Ubuntu
refpolicy-ubuntu package

Lucid SELinux Policy Update

Bug #568744 reported by Steve Lawrence on 2010-04-22

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	refpolicy-ubuntu (Ubuntu)	Fix Released	Medium	Kees Cook	Ubuntu ubuntu-10.04
	Lucid	Fix Released	Medium	Kees Cook	Ubuntu ubuntu-10.04
	selinux (Ubuntu)	Fix Released	Medium	Kees Cook	Ubuntu ubuntu-10.04
	Lucid	Fix Released	Medium	Kees Cook	Ubuntu ubuntu-10.04

Bug Description

Attached are two patches to update the SELinux policy for Ubuntu Lucid
Lynx.

The first patch applies to the repolicy-ubuntu package. This updates the
policy to the latest reference policy (2.20091117) and updates the
debian/patches to fix ubunutu specific policy issues. The majority of
the issues revolved around dbus starting various processes and ensuring
they transition to the correct domain.

The second patch applies to the selinux package. This adds two upstart
scripts to ensure that /var/run and /var/lock are relabeled once they
are mounted so they get the correct labels (var_run_t and var_lock_t
instead of tmpfs_t).

Related branches

lp:ubuntu/lucid/selinux

lp:ubuntu/lucid/refpolicy-ubuntu

Revision history for this message

Steve Lawrence (slawrence) wrote on 2010-04-22:

#1

refpolicy-ubuntu-update.patch Edit (1.2 MiB, text/plain)

Revision history for this message

Steve Lawrence (slawrence) wrote on 2010-04-22:

#2

selinux-labels.patch Edit (1.8 KiB, text/plain)

Kees Cook (kees) on 2010-04-23

summary:

- SELinux Policy Update
+ Lucid SELinux Policy Update

Revision history for this message

Kees Cook (kees) wrote on 2010-04-23:

#3

Great! I've updated the packaging for refpolicy-ubuntu to use the upstream bz2 file, and tweaked the selinux restorecon calls a little more. These changes make a large positive difference on the boot warnings now; down to just a handful instead of hundreds. Thanks!

Revision history for this message

Kees Cook (kees) wrote on 2010-04-23:

#4

Regression potential is low, since it doesn't actually work very well without these updates.

Changed in selinux (Ubuntu):
status:	New → Fix Committed
Changed in refpolicy-ubuntu (Ubuntu):
status:	New → Fix Committed
assignee:	nobody → Kees Cook (kees)
Changed in selinux (Ubuntu):
assignee:	nobody → Kees Cook (kees)
importance:	Undecided → Medium
Changed in refpolicy-ubuntu (Ubuntu):
importance:	Undecided → Medium
Changed in selinux (Ubuntu Lucid):
milestone:	none → ubuntu-10.04
Changed in refpolicy-ubuntu (Ubuntu Lucid):
milestone:	none → ubuntu-10.04

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-04-23:

#5

This bug was fixed in the package selinux - 1:0.9

---------------
selinux (1:0.9) lucid; urgency=low

* mounted-var{run,lock}.upstart, Makefile: add more restorecon
calls for tmpfs filesystems, thanks to Stephen Lawrence (LP: #568744).
-- Kees Cook <email address hidden> Thu, 22 Apr 2010 16:58:14 -0700

Changed in selinux (Ubuntu Lucid):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-04-23:

#6

This bug was fixed in the package refpolicy-ubuntu - 0.2.20091117-0ubuntu1

---------------
refpolicy-ubuntu (0.2.20091117-0ubuntu1) lucid; urgency=low

  * New upstream release, converted to source format 3.
  * Updated Ubuntu-specific patches thanks to Steve Lawrence (LP: #568744).
  * Extracted Makefile change to debian/patches/bashisms.patch.
-- Kees Cook <email address hidden> Thu, 22 Apr 2010 17:10:43 -0700

Changed in refpolicy-ubuntu (Ubuntu Lucid):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.