diff options
author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-03-17 09:21:02 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-03-17 09:21:02 +0100 |
commit | 2b5cfabb44b7bbd8e7870c5a424e0f561846afba (patch) | |
tree | 23adaf8eeb4e3205a75cf00ee4ac23e2d96a5778 /Changelog | |
parent | Whitespace fix in xserver.fc. (diff) | |
download | hardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.tar.gz hardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.tar.bz2 hardened-refpolicy-2b5cfabb44b7bbd8e7870c5a424e0f561846afba.zip |
Update Changelog and VERSION for release (by Chris PeBenito)
Diffstat (limited to 'Changelog')
-rw-r--r-- | Changelog | 424 |
1 files changed, 228 insertions, 196 deletions
@@ -1,218 +1,250 @@ -* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424 -Chris PeBenito (78): - Mcelog update from Guido Trentalancia. - Add bird contrib module from Dominick Grift. - Minor whitespace fix in udev.fc - Module version bump for udev binary location update from Sven Vermeulen. - clarify the file_contexts.subs_dist configuration file usage from Guido - Trentalancia +* Tue Mar 11 2014 Chris PeBenito <selinux@tresys.com> - 2.20140311 +Chris PeBenito (96): + Update contrib to pull in minidlna. + Remove general unlabeled packet usage. Update contrib. - Remove trailing / from paths - Module version bump for fc substitutions optimizations from Sven - Vermeulen. + Use python libselinux bindings to determine policy version. + Add MLS constraints for x_pointer and x_keyboard. + Add label for parted. + Fix support/policyvers.py not to error if building policy on a + SELinux-disabled system. + Module version bump for kerberos keytab changes for ssh from Dominick + Grift. + Module version bump for pstore filesystem support from Dominick Grift. + Module version bump for redis port from Dominick Grift. Update contrib. - Module version bump for /run/dhcpc directory creation by dhcp from Sven - Vermeulen. - Module version bump for fc fixes in devices module from Dominick Grift. + Add comment for setfiles using /dev/console when it needs to be relabeled. + Module version bump for xserver and selinuxutil updates from Dominick + Grift. + Module version bump for tmpfs associate to device_t from Dominick Grift. + Module version bump for syslog reading overcommit_memory from Dominick + Grift. + Module version bump for ethtool reading pm-powersave.lock from Dominick + Grift. + Module version bump for sysadm fix for git role usage from Dominick Grift. + Module version bump for lvm update from Dominick Grift. + Module version bump for fc fix in authlogin from Dominick Grift. + Module version bump for restricted x user template fix from Dominick + Grift. + Add comment for debian avahi-daemon-check-dns.sh usage by udev + Module version bump for udev Debian fixes from Dominick Grift. + Module version bump for selinuxfs location change from Dominick Grift. Update contrib. - Module version bump for /dev/mei type and label from Dominick Grift. - Module version bump for init_daemon_run_dirs usage from Sven Vermeulen. - Module version bump for lost+found labeling in /var/log from Guido - Trentalancia. - Module version bump for loop-control patch. - Turn off all tunables by default, from Guido Trentalancia. - Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH. - Module version bump for various changes from Sven Vermeulen. - Module version bump for ports update from Dominick Grift. - Module version bump for Debian file context updates from Laurent - Bigonville. + Module version bump for unconfined dbus fixes from Dominick Grift. + Whitespace fix in terminal.te. + Module version bump for virtio console from Dominick Grift. + Module version bump for init interface and corecommand fc from Dominick + Grift. + Module version bump for ping capabilities from Sven Vermeulen. + Module version bump for slim fc entries from Sven Vermeulen. + Module version bump for xdm dbus access from Dominick Grift. + Rearrange sysnet if blocks. + Module version bump for debian ifstate changes from Dominick Grift. + Module version bump for xserver console and fc fixes from Dominick Grift. + Module version bump for gdomap port from Dominick Grift. + Module version bumps for dhcpc leaked fds to hostname. + Module version bump for ssh server caps for Debian from Dominick Grift. + Move stray Debian rule in udev. + Update contrib + Module version bumps for Debian udev updates from Dominick Grift. + Module version bump for mount updates from Dominick Grift. + Silence symlink reading by setfiles since it doesn't follow symlinks + anyway. + Reorder dhcpc additions. + Module version bump for dhcpc fixes from Dominick Grift. + Add comments about new capabilities for syslogd_t. + Module version bumps for syslog-ng and semodule updates. Update contrib. + Module version bump for first batch of patches from Dominick Grift. Update contrib. - split kmod fc into two lines. - Module version bump for kmod fc from Laurent Bigonville. - Module version bump for cfengine fc change from Dominick Grift. - Module verision bump for Debian cert file fc update from Laurent + Rearrage userdom_delete_user_tmpfs_files() interface. + setrans: needs to be able to get attributes of selinuxfs, else fails to + start in Debian + Whitespace fix in fstools. + Add comment in policy for lvm sysfs write. + Module version bump for second lot of patches from Dominick Grift. + Whitespace fix in usermanage. + Whitespace fix in libraries. + Module version bump for patches from Dominick Grift. + Whitespace fix in init.te. + init: init_script_domain() allow system_r role the init script domain type + init: creates /run/utmp + Module version bump for 4 init patches from Dominick Grift. + Fix Debian compile issue. + Module version bump for 2 patches from Dominick Grift. + Module version bump for patch from Laurent Bigonville. + Update contrib. + Module version bump for patch from Laurent Bigonville. + Module version bump for xserver change from Dominick Grift. + Merge file_t into unlabeled_t, as they are security equivalent. + Update modules for file_t merge into unlabeled_t. + Make the QUIET build option apply to clean and bare targets. + Module version bump for direct initrc fixes from Dominick Grift. + Module version bump for module store labeling fixes from Laurent Bigonville. - Module version bump for ipsec net sysctls reading from Miroslav Grepl. - Module version bump for srvloc port definition from Dominick Grift. - Rename cachefiles_dev_t to cachefiles_device_t. - Module version bump for cachefiles core support. - Module version bump for changes from Dominick Grift and Sven Vermeulen. - Module version bump for modutils patch from Dominick Grift. - Module version bump for dhcp6 ports, from Russell Coker. - Rearrange new xserver interfaces. - Rename new xserver interfaces. - Module version bump for xserver interfaces from Dominick Grift. - Move kernel_stream_connect() declaration. - Module version bump for kernel_stream_connect() from Dominick Grift. - Rename logging_search_all_log_dirs to logging_search_all_logs - Module version bump for minor logging and sysnet changes from Sven - Vermeulen. - Module version bump for dovecot libs from Mika Pflueger. - Rearrange interfaces in files, clock, and udev. - Module version bump for interfaces used by virt from Dominick Grift. - Module version bump for arping setcap from Dominick Grift. - Rearrange devices interfaces. - Module version bump/contrib sync. - Rearrange lines. - Module version bump for user home content fixes from Dominick Grift. - Rearrange files interfaces. - Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen. + Remove ZFS symlink labeling. + Fix ZFS fc escaping in mount. + Rearrange ZFS fc entries. + Module version bump for ZFS tools fc entries from Matthew Thode. + Module version bump for unconfined transition to dpkg from Laurent + Bigonville. + Module version bump for logging fc patch from Laurent Bigonville. Update contrib. - Whitespace fix in miscfiles.fc. - Adjust man cache interface names. - Module version bump for man cache from Dominick Grift. - Module version bump for Debian ssh-keysign location from Laurent + Module version bump for pid file directory from Russell Coker/Laurent Bigonville. - Module version bump for userdomain portion of XDG updates from Dominick - Grift. - Module version bump for iptables fc entry from Sven Vermeulen and inn log - from Dominick Grift. - Module version bump for logging and tcpdump fixes from Sven Vermeulen. - Move mcs_constrained() impementation. - Module version bump for mcs_constrained from Dominick Grift. + Rename gpg_agent_connect to gpg_stream_connect_agent. + Rearrange gpg agent calls. + Module version bump for ssh use of gpg-agent from Luis Ressel. + Module version bump for files_dontaudit_list_var() interface from Luis + Ressel. + Move bin_t fc from couchdb to corecommands. Update contrib. - Module version bump from Debian changes from Laurent Bigonville. - Module version bump for zfs labeling from Matthew Thode. - Module version bump for misc updates from Sven Vermeulen. + Module version bump for sesh fc from Nicolas Iooss. + Move loop control interface definition. + Rename mount_read_mount_loopback() to mount_read_loopback_file(). + Module version bump for loopback file mounting fixes from Luis Ressel. + Fix read loopback file interface. + Update contrib. + Module version bump for bootloader fc fixes from Luis Ressel. Update contrib. - Module version bump for fixes from Dominick Grift. - Module version bump for Debian updates from Laurent Bigonville. - Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai. - Update contrib - Fix fc_sort.c warning uncovered by recent gcc - Module version bump for chfn fixes from Sven Vermeulen. - Add swapoff fc entry. - Add conntrack fc entry. Update contrib. - Update contrib - Archive old Changelog for log format change. Bump module versions for release. -Dominick Grift (40): - There can be more than a single watchdog interface - Fix a suspected typo - Intel® Active Management Technology - Declare a loop control device node type and label /dev/loop-control - accordingly - Declare port types for ports used by Fedora but use /etc/services for port - names rather than using fedora port names. If /etc/services does not - have a port name for a port used by Fedora, skip for now. - Remove var_log_t file context spec - svrloc port type declaration from slpd policy module - Declare a cachfiles device node type - Implement files_create_all_files_as() for cachefilesd - Restricted Xwindows user domains run windows managers in the windows - managers domain - Declare a cslistener port type for phpfpm - Changes to the sysnetwork policy module - Changes to the userdomain policy module - Changes to the bootloader policy module - Changes to the modutils policy module - Changes to the xserver policy module - Changes to various policy modules - Changes to the kernel policy module - For svirt_lxc_domain - For svirt_lxc_domain - For svirt_lxc_domain - For virtd lxc - For virtd_lxc - For virtd_lxc - For virtd lxc - For virtd lxc - For virtd - Arping needs setcap to cap_set_proc - For virtd - Changes to the user domain policy module - Samhain_admin() now requires a role for the role_transition from $1 to - initrc_t via samhain_initrc_exec_t - Changes to the user domain policy module - Label /var/cache/man with a private man cache type for mandb - Create a attribute user_home_content_type and assign it to all types that - are classified userdom_user_home_content() - These two attribute are unused - System logger creates innd log files with a named file transition - Implement mcs_constrained_type - Changes to the init policy module - Changes to the userdomain policy module - NSCD related changes in various policy modules +Dominick Grift (58): + The kerberos_keytab_template() template is deprecated: Breaks monolithic + built (out-of-scope) + Initial pstore support + Support redis port tcp,6379 + These regular expressions were not matched + Restorecon reads, and writes /dev/console before it is properly labeled + filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems + logging: syslog (rs:main Q:Reg) reading sysctl_vm files + (overcommit_memory) in Debian + sysnetwork: ethtool reads /run/pm-utils/locks/pm-powersave.lock + sysadm: Doesnt work with direct_initrc = y + lvm: lvm and udisks-lvm-pv-e read /run/udev/queue.bin + authlogin: Sudo file context specification did not catch paths (squash me) + userdomain: restricted xwindows user (squash me) + udev: This is specific to debian i think. Some how the + /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain + selinux: selinuxfs is now mounted under /sys/fs/selinux instead of + /selinux, so we need to allow domains that use selinuxfs to interface + with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux + Unconfined domains have unconfined access to all of dbus rather than only + system bus + Initial virtio console device + init: create init_use_inherited_script_ptys() for tmpreaper (Debian) + corecmd: avahi-daemon executes /usr/lib/avahi/avahi-daemon-check-dns.sh + xdm: is a system bus client and acquires service on the system bus xdm: + dbus chat with accounts-daemon + sysnetwork: Debian stores network interface configuration in /run/network + (ifstate), That directory is created by the /etc/init.d/networking + script. + xserver: catch /run/gdm3 + xserver: associate xconsole_device_t (/dev/xconsole) to device_t + (devtmpfs) + corenetwork: Declare gdomap port, tcp/udp:538 + hostname: do not audit attempts by hostname to read and write dhcpc udp + sockets (looks like a leaked fd) + ssh: Debian sshd is configured to use capabilities + udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and + compromises kernel + udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates + /run/avahi-daemon directory + mount: sets kernel thread priority mount: mount reads + /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount + points + sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not + audit attempts by ifconfig to read, and write dhcpc udp sockets (looks + like a leaked fd) + mount: fs_list_auto_mountpoint() is now redundant because autofs_t is + covered by files_list_all_mountpoints() + udev: this fc spec does not make sense, as there is no corresponding file + type transition for it + udev: the avahi dns check script run by udev in Debian chmods + /run/avahi-daemon + authlogin: unix_chkpwd traverses / on sysfs device on Debian + setrans: mcstransd reads filesystems file in /proc + udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf + fstools: hdparm append (what seems inherited from devicekit ) + /var/log/pm-powersave.log fstools: hdparm reads + /run/pm-utils/locks/pm-powersave.lock + sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i + was able to confirm the need for + networkmanager_manage_lib_files(dhcpc_t) since dhclient reads + /var/lib/NetworkManager/dhclient-eth0.conf + sysbnetwork: dhclient searches /var/lib/ntp + sshd/setrans: make respective init scripts create pid dirs with proper + contexts + kernel: cryptomgr_test (kernel_t) requests kernel to load + cryptd(__driver-ecb-aes-aesni + xserver: already allowed by auth_login_pgm_domain(xdm_t) + unconfined: Do not domain transition to xserver_t (unconfined_t is + xserver_unconfined) + userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients + These { read write } tty_device_t chr files on boot up in Debian + udev: udevd executable location changed + lvm: lvm writes read_ahead_kb + udev: in debian udevadm is located in /bin/udevadm + usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in + Debian + iptables: calls to firewalld interfaces from Fedora. The + firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian. + libraries: for now i can only confirm mmap, might need to be changed to + bin_t later if it turns out to need execute_no_trans + users: calls pulseaudio_role() for restricted xwindows users and + staff_t/user_t + init: for a specified automatic role transition to work. the source role + must be allowed to change manually to the target role + init: this is a bug in debian where tmpfs is mounted on /run, and so early + on in the boot process init creates /run/utmp and /run/initctl in a + tmpfs directory (/) tmpfs + init: exim init script runs various helper apps that create and manage + /var/lib/exim4/config.autogenerated.tmp file + init: the gdomap and minissdpd init scripts read the respective environ + files in /etc/default. We need to give them a private type so that we + can give the gdomap_admin() and minissdpd_admin() access to it, but it + seems overengineering to create private environ types for these files + xserver: These are no longer needed + Change behavior of init_run_daemon() + Apply direct_initrc to unconfined_r:unconfined_t -Guido Trentalancia (1): - add lost+found filesystem labels to support NSA security guidelines +Laurent Bigonville (7): + Label /bin/fusermount like /usr/bin/fusermount + Allow udev to write in /etc/udev/rules.d + Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t + Allow unconfined users to transition to dpkg_t domain + Add fcontext for rsyslog pidfile + Add fcontext for sshd pidfile and directory used for privsep + Move the ifdef at the end of the declaration block -Laurent Bigonville (21): - Add Debian locations for GDM 3 - Add Debian location for udisks helpers - Add insmod_exec_t label for kmod executable - Add Debian location for PKI files - Add Debian location for ssh-keysign - Properly label all the ssh host keys - Allow udev_t domain to read files labeled as consolekit_var_run_t - authlogin.if: Add auth_create_pam_console_data_dirs and - auth_pid_filetrans_pam_var_console interfaces - Label /etc/rc.d/init.d/x11-common as xdm_exec_t - Drop /etc/rc.d/init.d/xfree86-common filecontext definition - Label /var/run/shm as tmpfs_t for Debian - Label /var/run/motd.dynamic as initrc_var_run_t - Label /var/run/initctl as initctl_t - udev.if: Call files_search_pid instead of files_search_var_lib in - udev_manage_pid_files - Label executables in /usr/lib/NetworkManager/ as bin_t - Add support for rsyslog - Label var_lock_t as a mountpoint - Add mount_var_run_t type and allow mount_t domain to manage the files and - directories - Add initrc_t to use block_suspend capability - Label executables under /usr/lib/gnome-settings-daemon/ as bin_t - Label nut drivers that are installed in /lib/nut on Debian as bin_t +Luis Ressel (10): + Conditionally allow ssh to use gpg-agent + kernel/files.if: Add files_dontaudit_list_var interface + kernel/devices.if: Add dev_rw_loop_control interface + system/mount.if: Add mount_read_mount_loopback interface + Allow mount_t usage of /dev/loop-control + Grant kernel_t necessary permissions for loopback mounts + Use xattr-labeling for squashfs. + Label fatsort as fsadm_exec_t. + Generalize grub2 pattern + Label grub2-install as bootloader_exec_t Matthew Thode (1): - Implement zfs support - -Mika Pflüger (2): - Debian locations of gvfs and kde4 libexec binaries in /usr/lib - Explicitly label dovecot libraries lib_t for debian - -Miroslav Grepl (1): - Allow ipsec to read kernel sysctl + Extending support for SELinux on ZFS -Paul Moore (1): - flask: add the attach_queue permission to the tun_socket object class +Nicolas Iooss (2): + Label /usr/lib/sudo/sesh as shell_exec_t + Create .gitignore -Russell Coker (1): - Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for - client control - -Sven Vermeulen (27): - New location for udevd binary - Use substititions for /usr/local/lib and /etc/init.d - DHCP client's hooks create /run/dhcpc directory - Introduce init_daemon_run_dir transformation - Use the init_daemon_run_dir interface for udev - Allow initrc_t to create run dirs for core modules - Puppet uses mount output for verification - Allow syslogd to create /var/lib/syslog and - /var/lib/misc/syslog-ng.persist - Gentoo's openrc does not require initrc_exec_t for runscripts anymore - Allow init scripts to read courier configuration - Allow search within postgresql var directory for the stream connect - interface - Introduce logging_getattr_all_logs interface - Introduce logging_search_all_log_dirs interface - Support flushing routing cache - Allow init to set attributes on device_t - Introduce files_manage_all_pids interface - Gentoo openrc migrates /var/run and /var/lock data to /run(/lock) - Update files_manage_generic_locks with directory permissions - Run ipset in iptables domain - tcpdump chroots into /var/lib/tcpdump - Remove generic log label for cron location - Postgresql 9.2 connects to its unix stream socket - lvscan creates the /run/lock/lvm directory if nonexisting (v2) - Allow syslogger to manage cron log files (v2) - Allow initrc_t to read stunnel configuration - Introduce exec-check interfaces for passwd binaries and useradd binaries - chfn_t reads in file context information and executes nscd +Sven Vermeulen (7): + Add trivnet1 port (8200) + Get grub2-install to work properly + Support named file transition for fixed_disk_device_t + Allow ping to get/set capabilities + Extend slim /var/run expression + Allow semodule to create symlink in semanage_store_t + Allow capabilities for syslog-ng * Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424 Chris PeBenito (78): |