Releases: SELinuxProject/refpolicy
2.20240916
Notable Changes
- Added sechecker configuration for GitHub CI actions.
- Cleaned up concerning permissions uncovered by sechecker
- Removed extremely deprecated domains in cups (ptal) and xen (xend/xm)
- Systemd updates up to v256
- Various container fixes
New Modules
- haproxy
Full Changelog
RELEASE_2_20240226...RELEASE_2_20240916
Name | SHA-256 SUM |
---|---|
refpolicy-2.20240916.tar.bz2 | a4e39072ac91bf092a08660b246a49f3e986ca2c16402a5b1fad3ae374e8d747 |
2.20240226
Notable Changes
- Many systemd updates up to v255.
- RPM and dnf fixes
- Tighten private key handling for Apache
- Many container and kubernetes improvements
- Add support for Cilium
- Update object class definitions up to io_uring:cmd.
- Add additional rules to cloud-init based on sysadm_t.
New Modules
- cockpit
Full Changelog
RELEASE_2_20231002...RELEASE_2_20240226
Name | SHA-256 SUM |
---|---|
refpolicy-2.20240226.tar.bz2 | 7ed41f4f45189b9ee9706da8ac357eccc103651b56daabaddb54c436e8117cf9 |
2.20231002
Notable Changes
- Several Gentoo fixes ported from Gentoo policy
- Fixes for containerd/docker
- Move excessive capabilities in container_t to tunables.
- Various systemd updates and fixes
- Updated object class/permission definitions for recent kernels
- Add support for systemd memory pressure notifications protocol
- Xscreensaver updates for their newest release
- Remove interfaces deprecated before 2021
- Add tunables to control network access in:
- *_dbusd_t
- pulseaudio_t
- spamc_t
- syslogd_t
- xdm_t
- xserver_t
New Modules/Domains
- crio
- eg25manager
- iiosensorproxy
- kubernetes
- lomemorymonitor
- powerprofiles
- rasdaemon
- switcheroo
- systemd-pcrphase
- thunderbolt
Full Changelog: RELEASE_2_20221101...RELEASE_2_20231002
Name | SHA-256 SUM |
---|---|
refpolicy-2.20231002.tar.bz2 | c89cd3b2e5d99765cc24536fd8e76de83951ad23e05472350328b5a4f8bee410 |
2.20221101
Notable changes:
- Clean up MCS constraints and add missing checks for IPC and sockets.
- Many minor fixes across the policy.
New modules:
- cloud-init
- fapolicyd
- opensm
- sympa
- zfs
Name | SHA-256 SUM |
---|---|
refpolicy-2.20221101.tar.bz2 | 44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396 |
2.20220520
Notable changes:
- New support for containers using several container engines. Added udica templates.
- Defined new object classes: mctp_socket, anon_inode, io_uring
- Many minor fixes across the policy.
New modules:
- container
- docker
- matrixd
- node_exporter
- podman
- rootlesskit
Name | SHA-256 SUM |
---|---|
refpolicy-2.20220520.tar.bz2 | 0ce9771eab8771180c249baaf6e8c55dda383a2ddf94460588f9f16e5d32f1f7 |
2.20220106
Notable changes:
- Module versions were dropped. Policy module versions were removed in semodule many years ago, so they no longer serve a purpose in the policy. The `policy_module()` macro still supports the version argument. If it is missing, a default version is set, to satisfy the policy syntax.
- The MCS constraints changed to reflect the usage in systems, primarily for separating containers and VMs. To separate a domain by MCS it will now need to opt in using the `mcs_constrained()` interface.
- New support for grouping user domains and their surrogates, e.g. `user_t` surrogates `user_wm_t` and `user_systemd_t`, such that allowing the user domain to domain transition to a child domain will be allowed for surrogate domains. See pull requests #365 and #381 for more information.
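The following module is an added illustration, not code from the refpolicy tree, of what the two 2.20220106 changes above look like in a policy module, and of the per-domain network-access tunable pattern used in 2.20231002. The module name `foo`, the types `foo_t`/`foo_exec_t` and the tunable `foo_network_access` are hypothetical; `policy_module()`, `init_daemon_domain()`, `mcs_constrained()`, `gen_tunable()`, `tunable_policy()` and `corenet_tcp_connect_all_ports()` are existing refpolicy macros and interfaces.

```m4
# Added example: hypothetical foo.te for a refpolicy >= 2.20220106 tree.
# Version argument omitted; policy_module() fills in a default.
policy_module(foo)

########################################
#
# Declarations
#

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Since 2.20220106 a domain is only separated by MCS categories if it
# opts in. Without this line two foo_t instances running with different
# categories are not kept apart by the MCS constraints.
mcs_constrained(foo_t)

## <desc>
## <p>
## Allow foo_t to connect to any TCP port (hypothetical tunable,
## default off).
## </p>
## </desc>
gen_tunable(foo_network_access, false)

########################################
#
# Policy
#

# Network access is gated behind the tunable rather than granted
# unconditionally, following the 2.20231002 pattern for daemons.
tunable_policy(`foo_network_access',`
	corenet_tcp_connect_all_ports(foo_t)
')
```

`mcs_constrained()` only has an effect when the policy is built with MCS or MLS (`TYPE=mcs` or `TYPE=mls` in build.conf); under a standard build the interface expands to nothing. After loading the module, the tunable can be inspected and flipped with `getsebool`/`setsebool` like any other boolean.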
New module:
- obfs4proxy
Name | SHA-256 SUM |
---|---|
refpolicy-2.20220106.tar.bz2 | 965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6 |
2.20210908
Removed Modules:
- aiccu
- bcfg2
- callweaver
- ccs
- cipe
- clockspeed
- clogd
- cmirrord
- dcc
- denyhosts
- dspam
- ddcprobe
- howl
- imaze
- jockey
- ktalk
- lockdev
- mailscanner
- oav
- polipo
- pyicqt
- rgmanager
- rhcs
- ricci
Notable changes:
- Use `user_fonts_config_t` in user font dirs, instead of `xdg_config_t`.
- Add a `secure_mode_boolean` to disable boolean changing. Change generic booleans to `boolean_t`.
- Drop second parameter of `systemd_tmpfilesd_managed()`.
- Add a new type for ICMP packets.
- Add support for the blkmapd RPC service.
- Set ubifs as an extended attribute handling filesystem.
- Many other minor rule fixes.
Name | SHA-256 SUM |
---|---|
refpolicy-2.20210908.tar.bz2 | 4d3140d9fbb91322f5de36d73959464ce1d8946dcd149e36fcaf60e92444e902 |
2.20210203
Added modules:
- certbot
- memlockd
Removed modules:
- consolekit
- dnssectrigger
- hal
- hotplug
- kdumpgui
- keyboardd
- kudzu
- pcmcia
- readahead
- rhgb
- roundup
- smoltclient
- speedtouch
- firewallgui
- gift
- podsleuth
- ptchown
- sambagui
- w3c
- xprint
- yam
Changes:
- ACPI shutdown fixes.
- Revised policy style based on suggestions from SELint.
- Add file context specs for unbound.
- Update systemd for SELinux status page use.
- Several corosync and pacemaker updates.
- Improve support for handling cryptsetup and veritysetup devices.
- Openrc Gentoo updates.
- Added support for systemd-socket-proxyd.
- Move XDG rules to userdomain.
- Add `-E` option to setfiles commands.
- Dropped deprecated `udev_tbl_t` support.
- Chromium updates along with X server DRI.
- Removed interfaces deprecated 2018 or earlier.
- Add rspamd support in spamassassin.
- Add support for `acme.sh` to certbot.
- Improvements to the monolithic build process.
- Several other minor fixes.
Name | SHA-256 SUM |
---|---|
refpolicy-2.20210203.tar.bz2 | 48cbf2c63ff9003bef05e03c8d3cdddb4e8f63fef2a072ae51c987301f0b874d |
2.20200818
New modules:
- usbguard
- aptcacher
Changes:
- Renamed "pid" interfaces to "runtime" interfaces to match the *_var_run_t to *_runtime_t rename
- Merge systemd generator domains
- Several systemd updates
- Set value of build options to "true" so m4 ifelse can be used
- Revise relabeling access to prevent relabeling to unlabeled_t
- Makefile, Vagrant, and m4 improvements
- First pass of cleanups from SELint
- Clean up domains that had user tty or pty access but could be used from either
- Add various inotify watch permissions
- Add rules for apt-cacher-ng and acngtool
- Add support for generating nft tables to gennetfilter
- Many more minor fixes across the policy
Removals:
- Drop Python 2 compatibility code from genhomedircon.py
- Remove unlabeled packet access
- Remove ada module
Name | SHA-256 SUM |
---|---|
refpolicy-2.20200818.tar.bz2 | 1488f9b94060de28addbcb29fb8437ee0d75cba15e11280dd9dfa3e09986f57b |
2.20200229
This release includes several new modules:
- cryfs
- consolesetup
- knot
- tpm2
- wireguard
Changes:
- *_var_run_t types are renamed to *_runtime_t to remove the path from the type name
- Added inotify watch permissions defined and added to systemd and other common services
- Defined perf_event object class
- Reimplemented fc_sort in Python
- Added file contexts lint tool in Travis CI build
- Updated Vagrant tooling for refpolicy testing on Fedora and Debian VMs
- Added general interfaces for systemd bind mount points
- Many more minor fixes across the policy
Removals:
- Removed obsolete permissions
This release requires SELinux userspace 2.8 or higher and Python 3.4 to build.
Name | SHA-256 SUM |
---|---|
refpolicy-2.20200229.tar.bz2 | dec854512ed00cd057408f330c2cea4de7a4405f7a147458f59c994bf578e4b0 |