Update Changelog and VERSION for release 2.20240916.

Signed-off-by: Chris PeBenito <[email protected]>

Changelog

@@ -1,3 +1,139 @@
+* Mon Sep 16 2024 Chris PeBenito <[email protected]> - 2.20240916
+Amisha Jain (1):
+      Sepolicy changes for bluez to access uhid
+
+Chris PeBenito (54):
+      uml: Remove excessive access from user domains on uml_exec_t.
+      cron: Use raw entrypoint rule for system_cronjob_t.
+      docker: Fix dockerc typo in container_engine_executable_file
+      minissdpd: Revoke kernel module loading permissions.
+      xen: Revoke kernel module loading permissions.
+      cups: Remove PTAL.
+      xen: Drop xend/xm stack.
+      certbot: Drop execmem.
+      cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
+      tests.yml: Add sechecker testing.
+      systemd: Add basic systemd-analyze rules.
+      cloudinit: Add support for cloud-init-growpart.
+      filesystem/systemd: memory.pressure fixes.
+      init: Add homectl dbus access.
+      device: Move dev_rw_uhid definition.
+      devices: Change dev_rw_uhid() to use a policy pattern.
+      tests.yml: Divide into reusable workflows.
+      tests.yml: Add policy diff on PRs.
+      bluetooth: Move line.
+
+Christian Göttsche (4):
+      getty: grant checkpoint_restore
+      quote: read localization
+      systemd: allow notify client to stat socket
+      Makefile: drop duplicate quotes
+
+Dave Sugar (4):
+      Setup domain for dbus selinux interface
+      Update SOS report to work on RHEL9
+      Need map perm for cockpit 300.4
+      Additional permissions when fapolicyd.conf more strict
+
+Dmitry Sharshakov (1):
+      filesystem, devices: move gadgetfs to usbfs_t
+
+Grzegorz Filo (1):
+      files context for merged-usr profile on gentoo
+
+Guido Trentalancia (1):
+      Allow interactive user terminal output for the NetLabel management tool.
+
+Kenton Groombridge (46):
+      init: allow systemd to use sshd pidfds
+      fail2ban: allow reading net sysctls
+      dovecot: allow dovecot-auth to read SASL keytab
+      userdom: allow users to read user home dir symlinks
+      postgres: add a standalone execmem tunable
+      asterisk: allow binding to all unreserved UDP ports
+      bootloader: allow systemd-boot to manage EFI binaries
+      matrixd: add tunable for binding to all unreserved ports
+      container: allow system container engines to mmap runtime files
+      container: allow containers to getcap
+      systemd: allow systemd-sysctl to search tmpfs
+      container, podman: various fixes
+      container, crio, kubernetes: minor fixes
+      various: various fixes
+      systemd: allow systemd-logind to use sshd pidfds
+      sysnetwork: allow ifconfig to read usr files
+      postfix: allow smtpd to mmap SASL keytab files
+      sudo: allow systemd-logind to read cgroup state of sudo
+      su, sudo: allow sudo to signal all su domains
+      asterisk: allow watching spool dirs
+      dbus, init: add interface for pidfd usage
+      init: use pidfds from local login
+      haproxy: initial policy
+      sysadm: make haproxy admin
+      container: allow containers to execute tmpfs files
+      node_exporter: allow reading localization
+      netutils: allow ping to read net sysctls
+      postfix: allow postfix pipe to watch mail spool
+      asterisk: allow reading certbot lib
+      node_exporter: allow reading RPC sysctls
+      systemd: allow logind to use locallogin pidfds
+      sshd: label sshd-session as sshd_exec_t
+      iptables: allow reading usr files
+      podman: allow managing init runtime units
+      haproxy: allow interactive usage
+      kubernetes: allow kubelet to create unlabeled dirs
+      container: allow super privileged containers to manage BPF dirs
+      dbus: dontaudit session bus domains the netadmin capability
+      container, kubernetes: add supporting rules for kubevirt and multus
+      container: allow spc various rules for kubevirt
+      iptables: allow reading container engine tmp files
+      container: add container_kvm_t and supporting kubevirt rules
+      various: rules required for DV manipulation in kubevirt
+      testing: add container_kvm_t to net admin exempt list
+      container: allow reading generic certs
+      kubernetes: allow kubelet to connect all TCP ports
+
+Matt Sheets (1):
+      Allow systemd to pass down sig mask
+
+Naga Bhavani Akella (3):
+      Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix
+         stream sockets.
+      Setting bluetooth helper domain for bluetoothctl
+      Adding SE Policy rules to allow usage of unix stream sockets by dbus and
+         bluetooth contexts when Gatt notifications are turned on by remote.
+
+Raghavender Reddy Bujala (1):
+      Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
+
+Rick Alther (2):
+      fix: minor correction in MCS_CATS range comment
+      Set the type on /etc/machine-info to net_conf_t so hostnamectl can
+         manipulate it (CRUD)
+
+Yi Zhao (12):
+      sysnetwork: fixes for dhcpcd
+      newrole: allow newrole to search faillock runtime directory
+      selinuxutil: make policykit optional
+      userdomain: allow administrative user to get attributes of shadow history
+         file
+      systemd: make xdg optional
+      systemd: set context to systemd_networkd_var_lib_t for
+         /var/lib/systemd/network
+      systemd: allow systemd-networkd to manage sock files under
+         /run/systemd/netif
+      systemd: allow system --user to create netlink_route_socket
+      systemd: add policy for systemd-nsresourced
+      devices: add label vsock_device_t for /dev/vsock
+      systemd: fix policy for systemd-ssh-generator
+      systemd: allow systemd-hostnamed to read vsock device
+
+freedom1b2830 (2):
+      Reorder perms and classes
+      Reorder perms and classes
+
+nisbet-hubbard (1):
+      Update mysql.fc
+
 * Mon Feb 26 2024 Chris PeBenito <[email protected]> - 2.20240226
 Chris PeBenito (174):
       tests.yml: Pin ubuntu 20.04.

VERSION

@@ -1 +1 @@
-2.20240226
+2.20240916