Change log for refpolicy package in Ubuntu

Published in focal-release on 2019-10-26
Deleted in focal-proposed (Reason: moved to Release)
refpolicy (2:2.20190201-5) unstable; urgency=medium

  * Team upload.
  * Bump Standards-Version to 4.4.0 (no further changes)
  * debian/control: Remove the package (-1) revision from the
    {build-}dependencies, to please lintian
  * Drop debian/source/lintian-overrides, the postrm perl scripts are gone
    for a long time, not sure why these overrides were reintroduced
  * debian/rules: Do not call dpkg-parsechangelog explicitly to get a
    reproducible build time but rely on SOURCE_DATE_EPOCH variable
  * debian/watch: Fix the URL now that the project has been relocated

 -- Laurent Bigonville <email address hidden>  Tue, 27 Aug 2019 15:54:34 +0200

Superseded in focal-release on 2019-10-26
Published in eoan-release on 2019-05-30
Deleted in eoan-proposed (Reason: moved to release)
refpolicy (2:2.20190201-4) unstable; urgency=medium

  * Policy update, lots of little things and allows the signull access that
    systemd-journal from the latest systemd wants.

 -- Russell Coker <email address hidden>  Thu, 30 May 2019 10:28:24 +1000

Superseded in eoan-release on 2019-05-30
Published in disco-release on 2019-03-03
Deleted in disco-proposed (Reason: moved to release)
refpolicy (2:2.20190201-3) unstable; urgency=medium

  * Added policy for apt-cacher and apt-cacher-ng
  * Added policy for memlockd
  * Added type alias rules so you can upgrade from Stretch policy without a
    reboot if you manually relabel.
  * Lots of little changes too

 -- Russell Coker <email address hidden>  Sun, 03 Mar 2019 20:44:04 +1100

Superseded in disco-release on 2019-03-03
Deleted in disco-proposed on 2019-03-05 (Reason: moved to release)
refpolicy (2:2.20190201-2) unstable; urgency=medium

  * Lots of little changes, many for strict configuration.
  * Added policy for certbot AKA letsencrypt.

 -- Russell Coker <email address hidden>  Fri, 22 Feb 2019 00:09:29 +1100

Superseded in disco-release on 2019-02-21
Deleted in disco-proposed on 2019-02-22 (Reason: moved to release)
refpolicy (2:2.20190201-1) unstable; urgency=medium

  * New upstream, lots of Debian patches upstreamed.
  * More systemd support (moving target).
  * New upstream Chromium/Chrome policy.
  * Add xserver_allow_dri tunable for most X server programs to get DRI access.

 -- Russell Coker <email address hidden>  Sun, 03 Feb 2019 23:28:32 +1100

Superseded in disco-release on 2019-02-03
Deleted in disco-proposed on 2019-02-04 (Reason: moved to release)
refpolicy (2:2.20180701-1) unstable; urgency=medium

  * New upstream policy.
  * Depend on version 2.8 of utils.
  * Build new xdg module for X data types.
  * Lots of policy changes

 -- Russell Coker <email address hidden>  Mon, 21 Jan 2019 14:05:59 +1100

Superseded in disco-release on 2019-01-21
Deleted in disco-proposed on 2019-01-22 (Reason: moved to release)
refpolicy (2:2.20180114-5) unstable; urgency=medium

  * Updated everything in debian/control to refer to version 2.7 of SE Linux
  * Lots of little policy changes.

 -- Russell Coker <email address hidden>  Wed, 02 Jan 2019 10:24:07 +1100

Superseded in disco-release on 2019-01-02
Published in cosmic-release on 2018-05-30
Deleted in cosmic-proposed (Reason: moved to release)
refpolicy (2:2.20180114-4) unstable; urgency=medium

  * Team upload.
  * debian/control: Point Vcs-* fields to new (salsa) machine
  * debian/control: Bump Standards-Version to 4.1.4 (no further changes)
  * debian/control: Bump debhelper build-dependency version to 11 to match
    debian/compat version
  * debian/control: Bump python {build-}dependencies to python3 (Closes:
  * debian/rules: Drop --parallel flag passed to dh command, this is the
    default with debhelper >= 10
  * debian/control: Bump Priority of selinux-policy-mls to optional, Priority
    extra is now deprecated
  * debian/policygentool: Port to python3
  * debian/patches/python3-buildsystem.patch: Port the buildsystem to use
  * Drop debian/source/lintian-overrides, overrides not used anymore

 -- Laurent Bigonville <email address hidden>  Wed, 30 May 2018 11:42:05 +0200

Superseded in cosmic-release on 2018-05-30
Deleted in cosmic-proposed on 2018-06-01 (Reason: moved to release)
refpolicy (2:2.20180114-3) unstable; urgency=medium

  * Added git patch for 20180319.
  * Added git patch for 20180419, fixes lots of typos which changes the
    way things work.  Also adds sctp protocol support.
  * Added git patch for 20180519.
  * Build-depend on version 2.7-2 of checkpolicy and libsepol1-dev and Depend
    on version 2.7-2 of libsepol1 for sctp support.
  * Changed all Build-depends and Depends to version 2.7 from 2.5 and 2.6
    because there's no reason to try to build against ancient versions and we
    don't want to deal with annoying bugs later.
  * Allow mon_t to read generic certs for using SSL for notifications
  * Allow systemd_nspawn_t the mcs_killall if systemd_nspawn_labeled_namespace
    is enabled
  * Allow udev_t to run iptables in iptables_t
  * Some other little systemd stuff

 -- Russell Coker <email address hidden>  Sat, 19 May 2018 11:12:41 +1000

Superseded in cosmic-release on 2018-05-20
Deleted in cosmic-proposed on 2018-05-21 (Reason: moved to release)
refpolicy (2:2.20180114-2) unstable; urgency=medium

  * Included changelog entry 2:2.20161023.1-10

 -- Russell Coker <email address hidden>  Tue, 06 Mar 2018 14:17:33 +1100

Superseded in cosmic-release on 2018-05-05
Published in bionic-release on 2018-02-28
Deleted in bionic-proposed (Reason: moved to release)
refpolicy (2:2.20180114-1) unstable; urgency=medium

  * New upstream 2.20180114 with patch from git version 2.20180220.
    Took that patch because a lot of it was policy I developed.
  * Delete the deprecated macro mmap_file_perms, anyone who uses this should
    change to mmap_exec_file_perms instead.  Closes: #885771
  * Now build-depend on recent toolchain.  Closes: #875546
  * Removed typebounds patch that upstream didn't like, seems to work ok
    without it now, but we can use nnp_transition if necessary.

 -- Russell Coker <email address hidden>  Mon, 26 Feb 2018 23:25:27 +1100

Superseded in bionic-release on 2018-02-28
Deleted in bionic-proposed on 2018-03-01 (Reason: moved to release)
refpolicy (2:2.20171228-1) unstable; urgency=medium

  * New upstream from git with lots of Debian patches merged.  This policy is
    not a candidate for Buster or anything, I'm uploading it to facilitate
    SE Linux development.  The next time Tresys make an official release I'll
    put it in Debian Git and make it a candidate for Buster.
  * Removed authbind policy
  * Set WERROR=y to remove deprecated interfaces
  * Enable UBAC for mcs policy
  * Use compat level 11

 -- Russell Coker <email address hidden>  Thu, 28 Dec 2017 17:46:57 +1100

Superseded in bionic-release on 2017-12-28
Deleted in bionic-proposed on 2017-12-29 (Reason: moved to release)
refpolicy (2:2.20161023.1-10) unstable; urgency=medium

  * Add patch for typebounds. This patch was rejected upstream, to quote
    Chris PeBenito:
    NAK.  This has already been fixed with the upcoming nnp_transition
    nosuid_transition permissions in refpolicy.  I'm afraid distros will
    have to carry policy patches until they can roll out kernels that
    support these permissions.
    Closes: #874201
  * Allow systemd-tmpfiles to delete /var/lib/sudo files.
    Closes: #875668
  * Allow brctl to create files in sysfs and correctly label
    Closes: #875669
  * Give bootloader_t all the access it needs to create initramfs images in
    different situations and communicate with dpkg_t.
    Closes: #875676
  * Allow dnsmasq_t to read its config dir
    Closes: #875681
  * Build-depend and depend on version 2.7 of tools and libraries.
  * Allow systemd_tmpfiles_t to manage lastlog_t
    Closes: #875726
  * Allow udev_t to talk to init via dbus and get service status in strict
    Closes: #875727

 -- Russell Coker <email address hidden>  Wed, 13 Sep 2017 23:47:21 +1000
Superseded in bionic-release on 2017-11-03
Published in artful-release on 2017-04-20
Obsolete in zesty-release on 2018-06-22
Deleted in zesty-proposed (Reason: moved to release)
refpolicy (2:2.20161023.1-9) unstable; urgency=medium

  * Dontaudit dkim_milter_t binding to labeled udp ports
  * Allow passwd_t to inherit fd from unconfined_t for package scripts
  * Allow httpd_sys_script_t to talk to itself via unix datagrams and send
    syslog messages
  * Allow logwatch_mail_t to rw system_cronjob_t pipes
    Allow logwatch_t to run mdadm
  * Label /etc/postfixadmin as httpd_config_t
  * Allow system_cronjob_t to create directories under /tmp
  * Allow spamass_milter_t to read the overcommit sysctl
  * Allow unconfined domains the capability2:wake_alarm.
  * Added ~/DovecotMail to the list of mail_home_rw_t directories
  * Allow systemd_logind_t to get dpkg_script_t process state and talk to it
    via dbus
  * For allow udev_t
    to read default_t.  Still need that udev bug fixed!

 -- Russell Coker <email address hidden>  Thu, 26 Jan 2017 00:52:00 +1100
Superseded in zesty-release on 2017-01-26
Deleted in zesty-proposed on 2017-01-27 (Reason: moved to release)
refpolicy (2:2.20161023.1-8) unstable; urgency=medium

  * Fixed mistake in previous changelog (attributed a -7 change to -6)
  * Label /usr/sbin/apache2ctl as well. Allow apache to read overcommit sysctl
  * Allow clamd_t to read the overcommit sysctl
  * Allow postfix_postdrop_t to write to postfix_public_t socket, allow
    postfix_master_t to bind to udp generic nodes
  * Allow dovecot_auth_t to write to dovecot_var_run_t fifos and read selinux
    config (needed for pop/imap login)
  * Allow mon local tests to search /var/spool/postfix and autofs mountpoints,
    and to read nfs content. Allow mon net tests to read certs. dontaudit when
    mon local tests try to stat tmpfs files. Allow mon local tests to access
    /dev/xconsole and search mnt_t and boot_t
  * Allow mount_t to getattr nfs filesystems and manage mount_var_run_t dirs
    and files
  * Allow setfiles_t to getattr nfs filesystems.
  * Allow postgrey_t to exec bin_t files, to read netlink_route_sockets,
    and to access udp sockets
  * Allow login programs to share fds with systemd_passwd_agent_t
  * Allow postfix_master_t to stat the spamass_milter_data_t dir
  * Allow dpkg_script_t to tell init_t to stop services
  * Allow initrc_t to tell init_t to halt and get system status - allows
  * Make port 8953 be rndc type for unbound.
  * Lots of policy for systemd_nspawn_t
  * More policy for systemd_coredump_t to do what it wants
  * Allow dkim_milter_t to read vm overcommit sysctl
  * Allow mandb_t to search init pid dirs for systemd
  * Allow initrc_t to reload systemdunit types
  * Make init_manage_all_units() include file:getattr access
  * Allow logrotate to init_manage_all_units for restarting daemons, to stat
    tmpfs filesystems, to get init system status, and capability net_admin
    that systemctl wants
  * Allow network manager to inherit logind pids
  * Allow devicekit_power_t to search init pid dirs
  * Allow named to read vm sysctls
  * Allow mysqld_safe_t to read dpkg db, it inherits cwd from dpkg_script_t
    allow it to read sysfs and kill mysqld_t
    Make mysql_signal interface include signull permission and grant that to
  * Allow rpcd_t to write /proc/fs/lockd/nlm_end_grace
  * Make apache use the new interfaces for nfs access and to read
    httpd_var_lib_t symlinks. Allow httpd_sys_script_t to search init pid
  * Allow auth to send sigchild to xdm
  * Allow chkpwd_t to getattr the selinuxfs
  * Allow system_cronjob_t net_admin capability, manage acct data, and manage
    initrc services
  * Allow crontab domains fsetid capability. Use a separate $2_crontab_t domain
    for each role's crontab program. Give ntp_admin access to system_cronjob_t
    and allow it to manage var_log_t and cron log files
  * Label /var/lib/sddm as xdm_var_lib_t
  * Don't label acct cron job scripts as acct_exec_t
  * Allow systemd-tmpfiles to create /dev/xconsole
  * Create new type for /var/run/iodine
  * Allow logrotate to restart services
  * Made init_script_service_restart() include reload access
  * Dontaudit systemd_logind_t statting files under /dev/shm
    Allow it to setattr unallocated terminals and unlink user_runtime_t files
  * Added boolean allow_smbd_read_shadow for the obvious purpose
    Allow smbd_t to read cupsd_var_run_t socket as well as write to it
  * Allow NetworkManager_t to send dbus messages to unconfined_t
  * Grant access to dri and input_dev devices to system_dbusd_t, gdm3 makes it
    want this

 -- Russell Coker <email address hidden>  Mon, 23 Jan 2017 01:55:57 +1100
Superseded in zesty-release on 2017-01-23
Deleted in zesty-proposed on 2017-01-24 (Reason: moved to release)
refpolicy (2:2.20161023.1-7) unstable; urgency=medium

  [ Laurent Bigonville and cgzones ]
   * Sort the files in the files in the selinux-policy-src.tar.gz tarball by
     name, this should fix the last issue for reproducible build
   * Add genfscon for cpu/online. Closes: #849637
  [ Russell Coker ]
   * Make the boinc patch like the one upstream accepted and make it last in
     the list.
   * Label /etc/sddm/Xsession as xsession_exec_t
   * Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
   * Allow devicekit_power_t to chat to xdm_t via dbus
   * Allow rtkit_daemon_t to stat the selinuxfs and search default contexts
   * Allow loadkeys_t to read tmp files created by init scripts
   * Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp
     and to read dbus lib files for /var/lib/dbus
   * Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
     relabel to/from user_tmpfs_t, and manage wireless_device_t
   * Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo
     and read/write an inherited socket.
   * Allow xdm_t to send dbus messages to unconfined_t
   * Give crond_t sys_resource so it can set hard ulimit for jobs
   * Allow systemd_logind_t to setattr on the kvm device and user ttys, to
     manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
   * Allow systemd_passwd_agent_t to stat the selinuxfs and search the
     contexts dir
   * Make systemd_read_machines() also allow listing directory
   * Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
   * Allow setfiles_t to inherit apt_t file handles
   * Allow system_mail_t to use ptys from apt_t and unconfined_t
   * Label /run/agetty.reload as getty_var_run_t
   * Allow systemd_tmpfiles_t to relabel directories to etc_t
   * Made sysnet_create_config() include { relabelfrom relabelto
     manage_file_perms }, allow systemd_tmpfiles_t to create config, and set
     file contexts entries for /var/run/resolvconf.  Makes policy work with
     resolvconf (but requires resolvconf changes) Closes: #740685
   * Allow dpkg_script_t to restart init services
   * Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
   * Allow named to read network sysctls and usr files
   * Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as
     ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and
     unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when
     building with systemd support, also allow listing init pid dirs. Label
     /var/lib/systemd/clock as ntp_drift_t
   * Allow systemd_nspawn_t to read system state, search init pid dirs (for
     /run/systemd) and capability net_admin
   * Allow backup_t capabilities chown and fsetid to cp files and preserve
   * Allow logrotate_t to talk to dbus and connect to init streams for
     systemctl, also allow setrlimit for systemctl
   * Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t
     to execute all applications (for ps to getattr mostly)
   * Label /var/lib/wordpress as httpd_var_lib_t
   * Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and
     allow it to manage dirs of type httpd_lock_t
  [ Russell Coker Important ]
   * sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
   * Support usrmerge, lots of fc changes and subst_dist changes
     Closes: #850032

 -- Russell Coker <email address hidden>  Thu, 12 Jan 2017 18:01:40 +1100
Superseded in zesty-release on 2017-01-12
Deleted in zesty-proposed on 2017-01-13 (Reason: moved to release)
refpolicy (2:2.20161023.1-6) unstable; urgency=medium

  * Label /var/lib/unbound as named_cache_t, closes: #740657
  * Merge patch for gbp.conf from cgzones <email address hidden>
    closes: #849459
  * Merge patch from cgzones <email address hidden> to add new .basemodules
    file. Closes: #849460
  * Make the package build fail when a file is missing.  Closes: #849461
  * Replaced domain_auto_trans with domain_auto_transition_pattern.
    Closes: #849463
  * New type systemd_machined_var_run_t for /run/systemd/machines
  * Allow initrc_t to get the status of null device service files (for
    symlinks) and to reload systemd_unit_t services.
  * Allow systemd_logind_t to manage user_runtime_t directories.
    allow it sys_admin capability.  Allow it to list udev_var_run_t dirs for
  * Label /run/console-setup as udev_var_run_t
  * Label lvmetad as lvm_exec_t
  * Made it conflict with mcstrans because we currently can't get mcstrans,
    dbus, and systemd to work together.
  * Allow systemd_logind_t to create /run/systemd/inhibit and to manage
    systemd_logind_var_run_t dirs and mount/umount,relabelfrom tmpfs_t
  * Allow systemd_machined_t to manage symlinks in its pid dir
  * Allow systemd_machined_t to stat tmpfs_t and cgroup_t filesystems
  * Updated monit patch from cgzones.
  * Allow policykit_t to stat tmpfs_t and cgroup_t filesystems and to read
  * Change auth_login_pgm_domain() to include writing to sessions fifo.
    and searching user_runtime_t
  * Allow systemd_logind_t and systemd_machined_t to read initrc_t files to
    get cgroup and sessionid
  * Allow systemd_logind_t to read xserver_t files to get cgroup and sessionid
  * Allow system_mail_t to access unix_stream_sockets inherited from init
    for error messages on startup
  * Allow system_cronjob_t to get systemd unit status
  * Allow logrotate to talk to dbus and talk to the private systemd socket for
  * Allow console_device_t to associate with devpts_t:filesystem for /dev/pts/0
  * Allow systemd_logind_t to read all users state for cgroup and sessionid
  * Label /var/run/sddm and /usr/bin/sddm
  * Allow systemd_logind_t to talk to policykit_t and xserver_t by dbus
  * Allow systemd_logind_t to send messages to initrc_t by dbus
  * Allow policykit_t to send dbus messages to all userdomains

 -- Russell Coker <email address hidden>  Sun, 01 Jan 2017 15:33:26 +1100
Superseded in zesty-release on 2017-01-01
Deleted in zesty-proposed on 2017-01-02 (Reason: moved to release)
refpolicy (2:2.20161023.1-5) unstable; urgency=medium

  * Allowed system_munin_plugin_t to read usr_t files and have capability
    net_admin for mii-tool.  Thanks joerg <email address hidden>
    Closes: #619855
  * Allow rsync_t to stat all sock_files and fifo_files when
    rsync_export_all_ro is set.  Thanks joerg <email address hidden>
    Closes: #619979
  * Allow bitlbee_t to read FIPS state.  Closes: #697814
  * Allow mono_t to be in role unconfined_r.  Closes: #734192
  * Allow dpkg_script_t to manage null_device_t services for service scripts
    linked to /dev/null.  Closes: #757994
  * Give systemd_tmpfiles_t sys_admin capability for adjusting quotas.
  * Included initrc_t as a source domain in init_ranged_domain() so that old
    XDM packages that lack a systemd service file will work.
  * Use xserver_role() for unconfined_t so the xdm can start the session.
  * Allow user domains to talk to devicekit_disk_t and devicekit_power_t via
  * Label /run/lvm as lvm_var_run_t
  * Allow dhcpc_t to manage samba config

 -- Russell Coker <email address hidden>  Thu, 29 Dec 2016 01:08:24 +1100
Superseded in zesty-release on 2016-12-29
Deleted in zesty-proposed on 2016-12-30 (Reason: moved to release)
refpolicy (2:2.20161023.1-4) unstable; urgency=medium

  * Allow mon_t to read sysfs.
  * Made gpm_getattr_gpmctl also allow getattr on the fifo_file
  * Allow mount_t to getattr tmpfs_t and rpc_pipefs_t filesystems
  * Allow systemd_logind_t to change identities of files
  * Allow systemd_logind_t to read the cgroups files of all login processes
  * Added monit policy from cgzones <email address hidden>. Closes: #691283
  * Allow udev_t to transition to initrc_t for hotplug scripts, and label
    /etc/network/ip-ip.d/* etc as initrc_exec_t. Policy taken from Wheezy at
    the recommendation of Devin Carraway <email address hidden>
    Closes: #739590

 -- Russell Coker <email address hidden>  Wed, 28 Dec 2016 00:36:11 +1100
Superseded in zesty-release on 2016-12-27
Deleted in zesty-proposed on 2016-12-29 (Reason: moved to release)
refpolicy (2:2.20161023.1-3) unstable; urgency=medium

  * Allow ntpd_t to create sockets.
  * Allow systemd_hostnamed_t and systemd_logind_t to talk to NetworkManager_t
    via dbus.
  * Allow systemd_backlight_t to send syslog messages, read sysfs, read etc_t
    files, read init state, read udev_var_run_t files (udev data).
  * Allow systemd_machined_t to send messages to init_t and initrc_t via dbus,
    connect to the system dbus, read etc_t files, and start and stop
    init_var_run_t services and init_t system
  * Allow systemd_logind_t to talk to devicekit_power_t and unconfined_t over
  * Allow systemd_tmpfiles_t to read proc_net_t
  * Use /sbin/ldconfig instead of /sbin/ldconfig.real
  * Give devicekit_disk_t wake_alarm capability
  * Write policy for systemd_coredump_t
  * Allow systemd_logind_t to read xdm_t files for XDM state and talk to xdm
    via dbus.
  * Change /lib/systemd/systemd-cryptsetup to
    /usr/lib/systemd/systemd-cryptsetup so file_contexts.subs_dist doesn't
    cause the wrong name to match. Allow lvm_t to load modules for
  * Allow mon_local_test_t to stat gpmctl_t socket. Generally allow the local
    tests to access most things that can't do any harm.
  * Allow systemd_passwd_agent_t to use getty_t fds and read init state.
  * Allow unconfined domains to start and stop etc_t units

 -- Russell Coker <email address hidden>  Wed, 21 Dec 2016 18:35:33 +1100
Superseded in zesty-release on 2016-12-21
Deleted in zesty-proposed on 2016-12-22 (Reason: moved to release)
refpolicy (2:2.20161023.1-2) unstable; urgency=medium

  * Only label files as NetworkManager_initrc_exec_t
  * Use separate domains mon_net_test_t and mon_local_test_t for network and
    local tests
  * Allow boinc to read xdm tmp dirs and connect to the X server, allow it to
    read crypto sysctl for some of its libraries
  * Allow unconfined_t to request init to reload its config
  * Make bin_t an entrypoint for inetd_child_t
  * Allow systemd_tmpfiles_t to read selinuxfs and selinux_config_t to find
    correct context Closes: #834228
  * Allow systemd_cgroups_t to read selinux_config_t
  * Allow systemd_sessions_t to get contexts for sessions and default contexts
    for files for correct labeling
  * Allow systemd_logind_t to read cgroup files and getattr cgroupfs, and to
    start and stop user sessions
  * Allow systemd_tmpfiles_t to read kmod_var_run_t for
  * Allow syslogd_t to read SE Linux config
  * Allow dpkg_script_t to reload systemd configuration and to restart
    initrc_exec_t units.
  * Allow sulogin to read crypto sysctls and set booleans
  * Allow cron jobs append and ioctl access to crond_tmp_t
  * Allow systemd_hostnamed_t to read sysfs
  * Policy to allow systemd_backlight_t and systemd_machined_t to do things
  * Give initrc_t, xserver_t, and devicekit_power_t wake_alarm capability.
  * Allow tor to search tmpfs.
  * Allow system_mail_t to inherit file handles from init.

 -- Russell Coker <email address hidden>  Thu, 08 Dec 2016 23:16:14 +1100
Superseded in zesty-release on 2016-12-08
Deleted in zesty-proposed on 2016-12-10 (Reason: moved to release)
refpolicy (2:2.20161023.1-1) unstable; urgency=medium

  * New upstream to remove unwanted files from the archive.
  * Type mon_test_exec_t for /usr/lib/mon/helper/*
  * Give init_t and udev_t capability2:wake_alarm for systemd and systemd-udevd
  * logging_manage_generic_logs(systemd_tmpfiles_t) for /var/log/?tmp
  * Make bin_t an entrypoint for mon_test_t for scripts run from sudo.
  * Allow postfix_master_t to getsched for sort and other programs from startup
    shell scripts

 -- Russell Coker <email address hidden>  Sun, 04 Dec 2016 22:41:31 +1100
Superseded in zesty-release on 2016-12-04
Deleted in zesty-proposed on 2016-12-05 (Reason: moved to release)
refpolicy (2:2.20161023-1) unstable; urgency=medium

  * Rebase to new release

 -- Russell Coker <email address hidden>  Wed, 02 Nov 2016 15:15:07 +1100

Superseded in zesty-release on 2016-11-03
Obsolete in yakkety-release on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to release)
refpolicy (2:2.20151208-1) unstable; urgency=medium

  * Rebase to new upstream
  * Move locallogin, sysadm, udev, and modutils to base
  * Add /lib/systemd to file_contexts.subs_dist and remove duplicate fcontexts
  * Allow unconfined_t to manage all init units
  * Allow dmesg_t and sysadm_t to read /dev/kmsg
  * Label /usr/lib/selinux/hll/pp as bin_t
  * Allow udev_t to create /var/run/network with type net_conf_t
  * Allow auditctl_t to getcap
  * Allow auditd_t setattr on /var/log/audit
  * Allow semanage_t to search policy_src_t dirs for /usr/lib/selinux/hll
  * Label /lib/systemd/libsystemd-shared-.*.so as lib_t
  * Allow systemd_tmpfiles_t and systemd_cgroups_t to read /proc/1/environ
    and /proc/cmdline, and have capability net_admin
  * Allow systemd_tmpfiles_t to create and relabel var_t directories
  * Allow systemd_cgroups_t to send unix dgrams to init.
  * Label /var/run/alsa as alsa_var_lock_t and use type trans for alsa_t to
    create it
  * Allow syslogd_t to create syslogd_var_run_t dirs for
  * Allow alsa_t to manage directories and lnk_files of type alsa_var_lock_t
    for directories under /run/alsa

  * This policy works well for a VM but is known to not work on bare metal.
    I'll upload a new version that fixes this soon.

 -- Russell Coker <email address hidden>  Wed, 03 Aug 2016 10:42:57 +1000

Superseded in yakkety-release on 2016-08-03
Deleted in yakkety-proposed on 2016-08-04 (Reason: moved to release)
refpolicy (2:2.20140421-12) unstable; urgency=medium

  * Team upload.
  * Install the policy.dtd and policy.xml file in the -dev package, it is used
    by some userspace tools

 -- Laurent Bigonville <email address hidden>  Fri, 27 May 2016 20:23:35 +0200

Superseded in yakkety-release on 2016-05-28
Deleted in yakkety-proposed on 2016-05-29 (Reason: moved to release)
refpolicy (2:2.20140421-11) unstable; urgency=medium

  * Team upload.
  * debian/rules:
    - Make sure the content of the .modules file is sorted independently of
      the locale where the package is built.
    - Force the mode of the files and directories when building the
      selinux-policy-src tarball to make the build reproducible.
  * debian/postinst.policy: List the loaded modules from the expected store
    not from the one configured in the config file
  * debian/NEWS: Add some information about the new policy store.
  * debian/postrm.policy: Remove the /var/lib/selinux/final/ directory when
    purging the package. This directory is created when loading the modules.

 -- Laurent Bigonville <email address hidden>  Mon, 16 May 2016 17:49:03 +0200
Superseded in yakkety-release on 2016-05-17
Deleted in yakkety-proposed on 2016-05-18 (Reason: moved to release)
refpolicy (2:2.20140421-10) unstable; urgency=medium

  * Team upload.
  [ Laurent Bigonville ]
  * Fix the maintainer script to support the new policy store from libsemanage
    2.4 (Closes: #805492)
  * debian/gbp.conf: Sign tags by default (Closes: #781670)
  * debian/control: Adjust and cleanup the {build-}dependencies (Closes:
  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
  * debian/rules: Make the build reproducible (Closes: #778232)
  * Remove deprecated system.users and local.users files
  * debian/control: Update Homepage URL (Closes: #780934)
  * debian/rules: Allow parallel build now that the build system is supporting
    it, see #677689
  * debian/policygentool: Remove string exceptions so the script is Python >=
    2.6 compatible (Closes: #585355)
  * Do not install, semanage.trans.LOCK and
    file_contexts.local in /etc/selinux/* this is not needed anymore with the
    new policy store.
  * debian/control: Use https for the Vcs-* URLs to please lintian
  * debian/watch: Fix watch file URL now that the project has moved to github

  [ Russell Coker ]
  * Allow init_t to manage init_var_run_t symlinks and self getsched
    to relabel files and dirs to etc_runtime_t for /run/blkid
    to read/write init_var_run_t fifos for /run/initctl
    kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
  * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
  * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
  * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
  * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
    create it
  * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
  * Allow apache to read sysctl_vm_t for overcommit_memory Allow
    httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t
    files and directories for mod_pagespeed.
  * Removed bogus .* in mailman file context that was breaking the regex
  * Lots of mailman changes
  * Allow system_mail_t read/write access to crond_tmp_t
  * Allow postfix_pipe_t to write to postfix_public_t sockets
  * Label /usr/share/mdadm/checkarray as bin_t
  * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
  * Allow systemd_tmpfiles_t to create the cpu_device_t device
  * Allow init_t to manage init_var_run_t links
  * Allow groupadd_t the fsetid capability
  * Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
    setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
    dpkg_var_lib_t so dpkg-statoverride can do its job
  * Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
  * Allow webalizer to read fonts and allow logrotate to manage
    webaliser_usage_t files also allow it to be run by logrotate_t.
  * Allow jabber to read ssl certs and give it full access to its log files
    Don't audit jabber running ps.
  * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
    in log dir
  * Allow webalizer to read usr_t and created webalizer_log_t for its logs
  * Made logging_log_filetrans and several other logging macros also allow
    reading var_log_t links so a variety of sysadmin symlinks in /var/log
    won't break things
  * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
    New type postfix_policyd_tmp_t
  * Added user_udp_server boolean
  * Allow apt_t to manage dirs of type apt_var_cache_t
  * Allow jabber to connect to the jabber_interserver_port_t TCP port
    Closes: #697843
  * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
  * Allow init_t to manage init_var_run_t for service file symlinks
  * Add init_telinit(dpkg_script_t) for upgrading systemd
  * Allow dpkg_script_t the setfcap capability for systemd postinst.
  * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
  * Allow *_systemctl_t domains to read initrc_var_run_t (/run/utmp), read proc_t,
    and have capability net_admin.  Allow logrotate_systemctl_t to manage all
  * Give init_t the audit_read capability for systemd
  * Allow iodined_t access to netlink_route_socket.
  * add init_read_state(systemd_cgroups_t) and
    init_read_state(systemd_tmpfiles_t) for /proc/1/environ
  * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
    be some sort of default location. /var/log is a better directory for this
  * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
  * Allow mandb_t to get filesystem attributes
  * Allow syslogd to rename and unlink init_var_run_t files for systemd
    temporary files
  * Allow ntpd_t to delete files for peerstats and loopstats
  * Add correct file labels for squid3 and tunable for squid pinger raw net
    access (default true)
  * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
    xenstored unix sockets
  * Allow qemu_t to read sysfs files for cpu online
  * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
  * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
    kernel images, execute qemu, and inherit fds from sshd etc.
  * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
    /run/xen-hotplug/iptables for when vif-bridge runs iptables
  * Allow xm_t to write to xen_lock_t files not var_lock_t
  * Allow xm_t to load kernel modules
  * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
    its sockets
  * dontaudit xm_t searching home dir content
  * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
    xend_var_run_t directory
  * Label /var/lock/xl as xen_lock_t
  * allow unconfined_t to execute xl/xm in xm_t domain.
  * Allow system_cronjob_t to configure all systemd services (restart all
  * Allow dpkg_script_t and unconfined_t to manage systemd service files of
    type null_device_t (symlinks to /dev/null)
  * Label /var/run/lwresd/ as named_var_run_t
  * Label /run/xen/qmp* as qemu_var_run_t
  * Also label
  * Allow iptables_t to be in unconfined_r (for Xen)
  * Allow udev_t to restart systemd services
    Closes: #756729
  * Merge Laurent's changes with mine

 -- Laurent Bigonville <email address hidden>  Fri, 13 May 2016 22:29:59 +0200

Superseded in yakkety-release on 2016-05-14
Published in xenial-release on 2015-10-22
Obsolete in wily-release on 2018-01-22
Obsolete in vivid-release on 2018-01-18
Deleted in vivid-proposed (Reason: moved to release)
refpolicy (2:2.20140421-9) unstable; urgency=medium

  * Allow dovecot_t to read /usr/share/dovecot/protocols.d
    Allow dovecot_t capability sys_resource
    Label /usr/lib/dovecot/* as bin_t unless specified otherwise
    Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens
  * Allow clamd_t capability { chown fowner fsetid }
    Allow clamd_t to read sysctl_vm_t
  * Allow dkim_milter_t capability dac_override and read sysctl_vm_t
    allow dkim_milter_t to bind to unreserved UDP ports
  * Label all hard-links of perdition perdition_exec_t
    Allow perdition to read /dev/urandom and capabilities dac_override, chown,
    and fowner
    Allow perdition file trans to perdition_var_run_t for directories
    Also proxy the sieve service - sieve_port_t
    Allow connecting to mysql for map data
  * Allow nrpe_t to read nagios_etc_t and have capability dac_override
  * Allow httpd_t to write to initrc_tmp_t files
    Label /var/lib/php5(/.*)? as httpd_var_lib_t
  * Allow postfix_cleanup_t to talk to the dkim filter
    allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters)
    allow postfix_smtpd_t to talk to clamd_t via unix sockets
    allow postfix_master_t to execute hostname for Debian startup scripts
  * Allow unconfined_cronjob_t role system_r and allow it to restart daemons
    via systemd
    Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session
  * Allow spamass_milter_t to search the postfix spool and sigkill itself
    allow spamc_t to be in system_r for when spamass_milter runs it
  * Allow courier_authdaemon_t to execute a shell
  * Label /usr/bin/maildrop as procmail_exec_t
    Allow procmail_t to connect to courier authdaemon for the courier maildrop,
    also changed courier_stream_connect_authdaemon to use courier_var_run_t
    for the type of the socket file
    Allow procmail_t to read courier config for maildrop.
  * Allow system_mail_t to be in role unconfined_r
  * Label ldconfig.real instead of ldconfig as ldconfig_exec_t
  * Allow apt_t to list directories of type apt_var_log_t
  * Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for
  * Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage
    shadow files, process setfscreate, and capabilities audit_write net_admin
  * Label /usr/lib/xen-*/xl as xm_exec_t

 -- Russell Coker <email address hidden>  Fri, 06 Feb 2015 02:31:05 +1100

Superseded in vivid-release on 2015-02-05
Deleted in vivid-proposed on 2015-02-07 (Reason: moved to release)
refpolicy (2:2.20140421-7) unstable; urgency=medium

  * Label /run/systemd/journal/dev-log and /run/systemd/journal/stdout as
  * Allow bootloader_t to load kernel modules and run apt-cache
  * Allow systemd_cgroups_t to read /proc/cmdline
  * Allow sshd net_admin capability
  * Allow systemd_logind_t to read kernel sysctls, list tmpfs, and mount on
    /var/auth, and systemd_unit_file_t:service stop.
  * Allow dpkg_script_t to restart systemd unit files of type init_var_run_t
  * Allow local_login_t and user_t to talk to systemd_logind via dbus
  * Allow user_ssh_agent_t to read/write its own fifo files
  * Allow user_t to talk to gconfd_t via dbus
  * Allow gpg_agent_t to send sigchld to xdm_t, to be a system dbus client,
    to use nsswitch, and to read user xauth file
  * Allow $1_dbusd_t domains systemd_login_read_pid_files access
  * Remove gpg_helper_t, merge gpg_pinentry_t with the main gpg domain, and
    create user_gpg_t, staff_gpg_t, etc.
  * Allow userdomains to talk to kerneloops via dbus
  * Allow sysstat_t to search all mountpoints
  * Allow udev_t self:netlink_route_socket nlmsg_write for interface rename
  * Allow systemd_tmpfiles_t to read kernel sysctls for boot_id
  * Allow setfiles_t to read /dev/urandom
  * Label /var/run/blkid as etc_runtime_t

  * TLDR: Make everything work with latest systemd and allow KDE login with
    latest X11 configuration.

 -- Russell Coker <email address hidden>  Mon, 13 Oct 2014 09:41:44 +1100

Superseded in vivid-release on 2014-10-25
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
refpolicy (2:2.20140421-4) unstable; urgency=medium

  * Team upload.
  * debian/rules: Properly expand flavour directory during build
  * debian/rules: Properly remove postrm scripts in clean target
  * debian/postinst.policy: Remove the modules that are not built anymore from
    the notdefault list
  * debian/postinst.policy: Remove the .disabled file for the modules that are
    now built in the base.pp or not built anymore at all.

 -- Laurent Bigonville <email address hidden>  Sun, 29 Jun 2014 17:33:39 +0200

Superseded in utopic-release on 2014-06-30
Deleted in utopic-proposed on 2014-07-01 (Reason: moved to release)
refpolicy (2:2.20140421-3) unstable; urgency=medium

  * Allow sysadm_t to read policy
  * Make systemd_login_list_pid_dirs() call init_search_pid_dirs() as it
    doesn't work without it
  * Added chromium/google-chrome policy
  * dev_getattr_sysfs(sysstat_t) for Debian cron job
  * Allow sysstat_t to manage its log files
  * Allow dpkg_script_t to config all systemd services and get init status
  * Allow dpkg_script_t to dirmngr_admin
  * really added systemd_login_list_pid_dirs(system_dbusd_t) (somehow missed
    this last time)
  * Allow sshd to chat with systemd via dbus
  * Allow unconfined_t to restart services
  * systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
  * systemd_dbus_chat_logind(sshd_t)
  * Allow xend to read vm sysctls
  * Allow udev_t to manage xenfs_t files for xenstore-read
  * Allow system_dbusd_t systemd_login_read_pid_files access for
    /run/systemd/users/* files
  * Allow systemd_logind_t to stat tmpfs_t filesystems for /run/user
  * Remove the "genfscon selinuxfs" line from selinux.if in selinux-policy-dev
    to stop sepolgen-ifgen errors.
  * Make udev_relabelto_db() include lnk_file relabeling
  * Allow kernel_t to fs_search_tmpfs, selinux_compute_create_context, and
    kernel_read_unlabeled_state for booting without unconfined.pp
  * Allow system_cronjob_t to manage the apt cache
  * Allow modutils_read_module_config(init_t) and create cgroup_t links for
    strict config. Allow it to relabel from tmpfs_t symlinks
  * Allow init_run_all_scripts_domain (initrc_t) the service { status start
    stop } for all the daemon _initrc_exec_t scripts.
  * Allow sysadm_r to have domain system_mail_t for strict policy
  * Allow init_t to relabel device_t symlinks and pstore_t dirs, load kernel
    modules, manage init_var_run_t sock_files, read /usr, read /dev/urandom,
    systemd_manage_passwd_run, and domain_read_all_domains_state

 -- Russell Coker <email address hidden>  Sun, 29 Jun 2014 19:11:45 +1000

Superseded in utopic-release on 2014-06-29
Deleted in utopic-proposed on 2014-06-30 (Reason: moved to release)
refpolicy (2:2.20140421-2) unstable; urgency=medium

  * Fix systemd support
  * Made init, logging, authlogin, application, userdomain, systemd, dmesg,
    dpkg, usermanage, libraries, fstools, miscfiles, mount, selinuxutil,
    storage and sysnetwork be base modules - some of this is needed for
    systemd, some just makes sense.
  * Disabled modules anaconda, authbind, kudzu, portage, rhgb, speedtouch
  * Allow syslogd_t to read /dev/urandom (for systemd)
  * Change unit files to use .*\.service
  * Default trans syslogd_tmp_t for name /run/log (for systemd)
  * Make /var/auth a mountpoint
  * Allow systemd_tmpfiles_t to relabelto xconsole_device_t
  * Allow init_t to start and stop service systemd_unit_file_t
  * Allow udev_t to write to init_t stream sockets for systemctl
  * Allow syslogd_t to read udev_var_run_t so systemd_journal can get seat data
  * Allow systemd_logind_t to read udev_var_run_t for seat data
  * Allow syslogd_t setgid and setgid for systemd_journal
  * Allow udev_t to read cgroup files for systemd-udevd to read its own cgroup
  * Give logrotate_t the systemd_systemctl_domain access to restart daemons
  * Make transition from unconfined_t to insmod_t for running modutils and
    remove all unused modutils domains. Make unconfined_t transition to
    insmod_t, this makes depmod run as insmod_t. Make insmod_t write modules
    dep files with the correct context.
  * Allow udev_t to load kernel modules for systemd-udevd
  * Allow initrc_t to systemd_config_all_services
  * Allow lvm_t to talk to init_t via unix socket for systemd
  * Allow lvm_t to read sysctl_crypto_t
  * Allow udev_t to read modules_object_t for systemd-udevd
  * Allow udev_t to search /run/systemd for systemd-udevd
  * Allow systemd_tmpfiles_t to relabel man_cache_t
  * Allow initrc_t to get status of init_t for systemd
  * Allow udev_t to get initrc_exec_t service status for when udev runs hdparm

  * Allow ifconfig_t to load kernel modules
  * Allow named_t to read vm sysctls
  * Allow tor_t capabilities chown dac_read_search dac_override fowner
  * Allow fetchmail_t to manage dirs of type fetchmail_uidl_cache_t
  * Allow mysqld_t to connect to itself on unix_stream_socket
  * Allow mysqld_t kernel_read_vm_sysctls for overcommit_memory
  * Allow sysstat_t read and write access to crond_tmp_t (for cron to capture
  * Allow sysstat_t to read its own log files and read shell_exec_t
  * Included file context for /run/
  * Allow kerneloops_t to read /proc/filesystems
  * Label /var/cache/dirmngr as dirmngr_var_lib_t
  * systemd_login_list_pid_dirs(system_dbusd_t)

 -- Russell Coker <email address hidden>  Wed, 25 Jun 2014 15:38:58 +1000

Superseded in utopic-release on 2014-06-25
Deleted in utopic-proposed on 2014-06-26 (Reason: moved to release)
refpolicy (2:2.20140421-1) unstable; urgency=medium

  * Team upload.
  * New GIT snapshot of the policy
    - Drop debian/patches/upstream/*.patch: Applied upstream
    - Label /etc/locale.alias as locale_t (Closes: #707246)
    - Allow xdm_t to execute gkeyringd_domains and to transition to them
    - Label postgresql manpages properly (Closes: #740591)
    - Allow setfiles_t and restorecond_t to getattr from all fs that support
      xattr (Closes: #740682)
  * Refresh debian/modules.conf.default, debian/ Start
    building the shibboleth module

 -- Laurent Bigonville <email address hidden>  Mon, 21 Apr 2014 23:37:53 +0200

Superseded in utopic-release on 2014-04-26
Published in trusty-release on 2014-02-07
Deleted in trusty-proposed (Reason: moved to release)
refpolicy (2:2.20140206-1) unstable; urgency=medium

  * Team upload.
  * New GIT snapshot of the policy
    - Allow unconfined_u user to enter system_r role again (Closes: #732857)
    - Allow unconfined user to transition to dpkg_t and transitively to
      dpkg_script_t (Closes: #707214)
    - Refresh 0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch
    - Drop d/p/0005-add-missing-newline.patch,
      d/p/0006-allow-udev-write-rulesd.patch: Applied upstream
  * debian/{inst,rm}: Call sepolgen-ifgen after
    selinux-policy-dev installation if SELinux is enabled
  * debian/selinux-policy-dev.install, debian/rules: Install headers in
    /usr/share/selinux/devel, there is no differences between default and mls
    headers, so it's not necessary to install both.
  * debian/rules, debian/example/Makefile, debian/Makefile.devel: Fix
    development Makefile to work with new headers location
  * debian/control: Bump Standards-Version to 3.9.5 (no further changes)

 -- Laurent Bigonville <email address hidden>  Thu, 06 Feb 2014 21:56:55 +0100

Superseded in trusty-release on 2014-02-07
Deleted in trusty-proposed on 2014-02-08 (Reason: moved to release)
refpolicy (2:2.20131214-1) unstable; urgency=low

  * Team upload.
  [ Laurent Bigonville ]
  * New GIT snapshot of the policy
    - Drop all the Debian specific patches, some of the patches have been
      merged upstream, but the rest was making it really difficult to upgrade
      the policy to the new upstream versions.
    - Add block_suspend access vectors (Closes: #722700)
    - libvirt should now run when compiled with selinux support
      (Closes: #559356)
    - Allow smartd daemon to write in /var/lib/smartmontools directory
      (Closes: #720631)
    - NetworkManager should now be able to write /run/network/ifstate
      (Closes: #711083)
    - Allow dovecot self:process setsched permission (Closes: #716753)
    - Add denyhosts policy package (Closes: #700403)
    - deny_ptrace boolean is now gone (Closes: #691284)
    - Allow fail2ban dac_read_search and dac_override capabilities
      (Closes: #700326)
    - irqbalance has now the getsched permission (Closes: #707243)
  * Refresh debian/modules.conf.* for new release, build all the policy
    packages as modules now
  * Drop debian/file_contexts.subs_dist, install upstream one instead
  * debian/rules: policy/rolemap file is gone
  * debian/control: Bump {build-}dependencies to the last userspace release
  * debian/rules: Disable UBAC for the default policy
  * debian/rules: Build the default policy with UNK_PERMS=allow
  * debian/control: Add dependency against selinux-utils for selinuxenabled
  * debian/NEWS: Add some information about the proper way to permanently
    disable a module
  * d/p/0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch:
    Fix FTBFS and allow startpar can getattr of some devices
  * Add d/p/0005-add-missing-newline.patch: Add missing newline at the end of
    the file, this is causing weird behaviour, thanks M4
  * d/p/0006-allow-udev-write-rulesd.patch: Allow udev to write in
    /etc/udev/rules.d (Closes: #712970)

  [ Mika Pflüger ]
  * debian/postinst.policy: Rewrite the postinst script for the
    selinux-policy-* packages to automatically upgrade the running policy.
    (Closes: #552147)
  * debian/copyright: Update to machine-readable copyright format.
  * debian/postrm.policy: Use common postrm script for selinux-policy-*

 -- Laurent Bigonville <email address hidden>  Sun, 15 Dec 2013 22:53:06 +0100
Superseded in trusty-release on 2013-12-16
Deleted in trusty-proposed on 2013-12-17 (Reason: moved to release)
refpolicy (2:2.20110726-13) unstable; urgency=low

  * Team upload.
  [ Mika Pflüger ]
  * Allow dhcpc_t to bind to all udp ports (Closes: #707658).

  [ Laurent Bigonville ]
  * Rework the build system
  * Compress modules files with bzip2
  * debian/control:
    - Bump Standards-Version to 3.9.4 (no further changes)
    - Drop really old Conflicts
    - Add a Breaks against selinux-basics (<< 0.5.2~) so we are sure it
      supports .bz2 compressed modules
  * debian/source/lintian-overrides: Add an override for

 -- Laurent Bigonville <email address hidden>  Fri, 20 Sep 2013 19:18:57 +0200
Superseded in trusty-release on 2013-10-22
Obsolete in saucy-release on 2015-04-24
Obsolete in raring-release on 2015-04-24
Deleted in raring-proposed on 2015-04-27 (Reason: moved to release)
refpolicy (2:2.20110726-12) unstable; urgency=low

  * Team upload.
  [ Russell Coker ]
  * Label ~/.adobe(/.*)? as mozilla_home_t for flash
  * Label /usr/sbin/opendkim as dkim_milter_exec_t
  * Label postalias as postfix_master_exec_t for newaliases
  * Make postfix.pp not depend on unconfined.pp for "strict" configurations
  * Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
    client control
  * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t for desktops
  * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
  * Allow user roles access to mozilla_t classes shm and sem for sharing
    the sound device
  * Allow user roles access to mozilla_tmp_t
  * Label /sbin/xtables-multi (the new iptables)
  * Allow watchdog_t to read syslog pid files for process watching
  * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
  * Allow systemd_passwd_agent_t access to search selinuxfs and write to
    the console for getting a password for encrypted filesystems
  * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
    Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
    Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
    Closes: #690225

 -- Mika Pflüger <email address hidden>  Fri, 30 Nov 2012 00:28:21 +0100
Superseded in raring-release on 2012-11-30
Deleted in raring-proposed on 2012-12-01 (Reason: moved to release)
refpolicy (2:2.20110726-11) unstable; urgency=low

  * Team upload
  [ Mika Pflüger ]
  * Drop incomplete patch adding debian specific gdm3 locations and
    cherry-pick Laurent's complete patch from upstream instead. Slightly
    edit the patch to work around an issue in file context ordering.

 -- Laurent Bigonville <email address hidden>  Sun, 30 Sep 2012 22:43:12 +0200
Superseded in raring-release on 2012-10-29
Obsolete in quantal-release on 2015-04-24
refpolicy (2:2.20110726-9) unstable; urgency=high

  * Enable UBAC as roles aren't useful.  I recommend using only roles user_r
    and unconfined_r and using UBAC (constraining users from sharing files
    between identities) where you would previously have used roles.
  * Made cron jobs run in regular user domains such as unconfined_t and user_t
    Closes: #679277
  * Had the wrong timestamp on the last upload, corrected it for the record.
  * Allow ftpd to create sock_file objects under /var/run for proftpd
  * Change readahead policy to support memlockd.
  * Allow devicekit_power_t, devicekit_disk_t, kerneloops_t, and policykit_t
    to send dbus messages to users.
  * Grant systemd utilities access to selinuxfs so they can correctly label directories
    Closes: #678392
  * Assigned type consolekit_var_run_t to /var/run/console(/.*)? because it's
    created and managed by consolekit nowadays.
  * Created tunable allow_ssh_connect_reserved_ports to allow ssh client to
    connect to reserved ports.
  * Correctly label all perdition binaries, give perdition_t dac_override, and
    allow perdition_t to create its own pid directories.
  * Label /etc/dansguardian as squid_etc_t
  * Allow devicekit_power_t to access acpi device and read udev tables and
    allow devicekit_disk_t to read udev tables.
  * Allow sshd_t to write to fifos inherited from systemd
  * High urgency because we really need to have working cron jobs!!!
  * Removed the postinst code to upgrade from pre-squeeze packages.

 -- Russell Coker <email address hidden>  Sat, 30 Jun 2012 19:19:57 +1000

Superseded in quantal-release on 2012-07-01
refpolicy (2:2.20110726-8) unstable; urgency=high

  * Allow dbus domains to search cgroup dirs and init_var_run_t
  * Have init_t transition to devicekit_power_t and devicekit_disk_t for
  * Allow user domains to create netlink_kobject_uevent_socket objects
  * Put dansguardian in squid_t
  * Fixed error in portslave.te that prevented module insertion
  * Allow postgrey_t to exec bin_t for perl and self:netlink_route_socket
  * Allow dac_override access to arpwatch_t
  * Add tcsd.pp (for trousers) to the policy packages
  * Add nut.pp for the nut-server package to the policy packages
  * Load irqbalance.pp if irqbalance Debian package is installed, same for
    kerneloops, tcsd.pp/trousers, nut.pp/nut-server, and
    smartmon.pp/smartmontools.
  * High urgency because the support for tcsd and nut really needs to be
    tested (and it's broken badly for those people) and portslave.pp is also
    badly broken in previous versions.

 -- Russell Coker <email address hidden>  Sat, 23 Jun 2012 21:43:46 +1000

Superseded in quantal-release on 2012-06-29
refpolicy (2:2.20110726-7) unstable; urgency=high

  [Russell Coker]
  * Got Chromium working!
  * Allow user_dbusd_t to access /run/console
  * Got systemd working
    Closes: #677578
  * Added policy for dirmngr.
  * Added support for wide-dhcpv6-client.
  * Remove all refpolicyerr and almost all refpolicywarn instances, removed all
    obsolete interfaces and fixed syntax errors.
    Closes: #678237
  * Allow all users to run the Postfix mailq command
  * Lots of little changes.
  [Mika Pflüger]
  * Do not ship pyplate.pyc. Closes: #676852

 -- Russell Coker <email address hidden>  Thu, 21 Jun 2012 23:15:59 +1000

Superseded in quantal-release on 2012-06-22
refpolicy (2:2.20110726-6) unstable; urgency=low

  * Added deny_ptrace tunable which some modules depend on
  * Fixed squid and nrpe policy
  * Made all necessary changes to allow a KDE login
    Closes: #677589
  * Made all necessary changes for a mail server running Postfix, Courier
    Maildrop, and Dovecot.  Not all mail server configurations will work (MTAs
    tend to be complex and have lots of interactions) but getting other
    configurations will be easier now.

 -- Russell Coker <email address hidden>  Sun, 17 Jun 2012 06:18:01 +0000

Superseded in quantal-release on 2012-06-18
refpolicy (2:2.20110726-5) unstable; urgency=high

  * Add systemd support - incomplete.
    Closes: #660577.  I opened another bug for systemd not working.
  * Depend on the latest SE Linux libraries
  * Fix many problems that prevented successful boot, now should be quite
    functional for servers.
    Closes: #677579, #613977
  * Fix djbdns port access.
    Closes: #620718

 -- Russell Coker <email address hidden>  Sat, 16 Jun 2012 00:17:13 +1000

Superseded in quantal-release on 2012-06-16
refpolicy (2:2.20110726-4) unstable; urgency=low

  [Russell Coker]
  * Build and upload based on Laurent and Mika's good work.
  * Hopefully will have a new version released very soon, but it's good to just
    upload when there have been significant changes that have no down-side.

  [Laurent Bigonville]
  * debian/control:
    - Bump Standards-Version to 3.9.2
  * Add debian/gbp.conf file
  * Switch to dpkg-source 3.0 (quilt) format
    - Split out existing patches

  [Mika Pflüger]
  * Switch to team maintenance
  * Update Vcs-* fields (Closes: #660328)

 -- Russell Coker <email address hidden>  Sun, 10 Jun 2012 12:07:17 +1000

Superseded in quantal-release on 2012-06-10
Published in precise-release on 2012-02-06
refpolicy (2:2.20110726-3) unstable; urgency=low

  * Label /run/mdadm/map .
    Closes: #643490
  * Stop conflicting with ancient "selinux" package.
    Closes: #576598

 -- Russell Coker <email address hidden>  Wed, 25 Jan 2012 23:52:15 +1100
Superseded in precise-release on 2012-02-06
refpolicy (2:2.20110726-1ubuntu1) precise; urgency=low

  * Merge from Debian testing.  Remaining changes:
    - debian/control: drop "selinux" conflict (Closes: #576598)

Superseded in precise-release on 2011-12-03
refpolicy (2:0.2.20100524-12ubuntu1) precise; urgency=low

  * Merge from debian testing.  Remaining changes:
    - debian/control: drop "selinux" conflict (Closes: #576598)

Superseded in precise-release on 2011-10-16
Obsolete in oneiric-release on 2015-04-24
refpolicy (2:0.2.20100524-10ubuntu1) oneiric; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in oneiric-release on 2011-07-25
refpolicy (2:0.2.20100524-9ubuntu1) oneiric; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in oneiric-release on 2011-05-17
refpolicy (2:0.2.20100524-8ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining change:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in oneiric-release on 2011-05-01
Obsolete in natty-release on 2013-06-04
refpolicy (2:0.2.20100524-7ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in natty-release on 2011-01-13
refpolicy (2:0.2.20100524-6ubuntu1) natty; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in natty-release on 2011-01-13
refpolicy (2:0.2.20100524-5ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining change:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in natty-release on 2011-01-09
refpolicy (2:0.2.20100524-4ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

Superseded in natty-release on 2010-10-17
Obsolete in maverick-release on 2013-03-05
refpolicy (2:0.2.20100524-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable (LP: #607149). Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598).

Superseded in maverick-release on 2010-07-20
refpolicy (2:0.2.20100524-1ubuntu1) maverick; urgency=low

  * Merge from debian unstable.  Remaining changes: LP: #602199
    - debian/control: drop "selinux" conflict (Debian bug 576598).

Superseded in maverick-release on 2010-07-07
refpolicy (2:0.2.20091117-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598).

Superseded in maverick-release on 2010-06-24
Obsolete in lucid-release on 2016-10-26
refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low

  * debian/control: drop "selinux" conflict for sane installation
    in Ubuntu (Debian bug 576598).
 -- Kees Cook <email address hidden>   Mon, 05 Apr 2010 13:03:23 -0700
Superseded in lucid-release on 2010-04-05
refpolicy (2:0.2.20091117-1) unstable; urgency=low

  * New upstream release.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Sat,  05 Dec 2009 21:32:22 +0000
Superseded in lucid-release on 2009-12-05
refpolicy (2:0.2.20091013-1) unstable; urgency=low

  * New upstream VCS snapshot
  * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit,
    seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis
    (Miroslav Grepl); xscreensaver (Corentin Labbe)
  * [dd26539]: [topic--urand-fix]: Fix issues related to
    + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t,
      hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t,
      dmidecode_t, getty_t, and setfiles_t to read /dev/urandom
    + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and
      portmap_t to read /dev/console
    + Allow udev_t to access anon_inodefs_t
    These changes take care of most of the problems encountered in recent
    reference policy packages in Debian. Thanks to Russell Coker for the

Superseded in lucid-release on 2009-11-06
Obsolete in karmic-release on 2013-03-04
refpolicy (2:0.0.20090621-1) unstable; urgency=low

  * New upstream snapshot.
    - Greylist milter from Paul Howarth.
    - Crack db access for su to handle password expiration, from Brandon Whalen.
    - Misc fixes for unix_update from Brandon Whalen.
    - Add x_device permissions for XI2 functions, from Eamon Walsh.
    - MLS constraints for the x_selection class, from Eamon Walsh.
    - Postgresql updates from KaiGai Kohei.
    - Milter state directory patch from Paul Howarth.
    - Add MLS constrains for ingress/egress and secmark from Paul Moore.
    - Drop write permission from fs_read_rpc_sockets().
    - Remove unused udev_runtime_t type.
    - Patch for RadSec port from Glen Turner.
    - Enable network_peer_controls policy capability from Paul Moore.
    - Btrfs xattr support from Paul Moore.
    - Add db_procedure install permission from KaiGai Kohei.
    - Add support for network interfaces with access controlled by a Boolean
      from the CLIP project.
    - Several fixes from the CLIP project.
    - Add support for labeled Booleans.
    - Remove node definitions and change node usage to generic nodes.
    - Add kernel_service access vectors, from Stephen Smalley.
    - Added modules:
            certmaster (Dan Walsh)
            git (Dan Walsh)
            gpsd (Miroslav Grepl)
            guest (Dan Walsh)
            ifplugd (Dan Walsh)
            lircd (Miroslav Grepl)
            logadm (Dan Walsh)
            pingd (Dan Walsh)
            psad (Dan Walsh)
            portreserve (Dan Walsh)
            ulogd (Dan Walsh)
            webadm (Dan Walsh)
            xguest (Dan Walsh)
            zosremote (Dan Walsh)

    - Fix consistency of audioentropy and iscsi module naming.
    - Debian file context fix for xen from Russell Coker.
    - Xserver MLS fix from Eamon Walsh.
    - Add omapi port for dhcpcd.
    - Deprecate per-role templates and rolemap support.
    - Implement user-based access control for use as role separations.
    - Move shared library calls from individual modules to the domain module.
    - Enable open permission checks policy capability.
    - Remove hierarchy from portage module as it is not a good example of
    - Remove enableaudit target from modular build as semodule -DB supplants it.
    - Added modules:
            milter (Paul Howarth)
  * Sync'd with Russell Coker

Superseded in karmic-release on 2009-06-23
refpolicy (2:0.0.20080702-14.1) unstable; urgency=low

  * Non-maintainer upload.
  * Only record changes to original modules selections. (closes: #524516)
  * Again disable unbuildable portslave policy.
  * Fix pythonsupport policy.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  01 Jun 2009 10:46:06 +0100
Superseded in karmic-release on 2009-06-01
Obsolete in jaunty-release on 2013-02-28
refpolicy (2:0.0.20080702-14) unstable; urgency=high

  * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
    a domain transition.  Also dontaudit searching of the sysadm home dir
    and allow xend_t to manage xenstored_var_run_t.
    Allow losetup (fsadm_t) and udev access to Xen image files
  * Add support for Exim.
  * Add support for Jabber, including adding the epmd_t domain for the Erlang
    Port Mapper Daemon (used by ejabberd).  Label port 5280 as being for Jabber
    (the ejabberd web administration service) and port 7777 (SOCKS5
    Bytestreams (XEP-0065) for proxy file transfer).
  * Allow cron to search httpd_sys_content_t
  * Dontaudit logrotate search access to unconfined_home_dir_t.
  * Fixed labelling of /var/lock/mailman
  * Allow courier_pop_t to read /dev/urandom and to do ioctl on its fifos.
    Also allow it to talk to portmap so the IMAP server can do FAM.

Superseded in jaunty-release on 2008-11-06
Obsolete in intrepid-release on 2013-02-20
refpolicy (2:0.0.20080702-6) unstable; urgency=low

  * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
    Closes: #494234
  * Made xserver.pp be loaded whenever xbase-clients is installed so that
    /tmp/.ICE-unix gets the right context.
  * Policy updates, allowed rsyslogd to work correctly
    Allow gpg to read/write user files under /tmp
    Set the context of /var/run/portmap_mapping and /var/cache/ldconfig
    Allow users to read symlinks under /var/lib (for python)
    Make udev_t transition when running initrc_exec_t.
    Changed the type of /var/init/rw to var_run_t
    Changed r_dir_perms to list_dir_perms and r_file_perms to read_file_perms
    to avoid warnings.
    Changed read_file_perms to read_lnk_file_perms for lnk_file class.
    Set the contexts for /var/run/hotkey-setup, /var/run/motd, /var/run/kdm/*,
    and /var/lib/gdm/*
    Dontaudit logrotate_t trying to write initrc_var_run_t.

Superseded in intrepid-release on 2008-08-28
refpolicy (2:0.0.20080702-1) unstable; urgency=low

  * Update to latest upstream and take over the package as Manoj seems busy
    on other things.
  * Change the policy package names to selinux-policy-default and
    selinux-policy-mls.  Made selinux-policy-default do strict and targeted
    (targeted by default).
  * Optimise module loading to halve postinst time.
  * Depend on the latest policycoreutils (which sets the right default in

Superseded in intrepid-release on 2008-07-15
Obsolete in hardy-release on 2015-04-24
refpolicy (0.0.20071214-0ubuntu3) hardy; urgency=low

  * debian/patches/cups.patch
  * debian/patches/files.patch
  * debian/patches/lpd.patch
    - Allow cups to use dhcp.
    - Allow most accesses necessary for cups-pdf.
    - Allow cups access to dbus when no dbus policy is loaded.
  * debian/patches/init.patch
  * debian/patches/ssh.patch
    - Allow init to change oom priority of sshd.
  * debian/patches/unconfined.patch
  * debian/patches/users.patch
    - Allowing unconfined_r system_r and access to run_init so that unconfined
      root users can start/stop/restart services via init scripts
      (LP: #202983, #209773, #211305, #216132)

 -- Caleb Case <email address hidden>   Tue, 25 Mar 2008 16:42:08 -0400
Superseded in hardy-release on 2008-04-15
refpolicy (0.0.20071214-0ubuntu2) hardy; urgency=low

  * debian/patches/conf.patch
    - Adding root to config/appconfig-standard/seusers so that its home
      directory will get labeled correctly.

 -- Caleb Case <email address hidden>   Fri, 29 Feb 2008 12:31:15 -0500
Superseded in hardy-release on 2008-03-01
refpolicy (0.0.20071214-0ubuntu1) hardy; urgency=low

  [ Caleb Case ]
  * New upstream SVN HEAD.
   - Labeled networking peer object class updates.
   - Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
   - Improve several tunables descriptions from Dan Walsh.
   - Patch to clean up ns switch usage in the policy from Dan Walsh.
   - More complete labeled networking infrastructure from KaiGai Kohei.
   - Add interface for libselinux constructor, for libselinux-linked
     SELinux-enabled programs.
   - Patch to restructure user role templates to create restricted user roles
     from Dan Walsh.
   - Russian man page translations from Andrey Markelov.
   - Remove unused types from dbus.
   - Add infrastructure for managing all user web content.
   - Deprecate some old file and dir permission set macros in favor of the
     newer, more consistently-named macros.
   - Patch to clean up unescaped periods in several file context entries from
     Jan-Frode Myklebust.
   - Merge shlib_t into lib_t.
   - Merge strict and targeted policies.  The policy will now behave like the
     strict policy if the unconfined module is not present.  If it is, it will
     behave like the targeted policy.  Added an unconfined role to have a mix
     of confined and unconfined users.
   - Added modules:
      exim (Dan Walsh)
      postfixpolicyd (Jan-Frode Myklebust)
   - Add support for setting the unknown permissions handling.
   - Fix XML building for external reference builds and headers builds.
   - Patch to add missing requirements in userdomain interfaces from Shintaro
   - Add tcpd_wrapped_domain() for services that use tcp wrappers.
   - Update MLS constraints from LSPP evaluated policy.
   - Allow initrc_t file descriptors to be inherited regardless of MLS level.
     Accordingly drop MLS permissions from daemons that inherit from any level.
   - Files and radvd updates from Stefan Schulze Frielinghaus.
   - Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
     mls_write_all_levels() and mls_read_all_levels(), for consistency.
   - Add make kernel and init ranged interfaces pass the range transition MLS
     constraints.  Also remove calls to mls_rangetrans_target() in modules that
     use the kernel and init interfaces, since it's redundant.
   - Add interfaces for all MLS attributes except X object classes.
   - Require all sensitivities and categories for MLS and MCS policies, not just
     the low and high sensitivity and category.
   - Database userspace object manager classes from KaiGai Kohei.
   - Add third-party interface for Apache CGI.
   - Add getserv and shmemserv nscd permissions.
   - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
   - Added modules:
      awstats (Stefan Schulze Frielinghaus)
      bitlbee (Devin Carraway)
      brctl (Dan Walsh)
   - Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
     libraries module.
   - Unified labeled networking policy from Paul Moore.
   - Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
   - Xen updates from Dan Walsh.
   - Filesystem updates from Dan Walsh.
   - Large samba update from Dan Walsh.
   - Drop snmpd_etc_t.
   - Confine sendmail and logrotate on targeted.
   - Tunable connection to postgresql for users from KaiGai Kohei.
   - Memprotect support patch from Stephen Smalley.
   - Add logging_send_audit_msgs() interface and deprecate
   - Openct updates patch from Dan Walsh.
   - Merge restorecon into setfiles.
   - Patch to begin separating out hald helper programs from Dan Walsh.
   - Fixes for squid, dovecot, and snmp from Dan Walsh.
   - Miscellaneous consolekit fixes from Dan Walsh.
   - Patch to have avahi use the nsswitch interface rather than individual
     permissions from Dan Walsh.
   - Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
   - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
     to handle usage from userhelper from Dan Walsh.
   - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
   - Patch to allow slocate to getattr other filesystems and directories on those
     filesystems from Dan Walsh.
   - Fixes for RHEL4 from the CLIP project.
   - Replace the old lrrd fc entries with munin ones.
   - Move program admin template usage out of userdom_admin_user_template() to
     sysadm policy in userdomain.te to fix usage of the template for third
   - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
     template instead of an interface.
   - Added modules:
      amtu (Dan Walsh)
      apcupsd (Dan Walsh)
      rpcbind (Dan Walsh)
      rwho (Nalin Dahyabhai)
  * debian/control
    * selinux-policy-refpolicy depends on *-cups and *-unconfined policies.
    * selinux-policy-refpolicy-(cups|unconfined) provide
      selinux-policy-(cups|unconfined) (potentially allowing a user to install
      a dummy package to satisfy).
  * debian/patches/conf.patch
    * added seusers patch that makes all users unconfined by default.
  * debian/selinux-policy-refpolicy.*
    * adding in dbus policy

  [ Joseph Jackson IV ]
  * debian/control
    - Update Debian Maintainer field

  [ J. Tang ]
  * debian/postinst
    - Invoke /usr/sbin/update-selinux-policy to change the policy
      to refpolicy, if possible.
  * debian/selinux-policy-refpolicy.*postrm
    - Handle purging correctly.

 -- Caleb Case <email address hidden>   Fri, 08 Feb 2008 03:22:20 -0500
Superseded in hardy-release on 2008-02-15
Obsolete in gutsy-release on 2011-09-16
refpolicy (0.0.20070507-5) unstable; urgency=low

  * Allow users to read the dpkg database. With this change, every user
    of the strict policy now has access to dpkg-checkbuildeps, grep-dctrl,
    etc, which was not the case previously.
  * Change the example localStrict.te policy file to silently ignore apt
    searching for something in /var/lib. With this example policy loaded
    in my strict policy UML virtual machine, I can compile packages in
    enforcing mode. Based on advice on the mailing list, allow more things
    to access /selinux
  * Merge in changes from Russell Coker. These include a better fix for

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  21 May 2007 09:36:31 +0100
Superseded in gutsy-release on 2007-05-21
refpolicy (0.0.20070507-4) unstable; urgency=low

  * Allow apt to run update by giving r_netlink_socket_perms to
  * Allow apt/aptitude to update, and install files
    - Added an interface to apt.if allow silently ignoring processes that
      attempt to use file descriptors from apt.
    - Bump the apt policy module version number, since we have added to
      the interface.
    - Added some stuff to dpkg.te to allow debconf .config file
      interactions back to the user
    - Add an optional dontaudit rule to libraries.te to allow
      apt-get/aptitude to install packages silently.
  * Very early in boot, /lib/init/rw is created as a mandatory tmpfs for
    state information. Label that directory as initrc_tmp_t to allow
    mount.te to be permitted to mount a tmpfs there.
  * In init.te, allow /etc/network/if-up.d/mountnfs to create
    /var/run/network/mountnfs as a poor man's lock.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  14 May 2007 12:27:48 +0100
Superseded in gutsy-release on 2007-05-14
refpolicy (0.0.20070507-3) unstable; urgency=low

  * Add hostfs as a recognized remote file-system. This should allow a
    UML virtual machine to function in a fully enforcing mode.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  10 May 2007 13:18:48 +0100
Superseded in gutsy-release on 2007-05-10
refpolicy (0.0.20070507-2) unstable; urgency=medium

  * Keep track of modules that are really built into the base policy in
    Debian.  We then use this list to remove the modules .pp files from
    the policy shipped, since they can not be installed along with the
    base policy anyway. Make sure we don't add such modules when
    considering module dependencies either.
  * Added Module ricci to modules.conf for both strict and targeted.

Superseded in gutsy-release on 2007-05-08
refpolicy (0.0.20070417-1) unstable; urgency=low

  * New upstream release.
  * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated
    build dependencies.
  * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for
    gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker
                                                           (Closes: #416910).

 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  27 Apr 2007 01:19:56 +0100
Superseded in gutsy-release on 2007-04-27
Obsolete in feisty-release on 2009-08-20
refpolicy (0.0.20061018-5) unstable; urgency=high

  * Add policy for log and lock files for aptitude. This is needed for
    proper function; so one does not need to go into permissive mode to
    run aptitude.  Stolen from Erich. This is a low risk change.
  * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
  * Debian creates /dev/xconsole regardless of whether or not an xserver
    has been installed. So move the policy related to /dev/xconsole
    out of the xserver policy, and into places where relevant (init.te,
    logging.fc), to reflect the status that /dev/console is present
  * Add support for /etc/network/run and /dev/shm/network, which seem to
    be Debian specific as well.
  * Allow udev to manage configuration files.

Superseded in feisty-release on 2007-04-10
refpolicy (0.0.20061018-3) unstable; urgency=high

  * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
    such file or directory", thanks to Lucas Nussbaum. This was fixed by
    moving all the stamps into ./debian instead. I'll re-visit the
    ./debian/stamp/ directory in lenny. This is a pretty minor packaging
    change.                                                 (Closes: #405613).
  * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
    Debian's FHS paths", thanks to Devin Carraway. From the bug report:
    Many of the files in these packages are overlooked when labelling
    files, because refpolicy's dcc module stipulates paths not consistent
    with the Debian FHS layout.  The files go unlabelled and dcc-client
    (at least) stops working. The two major problems are the references
    to /usr/libexec/dcc (daemons, placed in /usr/sbin by the Debian
    packages) and to /var/dcc (all sorts of things, placed under
    /var/lib/dcc).  A side effect of the latter is that dccifd_t and
    probably others need search on var_lib_t, through which it must pass
    to get to /var/lib/dcc.  Fixed the policy; will send upstream.
                                                             (Closes: #404309).
  * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
    clamd_t search on /var/lib", thanks to Devin Carraway.  This is a
    simple one line change, and obviously an oversight; I think getting
    clamd to work is fairly important.                        (Closes: #404895).
  * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
    courier policy", thanks to Devin Carraway.  There is detailed
    information of the changes made in the bug report, and in the commit
    logs. Again, fixing courier daemons seems pretty important; SELinux
    tends to get used a lot on remote mail servers, and this fixes issues
    with the policy.                                          (Closes: #405103).
