commit:     1e9ecfc88b2f1567c523abe231864544edf9bf24
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec  3 18:37:38 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 20:32:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e9ecfc8

Update Changelog and VERSION for release.

---
 Changelog | 186 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 187 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 4444be1..1f53185 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,189 @@
+* Wed Dec 03 2014 Chris PeBenito <[email protected]> - 2.20141203
+Artyom Smirnov (3):
+      New database object classes
+      Fixes for db_domain and db_exception
+      Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
+
+Chris PeBenito (69):
+      Whitespace fix in postgresql.fc
+      Module version bump for postgresql fc entries from Luis Ressel.
+      Add symlink to contrib Changelog for easy reference.
+      Move lightdm line in xserver.fc.
+      Whitespace fix in xserver.fc.
+      Update contrib.
+      Module version bump for userdomain kernel symbol table fix from Nicolas
+         Iooss.
+      Module version bump for 2 Gentoo patches from Sven Vermeulen.
+      Update contrib.
+      Module version bump for 2 patch sets from Laurent Bigonville.
+      Update contrib.
+      Module version bump for gnome keyring fix from Laurent Bigonville.
+      Update contrib.
+      Module version bump for /sys/fs/selinux support from Sven Vermeulen.
+      Module version bump for fixes from Laurent Bigonville.
+      Update contrib.
+      Module version bumps for fc fixes from Nicolas Iooss.
+      Update contrib.
+      Add file for placing default_* statements.
+      Fix error in default_user example.
+      Module version bump for unconfined->lvm transition from Nicolas Iooss.
+      Need the __future__ import for python2 if using print().
+      Module version bump for ifconfig fc entry from Sven Vermeulen.
+      Module version bump for deprecated interface usage removal from Nicolas
+         Iooss.
+      Update contrib.
+      Module version bump for rcs2log and xserver updates from Sven Vermeulen.
+      Module version bump for shutdown transitions from Luis Ressel.
+      Remove firstboot_rw_t as FC5 has been gone for a long time.
+      Module version bump for firstboot_rw_t alias removal.
+      Module version bump for dropbox port from Sven Vermeulen.
+      Module version bump for unconfined syslog cap from Nicolas Iooss.
+      Always use the unknown permissions handling build option.
+      Merge pull request #1 from artyom-smirnov/master
+      Module version bump for zram fc entry from Jason Zaman.
+      Update contrib.
+      Module version bump for init_daemon_pid_file from Sven Vermeulen.
+      Move tumblerd fc entry
+      Module version bump for tumblerd fc entry from Jason Zaman.
+      Module version bump for libraries fc fix from Nicolas Iooss.
+      Update contrib.
+      Module version bump for fstools fc entries from Luis Ressel.
+      Module version bump for missing unlabeled interfaces from Sven Vermeulen.
+      Module version bump for ping rawip socket fix from Luis Ressel.
+      Module version bump for full IRC ports from Luis Ressel.
+      Move losetup addition in fstools.
+      Module version bump for losetup fixes from Luis Ressel.
+      Update contrib.
+      Module version bump for postgres fc revisions from Luis Ressel.
+      Module version bump for FUSE fix for mount from Luis Ressel.
+      Module version bump for misc fixes from Nicolas Iooss.
+      Move systemd fc entry.
+      Whitespace change in logging.fc.
+      Add comment for journald ring buffer reading.
+      Module version bumps for systemd/journald patches from Nicolas Iooss.
+      Update contrib.
+      /dev/log symlinks are not labeled devlog_t.
+      Module version bump for CIL fixes from Yuli Khodorkovskiy.
+      Drop RHEL4 and RHEL5 support.
+      Merge pull request #3 from bigon/arping
+      Merge pull request #4 from fishilico/minor-typo
+      Module version bump for Debian arping fc entries from Laurent Bigonville.
+      Add comment for iw generic netlink socket usage
+      Module version bump for /sbin/iw support from Nicolas Iooss.
+      Merge pull request #5 from bigon/audit_read
+      Update contrib.
+      Module version bump for misc fixes from Sven Vermeulen.
+      Update contrib.
+      Module version bump for module store move from Steve Lawrence.
+      Bump module versions for release.
+
+Elia Pinto (1):
+      Fix misspelling
+
+Jason Zaman (2):
+      File contexts for zram
+      File Context for tumbler
+
+Laurent Bigonville (14):
+      Properly label git-shell and other git commands for Debian
+      Label /usr/sbin/lightdm as xdm_exec_t
+      Create new xattrfs attribute and fs_getattr_all_xattr_fs() interface
+      Associate the new xattrfs attribute to fs_t and some pseudo-fs
+      Use new fs_getattr_all_xattr_fs interface for setfiles_t and 
restorecond_t
+      Add telepathy role for user_r and staff_r
+      Properly label the manpages installed by postgresql
+      Label /usr/local/share/ca-certificates(/.*)? as cert_t
+      Allow the xdm_t domain to enter all the gkeyringd ones
+      Label /etc/locale.alias as locale_t on Debian
+      Allow hugetlbfs_t to be associated to /dev
+      On Debian iputils-arping is installed in /usr/bin/arping
+      Debian also ship a different arping implementation
+      Add new audit_read access vector in capability2 class
+
+Luis Ressel (13):
+      Add two postgresql file contexts from gentoo policy
+      Allow init to execute shutdown
+      Allow xdm_t to transition to shutdown_t domain
+      Some of the fsadm tools can also be in /usr/sbin instead of /sbin
+      Label /usr/sbin/{add, del}part as fsadm_exec_t
+      Grant ping_t getattr on rawip_socket
+      kernel/corenetwork.te: Add all registered IRC ports
+      system/mount.if: Add mount_rw_loopback_files interface
+      system/fstools.if: Add fstools_use_fds interface
+      Add neccessary permissions for losetup
+      Only label administrative postgres commands as postgresql_exec_t
+      Also apply the new postgres labeling scheme on Debian
+      Grant mount permission to access /dev/fuse
+
+Nicolas Iooss (31):
+      Fix parallel build of the policy
+      fc_sort: fix typos in comments
+      fc_sort: initialize allocated memory to fix execution on an empty file
+      fc_sort: make outfile argument optional
+      userdomain: no longer allow unprivileged users to read kernel symbols
+      Label syslog-ng.pid as syslogd_var_run_t
+      filesystem: label cgroup symlinks
+      Label /usr/lib/getconf as bin_t
+      Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
+      Make support/policyvers.py compatible with Python 3
+      Make unconfined user run lvm programs in confined domain
+      No longer use deprecated MLS interfaces
+      Allow unconfined domains to use syslog capability
+      Label /lib symlink as lib_t for every distro
+      Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/
+      Add ioctl and lock to manage_lnk_file_perms
+      Label (/var)?/tmp/systemd-private-.../tmp like /tmp
+      Fix typo in fs_getattr_all_fs description
+      Label systemd files in init module
+      Introduce init_search_run interface
+      Label systemd-journald files and directories
+      Support logging with /run/systemd/journal/dev-log
+      Allow journald to read the kernel ring buffer and to use /dev/kmsg
+      Allow journald to access to the state of all processes
+      Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
+      Fix minor typo in init.if
+      Label /sbin/iw as ifconfig_exec_t
+      Allow iw to create generic netlink sockets
+      Use create_netlink_socket_perms when allowing netlink socket creation
+      Update Python requirement in INSTALL
+      Create tmp directory when compiling a .mod.fc file in a modular way
+
+Steve Lawrence (1):
+      Update policy for selinux userspace moving the policy store to
+         /var/lib/selinux
+
+Sven Vermeulen (24):
+      Hide getattr denials upon sudo invocation
+      Support /sys/devices/system/cpu/online
+      The security_t file system can be at /sys/fs/selinux
+      Dontaudit access on security_t file system at /sys/fs/selinux
+      ifconfig can also be in /bin
+      xserver_t needs to ender dirs labeled xdm_var_run_t
+      Enable rcs2log location for all distributions
+      Add dropbox_port_t support
+      Support initrc_t generated pid files with file transition
+      Deprecate init_daemon_run_dir interface
+      Use init_daemon_pid_file instead of init_daemon_run_dir
+      Introduce kernel_delete_unlabeled_symlinks
+      Introduce kernel_delete_unlabeled_pipes
+      Introduce kernel_delete_unlabeled_sockets
+      Introduce kernel_delete_unlabeled_blk_files
+      Introduce kernel_delete_unlabeled_chr_files
+      Run grub(2)-mkconfig in bootloader domain
+      Add auth_pid_filetrans_pam_var_run
+      New sudo manages timestamp directory in /var/run/sudo
+      xfce4-notifyd is an executable
+      Mark f2fs as a SELinux capable file system
+      Add in LightDM contexts
+      Add gfisk and efibootmgr as fsadm_exec_t
+      Add /var/lib/racoon as runtime directory for ipsec
+
+Yuli Khodorkovskiy (1):
+      Remove duplicate role declarations
+
+cgarst (1):
+      Updating submodule URL to github
+
 * Tue Mar 11 2014 Chris PeBenito <[email protected]> - 2.20140311
 Chris PeBenito (96):
       Update contrib to pull in minidlna.
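
Review bot: Policy-behaviour changes are hard to find in this release entry because it is a raw shortlog. Entries such as "userdomain: no longer allow unprivileged users to read kernel symbols", "Always use the unknown permissions handling build option.", "Drop RHEL4 and RHEL5 support." and "Deprecate init_daemon_run_dir interface" sit unmarked among the many "Module version bump ..." and "Update contrib." lines. A short summary of the behaviour-changing and deprecation items at the top of the entry would let policy maintainers see what needs attention on upgrade. Two smaller points: the copied subjects carry typos ("Add neccessary permissions for losetup", "xserver_t needs to ender dirs labeled xdm_var_run_t"), and in this mail the "Use new fs_getattr_all_xattr_fs interface for setfiles_t and" line has wrapped so that "restorecond_t" has no leading "+", which means the hunk as mailed no longer matches its "+1,189" header.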

diff --git a/VERSION b/VERSION
index d2354ef..a9e4840 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20140311
+2.20141203
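
Review bot: The release number is maintained by hand in two places, here and in the new Changelog heading ("- 2.20141203"). They agree in this commit, but nothing in the diff enforces that. A build or release-script check that the version in the first Changelog entry equals the contents of VERSION would catch a mismatch before tagging.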
