-
Notifications
You must be signed in to change notification settings - Fork 144
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update Changelog and VERSION for release.
Signed-off-by: Chris PeBenito <[email protected]>
- Loading branch information
Showing
2 changed files
with
217 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,219 @@ | ||
| * Tue Aug 18 2020 Chris PeBenito <[email protected]> - 2.20200818 | ||
| Alexander Miroshnichenko (2): | ||
| openvpn: more versatile file context regex for ipp.txt | ||
| openvpn: update file context regex for ipp.txt | ||
|
|
||
| Chris PeBenito (153): | ||
| Makefile: Warn if policy.xml xmllint check does not run. | ||
| networkmanager: Fix interface commenting. | ||
| Makefile: Remove shell brace expansion in ctags target. | ||
| dbus: Rename tunable to dbus_pass_tuntap_fd. | ||
| spamassassin: Move systemd interfaces. | ||
| spamassassin: Rename systemd interfaces. | ||
| spamassassin: Add missing class requires in systemd interfaces. | ||
| spamassassin: Remove unnecessary brackets in type alias. | ||
| pulseaudio: Drop call to nonexistant interface. | ||
| genhomedircon: Drop Python 2 compatibility code. | ||
| systemd: Merge generator domains. | ||
| .travis.yml: Add CI tests with no unconfined. | ||
| Rename "pid" interfaces to "runtime" interfaces. | ||
| Update callers for "pid" to "runtime" interface rename. | ||
| Move user definitions to the right place during compilation. | ||
| Makefile: Give a value to build options so they can be used in ifelse. | ||
| init: Revise init_startstop_service() build option blocks. | ||
| kernel: Drop unlabeled_t as a files_mountpoint(). | ||
| selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. | ||
| files: Restore mounton access to files_mounton_all_mountpoints(). | ||
| filesystem: Create a filesystem image concept. | ||
| kernel, fstools, lvm, mount: Update to use filesystem image interfaces. | ||
| Bump module versions for release. | ||
|
|
||
| Christian Göttsche (29): | ||
| Rules: allow the usage of class sets in context_defaults | ||
| Correct estimate kernel version for polcap genfs_seclabel_symlinks | ||
| Makefile: generate temporary documentation files in separate directory | ||
| Ignore temporary documentation file directory in git | ||
| Override old all_interfaces.conf.tmp file | ||
| samba: fix wrong interface context smbd_runtime_t | ||
| chromium: drop dead conditional block | ||
| example: use module name matching file name | ||
| consolesetup: drop unused requires | ||
| unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit() | ||
| portage: drop bizarre conditional TODO blocks | ||
| init/systemd: move systemd_manage_all_units to init_manage_all_units | ||
| tpm2: small fixes | ||
| files/logging: move var_run_t filecontext to defining module | ||
| files/miscfiles: move usr_t filecontext to defining module | ||
| chromium/libraries: move lib_t filecontext to defining module | ||
| apache: use correct content types in apache_manage_all_user_content() | ||
| can_exec(): move from misc_macros to misc_patterns | ||
| Makefile: remove obsolete .SUFFIXES | ||
| Makefile: add target build-interface-db | ||
| devices/storage: quote arguments to tunable_policy | ||
| apache: quote gen_tunable name argument | ||
| Correct some misspellings | ||
| Fix several misspellings | ||
| whitespace cleanup | ||
| travis-ci: add SELint | ||
| work on SELint issues | ||
| files/modutils: unify modules_object_t usage into files module | ||
| travis: resolve Linter tags | ||
|
|
||
| Daniel Burgener (10): | ||
| Add dnl to end of interface declaration. This reduces the number of blank | ||
| lines in intermediate files and matches the way templates are defined. | ||
| Allow systemd-coredump to stat mountpoints. | ||
| Change incorrect template definitions into interface definitions | ||
| Add divert to generated_definitions creation, and fix all_interfaces.conf | ||
| divert creation. | ||
| Fix mismatches between object class and permission macro. | ||
| Switch pipe reading on domtrans to inherited only | ||
| Simplify collection of ssh rules to domtrans_pattern macro | ||
| Fix a few places where command line applications were only granted one of | ||
| tty or pty permissions and could be used from either | ||
| Remove the second copy of a permission in instances where the exact same | ||
| permission is repeated twice in a row | ||
| Remove out of date "hack" from stunnel. The underlying problem needing a | ||
| require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port | ||
| would be an option now, but stunnel_t already has | ||
| corenet_tcp_bind_all_ports, so this access is redundant. | ||
|
|
||
| Dave Sugar (8): | ||
| Add interface to read/write /dev/ipmi | ||
| Update labeling in /dev/ | ||
| Setup generic generator attribute and change generator types. | ||
| fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026 | ||
| Setup domain for tpm2_* binaries | ||
| Interfaces needed to support IMA/EVM keys | ||
| Resolve neverallow failure introduced in #273 | ||
| Interfaces for tpm2 | ||
|
|
||
| David Sommerseth (1): | ||
| dbus: Add tunable - dbus_can_pass_tuntap_fd | ||
|
|
||
| Florian Schmidt (1): | ||
| corenetwork: fix winshadow port number | ||
|
|
||
| Guido Trentalancia (5): | ||
| This patch improves a previous commit by restricting down the permissions | ||
| to write the wireless device in order to prevent a possible Denial of | ||
| Service (DoS) attack from an unprivileged process bringing down the | ||
| wireless interfaces. | ||
| mozilla: add watch perms | ||
| wm: add watch perms | ||
| getty: add watch perms | ||
| userdomain: add watch perms | ||
|
|
||
| Laurent Bigonville (5): | ||
| Add an interface to allow the specified domain to mmap the general network | ||
| configuration files | ||
| Add policy for apt-cacher-ng | ||
| Add policy for acngtool | ||
| Label bluetooth daemon as bluetooth_exec_t | ||
| Label /usr/libexec/packagekitd as apt_exec_t on debian | ||
|
|
||
| McSim85 (1): | ||
| add rule for the management socket file fixed comments from @bauen1 | ||
|
|
||
| Nicolas Iooss (5): | ||
| Vagrantfile: remove older installed modules before "make install" | ||
| systemd: make systemd --user run generators without transition | ||
| systemd: allow sd-executor to manage its memfd files | ||
| devices: label /dev/sysdig0 | ||
| sysnetwork: allow using "ip netns" | ||
|
|
||
| Russell Coker (2): | ||
| pulseaudio patch | ||
| latest ver of trivial mail server patch | ||
|
|
||
| Topi Miettinen (13): | ||
| Make raw memory access tunable | ||
| Add usbguard | ||
| Don't allow creating regular files in /dev | ||
| Python string fix | ||
| gennetfilter: generate nft tables with --nft | ||
| gennetfilter: handle port ranges | ||
| Allow systemd-networkd to handle ICMP and DHCP packets | ||
| gennetfilter: add rules for ICMP/ICMPv6 packets | ||
| wm: add KWin | ||
| Build and install Netfilter rules | ||
| bootloader: add rEFInd and systemd-boot | ||
| netutils: allow ping to send and receive ICMP packets | ||
| Remove unlabeled packet access | ||
|
|
||
| Vilgot (1): | ||
| Portage update | ||
|
|
||
| Vilgot Fredenberg (1): | ||
| Remove old exception | ||
|
|
||
| Yi Zhao (2): | ||
| Remove duplicated rules | ||
| xserver: allow xserver_t to connect to resmgrd | ||
|
|
||
| bauen1 (59): | ||
| logging: allow syslogd to remove stale socket file | ||
| systemd-user-runtime-dir: add required permissions | ||
| mozilla: allow firefox to use user namespaces for sandboxing | ||
| modutils: allow init to execute kmod with nnp | ||
| fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da | ||
| allow init_t access to own keyring | ||
| allow init_t to link kernel_t key | ||
| allow normal users to use 'systemd-run' | ||
| ssh: fix for debian wrapper script | ||
| bird: fixes for bird 2.0 | ||
| apache: add nginx to policy | ||
| ntpd: fixes for systemd-timesyncd after linux 5.4 | ||
| define lockdown class and access | ||
| dirmngr: allow to probe for tor | ||
| dirmngr: also requires access to /dev/urandom | ||
| dirmngr: ~/.gnupg/crls.d might not exist | ||
| application: applications can be executed from ssh without pty | ||
| systemd: allow regular users to run systemd-analyze | ||
| quota: allow quota to modify /aquota even if immutable | ||
| init: read default context during boot | ||
| lvm: create /etc/lvm/archive if it doesn't exist | ||
| corecommands: fix atrild label | ||
| systemd-fstab-generator needs to know about all mountpoints | ||
| semanage: create directories for new policies | ||
| dnsmasq: watch for new dns resolvers | ||
| init: allow systemd to setup mount namespaces | ||
| init: make initrc_t a init_domain to simplify the policy | ||
| init: allow systemd to activate journald-audit.socket | ||
| setrans: allow label translation for all domains. | ||
| files: add files_watch_etc_symlinks interface | ||
| init: watch /etc/localtime even if it's a symlink | ||
| corecommands: proper label for unattended-upgrades helpers | ||
| filesystem: pathcon for matching tracefs mount | ||
| lvm-activation-generator also needs to execute lvm | ||
| systemd: allow systemd-user-runtime-dir to do its job | ||
| init: fix init_manage_pid_symlinks to grant more than just create | ||
| permissions | ||
| init: replace call to init_domtrans_script | ||
| systemd-sysusers: add policy | ||
| allow most common permissions for systemd sandboxing options | ||
| terminal: cleanup term_create interfaces | ||
| logrotate.service sandbox required permissions | ||
| udev.service sandbox required permissions | ||
| systemd-timesyncd.service sandbox requried permissions | ||
| systemd-logind.service sandbox required permissions | ||
| init: fix systemd boot | ||
| postfix: add filetrans for sendmail and postfix for aliases db operations | ||
| systemd: fixed systemd_rfkill_t denial spam | ||
| thunderbird: label files under /tmp | ||
| init: systemd will run chkpwd to start user@1000 | ||
| authlogin: unix_chkpwd is linked to libselinux | ||
| systemd: maintain /memfd:systemd-state | ||
| dpkg: allow dpkg frontends to acquire lock by labeling it correctly | ||
| systemd: systemd --user add essential permissions | ||
| dpkg: dpkg scripts are part of dpkg and therefor also an application | ||
| domain | ||
| gpg: don't allow gpg-agent to read /proc/kcore | ||
| corecommands: correct label for debian ssh-agent helper script | ||
| systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp | ||
| Remove the ada module, it is unecessary and not touched since ~2008 | ||
| dpkg: domaintrans to sysusers if necessary | ||
|
|
||
| * Sat Feb 29 2020 Chris PeBenito <[email protected]> - 2.20200229 | ||
| Alexander Miroshnichenko (1): | ||
| Add knot module | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 2.20200229 | ||
| 2.20200818 |