Accepted refpolicy 2:2.20140421-10 (source all) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 May 2016 22:29:59 +0200
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20140421-10
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 585355 697843 756729 778232 780934 781670 805492 805496
Changes:
 refpolicy (2:2.20140421-10) unstable; urgency=medium
 .
   * Team upload.
   [ Laurent Bigonville ]
   * Fix the maintainer script to support the new policy store from libsemanage
     2.4 (Closes: #805492)
   * debian/gbp.conf: Sign tags by default (Closes: #781670)
   * debian/control: Adjust and cleanup the {build-}dependencies (Closes:
     #805496)
   * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
   * debian/rules: Make the build reproducible (Closes: #778232)
   * Remove deprecated system.users and local.users files
   * debian/control: Update Homepage URL (Closes: #780934)
   * debian/rules: Allow parallel build now that the build system is supporting
     it, see #677689
   * debian/policygentool: Remove string exceptions so the script is Python >=
     2.6 compatible (Closes: #585355)
   * Do not install semanage.read.LOCK, semanage.trans.LOCK and
     file_contexts.local in /etc/selinux/* this is not needed anymore with the
     new policy store.
   * debian/control: Use https for the Vcs-* URLs to please lintian
   * debian/watch: Fix watch file URL now that the project has moved to GitHub
 .
   [ Russell Coker ]
   * Allow init_t to manage init_var_run_t symlinks and self getsched
     to relabel files and dirs to etc_runtime_t for /run/blkid
     to read/write init_var_run_t fifos for /run/initctl
     kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
     sysctls)
   * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
     filesystems
   * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
   * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
   * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
     create it
   * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
   * Allow apache to read sysctl_vm_t for overcommit_memory. Allow
     httpd_sys_script_t to read sysfs_t. Allow httpd_t to manage httpd_log_t
     files and directories for mod_pagespeed.
   * Removed bogus .* in mailman file context that was breaking the regex
   * Lots of mailman changes
   * Allow system_mail_t read/write access to crond_tmp_t
   * Allow postfix_pipe_t to write to postfix_public_t sockets
   * Label /usr/share/mdadm/checkarray as bin_t
   * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
     status
   * Allow systemd_tmpfiles_t to create the cpu_device_t device
   * Allow init_t to manage init_var_run_t links
   * Allow groupadd_t the fsetid capability
   * Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
     setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
     dpkg_var_lib_t so dpkg-statoverride can do its job
   * Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
   * Allow webalizer to read fonts and allow logrotate to manage
     webaliser_usage_t files also allow it to be run by logrotate_t.
   * Allow jabber to read ssl certs and give it full access to its log files.
     Don't audit jabber running ps.
   * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
     in log dir
   * Allow webalizer to read usr_t and created webalizer_log_t for its logs
   * Made logging_log_filetrans and several other logging macros also allow
     reading var_log_t links so a variety of sysadmin symlinks in /var/log
     won't break things
   * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
     chown.
     New type postfix_policyd_tmp_t
   * Added user_udp_server boolean
   * Allow apt_t to manage dirs of type apt_var_cache_t
   * Allow jabber to connect to the jabber_interserver_port_t TCP port
     Closes: #697843
   * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
   * Allow init_t to manage init_var_run_t for service file symlinks
   * Add init_telinit(dpkg_script_t) for upgrading systemd
   * Allow dpkg_script_t the setfcap capability for systemd postinst.
   * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
   * Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read proc_t,
     and have capability net_admin.  Allow logrotate_systemctl_t to manage all
     services.
   * Give init_t the audit_read capability for systemd
   * Allow iodined_t access to netlink_route_socket.
   * add init_read_state(systemd_cgroups_t) and
     init_read_state(systemd_tmpfiles_t) for /proc/1/environ
   * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
     be some sort of default location. /var/log is a better directory for this
   * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
   * Allow mandb_t to get filesystem attributes
   * Allow syslogd to rename and unlink init_var_run_t files for systemd
     temporary files
   * Allow ntpd_t to delete files for peerstats and loopstats
   * Add correct file labels for squid3 and tunable for squid pinger raw net
     access (default true)
   * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
     xenstored unix sockets
   * Allow qemu_t to read sysfs files for cpu online
   * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
   * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
     kernel images, execute qemu, and inherit fds from sshd etc.
   * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
     /run/xen-hotplug/iptables for when vif-bridge runs iptables
   * Allow xm_t to write to xen_lock_t files not var_lock_t
   * Allow xm_t to load kernel modules
   * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
     its sockets
   * dontaudit xm_t searching home dir content
   * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
     xend_var_run_t directory
   * Label /var/lock/xl as xen_lock_t
   * allow unconfined_t to execute xl/xm in xm_t domain.
   * Allow system_cronjob_t to configure all systemd services (restart all
     daemons)
   * Allow dpkg_script_t and unconfined_t to manage systemd service files of
     type null_device_t (symlinks to /dev/null)
   * Label /var/run/lwresd/lwresd.pid as named_var_run_t
   * Label /run/xen/qmp* as qemu_var_run_t
   * Also label squid3.pid
   * Allow iptables_t to be in unconfined_r (for Xen)
   * Allow udev_t to restart systemd services
     Closes: #756729
   * Merge Laurent's changes with mine

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----