From bdb9ffd00e38723c65d0e260261899533a059676 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 18 Aug 2020 09:09:10 -0400 Subject: [PATCH] Update Changelog and VERSION for release. Signed-off-by: Chris PeBenito --- Changelog | 216 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 217 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index a5ba6ca6c..590378632 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,219 @@ +* Tue Aug 18 2020 Chris PeBenito - 2.20200818 +Alexander Miroshnichenko (2): + openvpn: more versatile file context regex for ipp.txt + openvpn: update file context regex for ipp.txt + +Chris PeBenito (153): + Makefile: Warn if policy.xml xmllint check does not run. + networkmanager: Fix interface commenting. + Makefile: Remove shell brace expansion in ctags target. + dbus: Rename tunable to dbus_pass_tuntap_fd. + spamassassin: Move systemd interfaces. + spamassassin: Rename systemd interfaces. + spamassassin: Add missing class requires in systemd interfaces. + spamassassin: Remove unnecessary brackets in type alias. + pulseaudio: Drop call to nonexistant interface. + genhomedircon: Drop Python 2 compatibility code. + systemd: Merge generator domains. + .travis.yml: Add CI tests with no unconfined. + Rename "pid" interfaces to "runtime" interfaces. + Update callers for "pid" to "runtime" interface rename. + Move user definitions to the right place during compilation. + Makefile: Give a value to build options so they can be used in ifelse. + init: Revise init_startstop_service() build option blocks. + kernel: Drop unlabeled_t as a files_mountpoint(). + selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. + files: Restore mounton access to files_mounton_all_mountpoints(). + filesystem: Create a filesystem image concept. + kernel, fstools, lvm, mount: Update to use filesystem image interfaces. + Bump module versions for release. 
+ +Christian Göttsche (29): + Rules: allow the usage of class sets in context_defaults + Correct estimate kernel version for polcap genfs_seclabel_symlinks + Makefile: generate temporary documentation files in separate directory + Ignore temporary documentation file directory in git + Override old all_interfaces.conf.tmp file + samba: fix wrong interface context smbd_runtime_t + chromium: drop dead conditional block + example: use module name matching file name + consolesetup: drop unused requires + unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit() + portage: drop bizarre conditional TODO blocks + init/systemd: move systemd_manage_all_units to init_manage_all_units + tpm2: small fixes + files/logging: move var_run_t filecontext to defining module + files/miscfiles: move usr_t filecontext to defining module + chromium/libraries: move lib_t filecontext to defining module + apache: use correct content types in apache_manage_all_user_content() + can_exec(): move from misc_macros to misc_patterns + Makefile: remove obsolete .SUFFIXES + Makefile: add target build-interface-db + devices/storage: quote arguments to tunable_policy + apache: quote gen_tunable name argument + Correct some misspellings + Fix several misspellings + whitespace cleanup + travis-ci: add SELint + work on SELint issues + files/modutils: unify modules_object_t usage into files module + travis: resolve Linter tags + +Daniel Burgener (10): + Add dnl to end of interface declaration. This reduces the number of blank + lines in intermediate files and matches the way templates are defined. + Allow systemd-coredump to stat mountpoints. + Change incorrect template definitions into interface definitions + Add divert to generated_definitions creation, and fix all_interfaces.conf + divert creation. + Fix mismatches between object class and permission macro. 
+ Switch pipe reading on domtrans to inherited only + Simplify collection of ssh rules to domtrans_pattern macro + Fix a few places where command line applications were only granted one of + tty or pty permissions and could be used from either + Remove the second copy of a permission in instances where the exact same + permission is repeated twice in a row + Remove out of date "hack" from stunnel. The underlying problem needing a + require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port + would be an option now, but stunnel_t already has + corenet_tcp_bind_all_ports, so this access is redundant. + +Dave Sugar (8): + Add interface to read/write /dev/ipmi + Update labeling in /dev/ + Setup generic generator attribute and change generator types. + fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026 + Setup domain for tpm2_* binaries + Interfaces needed to support IMA/EVM keys + Resolve neverallow failure introduced in #273 + Interfaces for tpm2 + +David Sommerseth (1): + dbus: Add tunable - dbus_can_pass_tuntap_fd + +Florian Schmidt (1): + corenetwork: fix winshadow port number + +Guido Trentalancia (5): + This patch improves a previous commit by restricting down the permissions + to write the wireless device in order to prevent a possible Denial of + Service (DoS) attack from an unprivileged process bringing down the + wireless interfaces. 
+ mozilla: add watch perms + wm: add watch perms + getty: add watch perms + userdomain: add watch perms + +Laurent Bigonville (5): + Add an interface to allow the specified domain to mmap the general network + configuration files + Add policy for apt-cacher-ng + Add policy for acngtool + Label bluetooth daemon as bluetooth_exec_t + Label /usr/libexec/packagekitd as apt_exec_t on debian + +McSim85 (1): + add rule for the management socket file fixed comments from @bauen1 + +Nicolas Iooss (5): + Vagrantfile: remove older installed modules before "make install" + systemd: make systemd --user run generators without transition + systemd: allow sd-executor to manage its memfd files + devices: label /dev/sysdig0 + sysnetwork: allow using "ip netns" + +Russell Coker (2): + pulseaudio patch + latest ver of trivial mail server patch + +Topi Miettinen (13): + Make raw memory access tunable + Add usbguard + Don't allow creating regular files in /dev + Python string fix + gennetfilter: generate nft tables with --nft + gennetfilter: handle port ranges + Allow systemd-networkd to handle ICMP and DHCP packets + gennetfilter: add rules for ICMP/ICMPv6 packets + wm: add KWin + Build and install Netfilter rules + bootloader: add rEFInd and systemd-boot + netutils: allow ping to send and receive ICMP packets + Remove unlabeled packet access + +Vilgot (1): + Portage update + +Vilgot Fredenberg (1): + Remove old exception + +Yi Zhao (2): + Remove duplicated rules + xserver: allow xserver_t to connect to resmgrd + +bauen1 (59): + logging: allow syslogd to remove stale socket file + systemd-user-runtime-dir: add required permissions + mozilla: allow firefox to use user namespaces for sandboxing + modutils: allow init to execute kmod with nnp + fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da + allow init_t access to own keyring + allow init_t to link kernel_t key + allow normal users to use 'systemd-run' + ssh: fix for debian wrapper script + bird: fixes for bird 
2.0 + apache: add nginx to policy + ntpd: fixes for systemd-timesyncd after linux 5.4 + define lockdown class and access + dirmngr: allow to probe for tor + dirmngr: also requires access to /dev/urandom + dirmngr: ~/.gnupg/crls.d might not exist + application: applications can be executed from ssh without pty + systemd: allow regular users to run systemd-analyze + quota: allow quota to modify /aquota even if immutable + init: read default context during boot + lvm: create /etc/lvm/archive if it doesn't exist + corecommands: fix atrild label + systemd-fstab-generator needs to know about all mountpoints + semanage: create directories for new policies + dnsmasq: watch for new dns resolvers + init: allow systemd to setup mount namespaces + init: make initrc_t a init_domain to simplify the policy + init: allow systemd to activate journald-audit.socket + setrans: allow label translation for all domains. + files: add files_watch_etc_symlinks interface + init: watch /etc/localtime even if it's a symlink + corecommands: proper label for unattended-upgrades helpers + filesystem: pathcon for matching tracefs mount + lvm-activation-generator also needs to execute lvm + systemd: allow systemd-user-runtime-dir to do its job + init: fix init_manage_pid_symlinks to grant more than just create + permissions + init: replace call to init_domtrans_script + systemd-sysusers: add policy + allow most common permissions for systemd sandboxing options + terminal: cleanup term_create interfaces + logrotate.service sandbox required permissions + udev.service sandbox required permissions + systemd-timesyncd.service sandbox requried permissions + systemd-logind.service sandbox required permissions + init: fix systemd boot + postfix: add filetrans for sendmail and postfix for aliases db operations + systemd: fixed systemd_rfkill_t denial spam + thunderbird: label files under /tmp + init: systemd will run chkpwd to start user@1000 + authlogin: unix_chkpwd is linked to libselinux + systemd: 
maintain /memfd:systemd-state + dpkg: allow dpkg frontends to acquire lock by labeling it correctly + systemd: systemd --user add essential permissions + dpkg: dpkg scripts are part of dpkg and therefor also an application + domain + gpg: don't allow gpg-agent to read /proc/kcore + corecommands: correct label for debian ssh-agent helper script + systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp + Remove the ada module, it is unecessary and not touched since ~2008 + dpkg: domaintrans to sysusers if necessary + * Sat Feb 29 2020 Chris PeBenito - 2.20200229 Alexander Miroshnichenko (1): Add knot module diff --git a/VERSION b/VERSION index 9f31088da..dff6b7329 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20200229 +2.20200818
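Review bot: The Changelog hunk pastes several multi-line commit messages verbatim where the file otherwise keeps one subject line per commit, e.g. Daniel Burgener's "Add dnl to end of interface declaration. This reduces the number of blank / lines in intermediate files and matches the way templates are defined." and "Add divert to generated_definitions creation, and fix all_interfaces.conf / divert creation.", and Guido Trentalancia's four-line "This patch improves a previous commit by restricting down the permissions ..." entry; trim these to their subject line so the entry list stays one line per commit. Some subjects also carry spelling errors from the original commits ("Drop call to nonexistant interface", "sandbox requried permissions", "therefor also an application domain", "it is unecessary") and a few are meaningless to a reader without the git history ("fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026", "Resolve neverallow failure introduced in #273"); since Changelog is the user-facing release record, fix the spelling and reword those to say what changed. Finally, entries that tighten access and can surface new denials after upgrade ("Remove unlabeled packet access", "Don't allow creating regular files in /dev", "Make raw memory access tunable", "gpg: don't allow gpg-agent to read /proc/kcore", "Rename "pid" interfaces to "runtime" interfaces" for third-party modules) would be worth a short notable-changes paragraph under the "* Tue Aug 18 2020 Chris PeBenito - 2.20200818" header rather than being buried in the per-author lists.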
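Review bot: The VERSION hunk moves 2.20200229 to 2.20200818, which matches the date suffix in the new Changelog header "* Tue Aug 18 2020 Chris PeBenito - 2.20200818", so the two files agree; the only follow-up is that "Bump module versions for release." is listed as a separate commit in the Changelog, so this patch should be applied after that one to keep the release commit ordering consistent.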