Publishing details

Published on 2015-10-22
Copied from debian sid in Primary Archive for Debian GNU/Linux

Changelog

refpolicy (2:2.20140421-9) unstable; urgency=medium


  * Allow dovecot_t to read /usr/share/dovecot/protocols.d
    Allow dovecot_t capability sys_resource
    Label /usr/lib/dovecot/* as bin_t unless specified otherwise
    Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens
  * Allow clamd_t capability { chown fowner fsetid }
    Allow clamd_t to read sysctl_vm_t
  * Allow dkim_milter_t capability dac_override and read sysctl_vm_t
    allow dkim_milter_t to bind to unreserved UDP ports
  * Label all hard-links of perdition perdition_exec_t
    Allow perdition to read /dev/urandom and capabilities dac_override, chown,
    and fowner
    Allow perdition file trans to perdition_var_run_t for directories
    Also proxy the sieve service - sieve_port_t
    Allow connecting to mysql for map data
  * Allow nrpe_t to read nagios_etc_t and have capability dac_override
  * Allow httpd_t to write to initrc_tmp_t files
    Label /var/lib/php5(/.*)? as httpd_var_lib_t
  * Allow postfix_cleanup_t to talk to the dkim filter
    allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters)
    allow postfix_smtpd_t to talk to clamd_t via unix sockets
    allow postfix_master_t to execute hostname for Debian startup scripts
  * Allow unconfined_cronjob_t role system_r and allow it to restart daemons
    via systemd
    Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session
    cleanup)
  * Allow spamass_milter_t to search the postfix spool and sigkill itself
    allow spamc_t to be in system_r for when spamass_milter runs it
  * Allow courier_authdaemon_t to execute a shell
  * Label /usr/bin/maildrop as procmail_exec_t
    Allow procmail_t to connect to courier authdaemon for the courier maildrop,
    also changed courier_stream_connect_authdaemon to use courier_var_run_t
    for the type of the socket file
    Allow procmail_t to read courier config for maildrop.
  * Allow system_mail_t to be in role unconfined_r
  * Label ldconfig.real instead of ldconfig as ldconfig_exec_t
  * Allow apt_t to list directories of type apt_var_log_t
  * Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for
    dpkg-preconfigure
  * Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage
    shadow files, process setfscreate, and capabilities audit_write net_admin
    sys_ptrace
  * Label /usr/lib/xen-*/xl as xm_exec_t

 -- Russell Coker <email address hidden>  Fri, 06 Feb 2015 02:31:05 +1100

Available diffs

diff from 2:2.20140421-7 to 2:2.20140421-9 (20.4 KiB)

Builds

Built packages

selinux-policy-default Strict and Targeted variants of the SELinux policy

selinux-policy-dev Headers from the SELinux reference policy for building modules

selinux-policy-doc Documentation for the SELinux reference policy

selinux-policy-mls MLS (Multi Level Security) variant of the SELinux policy

selinux-policy-src Source of the SELinux reference policy for customization

Package files

refpolicy_2.20140421-9.debian.tar.xz (80.4 KiB)
refpolicy_2.20140421-9.dsc (2.3 KiB)
refpolicy_2.20140421.orig.tar.bz2 (668.3 KiB)
selinux-policy-default_2.20140421-9_all.deb (2.7 MiB)
selinux-policy-dev_2.20140421-9_all.deb (403.5 KiB)
selinux-policy-doc_2.20140421-9_all.deb (381.0 KiB)
selinux-policy-mls_2.20140421-9_all.deb (2.7 MiB)
selinux-policy-src_2.20140421-9_all.deb (1.1 MiB)