public inbox for gentoo-commits@lists.gentoo.org
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Sun,  7 Feb 2021 03:21:18 +0000 (UTC)
Message-ID: <1612646110.0d0b3f0b2c0d84a7529175dc505af157f48de2f6.perfinion@gentoo>

commit:     0d0b3f0b2c0d84a7529175dc505af157f48de2f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb  3 13:38:27 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:10 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b

Update Changelog and VERSION for release 2.20210203.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 194 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 59037863..50cd31fc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,196 @@
+* Wed Feb 03 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210203
+(GalaxyMaster) (1):
+      added policy for systemd-socket-proxyd
+
+0xC0ncord (1):
+      userdomain, xserver: move xdg rules to userdom_xdg_user_template
+
+Anthony PERARD (1):
+      xen: Allow xenstored to map /proc/xen/xsd_kva
+
+Antoine Tenart (15):
+      udev: allow udevadm to retrieve xattrs
+      locallogin: allow login to get attributes of procfs
+      logging: allow systemd-journal to write messages to the audit socket
+      sysnetwork: allow to read network configuration files
+      dbus: add two interfaces to allow reading from directories and named
+         sockets
+      dbus: allow clients to list runtime dirs and named sockets
+      systemd: add extra systemd_generator_t rules
+      systemd: allow systemd-hwdb to search init runtime directories
+      systemd: allow systemd-network to get attributes of fs
+      systemd: allow systemd-resolve to read in tmpfs
+      corecommands: add entry for Busybox shell
+      systemd: allow systemd-getty-generator to read and write unallocated ttys
+      systemd: allow systemd-network to list the runtime directory
+      ntp: allow systemd-timesyn to watch dbus objects
+      ntp: allow systemd-timesyn to setfscreate
+
+Chris PeBenito (117):
+      Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
+         jpds-acpid_shutdown
+      .travis.yml: Point selint at only the policy dir.
+      corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
+         version bump.
+      systemd: Move systemd-pstore block up in alphabetical order.
+      Switch to GitHub actions for CI actions.
+      systemd: Whitespace changes.
+      systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
+         systemd_stream_connect_socket_proxyd().
+      Drop criteria on github actions.
+      userdomain: Fix error in calling userdom_xdg_user_template().
+      systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
+      Makefile: Add -E to setfiles labeling targets.
+      udev: Drop udev_tbl_t.
+      udev: Systemd 246 merged udev and udevadm executables.
+      devicekit: Udisks uses udevadm, it does not exec udev.
+      Remove modules for programs that are deprecated or no longer supported.
+      chromium: Whitespace changes.
+      chromium: Move naclhelper lines.
+      certbot: Whitespace changes.
+      certbot: Drop aliases since they have never had the old names in
+         refpolicy.
+      certbot: Reorder fc lines.
+      miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
+      userdomain: Move lines.
+      certbot: Fix lint issues.
+      memlockd: Move lines.
+      memlockd: Whitespace fixes.
+      memlockd: Fix lint issue.
+      file_patterns.spt: Add a mmap_manage_files_pattern().
+      apache, mysql, postgrey, samba, squid: Apply new
+         mmap_manage_files_pattern().
+      devicekit, jabber, samba: Move lines.
+      cron: Make backup call for system_cronjob_t optional.
+      samba: Fix samba_runtime_t alias use.
+      samba: Move service interface definitions.
+      sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
+         block.
+      samba: Add missing userspace class requirements in unit interfaces.
+      apache: Fix lint error.
+      apache: Really fix lint error.
+      aptcacher: Drop broken config interfaces.
+      samba: Fix lint error.
+         0xC0ncord/feature/sudodomain_http_connect_boolean
+         0xC0ncord/bugfix/systemd_system_custom_unit_fc
+      dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
+      apt, bootloader: Move lines.
+      systemd: Move lines.
+      systemd: Fix lint errors.
+      systemd: Rename systemd_use_machined_devpts().
+      Bump module versions for release.
+
+Christian Göttsche (16):
+      postfixpolicyd: split multi-class rule
+      init/systemd: allow systemd to map the SELinux status page
+      selinux: add selinux_use_status_page and deprecate
+         selinux_map_security_files
+      genhomedircon: drop backwards compatibility section
+      genhomedircon: require match for home directory name
+      genhomedircon: drop unused functions
+      genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
+      genhomedircon: misc pylint cleanup
+      genhomedircon: improve error messages for min uid search
+      Rules.monolithic: ignore version mismatch
+      gitignore: ignore monolithic generated files
+      Preset OUTPUT_POLICY to 32
+      Rules.monolithic: do not suppress load_policy warning messages
+      Rules.monolithic: tweak checkpolicy arguments
+      Rules.monolithic: drop dead variable
+      Rules.monolithic: add missing phony declarations
+
+Daniel Burgener (4):
+      Allow init to mount over the system bus
+      Allow systemd-ask-password to watch files
+      Use self keyword when an AV rule source type matches destination
+      Fix typo in comment
+
+Dannick Pomerleau (1):
+      access_vectors: Add new capabilities to cap2
+
+Dave Sugar (9):
+      Looks like this got dropped in pull request #294
+      Allow snmpd to read hwdata
+      Updates for corosync to work in enforcing
+      To get pacemaker working in enforcing
+      pacemaker systemd permissions
+      Allow pacemaker to map/read/write corosync shared memory files
+      Allow systemd-modules-load to search kernel keys
+      pcs_snmpd_agent_t fix denials to allow it to read needed queues
+      Work with xdg module disabled
+
+David Schadlich (1):
+      add policy for pcs_snmp_agent
+
+Deepak Rawat (1):
+      Add selinux-policy for systemd-pstore service
+
+Dominick Grift (1):
+      bind: add a few fc specs for unbound
+
+Guido Trentalancia (1):
+      Add LVM module permissions needed to open cryptsetup devices.
+
+Jason Zaman (5):
+      userdomain: Add watch on home dirs
+      getty: allow watching file /run/agetty.reload
+      Add transition on gentoo init_t to openrc
+      init: upstream fcontexts from gentoo policy
+      systemd: make remaining dbus_* optional
+
+Jonathan Davies (8):
+      acpi.te: Allow acpid_t to shutdown the system - this is required to handle
+         shutdown calls from libvirt. Fixes #298.
+      acpi.te: Removed unnecessary init_write_initctl().
+      userdomain.if: Marked usbguard user modify tunable as optional so usbguard
+         may be excluded.
+      portage: Added /var/cache/distfiles path.
+      init: Added fcontext for openrc-init.
+      init: Added fcontext for openrc-shutdown.
+      apps/screen.fc: Added fcontext for tmux xdg directory.
+      apps/screen.te: Allow screen to search xdg directories.
+
+Kenton Groombridge (11):
+      devices: add interface for IOCTL on input devices
+      virt: add boolean to allow evdev passthrough
+      stunnel: add log type and rules
+      fail2ban: allow reading systemd journal
+      spamassassin: add rspamd support and tunable
+      apache: add interface for list dir perms on httpd content
+      sudo: add tunable for HTTP connections
+      init: label systemd units in /etc
+      certbot: add support for acme.sh
+      lvm: add lvm_tmpfs_t type and rules
+      Various fixes
+
+Peter Morrow (1):
+      selinux: add selinux_get_all_booleans() interface
+
+Richard Haines (1):
+      Ensure correct monolithic binary policy is loaded
+
+Russell Coker (11):
+      base chrome/chromium patch fixed
+      latest iteration of certbot policy as patch
+      yet more strict patches fixed
+      remove deprecated from 20190201
+      more Chrome stuff
+      latest memlockd patch
+      misc services patches with changes Dominick and Chris wanted
+      misc network patches with Dominick's changes*2
+      new version of filetrans patch
+      misc apps and admin patches
+      machined
+
+Yi Zhao (1):
+      sysnet: allow dhcpcd to create socket file
+
+bauen1 (4):
+      systemd: private type for /run/systemd/userdb
+      authlogin: connect to userdb
+      systemd-logind: utilize nsswitch
+      selint: fix S-010
+
 * Tue Aug 18 2020 Chris PeBenito <pebenito@ieee.org> - 2.20200818
 Alexander Miroshnichenko (2):
       openvpn: more versatile file context regex for ipp.txt
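Review bot: In the "Chris PeBenito (117):" section, the two added lines "0xC0ncord/feature/sudodomain_http_connect_boolean" and "0xC0ncord/bugfix/systemd_system_custom_unit_fc" are orphaned continuation lines: they sit at continuation indent directly under "samba: Fix lint error." and so read as part of that entry. They look like the wrapped tails of merge subjects (compare the "Merge branch 'acpid_shutdown' ... into jpds-acpid_shutdown" entry at the top of the section), so either restore the subject lines they belong to or drop both fragments. The same section lists far fewer entries than the 117 in its header, which suggests entries were filtered out without adjusting the count. The "Rename interfaces" entry also spells the module "aptcatcher", while the "Drop broken config interfaces" entry a few lines earlier spells it "aptcacher".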

diff --git a/VERSION b/VERSION
index dff6b732..d20cfcef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20200818
+2.20210203

