From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1612646110.0d0b3f0b2c0d84a7529175dc505af157f48de2f6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: Changelog VERSION X-VCS-Directories: / X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 0d0b3f0b2c0d84a7529175dc505af157f48de2f6 X-VCS-Branch: master Date: Sun, 7 Feb 2021 03:21:18 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: ba31680c-6f58-4ca7-9805-fc4363bb00d9 X-Archives-Hash: cba2fe5ffc18d8023155e8a5e6f42aa6 commit: 0d0b3f0b2c0d84a7529175dc505af157f48de2f6 Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 3 13:38:27 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:10 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d0b3f0b Update Changelog and VERSION for release 2.20210203. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> Changelog | 193 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 194 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 59037863..50cd31fc 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,196 @@ +* Wed Feb 03 2021 Chris PeBenito - 2.20210203 +(GalaxyMaster) (1): + added policy for systemd-socket-proxyd + +0xC0ncord (1): + userdomain, xserver: move xdg rules to userdom_xdg_user_template + +Anthony PERARD (1): + xen: Allow xenstored to map /proc/xen/xsd_kva + +Antoine Tenart (15): + udev: allow udevadm to retrieve xattrs + locallogin: allow login to get attributes of procfs + logging: allow systemd-journal to write messages to the audit socket + sysnetwork: allow to read network configuration files + dbus: add two interfaces to allow reading from directories and named + sockets + dbus: allow clients to list runtime dirs and named sockets + systemd: add extra systemd_generator_t rules + systemd: allow systemd-hwdb to search init runtime directories + systemd: allow systemd-network to get attributes of fs + systemd: allow systemd-resolve to read in tmpfs + corecommands: add entry for Busybox shell + systemd: allow systemd-getty-generator to read and write unallocated ttys + systemd: allow systemd-network to list the runtime directory + ntp: allow systemd-timesyn to watch dbus objects + ntp: allow systemd-timesyn to setfscreate + +Chris PeBenito (117): + Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into + jpds-acpid_shutdown + .travis.yml: Point selint at only the policy dir. + corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module + version bump. + systemd: Move systemd-pstore block up in alphabetical order. + Switch to GitHub actions for CI actions. + systemd: Whitespace changes. + systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to + systemd_stream_connect_socket_proxyd(). + Drop criteria on github actions. + userdomain: Fix error in calling userdom_xdg_user_template(). + systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. + Makefile: Add -E to setfiles labeling targets. + udev: Drop udev_tbl_t. + udev: Systemd 246 merged udev and udevadm executables. 
+ devicekit: Udisks uses udevadm, it does not exec udev. + Remove modules for programs that are deprecated or no longer supported. + chromium: Whitespace changes. + chromium: Move naclhelper lines. + certbot: Whitespace changes. + certbot: Drop aliases since they have never had the old names in + refpolicy. + certbot: Reorder fc lines. + miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files. + userdomain: Move lines. + certbot: Fix lint issues. + memlockd: Move lines. + memlockd: Whitespace fixes. + memlockd: Fix lint issue. + file_patterns.spt: Add a mmap_manage_files_pattern(). + apache, mysql, postgrey, samba, squid: Apply new + mmap_manage_files_pattern(). + devicekit, jabber, samba: Move lines. + cron: Make backup call for system_cronjob_t optional. + samba: Fix samba_runtime_t alias use. + samba: Move service interface definitions. + sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba + block. + samba: Add missing userspace class requirements in unit interfaces. + apache: Fix lint error. + apache: Really fix lint error. + aptcacher: Drop broken config interfaces. + samba: Fix lint error. + 0xC0ncord/feature/sudodomain_http_connect_boolean + 0xC0ncord/bugfix/systemd_system_custom_unit_fc + dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces. + apt, bootloader: Move lines. + systemd: Move lines. + systemd: Fix lint errors. + systemd: Rename systemd_use_machined_devpts(). + Bump module versions for release. 
+ +Christian Göttsche (16): + postfixpolicyd: split multi-class rule + init/systemd: allow systemd to map the SELinux status page + selinux: add selinux_use_status_page and deprecate + selinux_map_security_files + genhomedircon: drop backwards compatibility section + genhomedircon: require match for home directory name + genhomedircon: drop unused functions + genhomedircon: generate file contexts for %{USERNAME} and %{USERID} + genhomedircon: misc pylint cleanup + genhomedircon: improve error messages for min uid search + Rules.monolithic: ignore version mismatch + gitignore: ignore monolithic generated files + Preset OUTPUT_POLICY to 32 + Rules.monolithic: do not suppress load_policy warning messages + Rules.monolithic: tweak checkpolicy arguments + Rules.monolithic: drop dead variable + Rules.monolithic: add missing phony declarations + +Daniel Burgener (4): + Allow init to mount over the system bus + Allow systemd-ask-password to watch files + Use self keyword when an AV rule source type matches destination + Fix typo in comment + +Dannick Pomerleau (1): + access_vectors: Add new capabilities to cap2 + +Dave Sugar (9): + Looks like this got dropped in pull request #294 + Allow snmpd to read hwdata + Updates for corosync to work in enforcing + To get pacemaker working in enforcing + pacemaker systemd permissions + Allow pacemaker to map/read/write corosync shared memory files + Allow systemd-modules-load to search kernel keys + pcs_snmpd_agent_t fix denials to allow it to read needed queues + Work with xdg module disabled + +David Schadlich (1): + add policy for pcs_snmp_agent + +Deepak Rawat (1): + Add selinux-policy for systemd-pstore service + +Dominick Grift (1): + bind: add a few fc specs for unbound + +Guido Trentalancia (1): + Add LVM module permissions needed to open cryptsetup devices. 
+ +Jason Zaman (5): + userdomain: Add watch on home dirs + getty: allow watching file /run/agetty.reload + Add transition on gentoo init_t to openrc + init: upstream fcontexts from gentoo policy + systemd: make remaining dbus_* optional + +Jonathan Davies (8): + acpi.te: Allow acpid_t to shutdown the system - this is required to handle + shutdown calls from libvirt. Fixes #298. + acpi.te: Removed unnecessary init_write_initctl(). + userdomain.if: Marked usbguard user modify tunable as optional so usbguard + may be excluded. + portage: Added /var/cache/distfiles path. + init: Added fcontext for openrc-init. + init: Added fcontext for openrc-shutdown. + apps/screen.fc: Added fcontext for tmux xdg directory. + apps/screen.te: Allow screen to search xdg directories. + +Kenton Groombridge (11): + devices: add interface for IOCTL on input devices + virt: add boolean to allow evdev passthrough + stunnel: add log type and rules + fail2ban: allow reading systemd journal + spamassassin: add rspamd support and tunable + apache: add interface for list dir perms on httpd content + sudo: add tunable for HTTP connections + init: label systemd units in /etc + certbot: add support for acme.sh + lvm: add lvm_tmpfs_t type and rules + Various fixes + +Peter Morrow (1): + selinux: add selinux_get_all_booleans() interface + +Richard Haines (1): + Ensure correct monolithic binary policy is loaded + +Russell Coker (11): + base chrome/chromium patch fixed + latest iteration of certbot policy as patch + yet more strict patches fixed + remove deprecated from 20190201 + more Chrome stuff + latest memlockd patch + misc services patches with changes Dominick and Chris wanted + misc network patches with Dominick's changes*2 + new version of filetrans patch + misc apps and admin patches + machined + +Yi Zhao (1): + sysnet: allow dhcpcd to create socket file + +bauen1 (4): + systemd: private type for /run/systemd/userdb + authlogin: connect to userdb + systemd-logind: utilize nsswitch + selint: 
fix S-010 + * Tue Aug 18 2020 Chris PeBenito - 2.20200818 Alexander Miroshnichenko (2): openvpn: more versatile file context regex for ipp.txt diff --git a/VERSION b/VERSION index dff6b732..d20cfcef 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20200818 +2.20210203
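Review bot: In the Chris PeBenito block of the Changelog hunk, the entries "0xC0ncord/feature/sudodomain_http_connect_boolean" and "0xC0ncord/bugfix/systemd_system_custom_unit_fc" are bare branch names with no verb, unlike the first entry of the same block ("Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown"); they read like merge subjects that lost their prefix and should be written out the same way. The same block spells the module "aptcatcher" in "dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces." but "aptcacher" a few entries earlier in "aptcacher: Drop broken config interfaces.", so one of the two is a typo. Several subjects elsewhere in the hunk ("Various fixes", "machined", "more Chrome stuff", "Looks like this got dropped in pull request #294") do not name the module or the access that changed; since readers of a policy release use the Changelog to see which permissions were newly granted, a module prefix and a short description of the rule would make those entries auditable.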