|
| 1 | +* Tue Nov 01 2022 Chris PeBenito < [email protected]> - 2.20221101 |
| 2 | +Chris PeBenito (46): |
| 3 | + systemd: Drop systemd_detect_virt_t. |
| 4 | + fstools: Handle resizes of the root filesystem. |
| 5 | + mount: Get the attributes of all filesystems. |
| 6 | + rpm: Add dnf and tdnf labeling. |
| 7 | + logging: Change to systemd interface for tmpfilesd. |
| 8 | + systemd: Remove systemd-run domain. |
| 9 | + unconfined: Add missing capability2 perms. |
| 10 | + lvm: Updates for multipath LVM. |
| 11 | + locallogin: Use init file descriptors. |
| 12 | + systemd: Misc fixes. |
| 13 | + isns: Updates from testing. |
| 14 | + container, docker: Fixes for containerd and kubernetes testing. |
| 15 | + devices: Add type for SAS management devices. |
| 16 | + devices: Add file context for /dev/vhost-vsock. |
| 17 | + iptables: Ioctl cgroup dirs. |
| 18 | + devices: Add type for infiniband devices. |
| 19 | + storage: Add fc for /dev/ng*n* devices. |
| 20 | + files: Add prerequisite access for files_mounton_non_security(). |
| 21 | + files: Make etc_runtime_t a config file. |
| 22 | + systemd: Fixes for coredumps in containers. |
| 23 | + container: Allow container engines to connect to http cache ports. |
| 24 | + container: Getattr generic device nodes. |
| 25 | + application: Allow apps to use init fds. |
| 26 | + systemd: Misc updates. |
| 27 | + filesystem: Move ecryptfs interface definitions. |
| 28 | + mcs: Add additional SysV IPC constraints. |
| 29 | + mcs: Collapse constraints. |
| 30 | + mcs: Add additional socket constraints. |
| 31 | + mcs: Add missing process permission constraints. |
| 32 | + mcs: Remove duplicate node_bind constraint. |
| 33 | + mcs: Reorganize file. |
| 34 | + mls: Add setsockcreate constraint. |
| 35 | + systemd: Add interface for systemctl exec. |
| 36 | + Add cloud-init. |
| 37 | + hypervkvp: Port updated module from Fedora policy. |
| 38 | + init: Add tunable for systemd to create all its mountpoints. |
| 39 | + Run Ci tests in parallel. |
| 40 | + Revise userspace and SELint versions in CI |
| 41 | + fapolicyd: Fix selint issue. |
| 42 | + tests.yml: Remove irrelevant comment. |
| 43 | + Drop audit_access allows. |
| 44 | + sympa: Move lines. |
| 45 | + sympa: Drop module version. |
| 46 | + sympa, mta, exim: Revise interfaces. |
| 47 | + sympa, logging; Fix lint errors. |
| 48 | + container: Add missing UDP node bind access on container engines. |
| 49 | + |
| 50 | +Christian Göttsche (3): |
| 51 | + Replace deprecated egrep usage |
| 52 | + ci: update dependencies |
| 53 | + ci: build SELint from source |
| 54 | + |
| 55 | +Daniel Burgener (1): |
| 56 | + Drop explicit calls to seutil and kernel module interfaces in broad files |
| 57 | + interfaces |
| 58 | + |
| 59 | +Dave Sugar (20): |
| 60 | + ssh: allow ssh_keygen to read /usr/share/crypto-policies/ |
| 61 | + chronyd: Allow to read fips_enabled sysctl |
| 62 | + chronyd: allow chronyd to read /usr/share/crypto-policies |
| 63 | + systemd: init_t creates systemd-logind 'linger' directory |
| 64 | + systemd: systemd-update-done fix startup issue |
| 65 | + usbguard: Allow to read fips_enabled sysctl |
| 66 | + firewalld: read to read fips_enabled sysctl |
| 67 | + firewalld: create netfilter socket |
| 68 | + firewalld: allow to load kernel modules |
| 69 | + firewalld: write tmpfs files |
| 70 | + firewalld: firewalld-cmd uses dbus |
| 71 | + tpm2-abrmd: allow to send syslog messages |
| 72 | + domain: move kernel_read_crypto_sysctls to a common location |
| 73 | + fapolicyd: Initial SELinux policy |
| 74 | + networkmanager: allow watch etc_t and lib_t |
| 75 | + firewalld: allow watch on firewalld files |
| 76 | + Seeing long delay during shutdown saying: 'A stop job is running for |
| 77 | + Restore /run/initramfs on shutdown' |
| 78 | + fix: issue #550 - compile failed when DIRECT_INITRC=y |
| 79 | + fapolicyd: fagenrules chgrp's the compiled.rules |
| 80 | + Add 'DIRECT_INITRC' config to automated tests |
| 81 | + |
| 82 | +Kenton Groombridge (95): |
| 83 | + systemd: add separate type for user transient units |
| 84 | + systemd: rename user runtime unit interfaces |
| 85 | + docker, podman: use renamed user runtime unit status interface |
| 86 | + systemd: rename status user mananger units interface |
| 87 | + systemd: systemd-resolved is linked to libselinux |
| 88 | + systemd: dontaudit systemd-generator getattr on all dirs |
| 89 | + raid: allow mdadm to use user ptys |
| 90 | + bootloader, files: allow bootloader to getattr on boot_t filesystems |
| 91 | + matrixd: various fixes |
| 92 | + container: add unconfined role |
| 93 | + unconfined: use unconfined container role |
| 94 | + podman: add interface to rangetrans when executing conmon |
| 95 | + podman: rework conmon rules |
| 96 | + podman: add file context for podman in /usr/libexec |
| 97 | + container: rework combined role interfaces |
| 98 | + podman: typealias podman_user_conmon_t to podman_conmon_user_t |
| 99 | + fail2ban: allow fail2ban to getsched on its processes |
| 100 | + modutils: allow kmod to write to kmsg |
| 101 | + postfix: allow postfix-map to read certbot certs |
| 102 | + postfix: allow postfix master to get the state of init |
| 103 | + postfix: allow postfix master fsetid capability |
| 104 | + bind: fixes for named working on dnssec files |
| 105 | + sudo: allow sudo domains to create netlink selinux sockets |
| 106 | + sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve |
| 107 | + container: allow containers to manipulate own fds |
| 108 | + container: allow container engines to manage tmp symlinks |
| 109 | + ssh: add tunable to allow sshd to use remote port forwarding |
| 110 | + systemd: minor fixes to systemd user domains |
| 111 | + init, systemd: allow unpriv users to read the catalog |
| 112 | + container: add separate type for container engine units |
| 113 | + container, podman: allow podman to restart container units |
| 114 | + spamassassin: add file context for rspamd log directory |
| 115 | + term, init: allow systemd to watch and watch reads on unallocated ttys |
| 116 | + certbot: various fixes |
| 117 | + systemd: add file transition for systemd-networkd runtime |
| 118 | + systemd: add missing file context for /run/systemd/network |
| 119 | + systemd: add file contexts for systemd-network-generator |
| 120 | + systemd, udev: allow udev to read systemd-networkd runtime |
| 121 | + systemd: allow systemd-networkd to read init runtime files |
| 122 | + podman: add alias for conmon executable |
| 123 | + systemd: ensure connecting to resolved allows searching init runtime |
| 124 | + ssh: allow sshd to run setfiles when polyinstantiation is enabled |
| 125 | + sudo: allow sudo domains to access caller's /proc/pid/stat |
| 126 | + container: add file contexts for docker home config |
| 127 | + files, init: allow systemd to remount etc filesystems |
| 128 | + systemd: allow systemd-logind to read localization |
| 129 | + init: fix possible typo |
| 130 | + corecmd: label dracut lib as bin_t |
| 131 | + sudo: various fixes |
| 132 | + udev: various fixes for udevadm |
| 133 | + bootloader, init: various fixes for systemd-boot |
| 134 | + systemd: allow systemd-generator to read etc runtime files |
| 135 | + systemd: add interface to read userdb runtime files |
| 136 | + logging: various fixes for auditctl |
| 137 | + screen: add interface to dontaudit runtime sock file |
| 138 | + systemd: dontaudit systemd-tmpfiles getattr on screen sock file |
| 139 | + systemd: dontaudit systemd-tmpfiles getattr on all dirs |
| 140 | + fstools: fixes for fsadm with nfs |
| 141 | + various: fixes for nfs |
| 142 | + init: dontaudit initrc creating /dev/console during initrd |
| 143 | + storage: include chr_files in fixed_disk_dev interfaces |
| 144 | + systemd: allow systemd-userdbd to search default contexts |
| 145 | + logging, systemd: allow auditctl to list userdb runtime dirs |
| 146 | + bootloader, userdom: minor fixes for systemd-boot |
| 147 | + systemd: allow systemd-resolved to read generic certs |
| 148 | + sysadm: allow sysadm to rw ipmi devices |
| 149 | + zfs: initial policy module |
| 150 | + fstools, mount: remove legacy zfs rules |
| 151 | + files, mount: remove legacy ZFS file contexts |
| 152 | + sysadm: allow admin access to zfs |
| 153 | + kernel: allow kthreads to read and write the zpool cache |
| 154 | + systemd, zfs: allow systemd-generator to read zfs config |
| 155 | + udev: allow reading ZFS config |
| 156 | + zfs: various fixes |
| 157 | + mta: add support for nullmailer |
| 158 | + devices: add interface to rw infiniband devices |
| 159 | + xdg: add interface to dontaudit searching xdg data dirs |
| 160 | + opensm: initial policy |
| 161 | + sysadm: allow opensm access |
| 162 | + corenet: add portcon for glusterfs |
| 163 | + glusterfs: various fixes |
| 164 | + glusterfs: add type for gluster bricks |
| 165 | + mount: allow mounting glusterfs volumes |
| 166 | + selinuxutil: allow semanage, setfiles to inherit gluster fds |
| 167 | + glusterfs, selinuxutil: make modifying fcontexts a tunable |
| 168 | + glusterfs: add type for glusterd hooks |
| 169 | + usermanage: add file context for chpasswd in /usr/bin |
| 170 | + node_exporter: add file context for node_exporter in /usr/bin |
| 171 | + usbguard: add file context for usbguard in /usr/bin |
| 172 | + init: add file context for systemd units in dracut modules |
| 173 | + git: add file contexts for other git utilities |
| 174 | + dbus, init, mount, rpc: minor fixes for mount.nfs |
| 175 | + zfs: allow reading exports |
| 176 | + systemd: allow systemd-generator to use dns resolution |
| 177 | + rpc: allow rpc admins to rw nfsd fs |
| 178 | + |
| 179 | +Pat Riehecky (2): |
| 180 | + container: Boolean for ecryptfs |
| 181 | + Clone `xguest_connect_network` for guest role |
| 182 | + |
| 183 | +Russell Coker (1): |
| 184 | + Sympa list server |
| 185 | + |
| 186 | +Yi Zhao (16): |
| 187 | + systemd: allow systemd user to watch /etc directories |
| 188 | + logwatch: fixes for logwatch |
| 189 | + postfix: allow postfix_local_t to search logwatch_cache_t |
| 190 | + sysnetwork: allow systemd_networkd_t to read link file |
| 191 | + logging: allow systemd-journal to manage syslogd_runtime_t sock_file |
| 192 | + radius: fixes for freeradius |
| 193 | + udev: allow udev_read_runtime_files to read link files |
| 194 | + watchdog: allow watchdog to create /var/log/watchdog directory |
| 195 | + systemd: allow systemd-resolved to manage link files |
| 196 | + sysnetwork: fix privilege separation functionality of dhcpcd |
| 197 | + sysnetwork: allow dhcpcd to send and receive messages from systemd |
| 198 | + resolved |
| 199 | + rpm: add label for dnf-automatic and dnf-3 |
| 200 | + systemd: allow systemd-backlight to read kernel sysctl settings |
| 201 | + systemd: allow systemd-rfkill to get attributes of all fs |
| 202 | + systemd: allow systemd-hostnamed to read selinux configuration files |
| 203 | + systemd: add capability sys_admin to systemd_generator_t |
| 204 | + |
1 | 205 | * Fri May 20 2022 Chris PeBenito < [email protected]> - 2.20220520 |
2 | 206 | Björn Esser (1): |
3 | 207 | authlogin: add fcontext for tcb |
|
0 commit comments