refpolicy 2:2.20161023.1-7 source package in Ubuntu

Changelog

refpolicy (2:2.20161023.1-7) unstable; urgency=medium
    
  [ Laurent Bigonville and cgzones ]
   * Sort the files in the files in the selinux-policy-src.tar.gz tarball by
     name, this should fix the last issue for reproducible build
   * Add genfscon for cpu/online. Closes: #849637
  [ Russell Coker ]
   * Make the boinc patch like the one upstream accepted and make it last in
     the list.
   * Label /etc/sddm/Xsession as xsession_exec_t
   * Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
   * Allow devicekit_power_t to chat to xdm_t via dbus
   * Allow rtkit_daemon_t to stat the selinuxfs and seach default contexts
   * Allow loadkeys_t to read tmp files created by init scripts
   * Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp
     and to read dbus lib files for /var/lib/dbus
   * Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
     relabel to/from user_tmpfs_t, and manage wireless_device_t
   * Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo
     and read/write an inherited socket.
   * Allow xdm_t to send dbus messages to unconfined_t
   * Give crond_t sys_resource so it can set hard ulimit for jobs
   * Allow systemd_logind_t to setattr on the kvm device and user ttys, to
     manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
   * Allow systemd_passwd_agent_t to stat the selinuxfs and search the
     contexts dir
   * Make systemd_read_machines() also allow listing directory
   * Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
   * Allow setfiles_t to inherit apt_t file handles
   * Allow system_mail_t to use ptys from apt_t and unconfined_t
   * Label /run/agetty.reload as getty_var_run_t
   * Allow systemd_tmpfiles_t to relabel directories to etc_t
   * Made sysnet_create_config() include { relabelfrom relabelto
     manage_file_perms }, allow systemd_tmpfiles_t to create config, and set
     file contexts entries for /var/run/resolvconf.  Makes policy work with
     resolvconf (but requires resolvconf changes) Closes: #740685
   * Allow dpkg_script_t to restart init services
   * Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
   * Allow named to read network sysctls and usr files
   * Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as
     ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and
     unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when
     building with systemd support, also allow listing init pid dirs. Label
     /var/lib/systemd/clock as ntp_drift_t
   * Allow systemd_nspawn_t to read system state, search init pid dirs (for
     /run/systemd) and capability net_admin
   * Allow backup_t capabilities chown and fsetid to cp files and preserve
     ownership
   * Allow logrotate_t to talk to dbus and connect to init streams for
     systemctl, also allow setrlimit for systemctl
   * Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t
     to execute all applications (for ps to getattr mostly)
   * Label /var/lib/wordpress as httpd_var_lib_t
   * Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and
     allow it to manage dirs of type httpd_lock_t
  [ Russell Coker Important ]
   * sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
   * Support usrmerge, lots of fc changes and subst_dist changes
     Closes: #850032

 -- Russell Coker <email address hidden>  Thu, 12 Jan 2017 18:01:40 +1100