public inbox for gentoo-commits@lists.gentoo.org
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Tue, 15 Jul 2025 07:54:15 +0000 (UTC)
Message-ID: <1752565943.a04001906d684a477ff1d0747bcdfe4270ac6d7f.perfinion@gentoo>

commit:     a04001906d684a477ff1d0747bcdfe4270ac6d7f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun 18 18:02:16 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0400190

Update Changelog and VERSION for release 2.20250618.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 Changelog | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 105 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 0527405ac..5795df588 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,107 @@
+* Wed Jun 18 2025 Chris PeBenito <pebenito@ieee.org> - 2.20250618
+Antonio Enrico Russo (1):
+      Remove unneeded backticks from gen_tunable
+
+Benstone Zhang (1):
+      filesystem: support bcachefs
+
+Chris PeBenito (57):
+      lvm: Add fc entries for veritysetup.
+      bootloader: Chane efibootmgr from fsadm.
+      lldpad: Configure FW-LLDP on i40e NICs.
+      networkmanager: Watch systemd directories for nm-session-monitor.
+      systemd: Add log env to systemd-machine-id-setup.
+      validate-policy.yml: Change sechecker output to stdout and use tee to
+         collect the log.
+
+Clayton Casciato (15):
+      chronyd: fix dac_read_search denials
+      unconfined: fix oddjob security_compute_sid
+      firewalld: fix lib_t Python cache denial auditing
+      firewalld: fix firewalld_t firewalld_tmpfs_t exec
+      files, init: filetrans /run/machine-id etc_runtime_t
+      locallogin: dontaudit sulogin_t checkpoint_restore
+      locallogin: allow sulogin_t unconfined domtrans
+      locallogin: allow sulogin_t user_tty_device_t rw
+      oddjob: allow oddjob_mkhomedir_t privfd:fd use
+      oddjob: allow oddjob_mkhomedir_t user_terminals
+      systemd: allow systemd_generator_t use user ttys
+      files: add files_delete_var_chr_files interface
+      unconfined: allow firewalld_t unconfined_t:dbus send_msg
+      chronyd: allow chronyd_t kernel_t:system module_request
+      ssh: allow sshd_t kernel_t:system module_request
+
+Daniel Burgener (1):
+      Don't build the fc subs dist install path in the builtappfiles target
+
+Daniel De Graaf (1):
+      systemd: allow reading /dev/cpu/0/msr
+
+Dave Sugar (7):
+      Fix mislabeling of /etc/shadow
+      Module for ipmitool
+      Label snmp unit files
+      NNP transition interface for dmesg
+      Let modules-load.d call commands from modprobe.d
+      NNP transition interface for chronyc
+      fix building when dbus module is not enabled
+
+Guido Trentalancia (6):
+      Add the minimum set of additional permissions to the screen module, as
+         required to run version 5.
+      Revert db33386c014fce3890b0b3832a605bc5d1762d8c
+      Improve the style of the screen module by removing a recently added
+         unneeded interface.
+      Fix the file context definition for the screen utility executable file
+         according to the new install rules in place since at least version
+         4.5.1.
+      Since version 5.0.1 the screen utility also requires the
+         CAP_DAC_READ_SEARCH capability.
+      Add a comment in the xserver module about the need to read and write
+         xserver tmpfs files for the Qt library version 5 (boolean).
+
+Maciej Czarnecki (2):
+      Allow to specify module version
+      fixup! Allow to specify module version
+
+Nicolas PARLANT (4):
+      Add setcap to knotd / add knotc_initrc_domtrans
+      use init_use_script_ptys for knotc in initscript
+      sshd: label sshd-auth as sshd_exec_t #797
+
+Pat Riehecky (1):
+      Permit init_t to start a detached screen session
+
+Rahul Sandhu (1):
+      auditd: don't grant write as implied by manage_files_pattern for logs
+
+Russell Coker (15):
+      This patch removed the sysadmin capability from cups.  This is the one
+         change needed to dramatically reduce the potential damage from a
+         compromise of cupsd.
+      Policy for needrestart to run with minimum privs so it can't be exploited
+      Policy for the userspace feedback daemon for handsets, for vibration etc
+      Fix for thunderbolt, laben the run dir, dontaudit the net_admin capability
+         for the usual reasons, allow writing to sysfs for the force_power file,
+         and allow reading udev runtime files
+      New version of the kea PR with the order issues fixed
+      Made the changes requested
+      File contexts for new files for xdm/xserver
+      apt and aptcacher changes
+      Updates for recent versions of ntpd interacting with systemd
+      Some small phone related patches
+      fwupd-fixed-more (#928)
+      changed the order as requested
+      changed the netlink_route_socket operations to { create_socket_perms
+         nlmsg_write } as requested
+      networking (#937)
+      device (#939)
+
+Yi Zhao (2):
+      systemd: allow system --user to get attributes of nsfs inodes
+      systemd: allow systemd-hostnamed and systemd-rfkill to get attributes of
+         nsfs inodes
+
 * Thu Feb 13 2025 Chris PeBenito <pebenito@ieee.org> - 2.20250213
 Björn Esser (1):
       authlogin: fix regex for /etc/tcb
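
Review bot: The per-author counts in the added 2.20250618 block do not match the entries listed under them: "Chris PeBenito (57)" is followed by 6 subjects and "Nicolas PARLANT (4)" by 3, while the other authors' counts agree with their lists. If entries were filtered out after the counts were generated, regenerate the counts from the filtered list or note the filtering in the Changelog, so a reader auditing which policy changes shipped in this release is not left looking for 52 missing items. Several subjects also cannot be read as release notes on their own: "Made the changes requested", "changed the order as requested", the unsquashed "fixup! Allow to specify module version", and "Revert db33386c014fce3890b0b3832a605bc5d1762d8c", which gives no hint of what was reverted. Two entries carry typos ("Chane efibootmgr from fsadm", "laben the run dir"). Since these mirror upstream commit subjects, a short hand-written summary line for the permission-affecting changes (the cups sysadmin capability removal, the auditd log write change, the /etc/shadow labeling fix) would make the block more useful to anyone reviewing the policy delta.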

diff --git a/VERSION b/VERSION
index 22fcf3aad..e64e7b05d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20250213
+2.20250618

