refpolicy 2:2.20140421-10 source package in Ubuntu
Changelog
refpolicy (2:2.20140421-10) unstable; urgency=medium
* Team upload.
[ Laurent Bigonville ]
* Fix the maintainer script to support the new policy store from libsemnage
2.4 (Closes: #805492)
* debian/gbp.conf: Sign tags by default (Closes: #781670)
* debian/control: Adjust and cleanup the {build-}dependencies (Closes:
#805496)
* debian/control: Bump Standards-Version to 3.9.8 (no further changes)
* debian/rules: Make the build reproducible (Closes: #778232)
* Remove deprecated system.users and local.users files
* debian/control: Update Homepage URL (Closes: #780934)
* debian/rules: Allow parallel build now that the build system is supporting
it, see #677689
* debian/policygentool: Remove string exceptions so the script is Python >=
2.6 compatible (Closes: #585355)
* Do not install semanage.read.LOCK, semanage.trans.LOCK and
file_contexts.local in /etc/selinux/* this is not needed anymore with the
new policy store.
* debian/control: Use https for the Vcs-* URL's to please lintian
* debian/watch: Fix watch file URL now that the project has moved to github
[ Russell Coker ]
* Allow init_t to manage init_var_run_t symlinks and self getsched
to relabel files and dirs to etc_runtime_t for /run/blkid
to read/write init_var_run_t fifos for /run/initctl
kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
sysctls)
* Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
filesystems
* Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
* Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
* Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
create it
* apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
* Allow apache to read sysctl_vm_t for overcommit_memory Allow
httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t
files and directories for mod_pagespeed.
* Removed bogus .* in mailman file context that was breaking the regex
* Lots of mailman changes
* Allow system_mail_t read/write access to crond_tmp_t
* Allow postfix_pipe_t to write to postfix_public_t sockets
* Label /usr/share/mdadm/checkarray as bin_t
* Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
status
* Allow systemd_tmpfiles_t to create the cpu_device_t device
* Allow init_t to manage init_var_run_t links
* Allow groupadd_t the fsetid capability
* Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
dpkg_var_lib_t so dpkg-statoverride can do it's job
* Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
* Allow webalizer to read fonts and allow logrotate to manage
webaliser_usage_t files also allow it to be run by logrotate_t.
* Allow jabber to read ssl certs and give it full access to it's log files
Don't audit jabber running ps.
* Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
in log dir
* Allow webalizer to read usr_t and created webalizer_log_t for it's logs
* Made logging_log_filetrans and several other logging macros also allow
reading var_log_t links so a variety of sysadmin symlinks in /var/log
won't break things
* Allow postfix_policyd_t to execute bin_t, read urandom, and capability
chown.
New type postfix_policyd_tmp_t
* Added user_udp_server boolean
* Allow apt_t to manage dirs of type apt_var_cache_t
* Allow jabber to connect to the jabber_interserver_port_t TCP port
Closes: #697843
* Allow xm_t to create xen_lock_t files for creating the first Xen DomU
* Allow init_t to manage init_var_run_t for service file symlinks
* Add init_telinit(dpkg_script_t) for upgrading systemd
* Allow dpkg_script_t the setfcap capability for systemd postinst.
* Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
* Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read proc_t,
and have capability net_admin. Allow logrotate_systemctl_t to manage all
services.
* Give init_t the audit_read capability for systemd
* Allow iodined_t access to netlink_route_socket.
* add init_read_state(systemd_cgroups_t) and
init_read_state(systemd_tmpfiles_t) for /proc/1/environ
* Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
be some
sort of default location. /var/log is a better directory for this
* Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
* Allow mandb_t to get filesystem attributes
* Allow syslogd to rename and unlink init_var_run_t files for systemd
temporary files
* Allow ntpd_t to delete files for peerstats and loopstats
* Add correct file labels for squid3 and tunable for squid pinger raw net
access (default true)
* Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
xenstored unix sockets
* Allow qemu_t to read sysfs files for cpu online
* Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
* Allow xm_t (xl program) to create and rename xend_var_log_t files, read
kernel images, execute qemu, and inherit fds from sshd etc.
* Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
/run/xen-hotplug/iptables for when vif-bridge runs iptables
* Allow xm_t to write to xen_lock_t files not var_lock_t
* Allow xm_t to load kernel modules
* Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
it's sockets
* dontaudit xm_t searching home dir content
* Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
xend_var_run_t directory
* Label /var/lock/xl as xen_lock_t
* allow unconfined_t to execute xl/xm in xm_t domain.
* Allow system_cronjob_t to configure all systemd services (restart all
daemons)
* Allow dpkg_script_t and unconfined_t to manage systemd service files of
type null_device_t (symlinks to /dev/null)
* Label /var/run/lwresd/lwresd.pid as named_var_run_t
* Label /run/xen/qmp* as qemu_var_run_t
* Also label squid3.pid
* Allow iptables_t to be in unconfined_r (for Xen)
* Allow udev_t to restart systemd services
Closes: #756729
* Merge Laurent's changes with mine
-- Laurent Bigonville <email address hidden> Fri, 13 May 2016 22:29:59 +0200
Upload details
- Uploaded by:
- Debian SELinux maintainers
- Uploaded to:
- Sid
- Original maintainer:
- Debian SELinux maintainers
- Architectures:
- all
- Section:
- admin
- Urgency:
- Medium Urgency
See full publishing history Publishing
| Series | Published | Component | Section |
|---|
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| refpolicy_2.20140421-10.dsc | 2.0 KiB | 0b83e4e05e8c672b86e928128071727cd152d580b721817ce1a883bb92f85cd6 |
| refpolicy_2.20140421.orig.tar.bz2 | 668.3 KiB | 258ff813c84139175db63958ac8bff2bcce32982bb0d902e06aaaf17dd644367 |
| refpolicy_2.20140421-10.debian.tar.xz | 87.9 KiB | e07227169bf110bc045b977dd545a6a84864e431c745696102907b571188036b |
Available diffs
- diff from 2:2.20140421-9 to 2:2.20140421-10 (24.0 KiB)
No changes file available.
Binary packages built by this source
- selinux-policy-default: No summary available for selinux-policy-default in ubuntu yakkety.
No description available for selinux-
policy- default in ubuntu yakkety.
- selinux-policy-dev: No summary available for selinux-policy-dev in ubuntu yakkety.
No description available for selinux-policy-dev in ubuntu yakkety.
- selinux-policy-doc: No summary available for selinux-policy-doc in ubuntu yakkety.
No description available for selinux-policy-doc in ubuntu yakkety.
- selinux-policy-mls: No summary available for selinux-policy-mls in ubuntu yakkety.
No description available for selinux-policy-mls in ubuntu yakkety.
- selinux-policy-src: No summary available for selinux-policy-src in ubuntu yakkety.
No description available for selinux-policy-src in ubuntu yakkety.
