Update Changelog and VERSION for release 2.20220520.

pebenito · pebenito · commit fdebaaca4bc2 · 2022-05-20T09:33:17.000-04:00
Signed-off-by: Chris PeBenito &lt;pebenito@ieee.org&gt;
diff --git a/Changelog b/Changelog
@@ -1,3 +1,315 @@
+* Fri May 20 2022 Chris PeBenito <pebenito@ieee.org> - 2.20220520
+Björn Esser (1):
+      authlogin: add fcontext for tcb
+
+Chris PeBenito (118):
+         0xC0ncord/bugfix/systemd-user-exec-apps-hookup
+      systemd, ssh, ntp: Read fips_enabled crypto sysctl.
+      systemd: Unit generator fixes.
+      systemd: Revise tmpfiles factory to allow writing all configs.
+      systemd: User runtime reads user cgroup files.
+      logging: Add audit_control for journald.
+      udev: Manage EFI variables.
+      ntp: Handle symlink to drift directory.
+      logging: Allow auditd to stat() dispatcher executables.
+      Drop module versioning.
+      tests.yml: Disable policy_module() selint checks.
+      systemd: Change journal file context to MLS system high.
+      Revert "users: remove MCS categories from default users"
+      systemd: Add systemd-homed and systemd-userdbd.
+      systemd, ssh: Crypto sysctl use.
+      systemd: Additional fixes for fs getattrs.
+      systemd: Updates for generators and kmod-static-nodes.service.
+      domain: Allow lockdown for all domains.
+      postfix, spamassassin: Fix missed type renames after alias removals.
+      cron, dbus, policykit, postfix: Minor style fixes.
+      Make hide_broken_symptoms unconditional.
+      puppet: Style fixes.
+      matrixd: Cleanups.
+      matrixd: SELint fixes.
+      mailmain: Fix check_fc_files issue.
+      mailmain: Fix SELint issues.
+      postfix: Move lines.
+      apache: Remove unnecessary require in apache_exec().
+      seusers: Remove sddm.
+      Add a vulnerability handling process.
+
+Christian Goettsche (1):
+      check_fc_files: allow optional @ character
+
+Christian Göttsche (11):
+      filesystem: add fs_use_trans for ramfs
+      Ignore umask on when installing headers
+      Revert "tests.yml: Disable policy_module() selint checks."
+      build.conf: bump policy version in comment
+      flask: add new kernel security classes
+      policy_capabilities: add ioctl_skip_cloexec
+      policy.dtd: more strict bool/tunable and infoflow validation
+      Makefile: invoke python with -bb
+      Rules.monolithic: add target to generate CIL policy
+      Makefile: use override for adding options
+      Rules.modular: add pure-load target
+
+Dave Sugar (4):
+      Allow iscsid to request kernel module load
+      Allow iscsid to check fips_enabled
+      sshd: allow to run /usr/bin/fipscheck (to check fips state)
+      systemd: resolve error with systemd-sysctl
+
+Fabrice Fontaine (2):
+      policy/modules/services/samba.te: make crack optional
+      policy/modules/services/wireguard.te: make iptables optional
+
+Gao Xiang (1):
+      Add erofs as a SELinux capable file system
+
+Henrik Grindal Bakken (1):
+      snmp: Fix typo in /var/net-snmp rule
+
+Jonathan Davies (12):
+      chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access
+         net_admin capability, this is required for its `hwtimestamp` option,
+         which otherwise returns:
+      virt.te: Fixed typo in virtlogd_t virt_common_runtime_t
+         manage_files_pattern.
+      obfs4proxy: Added policy.
+      tor: Added interfaces and types for obfs4proxy support.
+      corenetwork.te.in: Added ntske port.
+      chronyd.te: Added support for bind/connect/recv/send NTS packets.
+      chronyd: Allow access to read certs.
+      obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
+      policy/*: Replaced rw_netlink_socket_perms with
+         create_netlink_socket_perms.
+      node_exporter: Added initial policy.
+      systemd.te: Added boolean for allowing dhcpd server packets.
+      systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in
+         systemd_stream_connect_userdb().
+
+Kenton Groombridge (174):
+      userdomain: add user exec domain attribute and interface
+      systemd: assign user exec attribute to systemd --user instances
+      systemd: add interface to support monitoring and output capturing of child
+         processes
+      wm: add user exec domain attribute to wm domains
+      ssh: add interface to execute and transition to ssh client
+      userdomain: add interface to allow mapping all user home content
+      git, roles: add policy for git client
+      apache, roles: use user exec domain attribute
+      screen, roles: use user exec domain attribute
+      git, roles: use user exec domain attribute
+      postgresql, roles: use user exec domain attribute
+      ssh, roles: use user exec domain attribute
+      sudo, roles: use user exec domain attribute
+      syncthing, roles: use user exec domain attribute
+      xscreensaver, roles: use user exec domain attribute
+      xserver, roles, various: use user exec domain attribute
+      authlogin, roles: use user exec domain attribute
+      bluetooth, roles: use user exec domain attribute
+      cdrecord, roles: use user exec domain attribute
+      chromium, roles: use user exec domain attribute
+      cron, roles: use user exec domain attribute
+      dirmngr, roles: use user exec domain attribute
+      evolution, roles: use user exec domain attribute
+      games, roles: use user exec domain attribute
+      gnome, roles: use user exec domain attribute
+      gpg, roles: use user exec domain attribute
+      irc, roles: use user exec domain attribute
+      java, roles: use user exec domain attribute
+      libmtp, roles: use user exec domain attribute
+      lpd, roles: use user exec domain attribute
+      mozilla, roles: use user exec domain attribute
+      mplayer, roles: use user exec domain attribute
+      mta, roles: use user exec domain attribute
+      openoffice, roles: use user exec domain attribute
+      pulseaudio, roles: use user exec domain attribute
+      pyzor, roles: use user exec domain attribute
+      razor, roles: use user exec domain attribute
+      rssh, roles: use user exec domain attribute
+      spamassassin, roles: use user exec domain attribute
+      su, roles: use user exec domain attribute
+      telepathy, roles: use user exec domain attribute
+      thunderbird, roles: use user exec domain attribute
+      tvtime, roles: use user exec domain attribute
+      uml, roles: use user exec domain attribute
+      userhelper, roles: use user exec domain attribute
+      vmware, roles: use user exec domain attribute
+      wireshark, roles: use user exec domain attribute
+      wm, roles: use user exec domain attribute
+      hadoop, roles: use user exec domain attribute
+      shutdown, roles: use user exec domain attribute
+      cryfs, roles: use user exec domain attribute
+      wine: use user exec domain attribute
+      mono: use user exec domain attribute
+      sudo: add tunable to control user exec domain access
+      su: add tunable to control user exec domain access
+      shutdown: add tunable to control user exec domain access
+      mpd, pulseaudio: split domtrans and client access
+      mcs: deprecate mcs overrides
+      mcs: restrict create, relabelto on mcs files
+      fs: add pseudofs attribute and interfaces
+      devices: make usbfs pseudofs instead of noxattrfs
+      git: fix typo in git hook exec access
+      dovecot, spamassassin: allow dovecot to execute spamc
+      mta, spamassassin: fixes for rspamd
+      certbot, various: allow various services to read certbot certs
+      usbguard, sysadm: misc fixes
+      ssh: fix for polyinstantiation
+      sysadm, systemd: fixes for systemd-networkd
+      asterisk: allow reading generic certs
+      bind: fixes for unbound
+      netutils: fix ping
+      policykit, systemd: allow policykit to watch systemd logins and sessions
+      spamassassin: fix file contexts for rspamd symlinks
+      mcs: add additional constraints to databases
+      mcs: constrain misc IPC objects
+      mcs: combine single-level object creation constraints
+      various: deprecate mcs override interfaces
+      corenet: make netlabel_peer_t mcs constrained
+      mcs: constrain context contain access
+      mcs: only constrain mcs_constrained_type for db accesses
+      guest, xguest: remove apache role access
+      wine: fix roleattribute statement
+      testing: accept '@' as a valid ending character in filecon checker
+      users: remove MCS categories from default users
+      various: remove various mcs ranged transitions
+      kernel: add various supporting interfaces for containers
+      kernel, rpc, systemd: deprecate kernel_mounton_proc
+      devices, kernel: deprecate dev_mounton_sysfs
+      devices: add interfaces to remount sysfs and device filesystems
+      init: add interface to run init bpf programs
+      systemd: add interface to dbus chat with systemd-machined
+      userdom: add interfaces to relabel generic user home content
+      init: add interface to setsched on init
+      init: allow systemd to renice all other domains
+      sysnetwork: add interfaces for /run/netns
+      container, virt: move svirt lxc domains to new container module
+      container: svirt_lxc_net_t is now container_t
+      container: fixup rules
+      container: add interface to identify container mountpoints
+      various: make various types a mountpoint for containers
+      container: add base attributes for containers and container engines
+      container: initial support for container engines
+      container, gpg, userdom: allow container engines to execute gpg
+      container: allow containers to use container ptys
+      container, mount: allow mount to getattr on container fs
+      various: various userns capability permissions
+      container: allow containers the chroot capability
+      container: allow containers various userns capabilities
+      container: allow containers to watch all container files
+      container, podman: initial support for podman
+      filesystem: add supporting FUSEFS interfaces
+      dbus: add supporting interfaces and rules for rootless podman
+      systemd: add private type for systemd user manager units
+      container: add role access templates
+      container, podman, systemd: initial support for rootless podman
+      container: add required admin rules
+      sysadm: allow container admin access
+      container: call podman access in container access
+      staff, unconfined: allow container user access
+      container: add policy for privileged containers
+      container: allow containers to read read-only container files
+      container: add tunable for containers to manage cgroups
+      container: add tunables for containers to use nfs and cifs
+      container: add tunable to allow engines to mounton non security
+      container, iptables: dontaudit iptables rw on /ptmx
+      xdg: add interface to search xdg data directories
+      container, podman: add policy for conmon
+      kernel: add filetrans interface for unlabeled dirs
+      container, docker: add initial support for docker
+      container: call docker access in container access
+      userdomain: add type for user bin files
+      systemd: allow systemd user managers to execute user bin files
+      systemd: use stream socket perms in systemd_user_app_status
+      systemd: add supporting interfaces for user daemons
+      rootlesskit: new policy module
+      container, docker, rootlesskit: add support for rootless docker
+      docker: call rootlesskit access in docker access
+      container: drop old commented rules
+      lxc_contexts: add ro_file and sandbox_lxc_process contexts
+      container: allow containers to getsession
+      docker: make rootlesskit optional
+      docker: add missing call to init_daemon_domain()
+      podman: add explicit range transition for conmon
+      init: split access for systemd runtime units
+      dbus: fixes for dbus-broker
+      dbus, policykit: add tunables for dbus-broker access
+      docker, podman: container units now have the runtime unit type
+      init: allow systemd to nnp_transition and nosuid_transition to daemon
+         domains
+      files, init: allow init to remount filesystems mounted on /boot
+      sudo: fixes for polyinstantiation
+      locallogin: fix for polyinstantiation
+      authlogin: dontaudit getcap chkpwd
+      systemd: various fixes
+      systemd: add support for systemd-resolved stubs
+      getty, locallogin: cgroup fixes
+      unconfined: fixes for bluetooth dbus chat and systemd
+      udev: allow udev to start the systemd system object
+      networkmanager: allow getting systemd system status
+      container, podman: allow podman to create and write config files
+      podman: allow system podman to interact with container transient units
+      podman: fix role associations
+      container, podman: allow containers to interact with conmon
+      podman: add rules for systemd container units
+      container, init: allow init to remount container filesystems
+      container: allow generic containers to read the vm_overcommit sysctl
+      container: add tunables to allow containers to access public content
+      container: add missing capabilities
+      container: also allow containers to watch public content
+      podman: allow podman to watch journal dirs
+      sysadm: allow sysadm to watch journal directories
+      git: add missing file contexts
+      udica-templates: initial commit of udica templates
+      makefile: add install target for udica templates
+      github: test install of udica templates
+
+Laurent Bigonville (2):
+      docker: On debian dockerd and docker-proxy are in /usr/sbin
+      container: On Debian, runc is installed in /usr/sbin
+
+Pedro (1):
+      File context for nginx cache files
+
+Russell Coker (8):
+      remove aliases from 20210203
+      dontaudit net_admin without hide_broken_symptoms
+      puppet V3
+      matrixd-synapse policy V3
+      mailman3 V3
+      certbot V3
+      init dbus patch for GetDynamicUsers with systemd_use_nss() V2
+      new sddm V2
+
+Vit Mojzis (1):
+      Improve error message on duplicate definition of interface
+
+Yi Zhao (24):
+      rpc: remove obsolete comment line
+      secadm: allow secadm to read selinux policy
+      rpcbind: allow sysadm to run rpcinfo
+      samba: allow smbd_t to send and receive messages from avahi over dbus
+      rpc: add dac_read_search capability for rpcd_t
+      bluetooth: fixes for bluetoothd
+      avahi: allow avahi_t to watch /etc/avahi directory
+      udev: allow udev_t to watch udev_rules_t dir
+      rpc: allow rpc.mountd to list/watch NFS server directory
+      usermanage: do not audit attempts to getattr of proc for passwd_t and
+         useradd_t
+      selinuxutil: allow setfiles_t to read kernel sysctl
+      rngd: fixes for rngd
+      dbus: allow dbus-daemon to map SELinux status page
+      bind: fixes for bind
+      passwd: allow passwd to map SELinux status page
+      ipsec: fixes for strongswan
+      samba: fixes for smbd/nmbd
+      ntp: allow ntpd to set rlimit_memlock
+      ssh: do not audit attempts by ssh-keygen to read proc
+      acpid: allow acpid to watch the directories in /dev
+      bluetooth: allow bluetoothd to create alg_socket
+      systemd: allow systemd-hostnamed to read udev runtime files
+      su: allow su to map SELinux status page
+      modutils: allow kmod_t to write keys
+
 * Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908
 Andreas Freimuth (2):
       Prefer user_fonts_config_t over xdg_config_t
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.20210908
+2.20220520
