-rw-r--r-- Changelog 235
-rw-r--r-- VERSION 2
2 files changed, 236 insertions, 1 deletions
diff --git a/Changelog b/Changelog
index 9ecb9c1f7..1300bc605 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,238 @@
+* Sat Feb 29 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200229
+Alexander Miroshnichenko (1):
+ Add knot module
+
+Chris PeBenito (174):
+ knot: Whitespace changes.
+ knot: Move lines.
+ devices, storage: Add fc entries for mtd char devices and ndctl devices.
+ devices: Add types for trusted execution environment interfaces.
+ ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
+ INSTALL: Fix build requirements.
+ fishilico/systemd-read-netlink_kobject_uevent_socket
+ Rename *_var_run_t types to *_runtime_t.
+ Reorder declarations based on *_runtime_t renaming.
+ Remove old aliases.
+ fishilico/filesystem-fs_rw_cgroup_files-follow-symlink
+ fc_sort.py: Use "==" for comparing integers.
+ xserver: Remove duplicate colord rule.
+ xserver: Move XDM dbus chats under main dbus optional.
+ Move open, audit_access, and execmod to file common.
+ Add file and filesystem watch access vectors.
+ Fix file common ordering and kernel version from previous commit.
+ init: Whitespace change.
+ unconfined: Add namespaced capabilities.
+ unconfined: Fix systemd --user rule.
+ Remove incorrect usages of "is" operator from Python scripts.
+ logging: Reorder lines.
+ systemd: Logind removes /run/user/* user temp files.
+ unconfined: Add watch permission for files.
+ systemd: Add filesystem watches.
+ dbus: Add directory watches.
+ udev: Watch devices.
+ init: Revise systemd bind mounts.
+ Add perf_event access vectors.
+ systemd: Whitespace fix.
+ logging: Whitespace fix.
+ Bump module versions for release.
+
+Christian Göttsche (6):
+ fix Makefile for policy-module directories with same ending
+ segenxml.py: fix format usage in warning message
+ travis: force the use of python3.5
+ travis: run check_fc_files linter with python 3.7
+ re-implement fc_sort in python
+ Add genfs_seclabel_symlinks policy capability
+
+Daniel Burgener (4):
+ Add requires to interfaces that reference types or attributes without
+ requiring them
+ Remove uneeded types from interfaces where types were added
+ Fix situations where require blocks in interfaces listed types not
+ actually referenced by that interface
+ Remove unneeded semicolons after interface and macro calls
+
+Dominick Grift (2):
+ domain: unconfined access to bpf
+ Remove shell automatic domain transitions to unconfined_t from various pam
+ login programs
+
+Guido Trentalancia (4):
+ Update the pulseaudio application module with a few user domain file read
+ and management permissions.
+ Allow userdomain to read and write the wireless devices (for example for
+ querying their state, enabling and/or disabling them using userspace
+ tools such as "rfkill" from util-linux).
+ Add an interface to allow watch permission on generic device directories.
+ Allow pulseaudio to watch generic device directories.
+
+Jason Zaman (16):
+ udev: Allow udevadm access to udev_tbl_t
+ xserver: ICEauthority can be in /run/user
+ devicekit: udisks needs access to /run/mount/utab.lock
+ dirmngr: accept unix stream socket
+ chromium: allow dbus chat to inhibit power
+ virt: Add unix socket for virtlogd/virtlockd
+ virt: allow lvm_control access
+ fstools: add zfs-auto-snapshot
+ udev: Add watch perms
+ accountsd: Add watch perms
+ cron: watch cron spool
+ colord: add watch perms
+ policykit devicekit: Add watch perms
+ dbus: add watch perms
+ chromium: watch etc dirs
+ gpg: add watch perms for agent
+
+Laurent Bigonville (9):
+ Makefile: Avoid regenerating the iftemplates at everyrun
+ Allow systemd_modules_load_t to module_request and map modules_object_t
+ files
+ Allow udevadm to read files in /run/udev/data
+ Allow udevadm_t to use dac_read_search capability
+ Allow the systemd dbus-daemon to talk to systemd
+ Allow geoclue to log in syslog
+ Allow realmd_t to read localization files
+ Allow alsa_t to create alsa_runtime_t file as well
+ Allow alsa_t to set scheduling priority and send signal to itself
+
+Luca Boccassi (2):
+ journald: allow to remove /run/log/journal
+ logging: add interface to start/stop syslog units
+
+Nicolas Iooss (75):
+ ulogd: add Debian's log directory
+ ulogd: allow creating a netlink-netfilter socket
+ ulogd: allow starting on a Debian system
+ entropyd: label the unit file of haveged
+ entropyd: allow haveged to create a Unix socket to received commands
+ ulogd: fix pattern for /run/ulog directory
+ monit: use s0 instead of s9
+ java: reduce the scope of the pattern in for java entry points
+ libraries: match a digit in Adobe Reader directories
+ drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
+ rpcbind: remove redundant file context for /run/rpc.statd.pid
+ files: reduce the scope of the pattern matching /usr/include
+ Remove unescaped single dot from the policy
+ Fix use of buggy pattern (.*)?
+ libraries: drop a pattern specific to Python 2.4
+ systemd: introduce an interface for services using PrivateDevices=yes
+ Vagrantfile: upgrade VM to Fedora 30
+ Allow Debian to generate a dynamic motd when users log in
+ entropyd: haveged service uses PrivateDevices=yes
+ Check the .fc files for common typos
+ corecommands: no longer use \d
+ libraries: fix some misspellings in patterns
+ java: remove unnecessary parentheses in pattern
+ cups: add a slash to match /opt/brother/Printers/
+ Vagrantfile: build and install refpolicy on Fedora VM
+ Vagrantfile: add a Debian virtual machine
+ ntp: allow systemd-timesyncd to read network status
+ cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
+ portage: really make consoletype module optional
+ Label programs in /usr/bin like /usr/sbin
+ apt: allow transition from apt_t to dpkg_t with NNP
+ apt: allow preventing shutdown by calling a systemd-logind D-Bus method
+ authlogin: label utempter correctly on Debian
+ irc: add WeeChat policy
+ systemd: allow systemd --user to receive messages from
+ netlink_kobject_uevent_socket
+ Add a policy module for WireGuard VPN
+ modutils: allow depmod to read /boot/System.map
+ modutils: allow depmod and modprobe to use the I/O provided by apt
+ systemd: allow systemd-modules-load.service to read sysfs
+ sudo: allow using use_pty flag
+ Allow using /([^/]+/)? and (/[^/]+)?/ in patterns
+ ulogd: adjust policy for Debian
+ bitlbee: allow using GetDynamicUser on Debian
+ chromium: remove distro-specific ifdef
+ systemd-networkd: allow creating a generic netlink socket
+ systemd-networkd: allow communicating with hostnamed
+ sudo: allow transmitting SIGWINCH to its child
+ sudo: allow using CAP_KILL for SIGWINCH
+ systemd: allow detecting Windows Subsystem for Linux
+ systemd: allow more accesses to systemd --user
+ systemd: remove unnecessary init_write_runtime_socket()
+ .travis.yml: update distro to Ubuntu 18.04 LTS (Bionic Beaver)
+ filesystem: allow following symlinks with fs_rw_cgroup_files()
+ systemd: allow user environment helpers to communicate with systemd --user
+ .travis.yml: check the .fc files in CI
+ systemd: make the kernel spawn systemd-coredump with a context transition
+ gpg: allow gpg-agent to read crypto.fips_enabled sysctl
+ testing/check_fc_files: allow @ character in file context patterns
+ mount: allow callers of mount to search /usr/bin
+ sysadm: allow using hostnamectl
+ init: allow systemd to mount over /dev/kmsg and /proc/kmsg
+ Add policy for CryFS, encfs and gocryptfs
+ Vagrantfile: fix configuration
+ Vagrantfile: remove sudo
+ Vagrantfile: add a specific SELinux policy module
+ systemd: allow reading options from EFI variable SystemdOptions
+ virt: allow more accesses to libvirt_leaseshelper
+ systemd-logind: allow using BootLoaderEntries DBUS property
+ storage: introduce storage_raw_read_fixed_disk_cond
+ Vagrantfile: allow unconfined and sysadm SSH login
+ Vagrant: allow VirtualBox provisionning to use dhclient and ip
+ Associate role unconfined_r to wine_t
+ systemd: add an interface to use nss-systemd
+ usermanage: allow groupadd to lookup dynamic users from systemd
+ mount: label fusermount3 like fusermount
+
+Peter Morrow (1):
+ systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in
+ sysfs
+
+Petr Lautrbach (1):
+ newrole: allow newrole to use setcap to drop capabilities
+
+Stephen Smalley (4):
+ access_vectors: Remove unused permissions
+ access_vectors: Remove entrypoint and execute_no_trans from chr_file
+ access_vectors: remove flow_in and flow_out permissions from packet class
+ Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
+
+Sugar, David (13):
+ grant rpm permission to map rpm_var_lib_t
+ grant permission for rpm to write to audit log
+ grant rpm permissions to map locale_t
+ Allow rpm to map file contexts
+ Allow rpm scripts to alter systemd services
+ grant rpm_t permission to map security_t
+ Module for tpm2
+ Add missing gen_require for init_t in init_script_domain
+ resolve syslog imuxsock denial
+ Add interface to read efivarfs_t directory
+ Fix indent to match the rest of the file (space -> tab)
+ Allow systemd to getattr all files
+ audit daemon can halt system, allow this to happen.
+
+Topi Miettinen (2):
+ Consider jitterentropy to belong to entropyd family
+ Consider iwd equivalent to NetworkManager etc.
+
+Vilgot Fredenberg (1):
+ Remove obsolete gentoo specific rule
+
+bauen1 (16):
+ fix: sudo can't determine default type for sysadm_r
+ fix ifupdown2 executable mislabeled as lib_t
+ added bpf_t filesystem label
+ netutils: allow mtr to communicate with mtr-packet
+ kernel/corecommands: fix the label of xfce4 helpers (on debian)
+ systemd: remove whitespace
+ init: add interfaces for managing /run/systemd
+ systemd: add policy for systemd-fstab-generator
+ udev: remove console-setup
+ consolesetup: add policy for console-setup
+ udev: run consolesetup
+ loadkeys: remove redundant ifdef
+ init: split init_create_pid_files interface
+ ntp: watch systemd networkd runtime dirs This is required for correct
+ function after linux 5.4
+ systemd-user-runtime-dir: add policy
+ sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to
+ fifo_files inherited from domains allowed to change role to sysadm_r.
+
* Sun Jun 09 2019 Chris PeBenito <pebenito@ieee.org> - 2.20190609
Chris PeBenito (70):
systemd: Module version bump.
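Review bot: The "Chris PeBenito (174)" header does not match the 32 entries listed under it, whereas the other authors' counts (for example "Jason Zaman (16)") agree with their lists; if repeated subjects were collapsed on purpose, say so in the release block, otherwise regenerate the list. In the same author block, "fishilico/systemd-read-netlink_kobject_uevent_socket" and "fishilico/filesystem-fs_rw_cgroup_files-follow-symlink" read like branch names rather than change descriptions and should be reworded or dropped. The bauen1 entry "ntp: watch systemd networkd runtime dirs This is required for correct function after linux 5.4" runs a subject line into what looks like its body text; keep only the subject. Finally, "Rename *_var_run_t types to *_runtime_t." and "Remove old aliases." are listed between whitespace-only entries with nothing to mark them out; since policy that references the old type names may be affected, consider a short note at the top of the release block naming the rename.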
diff --git a/VERSION b/VERSION
index 11e2526a5..9f31088da 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20190609
+2.20200229