2.3.6

@dmulder released this 27 Feb 22:34 (commit 28d3786)

What's Changed

Highlights

  • Intune Custom Compliance is now supported (no longer experimental).
    Custom Compliance enforcement is now applied by default, with significant reliability and compatibility improvements.
  • Improved security policy integration across distributions (notably SELinux behavior and Debian/RPM packaging lifecycle handling).
  • Multiple reliability fixes for TPM-backed credentials, PAM flows, daemon/client communication, and SSO broker compatibility.

Intune / Compliance

  • Promoted Intune Custom Compliance from experimental to supported/default behavior.
  • Improved compliance script execution compatibility:
    • supports CSE payloads without shebangs (and handles binary payloads safely),
    • tolerates non-zero script exits and uses output-based handling,
    • normalizes line endings,
    • avoids unnecessary writable permissions on generated scripts.
  • Fixed policy evaluation logic for distro-version requirements by grouping relevant policy sets and marking non-applicable checks correctly.
  • Added additional policy debug logging to aid enrollment/compliance troubleshooting.
  • Closed custom compliance script handles before execution to avoid execution edge cases.
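The script-handling rules in the list above (shebang detection, binary payloads, line-ending normalization, non-writable script files, handles closed before execution, output-based result handling) sketched as a small Rust program. This is an added illustration, not Himmelblau's own code: the NUL-byte heuristic for "binary", the /bin/sh default interpreter, the 0o500 file mode and the temp-file path are all assumptions chosen for the example.

```rust
// Added example (not Himmelblau code): safe preparation and execution of an
// Intune custom-compliance script payload.
use std::fs;
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;
use std::process::Command;

/// Heuristic (assumption): a payload containing a NUL byte is a binary
/// executable, so it is written as-is and never rewritten as text.
pub fn is_binary(payload: &[u8]) -> bool {
    payload.contains(&0u8)
}

/// A script that already names its interpreter starts with "#!".
pub fn has_shebang(payload: &[u8]) -> bool {
    payload.starts_with(b"#!")
}

/// Convert CRLF and lone CR to LF so a script authored on Windows
/// does not fail with "\r: command not found" under sh.
pub fn normalize_line_endings(payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(payload.len());
    let mut i = 0;
    while i < payload.len() {
        if payload[i] == b'\r' {
            out.push(b'\n');
            if i + 1 < payload.len() && payload[i + 1] == b'\n' {
                i += 1; // swallow the LF of a CRLF pair
            }
        } else {
            out.push(payload[i]);
        }
        i += 1;
    }
    out
}

/// Text payloads get normalized endings and a default /bin/sh shebang
/// (assumed default) when none is present; binary payloads are untouched.
pub fn prepare_script(payload: &[u8]) -> Vec<u8> {
    if is_binary(payload) {
        return payload.to_vec();
    }
    let mut body = normalize_line_endings(payload);
    if !has_shebang(&body) {
        let mut with_shebang = b"#!/bin/sh\n".to_vec();
        with_shebang.append(&mut body);
        body = with_shebang;
    }
    body
}

/// Write the script owner-read+execute only (0o500, assumed policy): nothing
/// needs to modify it after this point, and a writable script is a tampering
/// target. The handle is dropped before the function returns, so the file is
/// fully closed before anything executes it.
pub fn write_script(path: &Path, payload: &[u8]) -> std::io::Result<()> {
    let _ = fs::remove_file(path); // a stale 0o500 copy could not be truncated
    let mut file = fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o500)
        .open(path)?;
    file.write_all(&prepare_script(payload))?;
    file.sync_all()?;
    drop(file);
    Ok(())
}

/// Permission bits of the written script, for verification.
pub fn script_mode(path: &Path) -> std::io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Run the script and return its stdout. Intune custom-compliance scripts
/// report their result as JSON on stdout, so a non-zero exit status is logged
/// but does not by itself discard the output.
pub fn run_script(path: &Path) -> std::io::Result<String> {
    let output = Command::new(path).output()?;
    if !output.status.success() {
        eprintln!("compliance script exited with {}; using its output", output.status);
    }
    Ok(String::from_utf8_lossy(&output.stdout).into_owned())
}

fn main() -> std::io::Result<()> {
    // Constructed sample payload: CRLF endings, no shebang, non-zero exit.
    let payload = b"echo '{\"Compliant\": true}'\r\nexit 3\r\n";
    let path = std::env::temp_dir().join("himmelblau_example_compliance.sh");
    write_script(&path, payload)?;
    println!("mode: {:o}", script_mode(&path)?);
    println!("output: {}", run_script(&path)?.trim());
    fs::remove_file(&path)?;
    Ok(())
}
```

The ordering matters: `prepare_script` decides text versus binary before any rewriting, `write_script` closes the file before returning, and only then is the path handed to `run_script`, which treats stdout as the result rather than the exit code.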

Authentication, PAM, and TPM

  • Fixed TPM probing to check hardware availability, not only configuration.
  • Improved TPM provisioning/upgrade flow:
    • orders HSM PIN init after systemd-tpm2-setup,
    • upgrades non-TPM-bound credentials on boot,
    • self-provisions SRK when system setup didn’t run.
  • Fixed PIN change behavior for non-passwordless accounts.
  • Fixed Debian PAM password stack behavior so local users continue to pam_unix correctly.
  • Updated libhimmelblau to address an auth issue involving unique_name + upn token fields.

Daemon, Client Sync, and Logging

  • Improved client/daemon resilience:
    • retries WouldBlock/TimedOut instead of failing immediately,
    • uses shorter per-read timeouts for long daemon operations,
    • handles task connection errors without cascading failures.
  • Reduced noisy logs:
    • downgraded expected disconnect/socket-missing cases from error to debug,
    • avoided exposing username/uid in logs.

Security Policy / SELinux

  • Fixed SELinux domain transitions so daemons run in dedicated domains (instead of init_t fallback behavior).
  • Added comprehensive permissions for dedicated Himmelblau daemon domains.
  • Backported SELinux policy improvements and included openSUSE Tumbleweed-specific policy application/restart sequencing fixes.

Packaging and Upgrade/Uninstall Behavior

  • Added/updated prerm/postrm handling for cleaner service disable/stop on removal.
  • Full uninstall now removes Himmelblau caches/state and Entra AccountsService entries (while preserving data on upgrade paths).
  • Debian packaging robustness improvements:
    • do not fail package removal if AppArmor patch rollback fails,
    • run pam-auth-update when removing PAM library entries,
    • stop removing user-managed files in /etc/systemd/system,
    • add Conflicts/Provides handling for linux-entra-sso and microsoft-identity-broker.
  • Added CacheDirectory=nss-himmelblau for himmelblaud-tasks.service startup reliability.

SSO / Broker Compatibility

  • Broker now returns passwordExpiry in account responses for better compatibility with linux-entra-sso and sso-mib.

Dependency and Tooling Updates

  • Refreshed Rust dependencies (including grouped cargo updates), clippy/vetting updates, and supporting packaging/build script adjustments.

Full Changelog: 2.3.5...2.3.6