Notable Changes

• Many systemd updates up to v255.
• RPM and dnf fixes
• Tighten private key handling for Apache
• Many container and kubernetes improvements
• Add support for Cilium
• Update object class definitions up to io_uring:cmd.
• Add additional rules to cloud-init based on sysadm_t.

New Modules

• cockpit

Full Changelog

RELEASE_2_20231002...RELEASE_2_20240226

Notable Changes

• Several Gentoo fixes ported from Gentoo policy
• Fixes for containerd/docker
• Move excessive capabilities in container_t to tunables.
• Various systemd updates and fixes
• Updated object class/permission definitions for recent kernels
• Add support for systemd memory pressure notifications protocol
• Xscreensaver updates for their newest release
• Remove interfaces deprecated before 2021
• Add tunables to control network access in:
  • *_dbusd_t
  • pulseaudio_t
  • spamc_t
  • syslogd_t
  • xdm_t
  • xserver_t

New Modules/Domains

• crio
• eg25manager
• iiosensorproxy
• kubernetes
• lomemorymonitor
• powerprofiles
• rasdaemon
• switcheroo
• systemd-pcrphrase
• thunderbolt

Full Changelog: RELEASE_2_20221101...RELEASE_2_20231002

Notable changes:

• Clean up MCS constraints and add missing checks for IPC and sockers.
• Many minor fixes across the policy.

New modules:

• cloud-init
• fapolicyd
• opensm
• sympa
• zfs

Notable changes:

• New support for containers using several container engines. Added udica templates.
• Defined new object classes: mctp_socket, anon_inode, io_uring
• Many minor fixes across the policy.

New modules:

• container
• docker
• matrixd
• node_exporter
• podman
• rootlesskit

Notable changes:

• Module versions were dropped. Policy module versions were removed in semodule many years ago, so they no longer serve a purpose in the policy. The policy_module() macro still supports the version argument. If it is missing, a default version is set, to satisfy the policy syntax.
• The MCS constraints changed to reflect the usage in systems, primarily for separating containers and VMs. To separate a domain by MCS it will now need to opt in using the mcs_constrained() interface.
• New support for grouping user domains and their surrogates, e.g. user_t surrogates user_wm_t and user_systemd_t, such that allowing the user domain to domain transition to a child domain will be allowed for surrogate domains. See pull requests #365 and #381 for more information.

New module:

• obfs4proxy

Removed Modules:

• aiccu
• bcfg2
• callweaver
• ccs
• cipe
• clockspeed
• clogd
• cmirrord
• dcc
• denyhosts
• dspam
• ddcprobe
• howl
• imaze
• jockey
• ktalk
• lockdev
• mailscanner
• oav
• polipo
• pyicqt
• rgmanager
• rhcs
• ricci

Notable changes:

• Use user_fonts_config_t in user font dirs, instead of xdg_config_t.
• Add a secure_mode_boolean to disable boolean changing. Change generic booleans to boolean_t.
• Drop second parameter of systemd_tmpfilesd_managed().
• Add a new type for ICMP packets.
• Add support for the blkmapd RPC service.
• Set ubifs as an extended attribute handling filesystem.
• Many other minor rule fixes.

Added modules:

• certbot
• memlockd

Removed modules:

• consolekit
• dnssectrigger
• hal
• hotplug
• kdumpgui
• keyboardd
• kudzu
• pcmcia
• readahead
• rhgb
• roundup
• smoltclient
• speedtouch
• firewallgui
• gift
• podsleuth
• ptchown
• sambagui
• w3c
• xprint
• yam

Changes:

• ACPI shutdown fixes.
• Revised policy style based on suggestions from SELint.
• Add file context specs for unbound.
• Update systemd for SELinux status page use.
• Several corosync and pacemaker updates.
• Improve support for handling cryptsetup and veritysetup devices.
• Openrc Gentoo updates.
• Added support for systemd-socket-proxyd.
• Move XDG rules to userdomain.
• Add -E option to setfiles commands
• Dropped deprecated udev_tbl_t support.
• Chromium updates along with X server DRI.
• Removed interfaces deprecated 2018 or earlier.
• Add rspamd support in spamassassin
• Add support for acme.sh to certbot
• Improvements to the monolithic build process
• Several other minor fixes.

New modules:

• usbguard
• aptcacher

Changes:

• Renamed "pid" interfaces to "runtime" interfaces to match the *_var_run_t to *_runtime_t rename
• Merge systemd generator domains
• Several systemd updates
• Set value of build options to "true" so m4 ifelse can be used
• Revise relabeling access to prevent relabeling to unlabeled_t
• Makefile, Vagrant, and m4 improvements
• First pass of cleanups from SELint
• Clean up domains that had user tty or pty access but could be used from either
• Add various inotify watch permissions
• Add rules for apt-catcher-ng and acngtool
• Add support for generating nft tables to gennetfilter
• Many more minor fixes across the policy

Removals:

• Drop Python 2 compatibility code from genhomedircon.py
• Remove unlabeled packet access
• Remove ada module

This release includes several new modules:

• cryfs
• consolesetup
• knot
• tpm2
• wireguard

Changes:

• *_var_run_t types are renamed to *_runtime_t to remove the path from the type name
• Added inotify watch permissions defined and added to systemd and other common services
• Defined perf_event object class
• Reimplemented fc_sort in Python
• Added file contexts lint tool in Travis CI build
• Updated Vagrant tooling for refpolicy testing on Fedora and Debian VMs
• Added general interfaces for systemd bind mount points
• Many more minor fixes across the policy

Removals:

• Removed obsolete permissions

This release requires SELinux userspace 2.8 or higher and Python 3.4 to build.

This release includes one new module (stubby) and several systemd updates, including initial support for systemd --user sessions.

This release requires SELinux userspace 2.8 or higher and Python 3 to build.

79 files changed, 1329 insertions, 191 deletions