-
Notifications
You must be signed in to change notification settings - Fork 5
/
Changelog
3103 lines (2892 loc) · 139 KB
/
Changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
* Fri May 20 2022 Chris PeBenito <[email protected]> - 2.20220520
Björn Esser (1):
authlogin: add fcontext for tcb
Chris PeBenito (118):
0xC0ncord/bugfix/systemd-user-exec-apps-hookup
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
systemd: Unit generator fixes.
systemd: Revise tmpfiles factory to allow writing all configs.
systemd: User runtime reads user cgroup files.
logging: Add audit_control for journald.
udev: Manage EFI variables.
ntp: Handle symlink to drift directory.
logging: Allow auditd to stat() dispatcher executables.
Drop module versioning.
tests.yml: Disable policy_module() selint checks.
systemd: Change journal file context to MLS system high.
Revert "users: remove MCS categories from default users"
systemd: Add systemd-homed and systemd-userdbd.
systemd, ssh: Crypto sysctl use.
systemd: Additional fixes for fs getattrs.
systemd: Updates for generators and kmod-static-nodes.service.
domain: Allow lockdown for all domains.
postfix, spamassassin: Fix missed type renames after alias removals.
cron, dbus, policykit, postfix: Minor style fixes.
Make hide_broken_symptoms unconditional.
puppet: Style fixes.
matrixd: Cleanups.
matrixd: SELint fixes.
mailmain: Fix check_fc_files issue.
mailmain: Fix SELint issues.
postfix: Move lines.
apache: Remove unnecessary require in apache_exec().
seusers: Remove sddm.
Add a vulnerability handling process.
Christian Goettsche (1):
check_fc_files: allow optional @ character
Christian Göttsche (11):
filesystem: add fs_use_trans for ramfs
Ignore umask on when installing headers
Revert "tests.yml: Disable policy_module() selint checks."
build.conf: bump policy version in comment
flask: add new kernel security classes
policy_capabilities: add ioctl_skip_cloexec
policy.dtd: more strict bool/tunable and infoflow validation
Makefile: invoke python with -bb
Rules.monolithic: add target to generate CIL policy
Makefile: use override for adding options
Rules.modular: add pure-load target
Dave Sugar (4):
Allow iscsid to request kernel module load
Allow iscsid to check fips_enabled
sshd: allow to run /usr/bin/fipscheck (to check fips state)
systemd: resolve error with systemd-sysctl
Fabrice Fontaine (2):
policy/modules/services/samba.te: make crack optional
policy/modules/services/wireguard.te: make iptables optional
Gao Xiang (1):
Add erofs as a SELinux capable file system
Henrik Grindal Bakken (1):
snmp: Fix typo in /var/net-snmp rule
Jonathan Davies (12):
chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access
net_admin capability, this is required for its `hwtimestamp` option,
which otherwise returns:
virt.te: Fixed typo in virtlogd_t virt_common_runtime_t
manage_files_pattern.
obfs4proxy: Added policy.
tor: Added interfaces and types for obfs4proxy support.
corenetwork.te.in: Added ntske port.
chronyd.te: Added support for bind/connect/recv/send NTS packets.
chronyd: Allow access to read certs.
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
policy/*: Replaced rw_netlink_socket_perms with
create_netlink_socket_perms.
node_exporter: Added initial policy.
systemd.te: Added boolean for allowing dhcpd server packets.
systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in
systemd_stream_connect_userdb().
Kenton Groombridge (174):
userdomain: add user exec domain attribute and interface
systemd: assign user exec attribute to systemd --user instances
systemd: add interface to support monitoring and output capturing of child
processes
wm: add user exec domain attribute to wm domains
ssh: add interface to execute and transition to ssh client
userdomain: add interface to allow mapping all user home content
git, roles: add policy for git client
apache, roles: use user exec domain attribute
screen, roles: use user exec domain attribute
git, roles: use user exec domain attribute
postgresql, roles: use user exec domain attribute
ssh, roles: use user exec domain attribute
sudo, roles: use user exec domain attribute
syncthing, roles: use user exec domain attribute
xscreensaver, roles: use user exec domain attribute
xserver, roles, various: use user exec domain attribute
authlogin, roles: use user exec domain attribute
bluetooth, roles: use user exec domain attribute
cdrecord, roles: use user exec domain attribute
chromium, roles: use user exec domain attribute
cron, roles: use user exec domain attribute
dirmngr, roles: use user exec domain attribute
evolution, roles: use user exec domain attribute
games, roles: use user exec domain attribute
gnome, roles: use user exec domain attribute
gpg, roles: use user exec domain attribute
irc, roles: use user exec domain attribute
java, roles: use user exec domain attribute
libmtp, roles: use user exec domain attribute
lpd, roles: use user exec domain attribute
mozilla, roles: use user exec domain attribute
mplayer, roles: use user exec domain attribute
mta, roles: use user exec domain attribute
openoffice, roles: use user exec domain attribute
pulseaudio, roles: use user exec domain attribute
pyzor, roles: use user exec domain attribute
razor, roles: use user exec domain attribute
rssh, roles: use user exec domain attribute
spamassassin, roles: use user exec domain attribute
su, roles: use user exec domain attribute
telepathy, roles: use user exec domain attribute
thunderbird, roles: use user exec domain attribute
tvtime, roles: use user exec domain attribute
uml, roles: use user exec domain attribute
userhelper, roles: use user exec domain attribute
vmware, roles: use user exec domain attribute
wireshark, roles: use user exec domain attribute
wm, roles: use user exec domain attribute
hadoop, roles: use user exec domain attribute
shutdown, roles: use user exec domain attribute
cryfs, roles: use user exec domain attribute
wine: use user exec domain attribute
mono: use user exec domain attribute
sudo: add tunable to control user exec domain access
su: add tunable to control user exec domain access
shutdown: add tunable to control user exec domain access
mpd, pulseaudio: split domtrans and client access
mcs: deprecate mcs overrides
mcs: restrict create, relabelto on mcs files
fs: add pseudofs attribute and interfaces
devices: make usbfs pseudofs instead of noxattrfs
git: fix typo in git hook exec access
dovecot, spamassassin: allow dovecot to execute spamc
mta, spamassassin: fixes for rspamd
certbot, various: allow various services to read certbot certs
usbguard, sysadm: misc fixes
ssh: fix for polyinstantiation
sysadm, systemd: fixes for systemd-networkd
asterisk: allow reading generic certs
bind: fixes for unbound
netutils: fix ping
policykit, systemd: allow policykit to watch systemd logins and sessions
spamassassin: fix file contexts for rspamd symlinks
mcs: add additional constraints to databases
mcs: constrain misc IPC objects
mcs: combine single-level object creation constraints
various: deprecate mcs override interfaces
corenet: make netlabel_peer_t mcs constrained
mcs: constrain context contain access
mcs: only constrain mcs_constrained_type for db accesses
guest, xguest: remove apache role access
wine: fix roleattribute statement
testing: accept '@' as a valid ending character in filecon checker
users: remove MCS categories from default users
various: remove various mcs ranged transitions
kernel: add various supporting interfaces for containers
kernel, rpc, systemd: deprecate kernel_mounton_proc
devices, kernel: deprecate dev_mounton_sysfs
devices: add interfaces to remount sysfs and device filesystems
init: add interface to run init bpf programs
systemd: add interface to dbus chat with systemd-machined
userdom: add interfaces to relabel generic user home content
init: add interface to setsched on init
init: allow systemd to renice all other domains
sysnetwork: add interfaces for /run/netns
container, virt: move svirt lxc domains to new container module
container: svirt_lxc_net_t is now container_t
container: fixup rules
container: add interface to identify container mountpoints
various: make various types a mountpoint for containers
container: add base attributes for containers and container engines
container: initial support for container engines
container, gpg, userdom: allow container engines to execute gpg
container: allow containers to use container ptys
container, mount: allow mount to getattr on container fs
various: various userns capability permissions
container: allow containers the chroot capability
container: allow containers various userns capabilities
container: allow containers to watch all container files
container, podman: initial support for podman
filesystem: add supporting FUSEFS interfaces
dbus: add supporting interfaces and rules for rootless podman
systemd: add private type for systemd user manager units
container: add role access templates
container, podman, systemd: initial support for rootless podman
container: add required admin rules
sysadm: allow container admin access
container: call podman access in container access
staff, unconfined: allow container user access
container: add policy for privileged containers
container: allow containers to read read-only container files
container: add tunable for containers to manage cgroups
container: add tunables for containers to use nfs and cifs
container: add tunable to allow engines to mounton non security
container, iptables: dontaudit iptables rw on /ptmx
xdg: add interface to search xdg data directories
container, podman: add policy for conmon
kernel: add filetrans interface for unlabeled dirs
container, docker: add initial support for docker
container: call docker access in container access
userdomain: add type for user bin files
systemd: allow systemd user managers to execute user bin files
systemd: use stream socket perms in systemd_user_app_status
systemd: add supporting interfaces for user daemons
rootlesskit: new policy module
container, docker, rootlesskit: add support for rootless docker
docker: call rootlesskit access in docker access
container: drop old commented rules
lxc_contexts: add ro_file and sandbox_lxc_process contexts
container: allow containers to getsession
docker: make rootlesskit optional
docker: add missing call to init_daemon_domain()
podman: add explicit range transition for conmon
init: split access for systemd runtime units
dbus: fixes for dbus-broker
dbus, policykit: add tunables for dbus-broker access
docker, podman: container units now have the runtime unit type
init: allow systemd to nnp_transition and nosuid_transition to daemon
domains
files, init: allow init to remount filesystems mounted on /boot
sudo: fixes for polyinstantiation
locallogin: fix for polyinstantiation
authlogin: dontaudit getcap chkpwd
systemd: various fixes
systemd: add support for systemd-resolved stubs
getty, locallogin: cgroup fixes
unconfined: fixes for bluetooth dbus chat and systemd
udev: allow udev to start the systemd system object
networkmanager: allow getting systemd system status
container, podman: allow podman to create and write config files
podman: allow system podman to interact with container transient units
podman: fix role associations
container, podman: allow containers to interact with conmon
podman: add rules for systemd container units
container, init: allow init to remount container filesystems
container: allow generic containers to read the vm_overcommit sysctl
container: add tunables to allow containers to access public content
container: add missing capabilities
container: also allow containers to watch public content
podman: allow podman to watch journal dirs
sysadm: allow sysadm to watch journal directories
git: add missing file contexts
udica-templates: initial commit of udica templates
makefile: add install target for udica templates
github: test install of udica templates
Laurent Bigonville (2):
docker: On debian dockerd and docker-proxy are in /usr/sbin
container: On Debian, runc is installed in /usr/sbin
Pedro (1):
File context for nginx cache files
Russell Coker (8):
remove aliases from 20210203
dontaudit net_admin without hide_broken_symptoms
puppet V3
matrixd-synapse policy V3
mailman3 V3
certbot V3
init dbus patch for GetDynamicUsers with systemd_use_nss() V2
new sddm V2
Vit Mojzis (1):
Improve error message on duplicate definition of interface
Yi Zhao (24):
rpc: remove obsolete comment line
secadm: allow secadm to read selinux policy
rpcbind: allow sysadm to run rpcinfo
samba: allow smbd_t to send and receive messages from avahi over dbus
rpc: add dac_read_search capability for rpcd_t
bluetooth: fixes for bluetoothd
avahi: allow avahi_t to watch /etc/avahi directory
udev: allow udev_t to watch udev_rules_t dir
rpc: allow rpc.mountd to list/watch NFS server directory
usermanage: do not audit attempts to getattr of proc for passwd_t and
useradd_t
selinuxutil: allow setfiles_t to read kernel sysctl
rngd: fixes for rngd
dbus: allow dbus-daemon to map SELinux status page
bind: fixes for bind
passwd: allow passwd to map SELinux status page
ipsec: fixes for strongswan
samba: fixes for smbd/nmbd
ntp: allow ntpd to set rlimit_memlock
ssh: do not audit attempts by ssh-keygen to read proc
acpid: allow acpid to watch the directories in /dev
bluetooth: allow bluetoothd to create alg_socket
systemd: allow systemd-hostnamed to read udev runtime files
su: allow su to map SELinux status page
modutils: allow kmod_t to write keys
* Wed Sep 08 2021 Chris PeBenito <[email protected]> - 2.20210908
Andreas Freimuth (2):
Prefer user_fonts_config_t over xdg_config_t
Set user_fonts_config_t for conf.d
Chris PeBenito (76):
rpc: Move lines.
selinux: Add a secure_mode_setbool Boolean.
Remove additional unused modules
Rules.modular/Rules.monolithic: Fix intdented labeling statement moves.
selinux: Change generic Boolean type to boolean_t.
selinux: Set regular file for labeled Booleans genfscons.
selinux: Add dontaudits when secure mode Booleans are enabled.
kernel: Add dontaudits when secure_mode_insmod is enabled.
authlogin: Add tunable for allowing shadow access on non-PAM systems.
authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
Create stale.yml
stale.yml: Fix labels with spaces.
authlogin: Deprecate auth_domtrans_chk_passwd().
init: Add support for systemd StandardInputText.
.gitignore: Ignore vscode data dir.
.gitignore: Remove duplicate lines.
Revert "systemd.if minor fix"
systemd: Drop second parameter in systemd_tmpfilesd_managed().
staff, sysadm, unprivuser: Move lines.
xserver: Move fc lines.
radvd: Whitespace fix.
virt: Move lines.
Bump module versions for release.
Christian Göttsche (1):
Use correct interface or template declaration
Dave Sugar (2):
systemd.if minor fix
Resolve when building monolithic on RHEL7
Fabrice Fontaine (5):
policy/modules/services/minidlna.te: make xdg optional
policy/modules/services/ftp.te: make ssh optional
policy/modules/services/cvs.te: make inetd optional
policy/modules/services/ifplugd.te: make netutils optional
policy/modules/apps/wireshark.te: make xdg optional
Jonathan Davies (13):
staff.te: Allow staff access to the virt stream, needed for when the
sockets are access remotely over SSH.
logging.if: Added interfaces for watching all and audit logs.
roles: Added log watching permissions to secadm and sysadm.
irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to
connect to a SOCKS proxy.
screen.if: Added interface to allow executing sock file.
irc.te: Allowed client access to screen runtime sock file.
dmesg.te: Added files_read_etc_files() as some distros store terminfo
files in /etc/.
devices.fc: Added missing Xen character files.
sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace
tooling works.
sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()
radvd.te: Added corenet_sendrecv_icmp_packets().
dhcp.te: Added corenet_sendrecv_icmp_packets().
virt: Defined a virt_common_runtime_t type for the new common/system.token
file and added permissions to virtd_t and virtlogd_t.
Kenton Groombridge (36):
dovecot, postfix: add missing accesses
various: systemd user fixes and additional support
systemd, fail2ban: allow fail2ban to watch journal
fail2ban: allow reading vm overcommit sysctl
usbguard: various fixes
redis: allow reading certs
rngd: allow reading sysfs
getty: various fixes
modutils: allow kmod to read src_t symlinks
devices, userdomain: dontaudit userdomain setattr on null device nodes
spamassassin: allow rspamd to read network sysctls
redis: allow reading net and vm overcommit sysctls
devices, userdomain: dontaudit userdomain setattr on null device nodes
files, init, systemd: various fixes
ssh: allow ssh_keygen_t to read localization
devicekit: allow devicekit_disk_t to setsched
udev: various fixes
init: modify interface to allow reading all pipes
iptables: allow reading initrc pipes
wireguard: allow running iptables
bootloader, filesystem: various fixes for grub
mount: allow getattr on dos filesystems
init, mount: allow systemd to watch utab
init, systemd: allow logind to watch utmp
logging: allow auditd to use nsswitch
logging: allow auditd to getattr on audisp-remote binary
systemd: allow systemd-resolved to manage its own sock files
systemd: add policy for systemd-sysctl
init, udev: various fixes for systemd
udev: allow systemd-vconsole-setup to sys_tty_config
various: several dontaudits
sysadm, systemd: various fixes
authlogin: add new type for pwd.lock and others
init: allow systemd to rw shadow lock files
filesystem, init: allow systemd to create pstore dirs
bootloader, devices: dontaudit grub writing on legacy efi variables
Krzysztof Nowicki (15):
Fix interface naming convention (plural predicates)
Allow systemd to relabel startup-important directories
Allow execution of shell-scripted systemd generators
Also grant directory permissions in sysnet_manage_config
Allow use of systemd UNIX sockets created at initrd execution
Fix systemd-journal-flush service
Allow systemd-tmpfilesd populating of /var/lib/dbus
When using systemd_tmpfilesd_managed also grant directory permissions
Enable factory directory support in systemd-tmpfilesd
Allow systemd-tmpfilesd to relabel generic files inside /etc
Allow systemd-tmpfilesd to set attributes of /var/lock
Mark lvm_lock_t as systemd_tmpfilesd-managed
Allow systemd-tmpfilesd handle faillog directory
Fix setting-up sandbox environment for systemd-networkd
Allow systemd-tmpfilesd to access nsswitch information
Markus Linnala (13):
policy: init: there is no enabled_mls, it is enable_mls
policy: files: files_spool_filetrans: doc: change param from file to
file_type
policy devices: dev_filetrans: doc: change param from file to file_type
policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of
role_prefix
policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param
documentation
policy gpg: doc: add documents for all *filterans parameters
policy seunshare: seunshare_role: parameters usage partially mixed
policy kismet: kismer_role: parameter order mixed in kismet_run
policy: interfaces: doc: indent param blocks consistently
policy avahi: avahi_filetrans_pid: doc: add missing params
policy: xserver: xserver_dbus_chat: fix require
policy:ssh: ssh_server_template: fix require
policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service:
fix require
Russell Coker (1):
blkmapd
Xiongwei Song (1):
Add ubifs to filesystem policy
Yi Zhao (1):
roles: move dbus_role_template to userdom_common_user_template
* Wed Feb 03 2021 Chris PeBenito <[email protected]> - 2.20210203
(GalaxyMaster) (1):
added policy for systemd-socket-proxyd
0xC0ncord (1):
userdomain, xserver: move xdg rules to userdom_xdg_user_template
Anthony PERARD (1):
xen: Allow xenstored to map /proc/xen/xsd_kva
Antoine Tenart (15):
udev: allow udevadm to retrieve xattrs
locallogin: allow login to get attributes of procfs
logging: allow systemd-journal to write messages to the audit socket
sysnetwork: allow to read network configuration files
dbus: add two interfaces to allow reading from directories and named
sockets
dbus: allow clients to list runtime dirs and named sockets
systemd: add extra systemd_generator_t rules
systemd: allow systemd-hwdb to search init runtime directories
systemd: allow systemd-network to get attributes of fs
systemd: allow systemd-resolve to read in tmpfs
corecommands: add entry for Busybox shell
systemd: allow systemd-getty-generator to read and write unallocated ttys
systemd: allow systemd-network to list the runtime directory
ntp: allow systemd-timesyn to watch dbus objects
ntp: allow systemd-timesyn to setfscreate
Chris PeBenito (117):
Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into
jpds-acpid_shutdown
.travis.yml: Point selint at only the policy dir.
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module
version bump.
systemd: Move systemd-pstore block up in alphabetical order.
Switch to GitHub actions for CI actions.
systemd: Whitespace changes.
systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to
systemd_stream_connect_socket_proxyd().
Drop criteria on github actions.
userdomain: Fix error in calling userdom_xdg_user_template().
systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
Makefile: Add -E to setfiles labeling targets.
udev: Drop udev_tbl_t.
udev: Systemd 246 merged udev and udevadm executables.
devicekit: Udisks uses udevadm, it does not exec udev.
Remove modules for programs that are deprecated or no longer supported.
chromium: Whitespace changes.
chromium: Move naclhelper lines.
certbot: Whitespace changes.
certbot: Drop aliases since they have never had the old names in
refpolicy.
certbot: Reorder fc lines.
miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
userdomain: Move lines.
certbot: Fix lint issues.
memlockd: Move lines.
memlockd: Whitespace fixes.
memlockd: Fix lint issue.
file_patterns.spt: Add a mmap_manage_files_pattern().
apache, mysql, postgrey, samba, squid: Apply new
mmap_manage_files_pattern().
devicekit, jabber, samba: Move lines.
cron: Make backup call for system_cronjob_t optional.
samba: Fix samba_runtime_t alias use.
samba: Move service interface definitions.
sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba
block.
samba: Add missing userspace class requirements in unit interfaces.
apache: Fix lint error.
apache: Really fix lint error.
aptcacher: Drop broken config interfaces.
samba: Fix lint error.
0xC0ncord/feature/sudodomain_http_connect_boolean
0xC0ncord/bugfix/systemd_system_custom_unit_fc
dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
apt, bootloader: Move lines.
systemd: Move lines.
systemd: Fix lint errors.
systemd: Rename systemd_use_machined_devpts().
Bump module versions for release.
Christian Göttsche (16):
postfixpolicyd: split multi-class rule
init/systemd: allow systemd to map the SELinux status page
selinux: add selinux_use_status_page and deprecate
selinux_map_security_files
genhomedircon: drop backwards compatibility section
genhomedircon: require match for home directory name
genhomedircon: drop unused functions
genhomedircon: generate file contexts for %{USERNAME} and %{USERID}
genhomedircon: misc pylint cleanup
genhomedircon: improve error messages for min uid search
Rules.monolithic: ignore version mismatch
gitignore: ignore monolithic generated files
Preset OUTPUT_POLICY to 32
Rules.monolithic: do not suppress load_policy warning messages
Rules.monolithic: tweak checkpolicy arguments
Rules.monolithic: drop dead variable
Rules.monolithic: add missing phony declarations
Daniel Burgener (4):
Allow init to mount over the system bus
Allow systemd-ask-password to watch files
Use self keyword when an AV rule source type matches destination
Fix typo in comment
Dannick Pomerleau (1):
access_vectors: Add new capabilities to cap2
Dave Sugar (9):
Looks like this got dropped in pull request #294
Allow snmpd to read hwdata
Updates for corosync to work in enforcing
To get pacemaker working in enforcing
pacemaker systemd permissions
Allow pacemaker to map/read/write corosync shared memory files
Allow systemd-modules-load to search kernel keys
pcs_snmpd_agent_t fix denials to allow it to read needed queues
Work with xdg module disabled
David Schadlich (1):
add policy for pcs_snmp_agent
Deepak Rawat (1):
Add selinux-policy for systemd-pstore service
Dominick Grift (1):
bind: add a few fc specs for unbound
Guido Trentalancia (1):
Add LVM module permissions needed to open cryptsetup devices.
Jason Zaman (5):
userdomain: Add watch on home dirs
getty: allow watching file /run/agetty.reload
Add transition on gentoo init_t to openrc
init: upstream fcontexts from gentoo policy
systemd: make remaining dbus_* optional
Jonathan Davies (8):
acpi.te: Allow acpid_t to shutdown the system - this is required to handle
shutdown calls from libvirt. Fixes #298.
acpi.te: Removed unnecessary init_write_initctl().
userdomain.if: Marked usbguard user modify tunable as optional so usbguard
may be excluded.
portage: Added /var/cache/distfiles path.
init: Added fcontext for openrc-init.
init: Added fcontext for openrc-shutdown.
apps/screen.fc: Added fcontext for tmux xdg directory.
apps/screen.te: Allow screen to search xdg directories.
Kenton Groombridge (11):
devices: add interface for IOCTL on input devices
virt: add boolean to allow evdev passthrough
stunnel: add log type and rules
fail2ban: allow reading systemd journal
spamassassin: add rspamd support and tunable
apache: add interface for list dir perms on httpd content
sudo: add tunable for HTTP connections
init: label systemd units in /etc
certbot: add support for acme.sh
lvm: add lvm_tmpfs_t type and rules
Various fixes
Peter Morrow (1):
selinux: add selinux_get_all_booleans() interface
Richard Haines (1):
Ensure correct monolithic binary policy is loaded
Russell Coker (11):
base chrome/chromium patch fixed
latest iteration of certbot policy as patch
yet more strict patches fixed
remove deprecated from 20190201
more Chrome stuff
latest memlockd patch
misc services patches with changes Dominick and Chris wanted
misc network patches with Dominick's changes*2
new version of filetrans patch
misc apps and admin patches
machined
Yi Zhao (1):
sysnet: allow dhcpcd to create socket file
bauen1 (4):
systemd: private type for /run/systemd/userdb
authlogin: connect to userdb
systemd-logind: utilize nsswitch
selint: fix S-010
* Tue Aug 18 2020 Chris PeBenito <[email protected]> - 2.20200818
Alexander Miroshnichenko (2):
openvpn: more versatile file context regex for ipp.txt
openvpn: update file context regex for ipp.txt
Chris PeBenito (153):
Makefile: Warn if policy.xml xmllint check does not run.
networkmanager: Fix interface commenting.
Makefile: Remove shell brace expansion in ctags target.
dbus: Rename tunable to dbus_pass_tuntap_fd.
spamassassin: Move systemd interfaces.
spamassassin: Rename systemd interfaces.
spamassassin: Add missing class requires in systemd interfaces.
spamassassin: Remove unnecessary brackets in type alias.
pulseaudio: Drop call to nonexistant interface.
genhomedircon: Drop Python 2 compatibility code.
systemd: Merge generator domains.
.travis.yml: Add CI tests with no unconfined.
Rename "pid" interfaces to "runtime" interfaces.
Update callers for "pid" to "runtime" interface rename.
Move user definitions to the right place during compilation.
Makefile: Give a value to build options so they can be used in ifelse.
init: Revise init_startstop_service() build option blocks.
kernel: Drop unlabeled_t as a files_mountpoint().
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
files: Restore mounton access to files_mounton_all_mountpoints().
filesystem: Create a filesystem image concept.
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
Bump module versions for release.
Christian Göttsche (29):
Rules: allow the usage of class sets in context_defaults
Correct estimate kernel version for polcap genfs_seclabel_symlinks
Makefile: generate temporary documentation files in separate directory
Ignore temporary documentation file directory in git
Override old all_interfaces.conf.tmp file
samba: fix wrong interface context smbd_runtime_t
chromium: drop dead conditional block
example: use module name matching file name
consolesetup: drop unused requires
unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
portage: drop bizarre conditional TODO blocks
init/systemd: move systemd_manage_all_units to init_manage_all_units
tpm2: small fixes
files/logging: move var_run_t filecontext to defining module
files/miscfiles: move usr_t filecontext to defining module
chromium/libraries: move lib_t filecontext to defining module
apache: use correct content types in apache_manage_all_user_content()
can_exec(): move from misc_macros to misc_patterns
Makefile: remove obsolete .SUFFIXES
Makefile: add target build-interface-db
devices/storage: quote arguments to tunable_policy
apache: quote gen_tunable name argument
Correct some misspellings
Fix several misspellings
whitespace cleanup
travis-ci: add SELint
work on SELint issues
files/modutils: unify modules_object_t usage into files module
travis: resolve Linter tags
Daniel Burgener (10):
Add dnl to end of interface declaration. This reduces the number of blank
lines in intermediate files and matches the way templates are defined.
Allow systemd-coredump to stat mountpoints.
Change incorrect template definitions into interface definitions
Add divert to generated_definitions creation, and fix all_interfaces.conf
divert creation.
Fix mismatches between object class and permission macro.
Switch pipe reading on domtrans to inherited only
Simplify collection of ssh rules to domtrans_pattern macro
Fix a few places where command line applications were only granted one of
tty or pty permissions and could be used from either
Remove the second copy of a permission in instances where the exact same
permission is repeated twice in a row
Remove out of date "hack" from stunnel. The underlying problem needing a
require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Dave Sugar (8):
Add interface to read/write /dev/ipmi
Update labeling in /dev/
Setup generic generator attribute and change generator types.
fix require from 5b78c1c86bedf322fa6a08e5d68e7e8a6b85f026
Setup domain for tpm2_* binaries
Interfaces needed to support IMA/EVM keys
Resolve neverallow failure introduced in #273
Interfaces for tpm2
David Sommerseth (1):
dbus: Add tunable - dbus_can_pass_tuntap_fd
Florian Schmidt (1):
corenetwork: fix winshadow port number
Guido Trentalancia (5):
This patch improves a previous commit by restricting down the permissions
to write the wireless device in order to prevent a possible Denial of
Service (DoS) attack from an unprivileged process bringing down the
wireless interfaces.
mozilla: add watch perms
wm: add watch perms
getty: add watch perms
userdomain: add watch perms
Laurent Bigonville (5):
Add an interface to allow the specified domain to mmap the general network
configuration files
Add policy for apt-cacher-ng
Add policy for acngtool
Label bluetooth daemon as bluetooth_exec_t
Label /usr/libexec/packagekitd as apt_exec_t on debian
McSim85 (1):
add rule for the management socket file fixed comments from @bauen1
Nicolas Iooss (5):
Vagrantfile: remove older installed modules before "make install"
systemd: make systemd --user run generators without transition
systemd: allow sd-executor to manage its memfd files
devices: label /dev/sysdig0
sysnetwork: allow using "ip netns"
Russell Coker (2):
pulseaudio patch
latest ver of trivial mail server patch
Topi Miettinen (13):
Make raw memory access tunable
Add usbguard
Don't allow creating regular files in /dev
Python string fix
gennetfilter: generate nft tables with --nft
gennetfilter: handle port ranges
Allow systemd-networkd to handle ICMP and DHCP packets
gennetfilter: add rules for ICMP/ICMPv6 packets
wm: add KWin
Build and install Netfilter rules
bootloader: add rEFInd and systemd-boot
netutils: allow ping to send and receive ICMP packets
Remove unlabeled packet access
Vilgot (1):
Portage update
Vilgot Fredenberg (1):
Remove old exception
Yi Zhao (2):
Remove duplicated rules
xserver: allow xserver_t to connect to resmgrd
bauen1 (59):
logging: allow syslogd to remove stale socket file
systemd-user-runtime-dir: add required permissions
mozilla: allow firefox to use user namespaces for sandboxing
modutils: allow init to execute kmod with nnp
fix unescaped dot introduced by 47b44a0fc720cecf6df576e274f610514203a5da
allow init_t access to own keyring
allow init_t to link kernel_t key
allow normal users to use 'systemd-run'
ssh: fix for debian wrapper script
bird: fixes for bird 2.0
apache: add nginx to policy
ntpd: fixes for systemd-timesyncd after linux 5.4
define lockdown class and access
dirmngr: allow to probe for tor
dirmngr: also requires access to /dev/urandom
dirmngr: ~/.gnupg/crls.d might not exist
application: applications can be executed from ssh without pty
systemd: allow regular users to run systemd-analyze
quota: allow quota to modify /aquota even if immutable
init: read default context during boot
lvm: create /etc/lvm/archive if it doesn't exist
corecommands: fix atrild label
systemd-fstab-generator needs to know about all mountpoints
semanage: create directories for new policies
dnsmasq: watch for new dns resolvers
init: allow systemd to setup mount namespaces
init: make initrc_t a init_domain to simplify the policy
init: allow systemd to activate journald-audit.socket
setrans: allow label translation for all domains.
files: add files_watch_etc_symlinks interface
init: watch /etc/localtime even if it's a symlink
corecommands: proper label for unattended-upgrades helpers
filesystem: pathcon for matching tracefs mount
lvm-activation-generator also needs to execute lvm
systemd: allow systemd-user-runtime-dir to do its job
init: fix init_manage_pid_symlinks to grant more than just create
permissions
init: replace call to init_domtrans_script
systemd-sysusers: add policy
allow most common permissions for systemd sandboxing options
terminal: cleanup term_create interfaces
logrotate.service sandbox required permissions
udev.service sandbox required permissions
systemd-timesyncd.service sandbox requried permissions
systemd-logind.service sandbox required permissions
init: fix systemd boot
postfix: add filetrans for sendmail and postfix for aliases db operations
systemd: fixed systemd_rfkill_t denial spam
thunderbird: label files under /tmp
init: systemd will run chkpwd to start user@1000
authlogin: unix_chkpwd is linked to libselinux
systemd: maintain /memfd:systemd-state
dpkg: allow dpkg frontends to acquire lock by labeling it correctly
systemd: systemd --user add essential permissions
dpkg: dpkg scripts are part of dpkg and therefor also an application
domain
gpg: don't allow gpg-agent to read /proc/kcore
corecommands: correct label for debian ssh-agent helper script
systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
Remove the ada module, it is unecessary and not touched since ~2008
dpkg: domaintrans to sysusers if necessary
* Sat Feb 29 2020 Chris PeBenito <[email protected]> - 2.20200229
Alexander Miroshnichenko (1):
Add knot module
Chris PeBenito (174):
knot: Whitespace changes.
knot: Move lines.
devices, storage: Add fc entries for mtd char devices and ndctl devices.
devices: Add types for trusted execution environment interfaces.
ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
INSTALL: Fix build requirements.
fishilico/systemd-read-netlink_kobject_uevent_socket
Rename *_var_run_t types to *_runtime_t.
Reorder declarations based on *_runtime_t renaming.
Remove old aliases.
fishilico/filesystem-fs_rw_cgroup_files-follow-symlink
fc_sort.py: Use "==" for comparing integers.
xserver: Remove duplicate colord rule.
xserver: Move XDM dbus chats under main dbus optional.
Move open, audit_access, and execmod to file common.
Add file and filesystem watch access vectors.
Fix file common ordering and kernel version from previous commit.
init: Whitespace change.
unconfined: Add namespaced capabilities.
unconfined: Fix systemd --user rule.
Remove incorrect usages of "is" operator from Python scripts.
logging: Reorder lines.
systemd: Logind removes /run/user/* user temp files.
unconfined: Add watch permission for files.
systemd: Add filesystem watches.
dbus: Add directory watches.
udev: Watch devices.
init: Revise systemd bind mounts.
Add perf_event access vectors.
systemd: Whitespace fix.
logging: Whitespace fix.
Bump module versions for release.
Christian Göttsche (6):
fix Makefile for policy-module directories with same ending
segenxml.py: fix format usage in warning message
travis: force the use of python3.5
travis: run check_fc_files linter with python 3.7
re-implement fc_sort in python
Add genfs_seclabel_symlinks policy capability
Daniel Burgener (4):
Add requires to interfaces that reference types or attributes without
requiring them
Remove uneeded types from interfaces where types were added
Fix situations where require blocks in interfaces listed types not
actually referenced by that interface
Remove unneeded semicolons after interface and macro calls
Dominick Grift (2):
domain: unconfined access to bpf
Remove shell automatic domain transitions to unconfined_t from various pam
login programs
Guido Trentalancia (4):
Update the pulseaudio application module with a few user domain file read
and management permissions.
Allow userdomain to read and write the wireless devices (for example for
querying their state, enabling and/or disabling them using userspace
tools such as "rfkill" from util-linux).
Add an interface to allow watch permission on generic device directories.
Allow pulseaudio to watch generic device directories.
Jason Zaman (16):
udev: Allow udevadm access to udev_tbl_t
xserver: ICEauthority can be in /run/user
devicekit: udisks needs access to /run/mount/utab.lock
dirmngr: accept unix stream socket
chromium: allow dbus chat to inhibit power
virt: Add unix socket for virtlogd/virtlockd
virt: allow lvm_control access
fstools: add zfs-auto-snapshot
udev: Add watch perms
accountsd: Add watch perms
cron: watch cron spool
colord: add watch perms
policykit devicekit: Add watch perms
dbus: add watch perms
chromium: watch etc dirs
gpg: add watch perms for agent
Laurent Bigonville (9):
Makefile: Avoid regenerating the iftemplates at everyrun
Allow systemd_modules_load_t to module_request and map modules_object_t
files
Allow udevadm to read files in /run/udev/data
Allow udevadm_t to use dac_read_search capability
Allow the systemd dbus-daemon to talk to systemd
Allow geoclue to log in syslog
Allow realmd_t to read localization files
Allow alsa_t to create alsa_runtime_t file as well
Allow alsa_t to set scheduling priority and send signal to itself
Luca Boccassi (2):
journald: allow to remove /run/log/journal
logging: add interface to start/stop syslog units
Nicolas Iooss (75):
ulogd: add Debian's log directory
ulogd: allow creating a netlink-netfilter socket
ulogd: allow starting on a Debian system
entropyd: label the unit file of haveged
entropyd: allow haveged to create a Unix socket to received commands
ulogd: fix pattern for /run/ulog directory
monit: use s0 instead of s9
java: reduce the scope of the pattern in for java entry points
libraries: match a digit in Adobe Reader directories
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
rpcbind: remove redundant file context for /run/rpc.statd.pid
files: reduce the scope of the pattern matching /usr/include
Remove unescaped single dot from the policy
Fix use of buggy pattern (.*)?
libraries: drop a pattern specific to Python 2.4
systemd: introduce an interface for services using PrivateDevices=yes
Vagrantfile: upgrade VM to Fedora 30
Allow Debian to generate a dynamic motd when users log in
entropyd: haveged service uses PrivateDevices=yes
Check the .fc files for common typos
corecommands: no longer use \d
libraries: fix some misspellings in patterns
java: remove unnecessary parentheses in pattern
cups: add a slash to match /opt/brother/Printers/
Vagrantfile: build and install refpolicy on Fedora VM
Vagrantfile: add a Debian virtual machine
ntp: allow systemd-timesyncd to read network status
cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
portage: really make consoletype module optional