nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update Changelog and VERSION for release.

Browse Source 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This commit is contained in:
Chris PeBenito 2020-08-18 09:09:10 -04:00
parent d387e79989
commit bdb9ffd00e
2 changed files with 217 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

216
Changelog
View File

@ -1,3 +1,219 @@
* Tue Aug 18 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200818
Alexander Miroshnichenko (2):
openvpn: more versatile file context regex for ipp.txt
openvpn: update file context regex for ipp.txt
Chris PeBenito (153):
Makefile: Warn if policy.xml xmllint check does not run.
networkmanager: Fix interface commenting.
Makefile: Remove shell brace expansion in ctags target.
dbus: Rename tunable to dbus_pass_tuntap_fd.
spamassassin: Move systemd interfaces.
spamassassin: Rename systemd interfaces.
spamassassin: Add missing class requires in systemd interfaces.
spamassassin: Remove unnecessary brackets in type alias.
pulseaudio: Drop call to nonexistant interface.
genhomedircon: Drop Python 2 compatibility code.
systemd: Merge generator domains.
.travis.yml: Add CI tests with no unconfined.
Rename "pid" interfaces to "runtime" interfaces.
Update callers for "pid" to "runtime" interface rename.
Move user definitions to the right place during compilation.
Makefile: Give a value to build options so they can be used in ifelse.
init: Revise init_startstop_service() build option blocks.
kernel: Drop unlabeled_t as a files_mountpoint().
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
files: Restore mounton access to files_mounton_all_mountpoints().
filesystem: Create a filesystem image concept.
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
Bump module versions for release.
Christian Göttsche (29):
Rules: allow the usage of class sets in context_defaults
Correct estimate kernel version for polcap genfs_seclabel_symlinks
Makefile: generate temporary documentation files in separate directory
Ignore temporary documentation file directory in git
Override old all_interfaces.conf.tmp file
samba: fix wrong interface context smbd_runtime_t
chromium: drop dead conditional block
example: use module name matching file name
consolesetup: drop unused requires
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
portage: drop bizarre conditional TODO blocks
init/systemd: move systemd_manage_all_units to init_manage_all_units
tpm2: small fixes
files/logging: move var_run_t filecontext to defining module
files/miscfiles: move usr_t filecontext to defining module
chromium/libraries: move lib_t filecontext to defining module
apache: use correct content types in apache_manage_all_user_content()
can_exec(): move from misc_macros to misc_patterns
Makefile: remove obsolete .SUFFIXES
Makefile: add target build-interface-db
devices/storage: quote arguments to tunable_policy
apache: quote gen_tunable name argument
Correct some misspellings
Fix several misspellings
whitespace cleanup
travis-ci: add SELint
work on SELint issues
files/modutils: unify modules_object_t usage into files module
travis: resolve Linter tags
Daniel Burgener (10):
Add dnl to end of interface declaration. This reduces the number of blank
lines in intermediate files and matches the way templates are defined.
Allow systemd-coredump to stat mountpoints.
Change incorrect template definitions into interface definitions
Add divert to generated_definitions creation, and fix all_interfaces.conf
divert creation.
Fix mismatches between object class and permission macro.
Switch pipe reading on domtrans to inherited only
Simplify collection of ssh rules to domtrans_pattern macro
Fix a few places where command line applications were only granted one of
tty or pty permissions and could be used from either
Remove the second copy of a permission in instances where the exact same
permission is repeated twice in a row
Remove out of date "hack" from stunnel. The underlying problem needing a
require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Dave Sugar (8):
Add interface to read/write /dev/ipmi
Update labeling in /dev/
Setup generic generator attribute and change generator types.
fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026
Setup domain for tpm2_* binaries
Interfaces needed to support IMA/EVM keys
Resolve neverallow failure introduced in #273
Interfaces for tpm2
David Sommerseth (1):
dbus: Add tunable - dbus_can_pass_tuntap_fd
Florian Schmidt (1):
corenetwork: fix winshadow port number
Guido Trentalancia (5):
This patch improves a previous commit by restricting down the permissions
to write the wireless device in order to prevent a possible Denial of
Service (DoS) attack from an unprivileged process bringing down the
wireless interfaces.
mozilla: add watch perms
wm: add watch perms
getty: add watch perms
userdomain: add watch perms
Laurent Bigonville (5):
Add an interface to allow the specified domain to mmap the general network
configuration files
Add policy for apt-cacher-ng
Add policy for acngtool
Label bluetooth daemon as bluetooth_exec_t
Label /usr/libexec/packagekitd as apt_exec_t on debian
McSim85 (1):
add rule for the management socket file fixed comments from @bauen1
Nicolas Iooss (5):
Vagrantfile: remove older installed modules before "make install"
systemd: make systemd --user run generators without transition
systemd: allow sd-executor to manage its memfd files
devices: label /dev/sysdig0
sysnetwork: allow using "ip netns"
Russell Coker (2):
pulseaudio patch
latest ver of trivial mail server patch
Topi Miettinen (13):
Make raw memory access tunable
Add usbguard
Don't allow creating regular files in /dev
Python string fix
gennetfilter: generate nft tables with --nft
gennetfilter: handle port ranges
Allow systemd-networkd to handle ICMP and DHCP packets
gennetfilter: add rules for ICMP/ICMPv6 packets
wm: add KWin
Build and install Netfilter rules
bootloader: add rEFInd and systemd-boot
netutils: allow ping to send and receive ICMP packets
Remove unlabeled packet access
Vilgot (1):
Portage update
Vilgot Fredenberg (1):
Remove old exception
Yi Zhao (2):
Remove duplicated rules
xserver: allow xserver_t to connect to resmgrd
bauen1 (59):
logging: allow syslogd to remove stale socket file
systemd-user-runtime-dir: add required permissions
mozilla: allow firefox to use user namespaces for sandboxing
modutils: allow init to execute kmod with nnp
fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da
allow init_t access to own keyring
allow init_t to link kernel_t key
allow normal users to use 'systemd-run'
ssh: fix for debian wrapper script
bird: fixes for bird 2.0
apache: add nginx to policy
ntpd: fixes for systemd-timesyncd after linux 5.4
define lockdown class and access
dirmngr: allow to probe for tor
dirmngr: also requires access to /dev/urandom
dirmngr: ~/.gnupg/crls.d might not exist
application: applications can be executed from ssh without pty
systemd: allow regular users to run systemd-analyze
quota: allow quota to modify /aquota even if immutable
init: read default context during boot
lvm: create /etc/lvm/archive if it doesn't exist
corecommands: fix atrild label
systemd-fstab-generator needs to know about all mountpoints
semanage: create directories for new policies
dnsmasq: watch for new dns resolvers
init: allow systemd to setup mount namespaces
init: make initrc_t a init_domain to simplify the policy
init: allow systemd to activate journald-audit.socket
setrans: allow label translation for all domains.
files: add files_watch_etc_symlinks interface
init: watch /etc/localtime even if it's a symlink
corecommands: proper label for unattended-upgrades helpers
filesystem: pathcon for matching tracefs mount
lvm-activation-generator also needs to execute lvm
systemd: allow systemd-user-runtime-dir to do its job
init: fix init_manage_pid_symlinks to grant more than just create
permissions
init: replace call to init_domtrans_script
systemd-sysusers: add policy
allow most common permissions for systemd sandboxing options
terminal: cleanup term_create interfaces
logrotate.service sandbox required permissions
udev.service sandbox required permissions
systemd-timesyncd.service sandbox requried permissions
systemd-logind.service sandbox required permissions
init: fix systemd boot
postfix: add filetrans for sendmail and postfix for aliases db operations
systemd: fixed systemd_rfkill_t denial spam
thunderbird: label files under /tmp
init: systemd will run chkpwd to start user@1000
authlogin: unix_chkpwd is linked to libselinux
systemd: maintain /memfd:systemd-state
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
systemd: systemd --user add essential permissions
dpkg: dpkg scripts are part of dpkg and therefor also an application
domain
gpg: don't allow gpg-agent to read /proc/kcore
corecommands: correct label for debian ssh-agent helper script
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
Remove the ada module, it is unecessary and not touched since ~2008
dpkg: domaintrans to sysusers if necessary
* Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229 * Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229
Alexander Miroshnichenko (1): Alexander Miroshnichenko (1):
Add knot module Add knot module

2
VERSION
View File

@ -1 +1 @@
2.20200229 2.20200818