Update Changelog and VERSION for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
parent d387e79989
commit bdb9ffd00e
216 Changelog
@ -1,3 +1,219 @@
|
||||
* Tue Aug 18 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200818
|
||||
Alexander Miroshnichenko (2):
|
||||
openvpn: more versatile file context regex for ipp.txt
|
||||
openvpn: update file context regex for ipp.txt
|
||||
|
||||
Chris PeBenito (153):
|
||||
Makefile: Warn if policy.xml xmllint check does not run.
|
||||
networkmanager: Fix interface commenting.
|
||||
Makefile: Remove shell brace expansion in ctags target.
|
||||
dbus: Rename tunable to dbus_pass_tuntap_fd.
|
||||
spamassassin: Move systemd interfaces.
|
||||
spamassassin: Rename systemd interfaces.
|
||||
spamassassin: Add missing class requires in systemd interfaces.
|
||||
spamassassin: Remove unnecessary brackets in type alias.
|
||||
pulseaudio: Drop call to nonexistant interface.
|
||||
genhomedircon: Drop Python 2 compatibility code.
|
||||
systemd: Merge generator domains.
|
||||
.travis.yml: Add CI tests with no unconfined.
|
||||
Rename "pid" interfaces to "runtime" interfaces.
|
||||
Update callers for "pid" to "runtime" interface rename.
|
||||
Move user definitions to the right place during compilation.
|
||||
Makefile: Give a value to build options so they can be used in ifelse.
|
||||
init: Revise init_startstop_service() build option blocks.
|
||||
kernel: Drop unlabeled_t as a files_mountpoint().
|
||||
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
|
||||
files: Restore mounton access to files_mounton_all_mountpoints().
|
||||
filesystem: Create a filesystem image concept.
|
||||
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
|
||||
Bump module versions for release.
|
||||
|
||||
Christian Göttsche (29):
|
||||
Rules: allow the usage of class sets in context_defaults
|
||||
Correct estimate kernel version for polcap genfs_seclabel_symlinks
|
||||
Makefile: generate temporary documentation files in separate directory
|
||||
Ignore temporary documentation file directory in git
|
||||
Override old all_interfaces.conf.tmp file
|
||||
samba: fix wrong interface context smbd_runtime_t
|
||||
chromium: drop dead conditional block
|
||||
example: use module name matching file name
|
||||
consolesetup: drop unused requires
|
||||
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
|
||||
portage: drop bizarre conditional TODO blocks
|
||||
init/systemd: move systemd_manage_all_units to init_manage_all_units
|
||||
tpm2: small fixes
|
||||
files/logging: move var_run_t filecontext to defining module
|
||||
files/miscfiles: move usr_t filecontext to defining module
|
||||
chromium/libraries: move lib_t filecontext to defining module
|
||||
apache: use correct content types in apache_manage_all_user_content()
|
||||
can_exec(): move from misc_macros to misc_patterns
|
||||
Makefile: remove obsolete .SUFFIXES
|
||||
Makefile: add target build-interface-db
|
||||
devices/storage: quote arguments to tunable_policy
|
||||
apache: quote gen_tunable name argument
|
||||
Correct some misspellings
|
||||
Fix several misspellings
|
||||
whitespace cleanup
|
||||
travis-ci: add SELint
|
||||
work on SELint issues
|
||||
files/modutils: unify modules_object_t usage into files module
|
||||
travis: resolve Linter tags
|
||||
|
||||
Daniel Burgener (10):
|
||||
Add dnl to end of interface declaration. This reduces the number of blank
|
||||
lines in intermediate files and matches the way templates are defined.
|
||||
Allow systemd-coredump to stat mountpoints.
|
||||
Change incorrect template definitions into interface definitions
|
||||
Add divert to generated_definitions creation, and fix all_interfaces.conf
|
||||
divert creation.
|
||||
Fix mismatches between object class and permission macro.
|
||||
Switch pipe reading on domtrans to inherited only
|
||||
Simplify collection of ssh rules to domtrans_pattern macro
|
||||
Fix a few places where command line applications were only granted one of
|
||||
tty or pty permissions and could be used from either
|
||||
Remove the second copy of a permission in instances where the exact same
|
||||
permission is repeated twice in a row
|
||||
Remove out of date "hack" from stunnel. The underlying problem needing a
|
||||
require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
|
||||
would be an option now, but stunnel_t already has
|
||||
corenet_tcp_bind_all_ports, so this access is redundant.
|
||||
|
||||
Dave Sugar (8):
|
||||
Add interface to read/write /dev/ipmi
|
||||
Update labeling in /dev/
|
||||
Setup generic generator attribute and change generator types.
|
||||
fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026
|
||||
Setup domain for tpm2_* binaries
|
||||
Interfaces needed to support IMA/EVM keys
|
||||
Resolve neverallow failure introduced in #273
|
||||
Interfaces for tpm2
|
||||
|
||||
David Sommerseth (1):
|
||||
dbus: Add tunable - dbus_can_pass_tuntap_fd
|
||||
|
||||
Florian Schmidt (1):
|
||||
corenetwork: fix winshadow port number
|
||||
|
||||
Guido Trentalancia (5):
|
||||
This patch improves a previous commit by restricting down the permissions
|
||||
to write the wireless device in order to prevent a possible Denial of
|
||||
Service (DoS) attack from an unprivileged process bringing down the
|
||||
wireless interfaces.
|
||||
mozilla: add watch perms
|
||||
wm: add watch perms
|
||||
getty: add watch perms
|
||||
userdomain: add watch perms
|
||||
|
||||
Laurent Bigonville (5):
|
||||
Add an interface to allow the specified domain to mmap the general network
|
||||
configuration files
|
||||
Add policy for apt-cacher-ng
|
||||
Add policy for acngtool
|
||||
Label bluetooth daemon as bluetooth_exec_t
|
||||
Label /usr/libexec/packagekitd as apt_exec_t on debian
|
||||
|
||||
McSim85 (1):
|
||||
add rule for the management socket file fixed comments from @bauen1
|
||||
|
||||
Nicolas Iooss (5):
|
||||
Vagrantfile: remove older installed modules before "make install"
|
||||
systemd: make systemd --user run generators without transition
|
||||
systemd: allow sd-executor to manage its memfd files
|
||||
devices: label /dev/sysdig0
|
||||
sysnetwork: allow using "ip netns"
|
||||
|
||||
Russell Coker (2):
|
||||
pulseaudio patch
|
||||
latest ver of trivial mail server patch
|
||||
|
||||
Topi Miettinen (13):
|
||||
Make raw memory access tunable
|
||||
Add usbguard
|
||||
Don't allow creating regular files in /dev
|
||||
Python string fix
|
||||
gennetfilter: generate nft tables with --nft
|
||||
gennetfilter: handle port ranges
|
||||
Allow systemd-networkd to handle ICMP and DHCP packets
|
||||
gennetfilter: add rules for ICMP/ICMPv6 packets
|
||||
wm: add KWin
|
||||
Build and install Netfilter rules
|
||||
bootloader: add rEFInd and systemd-boot
|
||||
netutils: allow ping to send and receive ICMP packets
|
||||
Remove unlabeled packet access
|
||||
|
||||
Vilgot (1):
|
||||
Portage update
|
||||
|
||||
Vilgot Fredenberg (1):
|
||||
Remove old exception
|
||||
|
||||
Yi Zhao (2):
|
||||
Remove duplicated rules
|
||||
xserver: allow xserver_t to connect to resmgrd
|
||||
|
||||
bauen1 (59):
|
||||
logging: allow syslogd to remove stale socket file
|
||||
systemd-user-runtime-dir: add required permissions
|
||||
mozilla: allow firefox to use user namespaces for sandboxing
|
||||
modutils: allow init to execute kmod with nnp
|
||||
fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da
|
||||
allow init_t access to own keyring
|
||||
allow init_t to link kernel_t key
|
||||
allow normal users to use 'systemd-run'
|
||||
ssh: fix for debian wrapper script
|
||||
bird: fixes for bird 2.0
|
||||
apache: add nginx to policy
|
||||
ntpd: fixes for systemd-timesyncd after linux 5.4
|
||||
define lockdown class and access
|
||||
dirmngr: allow to probe for tor
|
||||
dirmngr: also requires access to /dev/urandom
|
||||
dirmngr: ~/.gnupg/crls.d might not exist
|
||||
application: applications can be executed from ssh without pty
|
||||
systemd: allow regular users to run systemd-analyze
|
||||
quota: allow quota to modify /aquota even if immutable
|
||||
init: read default context during boot
|
||||
lvm: create /etc/lvm/archive if it doesn't exist
|
||||
corecommands: fix atrild label
|
||||
systemd-fstab-generator needs to know about all mountpoints
|
||||
semanage: create directories for new policies
|
||||
dnsmasq: watch for new dns resolvers
|
||||
init: allow systemd to setup mount namespaces
|
||||
init: make initrc_t a init_domain to simplify the policy
|
||||
init: allow systemd to activate journald-audit.socket
|
||||
setrans: allow label translation for all domains.
|
||||
files: add files_watch_etc_symlinks interface
|
||||
init: watch /etc/localtime even if it's a symlink
|
||||
corecommands: proper label for unattended-upgrades helpers
|
||||
filesystem: pathcon for matching tracefs mount
|
||||
lvm-activation-generator also needs to execute lvm
|
||||
systemd: allow systemd-user-runtime-dir to do its job
|
||||
init: fix init_manage_pid_symlinks to grant more than just create
|
||||
permissions
|
||||
init: replace call to init_domtrans_script
|
||||
systemd-sysusers: add policy
|
||||
allow most common permissions for systemd sandboxing options
|
||||
terminal: cleanup term_create interfaces
|
||||
logrotate.service sandbox required permissions
|
||||
udev.service sandbox required permissions
|
||||
systemd-timesyncd.service sandbox requried permissions
|
||||
systemd-logind.service sandbox required permissions
|
||||
init: fix systemd boot
|
||||
postfix: add filetrans for sendmail and postfix for aliases db operations
|
||||
systemd: fixed systemd_rfkill_t denial spam
|
||||
thunderbird: label files under /tmp
|
||||
init: systemd will run chkpwd to start user@1000
|
||||
authlogin: unix_chkpwd is linked to libselinux
|
||||
systemd: maintain /memfd:systemd-state
|
||||
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
|
||||
systemd: systemd --user add essential permissions
|
||||
dpkg: dpkg scripts are part of dpkg and therefor also an application
|
||||
domain
|
||||
gpg: don't allow gpg-agent to read /proc/kcore
|
||||
corecommands: correct label for debian ssh-agent helper script
|
||||
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
|
||||
Remove the ada module, it is unecessary and not touched since ~2008
|
||||
dpkg: domaintrans to sysusers if necessary
|
||||
|
||||
* Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229
|
||||
Alexander Miroshnichenko (1):
|
||||
Add knot module
|
||||
|
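Review bot: the 2.20200818 entry is an unedited shortlog, so tightening changes that can break downstream policy sit unmarked among routine fixes: under Topi Miettinen, "Remove unlabeled packet access" and "Don't allow creating regular files in /dev", and under Chris PeBenito, the rename of "pid" interfaces to "runtime" interfaces. A short summary at the top of the entry naming these would let policy maintainers find them without reading all 219 lines. Two smaller points: the dbus tunable appears under both names ("dbus_can_pass_tuntap_fd" in David Sommerseth's entry, "dbus_pass_tuntap_fd" in the rename under Chris PeBenito), so the entry should say which name ships in this release; and "Vilgot (1)" and "Vilgot Fredenberg (1)" look like one contributor split across two identities, which a .mailmap entry would merge.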