I just tagged DSSP2 v2.1. It has been just over three months since I moved the policy from GitHub and imported DSSP2 as v2.0. Some of the more notable changes since then are:
- Add policy needed to host DSSP2: Gitweb, git-http-backend, Confined Git shell, Git daemon.
- The RPM domain has been reworked. It is now stricter, in particular when the unconfined module is disabled.
- Reworked sec_file and auth_file: Added support for conditional access, and removed direct access with shell. You can now only access these files with the appropriate API.
- Added support for fsnotify (Linux 5.4)
- Added initial support for audit_enable
- Did a lot of re-ordering of access vectors to deal with compatibility with legacy interfaces (Debian)
- DSSP2 works with Debian Buster/Sid (Minimal installation w/o printing server)
- Some initial work has been done to support “Split” libvirt. Libvirt is splitting into individual socket activatable components and that allows for privilege separation.
- DSSP2 works with CentOS 8.0 (Minimal installation w/o printing server)
- Some work on making Fedora 31/CentOS Workstation (GNOME) work. It should currently work for unconfined users; confined users are currently unsupported in this scenario.
- Support /var/run: After almost 10 years there is still just too much legacy referencing /var/run.
- Added various new modules
… And much more