summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Vermeulen <sven.vermeulen@siphos.be>2014-03-17 09:21:02 +0100
committerSven Vermeulen <sven.vermeulen@siphos.be>2014-03-17 09:21:02 +0100
commit2b5cfabb44b7bbd8e7870c5a424e0f561846afba (patch)
tree23adaf8eeb4e3205a75cf00ee4ac23e2d96a5778 /Changelog
parentWhitespace fix in xserver.fc. (diff)
downloadhardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.tar.gz
hardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.tar.bz2
hardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.zip
Update Changelog and VERSION for release (by Chris PeBenito)
Diffstat (limited to 'Changelog')
-rw-r--r--Changelog424
1 files changed, 228 insertions, 196 deletions
diff --git a/Changelog b/Changelog
index 85be207ce..4444be11d 100644
--- a/Changelog
+++ b/Changelog
@@ -1,218 +1,250 @@
-* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
-Chris PeBenito (78):
- Mcelog update from Guido Trentalancia.
- Add bird contrib module from Dominick Grift.
- Minor whitespace fix in udev.fc
- Module version bump for udev binary location update from Sven Vermeulen.
- clarify the file_contexts.subs_dist configuration file usage from Guido
- Trentalancia
+* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311
+Chris PeBenito (96):
+ Update contrib to pull in minidlna.
+ Remove general unlabeled packet usage.
Update contrib.
- Remove trailing / from paths
- Module version bump for fc substitutions optimizations from Sven
- Vermeulen.
+ Use python libselinux bindings to determine policy version.
+ Add MLS constraints for x_pointer and x_keyboard.
+ Add label for parted.
+ Fix support/policyvers.py not to error if building policy on a
+ SELinux-disabled system.
+ Module version bump for kerberos keytab changes for ssh from Dominick
+ Grift.
+ Module version bump for pstore filesystem support from Dominick Grift.
+ Module version bump for redis port from Dominick Grift.
Update contrib.
- Module version bump for /run/dhcpc directory creation by dhcp from Sven
- Vermeulen.
- Module version bump for fc fixes in devices module from Dominick Grift.
+ Add comment for setfiles using /dev/console when it needs to be relabeled.
+ Module version bump for xserver and selinuxutil updates from Dominick
+ Grift.
+ Module version bump for tmpfs associate to device_t from Dominick Grift.
+ Module version bump for syslog reading overcommit_memory from Dominick
+ Grift.
+ Module version bump for ethtool reading pm-powersave.lock from Dominick
+ Grift.
+ Module version bump for sysadm fix for git role usage from Dominick Grift.
+ Module version bump for lvm update from Dominick Grift.
+ Module version bump for fc fix in authlogin from Dominick Grift.
+ Module version bump for restricted x user template fix from Dominick
+ Grift.
+ Add comment for debian avahi-daemon-check-dns.sh usage by udev
+ Module version bump for udev Debian fixes from Dominick Grift.
+ Module version bump for selinuxfs location change from Dominick Grift.
Update contrib.
- Module version bump for /dev/mei type and label from Dominick Grift.
- Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
- Module version bump for lost+found labeling in /var/log from Guido
- Trentalancia.
- Module version bump for loop-control patch.
- Turn off all tunables by default, from Guido Trentalancia.
- Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
- Module version bump for various changes from Sven Vermeulen.
- Module version bump for ports update from Dominick Grift.
- Module version bump for Debian file context updates from Laurent
- Bigonville.
+ Module version bump for unconfined dbus fixes from Dominick Grift.
+ Whitespace fix in terminal.te.
+ Module version bump for virtio console from Dominick Grift.
+ Module version bump for init interface and corecommand fc from Dominick
+ Grift.
+ Module version bump for ping capabilities from Sven Vermeulen.
+ Module version bump for slim fc entries from Sven Vermeulen.
+ Module version bump for xdm dbus access from Dominick Grift.
+ Rearrange sysnet if blocks.
+ Module version bump for debian ifstate changes from Dominick Grift.
+ Module version bump for xserver console and fc fixes from Dominick Grift.
+ Module version bump for gdomap port from Dominick Grift.
+ Module version bumps for dhcpc leaked fds to hostname.
+ Module version bump for ssh server caps for Debian from Dominick Grift.
+ Move stray Debian rule in udev.
+ Update contrib
+ Module version bumps for Debian udev updates from Dominick Grift.
+ Module version bump for mount updates from Dominick Grift.
+ Silence symlink reading by setfiles since it doesn't follow symlinks
+ anyway.
+ Reorder dhcpc additions.
+ Module version bump for dhcpc fixes from Dominick Grift.
+ Add comments about new capabilities for syslogd_t.
+ Module version bumps for syslog-ng and semodule updates.
Update contrib.
+ Module version bump for first batch of patches from Dominick Grift.
Update contrib.
- split kmod fc into two lines.
- Module version bump for kmod fc from Laurent Bigonville.
- Module version bump for cfengine fc change from Dominick Grift.
- Module verision bump for Debian cert file fc update from Laurent
+ Rearrage userdom_delete_user_tmpfs_files() interface.
+ setrans: needs to be able to get attributes of selinuxfs, else fails to
+ start in Debian
+ Whitespace fix in fstools.
+ Add comment in policy for lvm sysfs write.
+ Module version bump for second lot of patches from Dominick Grift.
+ Whitespace fix in usermanage.
+ Whitespace fix in libraries.
+ Module version bump for patches from Dominick Grift.
+ Whitespace fix in init.te.
+ init: init_script_domain() allow system_r role the init script domain type
+ init: creates /run/utmp
+ Module version bump for 4 init patches from Dominick Grift.
+ Fix Debian compile issue.
+ Module version bump for 2 patches from Dominick Grift.
+ Module version bump for patch from Laurent Bigonville.
+ Update contrib.
+ Module version bump for patch from Laurent Bigonville.
+ Module version bump for xserver change from Dominick Grift.
+ Merge file_t into unlabeled_t, as they are security equivalent.
+ Update modules for file_t merge into unlabeled_t.
+ Make the QUIET build option apply to clean and bare targets.
+ Module version bump for direct initrc fixes from Dominick Grift.
+ Module version bump for module store labeling fixes from Laurent
Bigonville.
- Module version bump for ipsec net sysctls reading from Miroslav Grepl.
- Module version bump for srvloc port definition from Dominick Grift.
- Rename cachefiles_dev_t to cachefiles_device_t.
- Module version bump for cachefiles core support.
- Module version bump for changes from Dominick Grift and Sven Vermeulen.
- Module version bump for modutils patch from Dominick Grift.
- Module version bump for dhcp6 ports, from Russell Coker.
- Rearrange new xserver interfaces.
- Rename new xserver interfaces.
- Module version bump for xserver interfaces from Dominick Grift.
- Move kernel_stream_connect() declaration.
- Module version bump for kernel_stream_connect() from Dominick Grift.
- Rename logging_search_all_log_dirs to logging_search_all_logs
- Module version bump for minor logging and sysnet changes from Sven
- Vermeulen.
- Module version bump for dovecot libs from Mika Pflueger.
- Rearrange interfaces in files, clock, and udev.
- Module version bump for interfaces used by virt from Dominick Grift.
- Module version bump for arping setcap from Dominick Grift.
- Rearrange devices interfaces.
- Module version bump/contrib sync.
- Rearrange lines.
- Module version bump for user home content fixes from Dominick Grift.
- Rearrange files interfaces.
- Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+ Remove ZFS symlink labeling.
+ Fix ZFS fc escaping in mount.
+ Rearrange ZFS fc entries.
+ Module version bump for ZFS tools fc entries from Matthew Thode.
+ Module version bump for unconfined transition to dpkg from Laurent
+ Bigonville.
+ Module version bump for logging fc patch from Laurent Bigonville.
Update contrib.
- Whitespace fix in miscfiles.fc.
- Adjust man cache interface names.
- Module version bump for man cache from Dominick Grift.
- Module version bump for Debian ssh-keysign location from Laurent
+ Module version bump for pid file directory from Russell Coker/Laurent
Bigonville.
- Module version bump for userdomain portion of XDG updates from Dominick
- Grift.
- Module version bump for iptables fc entry from Sven Vermeulen and inn log
- from Dominick Grift.
- Module version bump for logging and tcpdump fixes from Sven Vermeulen.
- Move mcs_constrained() impementation.
- Module version bump for mcs_constrained from Dominick Grift.
+ Rename gpg_agent_connect to gpg_stream_connect_agent.
+ Rearrange gpg agent calls.
+ Module version bump for ssh use of gpg-agent from Luis Ressel.
+ Module version bump for files_dontaudit_list_var() interface from Luis
+ Ressel.
+ Move bin_t fc from couchdb to corecommands.
Update contrib.
- Module version bump from Debian changes from Laurent Bigonville.
- Module version bump for zfs labeling from Matthew Thode.
- Module version bump for misc updates from Sven Vermeulen.
+ Module version bump for sesh fc from Nicolas Iooss.
+ Move loop control interface definition.
+ Rename mount_read_mount_loopback() to mount_read_loopback_file().
+ Module version bump for loopback file mounting fixes from Luis Ressel.
+ Fix read loopback file interface.
+ Update contrib.
+ Module version bump for bootloader fc fixes from Luis Ressel.
Update contrib.
- Module version bump for fixes from Dominick Grift.
- Module version bump for Debian updates from Laurent Bigonville.
- Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
- Update contrib
- Fix fc_sort.c warning uncovered by recent gcc
- Module version bump for chfn fixes from Sven Vermeulen.
- Add swapoff fc entry.
- Add conntrack fc entry.
Update contrib.
- Update contrib
- Archive old Changelog for log format change.
Bump module versions for release.
-Dominick Grift (40):
- There can be more than a single watchdog interface
- Fix a suspected typo
- Intel® Active Management Technology
- Declare a loop control device node type and label /dev/loop-control
- accordingly
- Declare port types for ports used by Fedora but use /etc/services for port
- names rather than using fedora port names. If /etc/services does not
- have a port name for a port used by Fedora, skip for now.
- Remove var_log_t file context spec
- svrloc port type declaration from slpd policy module
- Declare a cachfiles device node type
- Implement files_create_all_files_as() for cachefilesd
- Restricted Xwindows user domains run windows managers in the windows
- managers domain
- Declare a cslistener port type for phpfpm
- Changes to the sysnetwork policy module
- Changes to the userdomain policy module
- Changes to the bootloader policy module
- Changes to the modutils policy module
- Changes to the xserver policy module
- Changes to various policy modules
- Changes to the kernel policy module
- For svirt_lxc_domain
- For svirt_lxc_domain
- For svirt_lxc_domain
- For virtd lxc
- For virtd_lxc
- For virtd_lxc
- For virtd lxc
- For virtd lxc
- For virtd
- Arping needs setcap to cap_set_proc
- For virtd
- Changes to the user domain policy module
- Samhain_admin() now requires a role for the role_transition from $1 to
- initrc_t via samhain_initrc_exec_t
- Changes to the user domain policy module
- Label /var/cache/man with a private man cache type for mandb
- Create a attribute user_home_content_type and assign it to all types that
- are classified userdom_user_home_content()
- These two attribute are unused
- System logger creates innd log files with a named file transition
- Implement mcs_constrained_type
- Changes to the init policy module
- Changes to the userdomain policy module
- NSCD related changes in various policy modules
+Dominick Grift (58):
+ The kerberos_keytab_template() template is deprecated: Breaks monolithic
+ built (out-of-scope)
+ Initial pstore support
+ Support redis port tcp,6379
+ These regular expressions were not matched
+ Restorecon reads, and writes /dev/console before it is properly labeled
+ filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
+ logging: syslog (rs:main Q:Reg) reading sysctl_vm files
+ (overcommit_memory) in Debian
+ sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock
+ sysadm: Doesnt work with direct_initrc = y
+ lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin
+ authlogin: Sudo file context specification did not catch paths (squash me)
+ userdomain: restricted xwindows user (squash me)
+ udev: This is specific to debian i think. Some how the
+ /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
+ selinux: selinuxfs is now mounted under /sys/fs/selinux instead of
+ /selinux, so we need to allow domains that use selinuxfs to interface
+ with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux
+ Unconfined domains have unconfined access to all of dbus rather than only
+ system bus
+ Initial virtio console device
+ init: create init_use_inherited_script_ptys() for tmpreaper (Debian)
+ corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh
+ xdm: is a system bus client and acquires service on the system bus xdm:
+ dbus chat with accounts-daemon
+ sysnetwork: Debian stores network interface configuration in /run/network
+ (ifstate), That directory is created by the /etc/init.d/networking
+ script.
+ xserver: catch /run/gdm3
+ xserver: associate xconsole_device_t (/dev/xconsole) to device_t
+ (devtmpfs)
+ corenetwork: Declare gdomap port, tcp/udp:538
+ hostname: do not audit attempts by hostname to read and write dhcpc udp
+ sockets (looks like a leaked fd)
+ ssh: Debian sshd is configured to use capabilities
+ udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and
+ compromises kernel
+ udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates
+ /run/avahi-daemon directory
+ mount: sets kernel thread priority mount: mount reads
+ /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount
+ points
+ sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not
+ audit attempts by ifconfig to read, and write dhcpc udp sockets (looks
+ like a leaked fd)
+ mount: fs_list_auto_mountpoint() is now redundant because autofs_t is
+ covered by files_list_all_mountpoints()
+ udev: this fc spec does not make sense, as there is no corresponding file
+ type transition for it
+ udev: the avahi dns check script run by udev in Debian chmods
+ /run/avahi-daemon
+ authlogin: unix_chkpwd traverses / on sysfs device on Debian
+ setrans: mcstransd reads filesystems file in /proc
+ udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
+ fstools: hdparm append (what seems inherited from devicekit )
+ /var/log/pm-powersave.log fstools: hdparm reads
+ /run/pm-utils/locks/pm-powersave.lock
+ sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i
+ was able to confirm the need for
+ networkmanager_manage_lib_files(dhcpc_t) since dhclient reads
+ /var/lib/NetworkManager/dhclient-eth0.conf
+ sysbnetwork: dhclient searches /var/lib/ntp
+ sshd/setrans: make respective init scripts create pid dirs with proper
+ contexts
+ kernel: cryptomgr_test (kernel_t) requests kernel to load
+ cryptd(__driver-ecb-aes-aesni
+ xserver: already allowed by auth_login_pgm_domain(xdm_t)
+ unconfined: Do not domain transition to xserver_t (unconfined_t is
+ xserver_unconfined)
+ userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
+ These { read write } tty_device_t chr files on boot up in Debian
+ udev: udevd executable location changed
+ lvm: lvm writes read_ahead_kb
+ udev: in debian udevadm is located in /bin/udevadm
+ usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in
+ Debian
+ iptables: calls to firewalld interfaces from Fedora. The
+ firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
+ libraries: for now i can only confirm mmap, might need to be changed to
+ bin_t later if it turns out to need execute_no_trans
+ users: calls pulseaudio_role() for restricted xwindows users and
+ staff_t/user_t
+ init: for a specified automatic role transition to work. the source role
+ must be allowed to change manually to the target role
+ init: this is a bug in debian where tmpfs is mounted on /run, and so early
+ on in the boot process init creates /run/utmp and /run/initctl in a
+ tmpfs directory (/) tmpfs
+ init: exim init script runs various helper apps that create and manage
+ /var/lib/exim4/config.autogenerated.tmp file
+ init: the gdomap and minissdpd init scripts read the respective environ
+ files in /etc/default. We need to give them a private type so that we
+ can give the gdomap_admin() and minissdpd_admin() access to it, but it
+ seems overengineering to create private environ types for these files
+ xserver: These are no longer needed
+ Change behavior of init_run_daemon()
+ Apply direct_initrc to unconfined_r:unconfined_t
-Guido Trentalancia (1):
- add lost+found filesystem labels to support NSA security guidelines
+Laurent Bigonville (7):
+ Label /bin/fusermount like /usr/bin/fusermount
+ Allow udev to write in /etc/udev/rules.d
+ Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t
+ Allow unconfined users to transition to dpkg_t domain
+ Add fcontext for rsyslog pidfile
+ Add fcontext for sshd pidfile and directory used for privsep
+ Move the ifdef at the end of the declaration block
-Laurent Bigonville (21):
- Add Debian locations for GDM 3
- Add Debian location for udisks helpers
- Add insmod_exec_t label for kmod executable
- Add Debian location for PKI files
- Add Debian location for ssh-keysign
- Properly label all the ssh host keys
- Allow udev_t domain to read files labeled as consolekit_var_run_t
- authlogin.if: Add auth_create_pam_console_data_dirs and
- auth_pid_filetrans_pam_var_console interfaces
- Label /etc/rc.d/init.d/x11-common as xdm_exec_t
- Drop /etc/rc.d/init.d/xfree86-common filecontext definition
- Label /var/run/shm as tmpfs_t for Debian
- Label /var/run/motd.dynamic as initrc_var_run_t
- Label /var/run/initctl as initctl_t
- udev.if: Call files_search_pid instead of files_search_var_lib in
- udev_manage_pid_files
- Label executables in /usr/lib/NetworkManager/ as bin_t
- Add support for rsyslog
- Label var_lock_t as a mountpoint
- Add mount_var_run_t type and allow mount_t domain to manage the files and
- directories
- Add initrc_t to use block_suspend capability
- Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
- Label nut drivers that are installed in /lib/nut on Debian as bin_t
+Luis Ressel (10):
+ Conditionally allow ssh to use gpg-agent
+ kernel/files.if: Add files_dontaudit_list_var interface
+ kernel/devices.if: Add dev_rw_loop_control interface
+ system/mount.if: Add mount_read_mount_loopback interface
+ Allow mount_t usage of /dev/loop-control
+ Grant kernel_t necessary permissions for loopback mounts
+ Use xattr-labeling for squashfs.
+ Label fatsort as fsadm_exec_t.
+ Generalize grub2 pattern
+ Label grub2-install as bootloader_exec_t
Matthew Thode (1):
- Implement zfs support
-
-Mika Pflüger (2):
- Debian locations of gvfs and kde4 libexec binaries in /usr/lib
- Explicitly label dovecot libraries lib_t for debian
-
-Miroslav Grepl (1):
- Allow ipsec to read kernel sysctl
+ Extending support for SELinux on ZFS
-Paul Moore (1):
- flask: add the attach_queue permission to the tun_socket object class
+Nicolas Iooss (2):
+ Label /usr/lib/sudo/sesh as shell_exec_t
+ Create .gitignore
-Russell Coker (1):
- Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
- client control
-
-Sven Vermeulen (27):
- New location for udevd binary
- Use substititions for /usr/local/lib and /etc/init.d
- DHCP client's hooks create /run/dhcpc directory
- Introduce init_daemon_run_dir transformation
- Use the init_daemon_run_dir interface for udev
- Allow initrc_t to create run dirs for core modules
- Puppet uses mount output for verification
- Allow syslogd to create /var/lib/syslog and
- /var/lib/misc/syslog-ng.persist
- Gentoo's openrc does not require initrc_exec_t for runscripts anymore
- Allow init scripts to read courier configuration
- Allow search within postgresql var directory for the stream connect
- interface
- Introduce logging_getattr_all_logs interface
- Introduce logging_search_all_log_dirs interface
- Support flushing routing cache
- Allow init to set attributes on device_t
- Introduce files_manage_all_pids interface
- Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
- Update files_manage_generic_locks with directory permissions
- Run ipset in iptables domain
- tcpdump chroots into /var/lib/tcpdump
- Remove generic log label for cron location
- Postgresql 9.2 connects to its unix stream socket
- lvscan creates the /run/lock/lvm directory if nonexisting (v2)
- Allow syslogger to manage cron log files (v2)
- Allow initrc_t to read stunnel configuration
- Introduce exec-check interfaces for passwd binaries and useradd binaries
- chfn_t reads in file context information and executes nscd
+Sven Vermeulen (7):
+ Add trivnet1 port (8200)
+ Get grub2-install to work properly
+ Support named file transition for fixed_disk_device_t
+ Allow ping to get/set capabilities
+ Extend slim /var/run expression
+ Allow semodule to create symlink in semanage_store_t
+ Allow capabilities for syslog-ng
* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
Chris PeBenito (78):