|
| 1 | +* Thu Feb 13 2025 Chris PeBenito < [email protected]> - 2.20250213 |
| 2 | +Björn Esser (1): |
| 3 | + authlogin: fix regex for /etc/tcb |
| 4 | + |
| 5 | +Chris PeBenito (54): |
| 6 | + Makefile: Build all appconfig files. |
| 7 | + Add tool for validating contexts in appconfig files. |
| 8 | + userhelper_context: Fix invalid context. |
| 9 | + lxc_contexts: Fix invalid contexts in standard version. |
| 10 | + validate-appconfig.py: Add default_type and failsafe_context validation. |
| 11 | + validate-appconfig.py: Add default_contexts validation. |
| 12 | + xserver: Fix xdm seuser role association. |
| 13 | + build-policy.yml: Add setools to policy builds for appconfig validation. |
| 14 | + validate-appconfig.py: Add GitHub actions logging. |
| 15 | + users: Move unconfined_u definition to unconfined module. |
| 16 | + guest/xguest: Add seusers. |
| 17 | + INSTALL: Update dependencies. |
| 18 | + build-userspace/setools.yml: Cache built userspace. |
| 19 | + systemd: Fix systemd_write_notify_socket(). |
| 20 | + Revert "systemd: Fix systemd_write_notify_socket()." |
| 21 | + systemd: Fix systemd_write_notify_socket(). |
| 22 | + init: Move common rules out of daemon/system interfaces. |
| 23 | + |
| 24 | +Christian Göttsche (17): |
| 25 | + unconfined: permit io_uring access |
| 26 | + userdomain: include map in userdom_manage_user_home_content_files() |
| 27 | + systemd: permit ssh generator to request vsock module |
| 28 | + locallogin: permit login process to signal itself |
| 29 | + ssh: label sshd-session helper on Debian |
| 30 | + kernel: create /dev/vsock with correct context |
| 31 | + Reorder permissions to please SELint |
| 32 | + bootloader: get scheduling information |
| 33 | + Fix typos |
| 34 | + policy_capabilities: add stub for userspace_initial_context |
| 35 | + validate-appconfig: replace tab indentation by spaces |
| 36 | + check_fc_files: support trailing optional version number |
| 37 | + Build appconfig files in default target |
| 38 | + systemd: permit sd-sysuser access to admin terminal |
| 39 | + github: add codespell check |
| 40 | + systemd: permit sysusers to create /etc/group |
| 41 | + systemd: getattr namespace files |
| 42 | + |
| 43 | +Dave Sugar (12): |
| 44 | + Fix complaints in STIG about unlabeled device files |
| 45 | + Make quemu optional in virt |
| 46 | + Make mta optional in container policy |
| 47 | + Changes to support python 3.9 (RHEL9) |
| 48 | + Setup sudo log file type |
| 49 | + Need search perms on cert_t/tls_privkey_t when using private types |
| 50 | + Communicate with locale via dbus |
| 51 | + mozilla adds .mozilla directory to /etc/skel which useradd tries to copy |
| 52 | + Add support for open-vm-tools |
| 53 | + If mta module is not installed useradd fails to create mailbox files |
| 54 | + label jspawnhelper bin_t |
| 55 | + Allow fapolicyd to watch /run/netns directory |
| 56 | + |
| 57 | +Hans-Christian Noren Egtvedt (1): |
| 58 | + devices: add more video4linux related devices as v4l_device_t |
| 59 | + |
| 60 | +Henrik Grindal Bakken (1): |
| 61 | + cron: Remove too greedy file context grab |
| 62 | + |
| 63 | +Nicolas PARLANT (2): |
| 64 | + files context : few fixes for merged-usr distro_gentoo |
| 65 | + fixdep dbus |
| 66 | + |
| 67 | +Rahul Sandhu (23): |
| 68 | + systemd_stream_connect_homed: new interface to access account info |
| 69 | + locallogin: allow talking to systemd-homed user record APIs |
| 70 | + systemd_homed_t, systemd_homework_t: allow reading of /etc/machine-id |
| 71 | + systemd-homed: label LUKS home images as systemd_homed_storage_t |
| 72 | + authlogin: connect to homed |
| 73 | + systemd_homed_runtime_work_dir_t: new type for systemd-homed workdir |
| 74 | + lvm_manage_runtime_dirs: new interface for managing LVM runtime dirs |
| 75 | + systemd_homework_t: allow managing of lvm_runtime_t files and dirs |
| 76 | + systemd_homed_record_t: new type for user records |
| 77 | + systemd_stream_connect_homed: make use of stream_connect_pattern |
| 78 | + systemd-homed: make lvm related policy optional |
| 79 | + systemd-homework: reformat *_files_pattern block |
| 80 | + systemd-homed: use files_read_etc_runtime_files to read machine-id |
| 81 | + systemd-homed: fix filecontexts for systemd_home_storage_t objects |
| 82 | + systemd_stream_connect_homed: genrequire systemd_userdbd_runtime_t |
| 83 | + systemd-homework: move optional policy to end of block |
| 84 | + authlogin: connect to nsresourced |
| 85 | + systemd: appropriately label /run/log/systemd as systemd_log_t |
| 86 | + bootloader_t: allow getattr for autofs_t |
| 87 | + systemd-logind: allow getattr for autofs_t for get bootloader |
| 88 | + bootloader_t: use fs_list_auto_mountpoints for autofs_t:dir |
| 89 | + NetworkManager: add /usr/lib/NetworkManager/dispatcher.d to filecon |
| 90 | + systemd: allow getattr of namespace files for more components |
| 91 | + |
| 92 | +Stephen Smalley (1): |
| 93 | + add netlink_xperm policy capability and nlmsg permission definitions |
| 94 | + |
| 95 | +Tianjia Zhang (9): |
| 96 | + secadm: remove duplicate policies |
| 97 | + userdomain: allow grant mac_admin capability to security admin |
| 98 | + lvm: allow to grant capability and create alg_socket |
| 99 | + mount: allow mount_t to readwrite fifo file |
| 100 | + authlogin: allow unix_chkpwd to run |
| 101 | + usermanage: grant passwd_t dac_read_search capability |
| 102 | + tpm2: add correct fcontext for tpm2 tools |
| 103 | + tpm2: allow tpm-abrmd to access urandom |
| 104 | + tpm2: Add the necessary policy to run tpm2 tools |
| 105 | + |
| 106 | +Yi Zhao (3): |
| 107 | + systemd: allow more components to get attributes of nsfs inodes |
| 108 | + systemd: allow systemd-resolve to watch /run/systemd dir |
| 109 | + ntp: allow systemd-timesyncd to watch /run/systemd dir |
| 110 | + |
| 111 | +lquidfire (1): |
| 112 | + Add is a policy for the ARC milter |
| 113 | + |
1 | 114 | * Mon Sep 16 2024 Chris PeBenito < [email protected]> - 2.20240916 |
2 | 115 | Amisha Jain (1): |
3 | 116 | Sepolicy changes for bluez to access uhid |
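Review bot: The "Chris PeBenito (54):" header does not match the list under it, which has only 17 subjects, while every other author's count in this entry equals the number of lines listed (Rahul Sandhu 23, Christian Göttsche 17, Dave Sugar 12, Tianjia Zhang 9). If the remaining commits are merges that were filtered out, the count should be generated with the same filter; otherwise the missing subjects should be restored. In the same block, the fix / revert / fix sequence for systemd_write_notify_socket() adds three lines for one net change and could be collapsed for a release changelog. The subjects "Make quemu optional in virt" and "Add is a policy for the ARC milter" read like typos; if they are verbatim commit subjects, leaving them as-is is fine, but that is worth confirming against the log.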
|