From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1741474868.b2be5a0bf0017b0189a0c9870880ae4f0ba674aa.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: Changelog VERSION X-VCS-Directories: / X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: b2be5a0bf0017b0189a0c9870880ae4f0ba674aa X-VCS-Branch: master Date: Sat, 08 Mar 2025 23:55:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: e50ab8f3-05e5-49f4-b205-6bae652e1694 X-Archives-Hash: 24ac38c4c82e5771fce27d8a9feb57ef commit: b2be5a0bf0017b0189a0c9870880ae4f0ba674aa Author: Chris PeBenito ieee org> AuthorDate: Thu Feb 13 13:42:37 2025 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Mar 8 23:01:08 2025 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2be5a0b Update Changelog and VERSION for release 2.20250213. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> Changelog | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 114 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 1e9edc872..0527405ac 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,116 @@ +* Thu Feb 13 2025 Chris PeBenito - 2.20250213 +Björn Esser (1): + authlogin: fix regex for /etc/tcb + +Chris PeBenito (54): + Makefile: Build all appconfig files. + Add tool for validating contexts in appconfig files. + userhelper_context: Fix invalid context. + lxc_contexts: Fix invalid contexts in standard version. + validate-appconfig.py: Add default_type and failsafe_context validation. + validate-appconfig.py: Add default_contexts validation. + xserver: Fix xdm seuser role association. + build-policy.yml: Add setools to policy builds for appconfig validation. + validate-appconfig.py: Add GitHub actions logging. + users: Move unconfined_u definition to unconfined module. + guest/xguest: Add seusers. + INSTALL: Update dependencies. + build-userspace/setools.yml: Cache built userspace. + systemd: Fix systemd_write_notify_socket(). + Revert "systemd: Fix systemd_write_notify_socket()." + systemd: Fix systemd_write_notify_socket(). + init: Move common rules out of daemon/system interfaces. 
+ +Christian Göttsche (17): + unconfined: permit io_uring access + userdomain: include map in userdom_manage_user_home_content_files() + systemd: permit ssh generator to request vsock module + locallogin: permit login process to signal itself + ssh: label sshd-session helper on Debian + kernel: create /dev/vsock with correct context + Reorder permissions to please SELint + bootloader: get scheduling information + Fix typos + policy_capabilities: add stub for userspace_initial_context + validate-appconfig: replace tab indentation by spaces + check_fc_files: support trailing optional version number + Build appconfig files in default target + systemd: permit sd-sysuser access to admin terminal + github: add codespell check + systemd: permit sysusers to create /etc/group + systemd: getattr namespace files + +Dave Sugar (12): + Fix complaints in STIG about unlabeled device files + Make quemu optional in virt + Make mta optional in container policy + Changes to support python 3.9 (RHEL9) + Setup sudo log file type + Need search perms on cert_t/tls_privkey_t when using private types + Communicate with locale via dbus + mozilla adds .mozilla directory to /etc/skel which useradd tries to copy + Add support for open-vm-tools + If mta module is not installed useradd fails to create mailbox files + label jspawnhelper bin_t + Allow fapolicyd to watch /run/netns directory + +Hans-Christian Noren Egtvedt (1): + devices: add more video4linux related devices as v4l_device_t + +Henrik Grindal Bakken (1): + cron: Remove too greedy file context grab + +Nicolas PARLANT (2): + files context : few fixes for merged-usr distro_gentoo + fixdep dbus + +Rahul Sandhu (23): + systemd_stream_connect_homed: new interface to access account info + locallogin: allow talking to systemd-homed user record APIs + systemd_homed_t, systemd_homework_t: allow reading of /etc/machine-id + systemd-homed: label LUKS home images as systemd_homed_storage_t + authlogin: connect to homed + 
systemd_homed_runtime_work_dir_t: new type for systemd-homed workdir + lvm_manage_runtime_dirs: new interface for managing LVM runtime dirs + systemd_homework_t: allow managing of lvm_runtime_t files and dirs + systemd_homed_record_t: new type for user records + systemd_stream_connect_homed: make use of stream_connect_pattern + systemd-homed: make lvm related policy optional + systemd-homework: reformat *_files_pattern block + systemd-homed: use files_read_etc_runtime_files to read machine-id + systemd-homed: fix filecontexts for systemd_home_storage_t objects + systemd_stream_connect_homed: genrequire systemd_userdbd_runtime_t + systemd-homework: move optional policy to end of block + authlogin: connect to nsresourced + systemd: appropriately label /run/log/systemd as systemd_log_t + bootloader_t: allow getattr for autofs_t + systemd-logind: allow getattr for autofs_t for get bootloader + bootloader_t: use fs_list_auto_mountpoints for autofs_t:dir + NetworkManager: add /usr/lib/NetworkManager/dispatcher.d to filecon + systemd: allow getattr of namespace files for more components + +Stephen Smalley (1): + add netlink_xperm policy capability and nlmsg permission definitions + +Tianjia Zhang (9): + secadm: remove duplicate policies + userdomain: allow grant mac_admin capability to security admin + lvm: allow to grant capability and create alg_socket + mount: allow mount_t to readwrite fifo file + authlogin: allow unix_chkpwd to run + usermanage: grant passwd_t dac_read_search capability + tpm2: add correct fcontext for tpm2 tools + tpm2: allow tpm-abrmd to access urandom + tpm2: Add the necessary policy to run tpm2 tools + +Yi Zhao (3): + systemd: allow more components to get attributes of nsfs inodes + systemd: allow systemd-resolve to watch /run/systemd dir + ntp: allow systemd-timesyncd to watch /run/systemd dir + +lquidfire (1): + Add is a policy for the ARC milter + * Mon Sep 16 2024 Chris PeBenito - 2.20240916 Amisha Jain (1): Sepolicy changes for bluez to 
access uhid diff --git a/VERSION b/VERSION index 3cbd6b36e..22fcf3aad 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.20240916 +2.20250213
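Review bot: the new "Thu Feb 13 2025 Chris PeBenito - 2.20250213" block in the Changelog hunk is a verbatim git shortlog, and that shows in user-facing release documentation: the entries "systemd: Fix systemd_write_notify_socket().", "Revert "systemd: Fix systemd_write_notify_socket()."" and then the same fix title again describe a revert/re-apply cycle that nets out to one change, and subjects such as "Make quemu optional in virt" and "Add is a policy for the ARC milter" carry typos from the original commits. Consider collapsing the revert pair and correcting the typos in the Changelog entry rather than pasting the shortlog as-is. Since this is the only per-release record of policy changes, it would also help administrators to mark the entries that broaden what a domain may do after a policy reload, in particular "unconfined: permit io_uring access", "userdomain: allow grant mac_admin capability to security admin", "usermanage: grant passwd_t dac_read_search capability", "lvm: allow to grant capability and create alg_socket" and "add netlink_xperm policy capability and nlmsg permission definitions", as these change confinement rather than just fix labels. The VERSION hunk (-2.20240916 / +2.20250213) agrees with the date in the new Changelog header and needs no change.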