| 1 | +* Tue Sep 23 2025 Chris PeBenito < [email protected]> - 2.20250923 |
| 2 | +Antonio Enrico Russo (4): |
| 3 | + Remove redundancies |
| 4 | + ssh: allow ProxyJump |
| 5 | + ssh: allow connection to any port |
| 6 | + gpg: follow links when connecting to agent |
| 7 | + |
| 8 | +Chris PeBenito (56): |
| 9 | + unconfined: Promote anon_inode access to full access. |
| 10 | + cloudinit: Add container engine admin access. |
| 11 | + container: Add full watch permissions for container files. |
| 12 | + systemd: Add syslog access to systemd-notify. |
| 13 | + check_fc_files.py: Add additional optional pattern reduction. |
| 14 | + filesystem: Drop reiserfs genfscon. |
| 15 | + fstools: Remove noted reiserfs rules and file contexts. |
| 16 | + cloudinit: Add sys_admin to set security.sehash. |
| 17 | + sysnetwork: Silence sys_admin denials. |
| 18 | + filesystem: Add labeling for pidfs. |
| 19 | + filesystem: Fix pidfs typo. Change to task SID. |
| 20 | + |
| 21 | +Christian Göttsche (2): |
| 22 | + build: drop obsolete setfiles option |
| 23 | + policy_capabilities: add netif_wildcard and genfs_seclabel_wildcard |
| 24 | + |
| 25 | +Clayton Casciato (3): |
| 26 | + ssh: allow sshd_t userdomain:key search |
| 27 | + dbus: allow system_dbusd_t unconfined_t:fd use |
| 28 | + systemd: allow systemd_logind_t unconfined_t:fd use |
| 29 | + |
| 30 | +Daniel Burgener (1): |
| 31 | + Include read permission in rw_dirs_pattern |
| 32 | + |
| 33 | +Dave Sugar (1): |
| 34 | + fix: when using timedatectl to set system time |
| 35 | + |
| 36 | +Dāvis (1): |
| 37 | + Support Postfix aliases.lmdb |
| 38 | + |
| 39 | +Guido Trentalancia (4): |
| 40 | + Add the new firmware_load permission. |
| 41 | + Let the kernel load firmware files during boot. |
| 42 | + Do not audit kernel attempts to load firmware files with the kernel_t |
| 43 | + label. |
| 44 | + Add the remaining permissions recently added in the kernel for the system |
| 45 | + class. |
| 46 | + |
| 47 | +Kenton Groombridge (36): |
| 48 | + container: allow containers to getpgid |
| 49 | + container: allow spc to read netns files |
| 50 | + container, kubernetes: various fixes for hugetlbfs usage |
| 51 | + container, kubernetes: various fixes |
| 52 | + kanidm: initial policy |
| 53 | + authlogin: add tunable for nsswitch domains to connect to kanidm-unixd |
| 54 | + systemd: allow systemd-user-runtime-dir to connect to kanidm-unixd |
| 55 | + init: add tunable to allow mounton selinux config |
| 56 | + systemd: allow systemd-user-runtime-dir to list systemd-userdbd runtime |
| 57 | + dirs |
| 58 | + init: allow init to write inherited logind sessions |
| 59 | + sudo: allow locking user terminals |
| 60 | + sysadm, systemd: allow sysadmins to connect to systemd-networkd over unix |
| 61 | + stream sockets |
| 62 | + container, kernel: add tunable to allow NFS to relabel container files |
| 63 | + container: add tunable for spc to manage NFS mounts |
| 64 | + zfs: various fixes |
| 65 | + postgresql: various fixes |
| 66 | + iptables, podman, init: various container fixes |
| 67 | + container: allow spc to list unlabeled |
| 68 | + systemd: allow logind to read the state of user sessions |
| 69 | + container: rules for node exporter |
| 70 | + kubernetes: fixes for kubelet |
| 71 | + container: dontaudit request load module |
| 72 | + container: allow kvm containers to read network state |
| 73 | + kubernetes: fixes for kubeadm |
| 74 | + container: add tunable to execmod ro files |
| 75 | + postfix: allow smtpd to lock keytab files |
| 76 | + sysadm: allow inheriting fds from systemd |
| 77 | + container: add filecons for kubevirt |
| 78 | + matrixd: allow sending signals to itself |
| 79 | + sysadm: allow BPF debugging for container-related system domains |
| 80 | + container: promote some process perms to all containers |
| 81 | + container: demote execmem, execstack access |
| 82 | + container: allow spc to use sys_admin in userns |
| 83 | + various: make dbus optional |
| 84 | + container: mirror capabilities to userns perms |
| 85 | + systemd: allow users to run systemd-cgtop |
| 86 | + |
| 87 | +Marc Schiffbauer (14): |
| 88 | + modules: add new incus service module |
| 89 | + iptables: let nft dev_read_urand |
| 90 | + iptables: allow incus_stream_connect_daemon |
| 91 | + container: add incus/lxc specific file contexts |
| 92 | + container: add new container_init_t local policy |
| 93 | + qemu: add qemu_incus_managed tunable |
| 94 | + sysadm: allow incus_stream_connect_daemon |
| 95 | + dnsmasq: allow to be run by incus |
| 96 | + dnsmasq: make dnsmasq work with systemd-resolved |
| 97 | + zfs: allow connect to incus daemon |
| 98 | + modules: only whitespace fixes spotted while editing modules |
| 99 | + kernel: use mmap_read_files_pattern instead of read_files_pattern+allow |
| 100 | + kernel: fix for two minor typos |
| 101 | + incus: rm explicit fcontext for /usr/libexec/incus(/.*)? |
| 102 | + |
| 103 | +Michael Snook (1): |
| 104 | + rpm: allow cap_sys_admin for writing security xattrs |
| 105 | + |
| 106 | +Nicolas PARLANT (1): |
| 107 | + files context : fix multipath merged-usr |
| 108 | + |
| 109 | +Rahul Sandhu (6): |
| 110 | + portage: gatekeep portage_fetch_t accessing all ports behind a tunable |
| 111 | + seatd: new policy module |
| 112 | + shutdown_t: fix exec of /sbin/shutdown by /sbin/halt |
| 113 | + files: add a default file context spec for /proc |
| 114 | + portage: domtrans udevadm out into udevadm_t |
| 115 | + portage: allow executing systemctl for systemd.eclass |
| 116 | + |
| 117 | +Russell Coker (38): |
| 118 | + bootloader (#933) |
| 119 | + storage (#942) |
| 120 | + container (#938) |
| 121 | + newsystemd2 (#930) |
| 122 | + Patches for systemd_nspawn_t |
| 123 | + opensnitch daemon (#929) |
| 124 | + mail (#936) |
| 125 | + servers (#940) |
| 126 | + systemd-binfmt-coredump-generator (#946) |
| 127 | + some dpkg changes |
| 128 | + udev (#941) |
| 129 | + systemd-logind-nspawn-backlight (#945) |
| 130 | + systemd-machined-modules-passwd (#948) |
| 131 | + login (#943) |
| 132 | + user-bubblewrap (#952) |
| 133 | + systemd-rfkill-sessions-sysctl-sysusers-tmpfiles-userruntime (#950) |
| 134 | + systemd-hostnamed-locale-logind (#947) |
| 135 | + remove dupes (#963) |
| 136 | + This patch removes commented out interfaces and a commented out template. |
| 137 | + chromium (#965) |
| 138 | + Allow plymouth to read kernel messages and sysctls rw input devices, and |
| 139 | + signal init as well as some other small things. |
| 140 | + mon misc (#976) |
| 141 | + Fail2ban changes: |
| 142 | + apt (#987) |
| 143 | + acpi (#979) |
| 144 | + selinuxutil (#988) |
| 145 | + Some small fixes for the fingerprint daemon |
| 146 | + dbus (#980) |
| 147 | + xserver (#981) |
| 148 | + services (#986) |
| 149 | + systemd (#995) |
| 150 | + misc-kernel-system (#1003) |
| 151 | + strict2 (#1002) |
| 152 | + miscnetwork (#1004) |
| 153 | + justthefcerror (#1005) |
| 154 | + strict (#999) |
| 155 | + Some small patches for accountsd |
| 156 | + usbguard (#1023) |
| 157 | + |
| 158 | +Tobias Wiese (1): |
| 159 | + support/Makefile: don't remake *.fc and *.if files |
| 160 | + |
| 161 | +Yi Zhao (2): |
| 162 | + udev: allow udev_t to watch udev_runtime_t directory |
| 163 | + logging: update rules for audit |
| 164 | + |
1 | 165 | * Wed Jun 18 2025 Chris PeBenito < [email protected]> - 2.20250618 |
2 | 166 | Antonio Enrico Russo (1): |
3 | 167 | Remove unneeded backticks from gen_tunable |
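Review bot: Several of the Russell Coker entries in this changelog carry only a branch name and PR number (`bootloader (#933)`, `servers (#940)`, `newsystemd2 (#930)`, `strict2 (#1002)`, `justthefcerror (#1005)`), which tells a reader of the changelog nothing about which policy rules changed; consider rewording them in the changelog to describe the change, as the other entries do. The `Fail2ban changes:` line ends in a colon, which looks like a commit subject whose body was dropped when the log was generated. Since this list is what a policy user will consult to audit what widened between 2.20250618 and 2.20250923, the entries that broaden access (`ssh: allow connection to any port`, `container: allow spc to use sys_admin in userns`, `rpm: allow cap_sys_admin for writing security xattrs`, `cloudinit: Add sys_admin to set security.sehash`) would be easier to assess if, like `portage: gatekeep portage_fetch_t accessing all ports behind a tunable`, they said whether the new access is tunable-gated or unconditional.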