| 1 | +* Mon Oct 02 2023 Chris PeBenito < [email protected]> - 2.20231002 |
| 2 | +Chris PeBenito (122): |
| 3 | + tests.yml: Pin ubuntu 20.04. |
| 4 | + tests.yml: Pin ubuntu 20.04. |
| 5 | + fstools: Move lines. |
| 6 | + munin: Move munin_rw_tcp_sockets() implementation. |
| 7 | + munin: Whitespace change. |
| 8 | + systemd: Tmpfilesd can correct seusers on files. |
| 9 | + iscsi: Read initiatorname.iscsi. |
| 10 | + lvm: Add fc entry for /etc/multipath/* |
| 11 | + sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() |
| 12 | + Define user_namespace object class. |
| 13 | + chromium: Allow user namespace creation. |
| 14 | + mozilla: Allow user namespace creation. |
| 15 | + systemd: Allow user namespace creation. |
| 16 | + container: Allow user namespace creation for all container engines. |
| 17 | + Update eg25manager.te |
| 18 | + switcheroo: Whitespace fix. |
| 19 | + unconfined: Keys are linkable by systemd. |
| 20 | + postgresql: Move lines |
| 21 | + Add append to rw and manage lnk_file permission sets for consistency. |
| 22 | + |
| 23 | +Christian Schneider (1): |
| 24 | + systemd-generator: systemd_generator_t load kernel modules used for e.g. |
| 25 | + zram-generator |
| 26 | + |
| 27 | +Corentin LABBE (20): |
| 28 | + udev: permit to read hwdb |
| 29 | + fstools: handle gentoo place for drivedb.h |
| 30 | + mount: dbus interface must be optional |
| 31 | + mcelog: add missing file context for triggers |
| 32 | + munin: add file context for common functions file |
| 33 | + rsyslog: add label for /var/empty/dev/log |
| 34 | + munin: disk-plugin: transition to fsadm |
| 35 | + munin: add fc for munin-node plugin state |
| 36 | + usermanage: permit groupadd to read kernel sysctl |
| 37 | + portage: Remove old binary location |
| 38 | + portage: add go/hg source control files |
| 39 | + portage: add new location for portage commands |
| 40 | + portage: add missing go/hg context in new distfiles location |
| 41 | + mandb: permit to read inherited cron files |
| 42 | + selinuxutil: do not audit load_policy trying to use portage ptys |
| 43 | + selinuxutil: permit run_init to read kernel sysctl |
| 44 | + portage: add misc mising rules |
| 45 | + smartmon: allow smartd to read fsadm_db_t files |
| 46 | + smartmon: add domain for update-smart-drivedb |
| 47 | + dovecot: add missing permissions |
| 48 | + |
| 49 | +Dave Sugar (21): |
| 50 | + rng-tools updated to 6.15 (on RHEL9) seeing the following denials: |
| 51 | + Allow local login to read /run/motd |
| 52 | + Label pwhistory_helper |
| 53 | + If domain can read system_dbusd_var_lib_t files, also allow symlinks |
| 54 | + systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option. |
| 55 | + To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf |
| 56 | + Allow iceauth write to xsession log |
| 57 | + Allow system_dbusd_t to start/stop all units |
| 58 | + Updates for utempter |
| 59 | + Allow display manager to read hwdata |
| 60 | + Allow search xdm_var_run_t directories along with reading files. |
| 61 | + Solve issue with no keyboard/mouse on X login screen |
| 62 | + separate label for /etc/security/opasswd |
| 63 | + Fix some ssh agent denials |
| 64 | + For systemd-hostnamed service to run |
| 65 | + Allow rsyslog to drop capabilities |
| 66 | + /var/lib/sddm should be xdm_var_lib_t |
| 67 | + resolve lvm_t issues at shutdown with LUKS encrypted devices |
| 68 | + Allow all users to (optionally) send syslog messages |
| 69 | + Resolve some denials with colord |
| 70 | + separate domain for journalctl during init |
| 71 | + |
| 72 | +David Sommerseth (1): |
| 73 | + openvpn: Allow netlink genl |
| 74 | + |
| 75 | +Florian Schmidt (1): |
| 76 | + Add label and interfaces for kernel PSI files |
| 77 | + |
| 78 | +George Zenner (1): |
| 79 | + Signed-off-by: George Zenner < [email protected]> |
| 80 | + |
| 81 | +Grzegorz Filo (3): |
| 82 | + Shell functions used during boot by initrc_t shall be bin_t and defined in |
| 83 | + corecommands.fc |
| 84 | + Dir transition goes with dir create perms. |
| 85 | + Keep context of blkid file/dir when created by zpool. |
| 86 | + |
| 87 | +Guido Trentalancia (47): |
| 88 | + The pulseaudio daemon and client do not normally need to use the network |
| 89 | + for most computer systems that need to play and record audio. |
| 90 | + The kernel domain should be able to mounton runtime directories during |
| 91 | + switch_root, otherwise parts of the boot process might fail on some |
| 92 | + systems (for example, the udev daemon). |
| 93 | + The kernel domain should be able to mounton default directories during |
| 94 | + switch_root. |
| 95 | + The pulseaudio module should be able to read alsa library directories. |
| 96 | + Fix the pulseaudio module file transition for named sockets in tmp |
| 97 | + directories. |
| 98 | + Fix the dbus module so that automatic file type transitions are used not |
| 99 | + only for files and directories, but also for named sockets. |
| 100 | + Fix the dbus module so that temporary session named sockets can be read |
| 101 | + and written in the role template and by system and session bus clients. |
| 102 | + Update the dbus role template so that permissions to get the attributes of |
| 103 | + the proc filesystem are included. |
| 104 | + Let pulseaudio search debugfs directories, as currently done with other |
| 105 | + modules. |
| 106 | + Separate the tunable permissions to write xserver tmpfs files from the |
| 107 | + tunable permissions to write X server shared memory. |
| 108 | + Fix a security bug in the xserver module (interfaces) which was wrongly |
| 109 | + allowing an interface to bypass existing tunable policy logic related |
| 110 | + to X shared memory and xserver tmpfs files write permissions. |
| 111 | + Add missing permissions to execute binary files for the evolution_alarm_t |
| 112 | + domain. |
| 113 | + Add the permissions to manage the fonts cache (fontconfig) to the window |
| 114 | + manager role template. |
| 115 | + Add permissions to watch libraries directories to the userdomain login |
| 116 | + user template interface. |
| 117 | + Update the xscreensaver module in order to work with the latest version |
| 118 | + (tested with version 6.06). |
| 119 | + Include the X server tmpfs rw permissions in the X shared memory write |
| 120 | + access tunable policy under request from Christoper PeBenito. |
| 121 | + Revert the following commit (ability to read /usr files), as it is no |
| 122 | + longer needed, after the database file got its own label: |
| 123 | + Update the kernel module to remove misplaced or at least really obsolete |
| 124 | + permissions during kernel module loading. |
| 125 | + Introduce a new "logging_syslog_can_network" boolean and make the |
| 126 | + net_admin capability as well as all corenetwork permissions previously |
| 127 | + granted to the syslog daemon conditional upon such boolean being true. |
| 128 | + Let the openoffice domain manage fonts cache (fontconfig). |
| 129 | + Update the openoffice module so that it can create Unix stream sockets |
| 130 | + with its own label and use them both as a client and a server. |
| 131 | + Let mplayer to act as a dbus session bus client (needed by the vlc media |
| 132 | + player). |
| 133 | + Add permissions to read device sysctls to mplayer. |
| 134 | + Remove misplaced permission from mount interface mount_exec. |
| 135 | + Remove a vulnerability introduced by a logging interface which allows to |
| 136 | + execute log files. |
| 137 | + Improved wording for the new xserver tunable policy booleans introduced |
| 138 | + with the previous three commits. |
| 139 | + Fix another security bug companion of the one fixed in the following |
| 140 | + previous commit: |
| 141 | + Fix another security bug similar to the ones that have been recently fixed |
| 142 | + in the following two commits: |
| 143 | + Remove duplicate permissions in the xserver module |
| 144 | + xserver_restricted_role() interface. |
| 145 | + Dbus creates Unix domain sockets (in addition to listening on and |
| 146 | + connecting to them), so its policy module is modified accordingly. |
| 147 | + Remove a logging interface from the userdomain module since it has now |
| 148 | + been moved to the xscreensaver domain. |
| 149 | + Create a new specific file label for the random seed file saved before |
| 150 | + shutting down or rebooting the system and rework the interface needed |
| 151 | + to manage such file. |
| 152 | + Fix the shutdown policy in order to make use of the newly created file |
| 153 | + label and interface needed to manage the random seed file. |
| 154 | + Update the gpg module so that the application is able to fetch new keys |
| 155 | + from the network. |
| 156 | + Dbus creates Unix domain sockets not only for the system bus, but also for |
| 157 | + the session bus (in addition to connecting to them), so its policy |
| 158 | + module is modified accordingly. |
| 159 | + Update the gnome module so that the gconf daemon is able to create Unix |
| 160 | + domain sockets and accept or listen connections on them. |
| 161 | + Fix the recently introduced "logging_syslog_can_network" tunable policy, |
| 162 | + by including TCP/IP socket creation permissions. |
| 163 | + Introduce a new interface in the mta module to manage the mail transport |
| 164 | + agent configuration directories and files. |
| 165 | + Add new gpg interfaces for gpg_agent execution and to avoid auditing |
| 166 | + search operations on files and directories that are not strictly needed |
| 167 | + and might pose a security risk. |
| 168 | + Extend the scope of the "spamassassin_can_network" tunable policy boolean |
| 169 | + to all network access (except the relative dontaudit rules). |
| 170 | + Update the spamassassin module in order to better support the rules |
| 171 | + updating script; this achieved by employing two distinct domains for |
| 172 | + increased security and network isolation: a first domain is used for |
| 173 | + fetching the updated rules from the network and second domain is used |
| 174 | + for verifying the GPG signatures of the received rules. |
| 175 | + Under request from Christopher PeBenito, merge the two spamassassin rules |
| 176 | + updating SELinux domains introduced in the previous change in order to |
| 177 | + reduce the non-swappable kernel memory used by the policy. |
| 178 | + Introduce a new "dbus_can_network" boolean which controls whether or not |
| 179 | + the dbus daemon can act as a server over TCP/IP networks and defaults |
| 180 | + to false, as this is generally insecure, except when using the local |
| 181 | + loopback interface. |
| 182 | + Introduce two new booleans for the X server and X display manager domains |
| 183 | + which control whether or not the respective domains allow the TCP/IP |
| 184 | + server networking functionality. |
| 185 | + The X display manager uses an authentication mechanism based on an |
| 186 | + authorization file which is critical for X security. |
| 187 | + Merge branch 'main' into x_fixes_pr2 |
| 188 | + Let openoffice perform temporary file transitions and manage link files. |
| 189 | + |
| 190 | +Kenton Groombridge (68): |
| 191 | + corenet: add portcon for kubernetes |
| 192 | + kubernetes: initial policy module |
| 193 | + sysadm: allow running kubernetes |
| 194 | + crio: new policy module |
| 195 | + crio, kubernetes: allow k8s admins to run CRI-O |
| 196 | + container: add type for container plugins |
| 197 | + various: fixes for kubernetes |
| 198 | + kubernetes: add policy for kubectl |
| 199 | + various: fixes for kubernetes |
| 200 | + container, kernel: add tunable to allow spc to create NFS servers |
| 201 | + container: add tunable to allow containers to use huge pages |
| 202 | + container, kubernetes: add private type for generic container devices |
| 203 | + container: add tunable to use dri devices |
| 204 | + container, kubernetes: add rules for device plugins running as spc |
| 205 | + various: allow using glusterfs as backing storage for k8s |
| 206 | + container, miscfiles: transition to s0 for public content created by |
| 207 | + containers |
| 208 | + container: add tunable to allow spc to use tun-tap devices |
| 209 | + container: correct admin_pattern() usage |
| 210 | + systemd: add policy for systemd-pcrphase |
| 211 | + hddtemp: add missing rules for interactive usage |
| 212 | + netutils: minor fixes for nmap and traceroute |
| 213 | + container: add rules required for metallb BGP speakers |
| 214 | + filesystem, init: allow systemd to setattr on ramfs dirs |
| 215 | + logging: allow domains sending syslog messages to connect to kernel unix |
| 216 | + stream sockets |
| 217 | + init, sysadm: allow sysadm to manage systemd runtime units |
| 218 | + podman: allow podman to stop systemd transient units |
| 219 | + userdom: allow admin users to use tcpdiag netlink sockets |
| 220 | + container: allow container admins the sysadm capability in user namespaces |
| 221 | + postfix: allow postfix master to map data files |
| 222 | + sasl: add filecon for /etc/sasl2 keytab |
| 223 | + obj_perm_sets: add mmap_manage_file_perms |
| 224 | + various: use mmap_manage_file_perms |
| 225 | + postfix, sasl: allow postfix smtp daemon to read SASL keytab |
| 226 | + various: fixes for libvirtd and systemd-machined |
| 227 | + portage: label eix cache as portage_cache_t |
| 228 | + container: add missing filetrans and filecon for containerd/docker |
| 229 | + container, init, systemd: add policy for quadlet |
| 230 | + container: fixes for podman 4.4.0 |
| 231 | + container: fixes for podman run --log-driver=passthrough |
| 232 | + node_exporter: various fixes |
| 233 | + redis: add missing rules for runtime filetrans |
| 234 | + podman, selinux: move lines, add missing rules for --network=host |
| 235 | + netutils: fixes for iftop |
| 236 | + kernel, zfs: add filetrans for kernel creating zpool cache file |
| 237 | + zfs: allow sending signals to itself |
| 238 | + zfs: add runtime filetrans for dirs |
| 239 | + init: make init_runtime_t useable for systemd units |
| 240 | + various: make /etc/machine-id etc_runtime_t |
| 241 | + init, systemd: allow init to create userdb runtime symlinks |
| 242 | + init: allow initrc_t to getcap |
| 243 | + systemd: allow systemd-userdbd to getcap |
| 244 | + logging: allow systemd-journald to list cgroups |
| 245 | + fs, udev: allow systemd-udevd various cgroup perms |
| 246 | + logging, systemd: allow relabelfrom,relabelto on systemd journal files by |
| 247 | + systemd-journald |
| 248 | + files, systemd: allow systemd-tmpfiles to relabel config file symlinks |
| 249 | + systemd: add rules for systemd-zram-generator |
| 250 | + systemd: allow systemd-pcrphase to read generic certs |
| 251 | + fs, init: allow systemd-init to set the attributes of efivarfs files |
| 252 | + init: allow systemd-init to set the attributes of unallocated terminals |
| 253 | + systemd: allow systemd-resolved to bind to UDP port 5353 |
| 254 | + init: allow initrc_t to create netlink_kobject_uevent_sockets |
| 255 | + raid: allow mdadm to read udev runtime files |
| 256 | + raid: allow mdadm to create generic links in /dev/md |
| 257 | + fstools: allow fsadm to read utab |
| 258 | + glusterfs: allow glusterd to bind to all TCP unreserved ports |
| 259 | + kubernetes: allow kubelet to read etc runtime files |
| 260 | + chromium: allow chromium-naclhelper to create user namespaces |
| 261 | + container: rework capabilities |
| 262 | + |
| 263 | +Luca Boccassi (4): |
| 264 | + Set label systemd-oomd |
| 265 | + Add separate label for cgroup's memory.pressure files |
| 266 | + systemd: also allow to mounton memory.pressure |
| 267 | + systemd: allow daemons to access memory.pressure |
| 268 | + |
| 269 | +Mathieu Tortuyaux (1): |
| 270 | + container: fix cilium denial |
| 271 | + |
| 272 | +Oleksii Miroshko (1): |
| 273 | + Fix templates parsing in gentemplates.sh |
| 274 | + |
| 275 | +Pat Riehecky (1): |
| 276 | + container: set default context for local-path-provisioner |
| 277 | + |
| 278 | +Renato Caldas (1): |
| 279 | + kubernetes: allow kubelet to read /proc/sys/vm files. |
| 280 | + |
| 281 | +Russell Coker (23): |
| 282 | + This patch removes deprecated interfaces that were deprecated in the |
| 283 | + 20210203 release. I think that 2 years of support for a deprecated |
| 284 | + interface is enough and by the time we have the next release out it |
| 285 | + will probably be more than 2 years since 20210203. |
| 286 | + This patch removes deprecated interfaces that were deprecated in the |
| 287 | + 20210203 release. I think that 2 years of support for a deprecated |
| 288 | + interface is enough and by the time we have the next release out it |
| 289 | + will probably be more than 2 years since 20210203. |
| 290 | + eg25-manager (Debian package eg25-manager) is a daemon aimed at |
| 291 | + configuring and monitoring the Quectel EG25 modem on a running system. |
| 292 | + It is used on the PinePhone (Pro) and performs the following functions: |
| 293 | + * power on/off * startup configuration using AT commands * AGPS |
| 294 | + data upload * status monitoring (and restart if it becomes |
| 295 | + unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager |
| 296 | + iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus |
| 297 | + proxy Industrial I/O subsystem is intended to provide support for |
| 298 | + devices that in some sense are analog to digital or digital to analog |
| 299 | + convertors . Devices that fall into this category are: * ADCs * |
| 300 | + Accelerometers * Gyros * IMUs * Capacitance to Digital Converters |
| 301 | + (CDCs) * Pressure Sensors * Color, Light and Proximity Sensors * |
| 302 | + Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital |
| 303 | + Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain |
| 304 | + Amplifiers (VGA, PGA) |
| 305 | + Fixed dependency on unconfined_t |
| 306 | + Comment sysfs better |
| 307 | + Daemon to control authentication for Thunderbolt. |
| 308 | + Daemon to monitor memory pressure and notify applications and change … |
| 309 | + (#670) |
| 310 | + switcheroo is a daemon to manage discrete vs integrated GPU use for apps |
| 311 | + policy for power profiles daemon, used to change power settings |
| 312 | + some misc userdomain fixes |
| 313 | + debian motd.d directory (#689) |
| 314 | + policy for the Reliability Availability servicability daemon (#690) |
| 315 | + policy patches for anti-spam daemons (#698) |
| 316 | + Added tmpfs file type for postgresql Small mysql stuff including |
| 317 | + anon_inode |
| 318 | + small ntp and dns changes (#703) |
| 319 | + small network patches (#707) |
| 320 | + small storage changes (#706) |
| 321 | + allow jabbers to create sock file and allow matrixd to read sysfs (#705) |
| 322 | + small systemd patches (#708) |
| 323 | + misc small patches for cron policy (#701) |
| 324 | + mon.te patches as well as some fstools patches related to it (#697) |
| 325 | + misc small email changes (#704) |
| 326 | + |
| 327 | +Yi Zhao (8): |
| 328 | + systemd: add capability sys_resource to systemd_userdbd_t |
| 329 | + systemd: allow systemd-sysctl to search directories on ramfs |
| 330 | + systemd: allow systemd-resolved to search directories on tmpfs and ramfs |
| 331 | + mount: allow mount_t to get attributes for all directories |
| 332 | + loadkeys: do not audit attempts to get attributes for all directories |
| 333 | + systemd: allow systemd-networkd to create file in /run/systemd directory |
| 334 | + systemd: allow journalctl to create /var/lib/systemd/catalog |
| 335 | + bind: fix for named service |
| 336 | + |
| 337 | +freedom1b2830 (1): |
| 338 | + mplayer:vlc paths |
| 339 | + |
1 | 340 | * Tue Nov 01 2022 Chris PeBenito < [email protected]> - 2.20221101 |
2 | 341 | Chris PeBenito (46): |
3 | 342 | systemd: Drop systemd_detect_virt_t. |