From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1726957710.eda98a3afa77322916144fbf27e290932d4495e8.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: Changelog VERSION
X-VCS-Directories: /
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: eda98a3afa77322916144fbf27e290932d4495e8
X-VCS-Branch: master
Date: Sun, 22 Sep 2024 00:03:37 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 62320e3f-2650-43ba-8a40-3bbebcba98a3
X-Archives-Hash: 57c81e119b23ffcb9fa6855e31e2c926

commit:     eda98a3afa77322916144fbf27e290932d4495e8
Author:     Chris PeBenito ieee org>
AuthorDate: Mon Sep 16 17:52:00 2024 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eda98a3a

Update Changelog and VERSION for release 2.20240916.

Signed-off-by: Chris PeBenito ieee.org>
Signed-off-by: Jason Zaman gentoo.org>

 Changelog | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 137 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index a1938b4f0..1e9edc872 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,139 @@ +* Mon Sep 16 2024 Chris PeBenito - 2.20240916 +Amisha Jain (1): + Sepolicy changes for bluez to access uhid + +Chris PeBenito (54): + uml: Remove excessive access from user domains on uml_exec_t. + cron: Use raw entrypoint rule for system_cronjob_t. + docker: Fix dockerc typo in container_engine_executable_file + minissdpd: Revoke kernel module loading permissions. + xen: Revoke kernel module loading permissions. + cups: Remove PTAL. + xen: Drop xend/xm stack. + certbot: Drop execmem. + cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type. + tests.yml: Add sechecker testing. + systemd: Add basic systemd-analyze rules. + cloudinit: Add support for cloud-init-growpart. + filesystem/systemd: memory.pressure fixes. + init: Add homectl dbus access. + device: Move dev_rw_uhid definition. + devices: Change dev_rw_uhid() to use a policy pattern. + tests.yml: Divide into reusable workflows. + tests.yml: Add policy diff on PRs. + bluetooth: Move line. + +Christian Göttsche (4): + getty: grant checkpoint_restore + quote: read localization + systemd: allow notify client to stat socket + Makefile: drop duplicate quotes + +Dave Sugar (4): + Setup domain for dbus selinux interface + Update SOS report to work on RHEL9 + Need map perm for cockpit 300.4 + Additional permissions when fapolicyd.conf more strict + +Dmitry Sharshakov (1): + filesystem, devices: move gadgetfs to usbfs_t + +Grzegorz Filo (1): + files context for merged-usr profile on gentoo + +Guido Trentalancia (1): + Allow interactive user terminal output for the NetLabel management tool. 
+ +Kenton Groombridge (46): + init: allow systemd to use sshd pidfds + fail2ban: allow reading net sysctls + dovecot: allow dovecot-auth to read SASL keytab + userdom: allow users to read user home dir symlinks + postgres: add a standalone execmem tunable + asterisk: allow binding to all unreserved UDP ports + bootloader: allow systemd-boot to manage EFI binaries + matrixd: add tunable for binding to all unreserved ports + container: allow system container engines to mmap runtime files + container: allow containers to getcap + systemd: allow systemd-sysctl to search tmpfs + container, podman: various fixes + container, crio, kubernetes: minor fixes + various: various fixes + systemd: allow systemd-logind to use sshd pidfds + sysnetwork: allow ifconfig to read usr files + postfix: allow smtpd to mmap SASL keytab files + sudo: allow systemd-logind to read cgroup state of sudo + su, sudo: allow sudo to signal all su domains + asterisk: allow watching spool dirs + dbus, init: add interface for pidfd usage + init: use pidfds from local login + haproxy: initial policy + sysadm: make haproxy admin + container: allow containers to execute tmpfs files + node_exporter: allow reading localization + netutils: allow ping to read net sysctls + postfix: allow postfix pipe to watch mail spool + asterisk: allow reading certbot lib + node_exporter: allow reading RPC sysctls + systemd: allow logind to use locallogin pidfds + sshd: label sshd-session as sshd_exec_t + iptables: allow reading usr files + podman: allow managing init runtime units + haproxy: allow interactive usage + kubernetes: allow kubelet to create unlabeled dirs + container: allow super privileged containers to manage BPF dirs + dbus: dontaudit session bus domains the netadmin capability + container, kubernetes: add supporting rules for kubevirt and multus + container: allow spc various rules for kubevirt + iptables: allow reading container engine tmp files + container: add container_kvm_t and supporting kubevirt 
rules + various: rules required for DV manipulation in kubevirt + testing: add container_kvm_t to net admin exempt list + container: allow reading generic certs + kubernetes: allow kubelet to connect all TCP ports + +Matt Sheets (1): + Allow systemd to pass down sig mask + +Naga Bhavani Akella (3): + Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix + stream sockets. + Setting bluetooth helper domain for bluetoothctl + Adding SE Policy rules to allow usage of unix stream sockets by dbus and + bluetooth contexts when Gatt notifications are turned on by remote. + +Raghavender Reddy Bujala (1): + Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets. + +Rick Alther (2): + fix: minor correction in MCS_CATS range comment + Set the type on /etc/machine-info to net_conf_t so hostnamectl can + manipulate it (CRUD) + +Yi Zhao (12): + sysnetwork: fixes for dhcpcd + newrole: allow newrole to search faillock runtime directory + selinuxutil: make policykit optional + userdomain: allow administrative user to get attributes of shadow history + file + systemd: make xdg optional + systemd: set context to systemd_networkd_var_lib_t for + /var/lib/systemd/network + systemd: allow systemd-networkd to manage sock files under + /run/systemd/netif + systemd: allow system --user to create netlink_route_socket + systemd: add policy for systemd-nsresourced + devices: add label vsock_device_t for /dev/vsock + systemd: fix policy for systemd-ssh-generator + systemd: allow systemd-hostnamed to read vsock device + +freedom1b2830 (2): + Reorder perms and classes + Reorder perms and classes + +nisbet-hubbard (1): + Update mysql.fc + * Mon Feb 26 2024 Chris PeBenito - 2.20240226 Chris PeBenito (174): tests.yml: Pin ubuntu 20.04. diff --git a/VERSION b/VERSION index 238b92fda..3cbd6b36e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20240226 +2.20240916
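Review bot: the new 2.20240916 entry in the Changelog hunk is a raw git shortlog, so changes that widen access sit unlabelled next to the ones that revoke it, which matters for a hardened policy where downstream admins audit each release for new allow rules. A short "notable changes" paragraph at the top of the entry would help, listing the access-broadening lines such as "kubernetes: allow kubelet to connect all TCP ports" and "container: allow super privileged containers to manage BPF dirs" separately from revocations such as "minissdpd: Revoke kernel module loading permissions.", and pointing at the new tunables (the standalone postgres execmem tunable, the matrixd unreserved-ports tunable) that let sites keep the stricter default. Minor: the two identical "Reorder perms and classes" lines under freedom1b2830 read as an accidental duplicate; naming the touched modules in each would distinguish the two commits.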
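Review bot: the VERSION hunk's bump from 2.20240226 to 2.20240916 matches the date in the new Changelog header and the commit subject, so the two files stay consistent; no change needed in this hunk.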