork: allow systemd_networkd_t to read link file
logging: allow systemd-journal to manage syslogd_runtime_t sock_file
radius: fixes for freeradius
udev: allow udev_read_runtime_files to read link files
watchdog: allow watchdog to create /var/log/watchdog directory
systemd: allow systemd-resolved to manage link files
sysnetwork: fix privilege separation functionality of dhcpcd
sysnetwork: allow dhcpcd to send and receive messages from systemd
resolved
rpm: add label for dnf-automatic and dnf-3
systemd: allow systemd-backlight to read kernel sysctl settings
systemd: allow systemd-rfkill to get attributes of all fs
systemd: allow systemd-hostnamed to read selinux configuration files
systemd: add capability sys_admin to systemd_generator_t
* Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520 * Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520
Björn Esser (1): Björn Esser (1):
authlogin: add fcontext for tcb authlogin: add fcontext for tcb

2
VERSION
View File

@ -1 +1 @@
2.20220520 2.20221101