From 5343d319fc1bad555d05dfbcd09f9abd815e0879 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 6 Jan 2022 11:24:18 -0500 Subject: [PATCH] Update Changelog and VERSION for release 2.20220106. Signed-off-by: Chris PeBenito --- Changelog | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 169 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index fc2635ba23..beea1dbd00 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,171 @@ +* Thu Jan 06 2022 Chris PeBenito - 2.20220106 +Björn Esser (1): + authlogin: add fcontext for tcb + +Chris PeBenito (72): + 0xC0ncord/bugfix/systemd-user-exec-apps-hookup + systemd, ssh, ntp: Read fips_enabled crypto sysctl. + systemd: Unit generator fixes. + systemd: Revise tmpfiles factory to allow writing all configs. + systemd: User runtime reads user cgroup files. + logging: Add audit_control for journald. + udev: Manage EFI variables. + ntp: Handle symlink to drift directory. + logging: Allow auditd to stat() dispatcher executables. + Drop module versioning. + tests.yml: Disable policy_module() selint checks. + +Christian Goettsche (1): + check_fc_files: allow optional @ character + +Christian Göttsche (2): + filesystem: add fs_use_trans for ramfs + Ignore umask on when installing headers + +Dave Sugar (4): + Allow iscsid to request kernel module load + Allow iscsid to check fips_enabled + sshd: allow to run /usr/bin/fipscheck (to check fips state) + systemd: resolve error with systemd-sysctl + +Fabrice Fontaine (2): + policy/modules/services/samba.te: make crack optional + policy/modules/services/wireguard.te: make iptables optional + +Gao Xiang (1): + Add erofs as a SELinux capable file system + +Jonathan Davies (7): + chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access + net_admin capability, this is required for its `hwtimestamp` option, + which otherwise returns: + virt.te: Fixed typo in virtlogd_t virt_common_runtime_t + manage_files_pattern. + obfs4proxy: Added policy. + tor: Added interfaces and types for obfs4proxy support. + corenetwork.te.in: Added ntske port. + chronyd.te: Added support for bind/connect/recv/send NTS packets. + chronyd: Allow access to read certs. + +Kenton Groombridge (83): + userdomain: add user exec domain attribute and interface + systemd: assign user exec attribute to systemd --user instances + systemd: add interface to support monitoring and output capturing of child + processes + wm: add user exec domain attribute to wm domains + ssh: add interface to execute and transition to ssh client + userdomain: add interface to allow mapping all user home content + git, roles: add policy for git client + apache, roles: use user exec domain attribute + screen, roles: use user exec domain attribute + git, roles: use user exec domain attribute + postgresql, roles: use user exec domain attribute + ssh, roles: use user exec domain attribute + sudo, roles: use user exec domain attribute + syncthing, roles: use user exec domain attribute + xscreensaver, roles: use user exec domain attribute + xserver, roles, various: use user exec domain attribute + authlogin, roles: use user exec domain attribute + bluetooth, roles: use user exec domain attribute + cdrecord, roles: use user exec domain attribute + chromium, roles: use user exec domain attribute + cron, roles: use user exec domain attribute + dirmngr, roles: use user exec domain attribute + evolution, roles: use user exec domain attribute + games, roles: use user exec domain attribute + gnome, roles: use user exec domain attribute + gpg, roles: use user exec domain attribute + irc, roles: use user exec domain attribute + java, roles: use user exec domain attribute + libmtp, roles: use user exec domain attribute + lpd, roles: use user exec domain attribute + mozilla, roles: use user exec domain attribute + mplayer, roles: use user exec domain attribute + mta, roles: use user exec domain attribute + openoffice, roles: use user exec domain attribute + pulseaudio, roles: use user exec domain attribute + pyzor, roles: use user exec domain attribute + razor, roles: use user exec domain attribute + rssh, roles: use user exec domain attribute + spamassassin, roles: use user exec domain attribute + su, roles: use user exec domain attribute + telepathy, roles: use user exec domain attribute + thunderbird, roles: use user exec domain attribute + tvtime, roles: use user exec domain attribute + uml, roles: use user exec domain attribute + userhelper, roles: use user exec domain attribute + vmware, roles: use user exec domain attribute + wireshark, roles: use user exec domain attribute + wm, roles: use user exec domain attribute + hadoop, roles: use user exec domain attribute + shutdown, roles: use user exec domain attribute + cryfs, roles: use user exec domain attribute + wine: use user exec domain attribute + mono: use user exec domain attribute + sudo: add tunable to control user exec domain access + su: add tunable to control user exec domain access + shutdown: add tunable to control user exec domain access + mpd, pulseaudio: split domtrans and client access + mcs: deprecate mcs overrides + mcs: restrict create, relabelto on mcs files + fs: add pseudofs attribute and interfaces + devices: make usbfs pseudofs instead of noxattrfs + git: fix typo in git hook exec access + dovecot, spamassassin: allow dovecot to execute spamc + mta, spamassassin: fixes for rspamd + certbot, various: allow various services to read certbot certs + usbguard, sysadm: misc fixes + ssh: fix for polyinstantiation + sysadm, systemd: fixes for systemd-networkd + asterisk: allow reading generic certs + bind: fixes for unbound + netutils: fix ping + policykit, systemd: allow policykit to watch systemd logins and sessions + spamassassin: fix file contexts for rspamd symlinks + mcs: add additional constraints to databases + mcs: constrain misc IPC objects + mcs: combine single-level object creation constraints + various: deprecate mcs override interfaces + corenet: make netlabel_peer_t mcs constrained + mcs: constrain context contain access + mcs: only constrain mcs_constrained_type for db accesses + guest, xguest: remove apache role access + wine: fix roleattribute statement + testing: accept '@' as a valid ending character in filecon checker + +Pedro (1): + File context for nginx cache files + +Vit Mojzis (1): + Improve error message on duplicate definition of interface + +Yi Zhao (24): + rpc: remove obsolete comment line + secadm: allow secadm to read selinux policy + rpcbind: allow sysadm to run rpcinfo + samba: allow smbd_t to send and receive messages from avahi over dbus + rpc: add dac_read_search capability for rpcd_t + bluetooth: fixes for bluetoothd + avahi: allow avahi_t to watch /etc/avahi directory + udev: allow udev_t to watch udev_rules_t dir + rpc: allow rpc.mountd to list/watch NFS server directory + usermanage: do not audit attempts to getattr of proc for passwd_t and + useradd_t + selinuxutil: allow setfiles_t to read kernel sysctl + rngd: fixes for rngd + dbus: allow dbus-daemon to map SELinux status page + bind: fixes for bind + passwd: allow passwd to map SELinux status page + ipsec: fixes for strongswan + samba: fixes for smbd/nmbd + ntp: allow ntpd to set rlimit_memlock + ssh: do not audit attempts by ssh-keygen to read proc + acpid: allow acpid to watch the directories in /dev + bluetooth: allow bluetoothd to create alg_socket + systemd: allow systemd-hostnamed to read udev runtime files + su: allow su to map SELinux status page + modutils: allow kmod_t to write keys + * Wed Sep 08 2021 Chris PeBenito - 2.20210908 Andreas Freimuth (2): Prefer user_fonts_config_t over xdg_config_t diff --git a/VERSION b/VERSION index de757ebd28..068c13a804 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20210908 +2.20220106