-
Notifications
You must be signed in to change notification settings - Fork 138
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update Changelog and VERSION for release 2.20221101.
Signed-off-by: Chris PeBenito <[email protected]>
- Loading branch information
Showing
2 changed files
with
205 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,207 @@ | ||
| * Tue Nov 01 2022 Chris PeBenito <[email protected]> - 2.20221101 | ||
| Chris PeBenito (46): | ||
| systemd: Drop systemd_detect_virt_t. | ||
| fstools: Handle resizes of the root filesystem. | ||
| mount: Get the attributes of all filesystems. | ||
| rpm: Add dnf and tdnf labeling. | ||
| logging: Change to systemd interface for tmpfilesd. | ||
| systemd: Remove systemd-run domain. | ||
| unconfined: Add missing capability2 perms. | ||
| lvm: Updates for multipath LVM. | ||
| locallogin: Use init file descriptors. | ||
| systemd: Misc fixes. | ||
| isns: Updates from testing. | ||
| container, docker: Fixes for containerd and kubernetes testing. | ||
| devices: Add type for SAS management devices. | ||
| devices: Add file context for /dev/vhost-vsock. | ||
| iptables: Ioctl cgroup dirs. | ||
| devices: Add type for infiniband devices. | ||
| storage: Add fc for /dev/ng*n* devices. | ||
| files: Add prerequisite access for files_mounton_non_security(). | ||
| files: Make etc_runtime_t a config file. | ||
| systemd: Fixes for coredumps in containers. | ||
| container: Allow container engines to connect to http cache ports. | ||
| container: Getattr generic device nodes. | ||
| application: Allow apps to use init fds. | ||
| systemd: Misc updates. | ||
| filesystem: Move ecryptfs interface definitions. | ||
| mcs: Add additional SysV IPC constraints. | ||
| mcs: Collapse constraints. | ||
| mcs: Add additional socket constraints. | ||
| mcs: Add missing process permission constraints. | ||
| mcs: Remove duplicate node_bind constraint. | ||
| mcs: Reorganize file. | ||
| mls: Add setsockcreate constraint. | ||
| systemd: Add interface for systemctl exec. | ||
| Add cloud-init. | ||
| hypervkvp: Port updated module from Fedora policy. | ||
| init: Add tunable for systemd to create all its mountpoints. | ||
| Run Ci tests in parallel. | ||
| Revise userspace and SELint versions in CI | ||
| fapolicyd: Fix selint issue. | ||
| tests.yml: Remove irrelevant comment. | ||
| Drop audit_access allows. | ||
| sympa: Move lines. | ||
| sympa: Drop module version. | ||
| sympa, mta, exim: Revise interfaces. | ||
| sympa, logging; Fix lint errors. | ||
| container: Add missing UDP node bind access on container engines. | ||
|
|
||
| Christian Göttsche (3): | ||
| Replace deprecated egrep usage | ||
| ci: update dependencies | ||
| ci: build SELint from source | ||
|
|
||
| Daniel Burgener (1): | ||
| Drop explicit calls to seutil and kernel module interfaces in broad files | ||
| interfaces | ||
|
|
||
| Dave Sugar (20): | ||
| ssh: allow ssh_keygen to read /usr/share/crypto-policies/ | ||
| chronyd: Allow to read fips_enabled sysctl | ||
| chronyd: allow chronyd to read /usr/share/crypto-policies | ||
| systemd: init_t creates systemd-logind 'linger' directory | ||
| systemd: systemd-update-done fix startup issue | ||
| usbguard: Allow to read fips_enabled sysctl | ||
| firewalld: read to read fips_enabled sysctl | ||
| firewalld: create netfilter socket | ||
| firewalld: allow to load kernel modules | ||
| firewalld: write tmpfs files | ||
| firewalld: firewalld-cmd uses dbus | ||
| tpm2-abrmd: allow to send syslog messages | ||
| domain: move kernel_read_crypto_sysctls to a common location | ||
| fapolicyd: Initial SELinux policy | ||
| networkmanager: allow watch etc_t and lib_t | ||
| firewalld: allow watch on firewalld files | ||
| Seeing long delay during shutdown saying: 'A stop job is running for | ||
| Restore /run/initramfs on shutdown' | ||
| fix: issue #550 - compile failed when DIRECT_INITRC=y | ||
| fapolicyd: fagenrules chgrp's the compiled.rules | ||
| Add 'DIRECT_INITRC' config to automated tests | ||
|
|
||
| Kenton Groombridge (95): | ||
| systemd: add separate type for user transient units | ||
| systemd: rename user runtime unit interfaces | ||
| docker, podman: use renamed user runtime unit status interface | ||
| systemd: rename status user mananger units interface | ||
| systemd: systemd-resolved is linked to libselinux | ||
| systemd: dontaudit systemd-generator getattr on all dirs | ||
| raid: allow mdadm to use user ptys | ||
| bootloader, files: allow bootloader to getattr on boot_t filesystems | ||
| matrixd: various fixes | ||
| container: add unconfined role | ||
| unconfined: use unconfined container role | ||
| podman: add interface to rangetrans when executing conmon | ||
| podman: rework conmon rules | ||
| podman: add file context for podman in /usr/libexec | ||
| container: rework combined role interfaces | ||
| podman: typealias podman_user_conmon_t to podman_conmon_user_t | ||
| fail2ban: allow fail2ban to getsched on its processes | ||
| modutils: allow kmod to write to kmsg | ||
| postfix: allow postfix-map to read certbot certs | ||
| postfix: allow postfix master to get the state of init | ||
| postfix: allow postfix master fsetid capability | ||
| bind: fixes for named working on dnssec files | ||
| sudo: allow sudo domains to create netlink selinux sockets | ||
| sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve | ||
| container: allow containers to manipulate own fds | ||
| container: allow container engines to manage tmp symlinks | ||
| ssh: add tunable to allow sshd to use remote port forwarding | ||
| systemd: minor fixes to systemd user domains | ||
| init, systemd: allow unpriv users to read the catalog | ||
| container: add separate type for container engine units | ||
| container, podman: allow podman to restart container units | ||
| spamassassin: add file context for rspamd log directory | ||
| term, init: allow systemd to watch and watch reads on unallocated ttys | ||
| certbot: various fixes | ||
| systemd: add file transition for systemd-networkd runtime | ||
| systemd: add missing file context for /run/systemd/network | ||
| systemd: add file contexts for systemd-network-generator | ||
| systemd, udev: allow udev to read systemd-networkd runtime | ||
| systemd: allow systemd-networkd to read init runtime files | ||
| podman: add alias for conmon executable | ||
| systemd: ensure connecting to resolved allows searching init runtime | ||
| ssh: allow sshd to run setfiles when polyinstantiation is enabled | ||
| sudo: allow sudo domains to access caller's /proc/pid/stat | ||
| container: add file contexts for docker home config | ||
| files, init: allow systemd to remount etc filesystems | ||
| systemd: allow systemd-logind to read localization | ||
| init: fix possible typo | ||
| corecmd: label dracut lib as bin_t | ||
| sudo: various fixes | ||
| udev: various fixes for udevadm | ||
| bootloader, init: various fixes for systemd-boot | ||
| systemd: allow systemd-generator to read etc runtime files | ||
| systemd: add interface to read userdb runtime files | ||
| logging: various fixes for auditctl | ||
| screen: add interface to dontaudit runtime sock file | ||
| systemd: dontaudit systemd-tmpfiles getattr on screen sock file | ||
| systemd: dontaudit systemd-tmpfiles getattr on all dirs | ||
| fstools: fixes for fsadm with nfs | ||
| various: fixes for nfs | ||
| init: dontaudit initrc creating /dev/console during initrd | ||
| storage: include chr_files in fixed_disk_dev interfaces | ||
| systemd: allow systemd-userdbd to search default contexts | ||
| logging, systemd: allow auditctl to list userdb runtime dirs | ||
| bootloader, userdom: minor fixes for systemd-boot | ||
| systemd: allow systemd-resolved to read generic certs | ||
| sysadm: allow sysadm to rw ipmi devices | ||
| zfs: initial policy module | ||
| fstools, mount: remove legacy zfs rules | ||
| files, mount: remove legacy ZFS file contexts | ||
| sysadm: allow admin access to zfs | ||
| kernel: allow kthreads to read and write the zpool cache | ||
| systemd, zfs: allow systemd-generator to read zfs config | ||
| udev: allow reading ZFS config | ||
| zfs: various fixes | ||
| mta: add support for nullmailer | ||
| devices: add interface to rw infiniband devices | ||
| xdg: add interface to dontaudit searching xdg data dirs | ||
| opensm: initial policy | ||
| sysadm: allow opensm access | ||
| corenet: add portcon for glusterfs | ||
| glusterfs: various fixes | ||
| glusterfs: add type for gluster bricks | ||
| mount: allow mounting glusterfs volumes | ||
| selinuxutil: allow semanage, setfiles to inherit gluster fds | ||
| glusterfs, selinuxutil: make modifying fcontexts a tunable | ||
| glusterfs: add type for glusterd hooks | ||
| usermanage: add file context for chpasswd in /usr/bin | ||
| node_exporter: add file context for node_exporter in /usr/bin | ||
| usbguard: add file context for usbguard in /usr/bin | ||
| init: add file context for systemd units in dracut modules | ||
| git: add file contexts for other git utilities | ||
| dbus, init, mount, rpc: minor fixes for mount.nfs | ||
| zfs: allow reading exports | ||
| systemd: allow systemd-generator to use dns resolution | ||
| rpc: allow rpc admins to rw nfsd fs | ||
|
|
||
| Pat Riehecky (2): | ||
| container: Boolean for ecryptfs | ||
| Clone `xguest_connect_network` for guest role | ||
|
|
||
| Russell Coker (1): | ||
| Sympa list server | ||
|
|
||
| Yi Zhao (16): | ||
| systemd: allow systemd user to watch /etc directories | ||
| logwatch: fixes for logwatch | ||
| postfix: allow postfix_local_t to search logwatch_cache_t | ||
| sysnetwork: allow systemd_networkd_t to read link file | ||
| logging: allow systemd-journal to manage syslogd_runtime_t sock_file | ||
| radius: fixes for freeradius | ||
| udev: allow udev_read_runtime_files to read link files | ||
| watchdog: allow watchdog to create /var/log/watchdog directory | ||
| systemd: allow systemd-resolved to manage link files | ||
| sysnetwork: fix privilege separation functionality of dhcpcd | ||
| sysnetwork: allow dhcpcd to send and receive messages from systemd | ||
| resolved | ||
| rpm: add label for dnf-automatic and dnf-3 | ||
| systemd: allow systemd-backlight to read kernel sysctl settings | ||
| systemd: allow systemd-rfkill to get attributes of all fs | ||
| systemd: allow systemd-hostnamed to read selinux configuration files | ||
| systemd: add capability sys_admin to systemd_generator_t | ||
|
|
||
| * Fri May 20 2022 Chris PeBenito <[email protected]> - 2.20220520 | ||
| Björn Esser (1): | ||
| authlogin: add fcontext for tcb | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 2.20220520 | ||
| 2.20221101 |