Change log for refpolicy package in Ubuntu
| 1 → 75 of 116 results | First • Previous • Next • Last |
refpolicy (2:2.20240202-1) unstable; urgency=medium * label /run/boltd * label /etc/letsencrypt/renewal-hooks files as bin_t * Add label for /usr/lib/chromium/chrome_crashpad_handler * Enabled module hostapd * Changed fwupd policy to have a separate domain for fwupdmgr * Lots of policy needed to support login with the latest systemd-user * Latest git policy -- Russell Coker <email address hidden> Fri, 02 Feb 2024 16:55:45 +1100
Available diffs
- diff from 2:2.20231119-2 to 2:2.20240202-1 (50.7 KiB)
refpolicy (2:2.20231119-2) unstable; urgency=medium
* Allow initrc_t to mounton memory_pressure_t files
Hopefully the last thing needed to make the latest systemd work correctly
-- Russell Coker <email address hidden> Sun, 19 Nov 2023 22:39:04 +1100
Available diffs
refpolicy (2:2.20231119-1) unstable; urgency=medium
* new git ver
* systemd 255~rc2-1 in unstable uses initrc_t to launch daemons so needed
transition rules for that, initrc_t needs to watch unallocated ttys as
part of the getty launch operation, and it needs nnp_transition to all
daemon domains for the combination of systemd restrictions on privileges
and SE Linux domain transition.
Also domains need access to unix_stream_socket file handles created by
initrc_t.
Systemd versions after 254.5-1 break badly without this.
-- Russell Coker <email address hidden> Sun, 19 Nov 2023 17:27:44 +1100
Available diffs
- diff from 2:2.20231010-1 to 2:2.20231119-1 (21.8 KiB)
refpolicy (2:2.20231010-1) unstable; urgency=medium
* new git ver
* Added more checks for "hostnamectl chassis" output, conainer is vm,
convertible/watch/embedded are considered as handset for now, and server
has an entry.
-- Russell Coker <email address hidden> Sun, 22 Oct 2023 15:31:53 +1100
Available diffs
- diff from 2:2.20230929-1 to 2:2.20231010-1 (34.6 KiB)
| Superseded in noble-release |
| Published in mantic-release |
| Deleted in mantic-proposed (Reason: Moved to mantic) |
refpolicy (2:2.20230929-1) unstable; urgency=medium * new git ver * Upstream merged powerprofiles and rasdaemon and anti-spam and motd patches * Changed preinst to work when /etc/selinux/config doesn't exist -- Russell Coker <email address hidden> Fri, 29 Sep 2023 01:15:21 +1000
Available diffs
- diff from 2:2.20221101-10 to 2:2.20230929-1 (145.9 KiB)
- diff from 2:2.20230821-1 to 2:2.20230929-1 (79.6 KiB)
| Superseded in mantic-proposed |
refpolicy (2:2.20230821-1) unstable; urgency=medium
* new git ver
* Add policy for Mobian
Allow system_r:init_t:s0 to transition to user context xdm_r:xdm_t:s0 for
systemd --user
Add consolesetup, eg25manager, feedbackd, geoclue, and iiosensorproxy
policy modules for Mobian
Lots of other policy changes related to Mobian
* Added msdos_t label for exfat
* Add bubblewrap, container, and docker modules
Consider bubblewrap exerimental at this time
* Add support for relabelling files on policy package changes to file
contexts, made the policy packages depend on policycoreutils >= 3.5-2 for
/usr/libexec/selinux/remove-leaf-dirs
* Use -19 and -T0 for zstd for policy source
* Use "hostnamectl chassis" to determine list of default policy modules,
exclude many things from "handset".
-- Russell Coker <email address hidden> Sat, 26 Aug 2023 12:54:10 +1000
Available diffs
- diff from 2:2.20221101-10 to 2:2.20230821-1 (112.3 KiB)
refpolicy (2:2.20221101-10) unstable; urgency=medium
* Team upload.
[ Christian Göttsche ]
* d/patches: drop addition of existent file context (Closes: #1038968)
* d/tests: simulate policy building
* d/rules: validate build policy (Closes: #1030804)
[ Vagrant Cascadian ]
* debian/rules: Pass arguments to tar to use a consistent uid and gid.
(Closes: #1030057)
[ Laurent Bigonville ]
* debian/control: Bump Standards-Version to 4.6.2 (no further changes)
-- Laurent Bigonville <email address hidden> Sat, 15 Jul 2023 09:47:27 +0200
Available diffs
refpolicy (2:2.20221101-9ubuntu1) mantic; urgency=medium
* Fix "Updating selinux default policy" and similar failures due to a
duplicate rspamd policy entry (LP: #2027733)
-- Dan Bungert <email address hidden> Thu, 13 Jul 2023 13:27:28 -0600
Available diffs
refpolicy (2:2.20221101-9) unstable; urgency=medium
* Added git and thunderbird to the not default modules list
* Add filetrans to make dpkg_script_t create /var/lib/ntpsec/ as ntp_drift_t
also add fc entry for /var/lib/ntpsec
* Allow ndc_t to read vm_overcommit_state and sysfs files
* Dontaudit certbot_t net_admin capability, it doesn't need to change
network stuff, probably changing buffer sizes.
* Allow aptcacher_t to getsched for itself
* Allow boinc_t to to connect to unconfinged stream sockets for X access
* Allow systemd_locale_t to talk to unconfined users by dbus
* Allow xdm_t to talk to systemd-locale via dbus
* Allow systemd_generator_t to manage files and dirs of type
systemd_user_runtime_unit_t and to read crypto sysctls
* Dontaudit writing to lib dirs for fail2ban_t and fail2ban_client_t for
python attempts to generate cache files
* Dontaudit mysqld_safe (mysql startup script) attempts to write to root dir
* Change all toolchain dependencies to >= version 3.4
* Allow jabberd_domain to create jabberd_var_lib_t:sock_file for prosody
* Allow dkim_milter_t and clamd_t to get their own scheduling status
* Allow auditd_t to map it's config files to avoid recursion when dontaudit
rules are disabled
* Allow groupadd_t to stat /proc
* Allow matrixd_t to read sysfs for CPU information
* Give postfwd_milter_t kill capability
* Allow unconfined domains the self:anon_inode access.
Also allow them to manage dirs in their own domain, Chrome does this
* Allow the postfix_map_t domain to read /dev/urandom
* Allow mozilla to bind UDP generic nodes, write dbus session runtime
sockets, read device sysctls for video hardware specs, and map it's cache
files.
* Allow fsadm_t to write to boot_t for fstrim
* Gave nfsd_t the lease capability, taking leases on files is necessary
* dontaudit bootloader_t accessing /dev/mem, mdadm does this for some reason
but doesn't need it
* Allow fwupd_t to read the vm overcommit sysctl
* Allow setfiles_t to read the vm overcommit sysctl
* Allow vnstatd_t to read urandom
-- Russell Coker <email address hidden> Wed, 19 Apr 2023 20:24:14 +1000
Available diffs
- diff from 2:2.20221101-4 to 2:2.20221101-9 (17.9 KiB)
| Superseded in mantic-release |
| Published in lunar-release |
| Deleted in lunar-proposed (Reason: Moved to lunar) |
refpolicy (2:2.20221101-4) unstable; urgency=medium
* Allow sshd_t to read var_lib_t files for motd generation
* Allow systemd_binfmt_t to statfs binfmt filesystems
* Allow systemd_nspawn_t all_unix_dgram_socket_perms to itself
* Allow groupdadd_t to read sysctl_kernel_t files
* Allow local_login_t to read pam motd files
* Allow nfsd_t to read directories of RPC file system pipes
* Allow mysqld_t (Mariadb) to create map read write anon_inode objects it creates
* Allow kmod_t to read modules_conf_t symlinks, for DKMS
* Remove unused debian/gen-deps.sh script.
Change to Debhelper compat level 13
Removed an attempt to delete a non-existant pyplate.pyc file
Changed to zstd for selinux-policy-src and stopped using a variable for
compression options. Why do we even have selinux-policy-src?
Removed unneeded build depends and changed the SE Linux build depends
to version >=3.4
Change VCS to Vcs in debian/control
Change lintian overrides to match new format
Change build to not need root
Tell Lintian to ignore some very long lines in source
Fix copyright URLs
Removed trailing whitespace in changelog
Use kernel_load_module(brctl_t) instead of just adding a capability
Add autopkgtest. Closes: #1012841
-- Russell Coker <email address hidden> Sun, 29 Jan 2023 15:07:05 +1100
Available diffs
refpolicy (2:2.20221101-3) unstable; urgency=medium
* Add auth_write_pam_motd_files() interface for writing to /run/motd.d and
correctly label /run/motd.d
* Add policy for fwupd (firmware update)
* Allow groupadd_t to search kernel fs sysctls
* Allow rasdaemon to read sysfs_t
* Allow systemd_machined_t to talk to policykit via dbus
* Allow systemd_locale_t to write to /run/systemd/notify
* Allow systemd_sysctl_t and systemd_tmpfiles_t to search ramfs
* Allow systemd_generator_t udp setopt and sysnet_read_config for postconf
* Allow systemd_generator_t to stat usr_t files
* Allow systemd_modules_load_t to search debugfs
* Allow systemd_sysusers_t to use apt ptys
* Allow acpid to getsched
* Add support for /run/motd.d/
* Allow Chrome to read sysctl_dev_t and write to dbus session runtime
socket. Label the Chrome libvulkan.so.1 file as lib_t
* Allow systemd_logind_t to delete user tmpfs files and manage tmpfs dirs
* Allow systemd_locale_t to talk to unconfined via dbus
-- Russell Coker <email address hidden> Mon, 09 Jan 2023 18:05:47 +1100
Available diffs
refpolicy (2:2.20221101-2) unstable; urgency=medium
* Allow $1_dbusd_t to create sock_files under /tmp
* Remove the deprecated interfaces that had been in Bullseye
* Allow $1_wm_t to read/write input devices and use logind fds
* Added systemd_dbus_chat_locale() and allowed xdm and user domains to do it.
* Allow user domains to unlink xdm_tmp_t socket files
* Allow systemd-coredump, chkpwd_t, and setfiles_t to statfs /proc
* Label /usr/lib/NetworkManager/nm-dispatcher* as NetworkManager_exec_t
* Label /sbin/fstrim as fsadm_exec_t
* Allow setfiles_t to read bin_t links
* Make ssh_sysadm_login default to true. Closes: #1012755
* Allow fsadm_t to statfs cgroup filesystems and to read /proc/1/environ
for systemd-fsckd. Also dontaudit net_admin capability for systemd-fsckd
trying to change buffer sizes.
* Allow systemd_sysusers_t to use inherited user terminals and inherit file
handles from unconfined_t and give it domain_obj_id_change_exemption()
* Made init_runtime_t an init unit file, for automatically generated units
-- Russell Coker <email address hidden> Mon, 02 Jan 2023 22:02:36 +1100
Available diffs
- diff from 2:2.20221101-1 to 2:2.20221101-2 (36.9 KiB)
refpolicy (2:2.20221101-1) unstable; urgency=medium * New upstream release * Label /lib/systemd/systemd-fsckd as fsadm_exec_t -- Russell Coker <email address hidden> Sun, 06 Nov 2022 23:02:25 +1100
Available diffs
- diff from 2:2.20220520-5 to 2:2.20221101-1 (83.9 KiB)
| Superseded in lunar-release |
| Obsolete in kinetic-release |
| Deleted in kinetic-proposed (Reason: Moved to kinetic) |
refpolicy (2:2.20220520-5) unstable; urgency=medium
* label apt.systemd.daily and apt-helper as apt_exec_t for systemd cron jobs
* Allow apt_t to get init, systemd-networkd, and network-manager unit status
* give systemd_generator_t access to nfsd_fs_t files and
systemd_transient_unit_t dirs
* Allow kmod_t to read ssl generit certs
* Allow systemd_machined_t to get status of systemd_transient_t units
-- Russell Coker <email address hidden> Mon, 26 Sep 2022 19:59:14 +1000
Available diffs
refpolicy (2:2.20220520-4) unstable; urgency=medium
* Add label for /etc/dkimkeys Closes: #900188
* Allow chronyd_t to send unix datagrams to unconfined_t and gave it
dac_read_search Closes: #962223
* Allow firewalld_t to do netlink_netfilter_socket access, watch
firewalld_etc_rw_t dirs, and read generic certs
* Allow init_t to watch for reads on console_device_t for autorelabel
processing.
-- Russell Coker <email address hidden> Sun, 18 Sep 2022 12:48:43 +1000
Available diffs
refpolicy (2:2.20220520-2) unstable; urgency=medium * Added label for /usr/sbin/nfsdcld and gave nfsd_t setpcap capability * Allow syslogd_t to relabel from/to systemd_journal_t * Created 0002-upstream patch file for changes that are in the upstream git -- Russell Coker <email address hidden> Sun, 14 Aug 2022 00:20:28 +1000
Available diffs
- diff from 2:2.20220520-1 to 2:2.20220520-2 (12.0 KiB)
refpolicy (2:2.20220520-1) unstable; urgency=medium * new upstream release -- Russell Coker <email address hidden> Sun, 22 May 2022 21:55:06 +1000
Available diffs
- diff from 2:2.20220403-3 to 2:2.20220520-1 (27.7 KiB)
refpolicy (2:2.20220403-3) unstable; urgency=medium * little policy fixes * Changed build-depends from libsepol1 to libsepol2 -- Russell Coker <email address hidden> Tue, 12 Apr 2022 23:38:26 +1000
Available diffs
- diff from 2:2.20210203-10 to 2:2.20220403-3 (200.9 KiB)
- diff from 2:2.20210203-11 to 2:2.20220403-3 (199.5 KiB)
refpolicy (2:2.20210203-11) unstable; urgency=medium
* Add boolean for BOINC GPU/X
* Added labelling for some storage character devices and for
/usr/sbin/mkinitramfs
* Some minor changes to mon and systemd-nspawn policy
* Allow systemd_generator_t to execute all entry types
* Give fsetid capability to certbot
* Tweak matrixd and mailman policy for upstream submission
* Fixes for sympa policy
-- Russell Coker <email address hidden> Mon, 21 Feb 2022 20:52:35 +1100
Available diffs
| Superseded in kinetic-release |
| Published in jammy-release |
| Deleted in jammy-proposed (Reason: Moved to jammy) |
refpolicy (2:2.20210203-10) unstable; urgency=medium
* Team upload.
* debian/control: Adjust the (build-)dependencies for the userspace 3.3
release
-- Laurent Bigonville <email address hidden> Tue, 09 Nov 2021 09:44:53 +0100
Available diffs
- diff from 2:2.20210203-9 to 2:2.20210203-10 (988 bytes)
refpolicy (2:2.20210203-9) unstable; urgency=medium
* Label /opt/google/chrome/chrome_crashpad_handler and
/opt/google/chrome/crashpad_handler as chromium_exec_t
* Allow kmod_t to manage bootloader_tmp_t files and allow bootloader_t to
create and delete /dev/null (for initramfs). Also allow bootloader_t to
read udev rules and network config.
* Merged patches from Topi Miettinen for building only one flavour and for
correctly making a list of modules even when building is asynchronous.
* Added patch for /usr/libexec/sssd/sssd_.+ from Sam Morris.
-- Russell Coker <email address hidden> Thu, 21 Oct 2021 14:23:40 +1100
Available diffs
- diff from 2:2.20210203-7 to 2:2.20210203-9 (5.2 KiB)
- diff from 2:2.20210203-8 to 2:2.20210203-9 (3.0 KiB)
| Superseded in jammy-proposed |
refpolicy (2:2.20210203-8) unstable; urgency=medium
* Label /etc/ppp/ip-pre-up as pppd_initrc_exec_t
* Allow wireshark to rw DRI devices, read crypto sysctls, rw the xserver
mesa shader cache, read the kernel network state, have execmem access
(probably needed for one of the many shared objects it uses), have setsched
access, execute lib files (for it's helper programs), manage xdg config
files (gives warning if it can't do this), manage xdg cache, and read xdg
data files.
* Allow acngtool_t the dac_override capability for managing log files
* Allow pppd to connect create and ioctl pppox_socket and allow it to map
pppd_runtime_t files.
* Allow kmod_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin
login on boot failure)
* Allow ntpd_t to start and stop generic units when systemd is used, for
systemd-timesyncd.
-- Russell Coker <email address hidden> Mon, 04 Oct 2021 15:06:54 +1100
| Superseded in jammy-release |
| Obsolete in impish-release |
| Deleted in impish-proposed (Reason: Moved to impish) |
refpolicy (2:2.20210203-7) unstable; urgency=medium
* Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
* Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
/etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
as bin_t.
* Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
corner cases and allowed fsadm_t to read fsdaemon_var_lib_t. Dontaudit
fsadm_t inheriting file handles from mon_t.
* Allow fsadm_t to do a file type trans for creating
/dev/megaraid_sas_ioctl_node
* Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
cgroup files. Needed for JRE 17
-- Russell Coker <email address hidden> Mon, 14 Jun 2021 09:47:05 +1000
Available diffs
refpolicy (2:2.20210203-6) unstable; urgency=medium
* Add policy for cockpit web admin tool
* Fixes for puppet policy
* Allow system_mail_t to be in role unconfined_r for upgrades of the exim
packages
* Allow more spamd_log_t access if boolean rspamd_spamd is enabled
* Allow httpd_sys_script_t to rw sympa_var_t dirs and manage sympa_var_t
files, and to read sympa conf files. Also allow it to read generic certs
for sympa and also for lots of other things
Allow httpd_t to read sympa conf files, read sympa var files, manage sympa
runtime files, and manage sympa runtime sockets
Allow sympa to send signull to itself
* Allow certbot to search xdg dirs, don't know what it's trying to do but
searching doesn't do any harm and makes it easier to discover what's
happening.
* Allow postgresql to read tls privkey
* Give systemd_nspawn_t the audit_control capability
* Allow devicekit_disk_t to read logind sessions and write inherited logind
inhibit pipes
* Give capability kill to inetd_t so it can kill child processes under
different uids
* Allow chromium_naclhelper_t process access setcap and signal and
cap_userns access sys_admin and sys_chroot.
Allow chromium_t to read alsa config.
-- Russell Coker <email address hidden> Sat, 08 May 2021 17:55:06 +1000
Available diffs
refpolicy (2:2.20210203-5) unstable; urgency=medium
* Add policy for rasdaemon
* Made mta_manage_mail_home_rw_content() include mail_home_rw_t:file watch
access, needed by dovecot_t and probably others in future
* Allow restorecond to watch selinux_config_t files.
* Allow *_wm_t domains (for window manager processes) to watch xdg_config_t
files and to execmod wm_tmpfs_t files (stops kwin_x11 SEGV)
* Allow systemd_tmpfiles_t to relabel colord var lib files and dirs
* Allow smbcontrol_t to map samba_runtime_t files and send unix datagrams
to smbd processes
* Allow systemd_user_runtime_dir_t to delete all user runtime sock files
and manage pulseaudio_tmp_t dirs
* Allow system_cronjob_t to manage var_lib dirs
* Allow dovecot to create ~/mail directories.
* Label /usr/share/mailman3-web/manage.py as mailman_queue_exec_t
Allow mailman_queue_t to read usr files and to create it's own tmpfs files
and allow it to map mailman_data_t files
* Added systemd policy from upstream git as of 31st Mar to the upstream patch
* Label /usr/bin/rspamd file not /usr/bin/rspamd symlink
label /var/log/rspamd(/.*)? as spamd_log_t. Allow spamd_t self execmem
access when rspamd_spamd. Label port 11333 as spamd_port_t for rspam.
* Label /usr/lib/courier/imapd.* and /usr/lib/courier/pop3d.* as
courier_pop_exec_t. Allow courier_pop_t to read generic certs, manage
courier_var_lib_t files, bind to POP ports, execute courier_exec_t and
courier_tcpd_exec_t programs, and map courier config files. Grant
courier_pop_t the fowner and chown capabilities (for managing user mail)
but dontaudit the fsetid capability. Grant courier_pop_t the setrlimit
process access so it can set it's own resource limits. Allow
courier_authdaemon_t to search SE Linux default contexts (needed by pam
before using unix_chkpwd) and allow it to stat proc files.
* Add sympa policy
* Allow exim_t to read/write tmp files inherited from cron. Allow exim_t
the dac_read_search capability.
* Allow apache to map user content files when httpd_read_user_content is set.
Label /usr/lib/w3m/* as httpd_sys_script_exec_t
* Dontaudit fsdaemon_t capability net_admin (probably setting buffer size)
-- Russell Coker <email address hidden> Fri, 09 Apr 2021 23:02:14 +1000
Available diffs
- diff from 2:2.20210203-3 to 2:2.20210203-5 (25.7 KiB)
| Superseded in impish-release |
| Obsolete in hirsute-release |
| Deleted in hirsute-proposed (Reason: moved to Release) |
refpolicy (2:2.20210203-3) unstable; urgency=medium
* Add policy for blkmapd which is part of nfs service (included in upstream)
* Add interfaces systemd_search_user_runtime()
* Allow systemd_user_runtime_dir_t to unlink dirmngr sock files
* Allow sshd_t to talk to systemd_nspawn_t via Unix sockets
* Allow syslogd_t to search systemd_user_runtime_t dirs
* Allow acpid_t to rw input device files
* Allow restorecond_t to watch all dirs
* Allow mailman_queue_t to search the cron spool dir, also allow it to be
started as a daemon and to write mailman pid files
* Included upstream git patches for latest systemd features, this may
save some pain when Bullseye+1 is released
* Allow systemd-nspawn to mount on and manage more things when
systemd_nspawn_labeled_namespace is on.
* Allow smbcontrol_t to talk to itself via Unix domain sockets
* Add policy for postfwd
* Allow aptcacher_t to read urandom and random devices and to read kernel
sysctls
* Label /usr/lib/x86_64-linux-gnu/libexec/* as bin_t for KDE/sddm login
Allow user to execute and execmod user tmpfs files, for KDE
Allow user to write to user_runtime_t sock files
* Add policy to run the certbot --nginx which runs nginx, doesn't work
in all situations but should cover the common cases.
* Set label for /usr/bin/redis-check-rdb (redis server binary in Debian)
and allow redis to read certs and read vm and net sysctls.
-- Russell Coker <email address hidden> Tue, 23 Feb 2021 16:57:40 +1100
Available diffs
- diff from 2:2.20210203-2 to 2:2.20210203-3 (19.6 KiB)
refpolicy (2:2.20210203-2) unstable; urgency=medium * lots of little policy changes -- Russell Coker <email address hidden> Fri, 12 Feb 2021 10:24:33 +1100
Available diffs
refpolicy (2:2.20210203-1) unstable; urgency=medium * Allow unconfined_u and sysadm_u to access other identities. * New upstream release! -- Russell Coker <email address hidden> Thu, 04 Feb 2021 03:34:45 +1100
Available diffs
- diff from 2:2.20210130-1 to 2:2.20210203-1 (64.1 KiB)
refpolicy (2:2.20210130-1) unstable; urgency=medium
* new archive from git
* More Debian stuff upsteamed
* Added some filetrans rules to assign the right types when postinst
scripts don't label things.
-- Russell Coker <email address hidden> Sun, 31 Jan 2021 00:32:23 +1100
Available diffs
- diff from 2:2.20210126-1 to 2:2.20210130-1 (32.0 KiB)
refpolicy (2:2.20210126-1) unstable; urgency=medium
* new archive from git, upstream changes include removing unused modules
* More Debian stuff upsteamed
* Remove: abrt callweaver ccs certmaster certwatch cipe clockspeed clogd
consoletype dcc ddcprobe denyhosts dspam firstboot howl imaze jockey
ktalk lockdev lsm mailscanner mcelog oav polipo pyicqt resmgr rhcs
rhsmcertd ricci rpm vhostmd
* Don't enable by default: amtu bugzilla condor
* Added SE Linux "user" named xdm for the "sddm" Unix account to be used
by the sddm greeter process. This makes the greeter run as xdm_t
instead of unconfined_t.
-- Russell Coker <email address hidden> Fri, 29 Jan 2021 01:50:16 +1100
Available diffs
- diff from 2:2.20210120-1 to 2:2.20210126-1 (77.3 KiB)
refpolicy (2:2.20210120-1) unstable; urgency=medium * New archive from git * Some Debian stuff upstreamed * Lots of little changes -- Russell Coker <email address hidden> Sat, 23 Jan 2021 22:22:15 +1100
Available diffs
- diff from 2:2.20210115-1 to 2:2.20210120-1 (48.1 KiB)
refpolicy (2:2.20210115-1) unstable; urgency=medium * New archive from git * Added matrixd policy * Fixed the crontab problem -- Russell Coker <email address hidden> Mon, 18 Jan 2021 00:41:23 +1100
Available diffs
- diff from 2:2.20210112-1 to 2:2.20210115-1 (37.4 KiB)
refpolicy (2:2.20210112-1) unstable; urgency=medium * New archive from git * Lots of policy fixes for Debian/Unstable -- Russell Coker <email address hidden> Thu, 14 Jan 2021 00:28:01 +1100
Available diffs
- diff from 2:2.20201221-1 to 2:2.20210112-1 (21.2 KiB)
refpolicy (2:2.20201221-1) unstable; urgency=medium * New archive from git -- Russell Coker <email address hidden> Mon, 21 Dec 2020 22:15:44 +1100
Available diffs
- diff from 2:2.20200502-1 to 2:2.20201221-1 (169.6 KiB)
| Superseded in hirsute-release |
| Obsolete in groovy-release |
| Deleted in groovy-proposed (Reason: moved to Release) |
refpolicy (2:2.20200502-1) unstable; urgency=medium
* New archive taken from upstream git. Will base it mostly on git for the
development leading to Buster and then take the latest upstream release
shortly before release.
* Lots of new policy patches.
* Make it depend and build depend on version 3.0 of all libraries
* Makde the default_contexts have sysadm_r with a higher preference than
staff_r for sshd_t
* Made dbus a base module
-- Russell Coker <email address hidden> Sat, 02 May 2020 19:20:27 +1000
Available diffs
- diff from 2:2.20190201-9 to 2:2.20200502-1 (260.4 KiB)
refpolicy (2:2.20190201-9) unstable; urgency=medium * Some more small policy fixes -- Russell Coker <email address hidden> Wed, 29 Apr 2020 19:32:04 +1000
Available diffs
| Superseded in groovy-release |
| Published in focal-release |
| Deleted in focal-proposed (Reason: moved to Release) |
refpolicy (2:2.20190201-8) unstable; urgency=medium
* Team upload.
* debian/patches/0001-remove-incorrect-usage-of-is.patch: Fix FTBFS with
python 3.8 (Closes: #954510)
-- Laurent Bigonville <email address hidden> Thu, 02 Apr 2020 10:59:43 +0200
Available diffs
refpolicy (2:2.20190201-7) unstable; urgency=medium * Allow sysadm_r to bypass UBAC checks (experimental) * Make cron work for sysadm_t * Minor policy changes -- Russell Coker <email address hidden> Wed, 15 Jan 2020 18:53:25 +1100
Available diffs
refpolicy (2:2.20190201-6) unstable; urgency=medium
* debian/rules: Cleanup the support/__pycache__ directory when building the
selinux-policy-src package
* debian/rules: Set the timezone to UTC before creating the
selinux-policy-src tarball, that should make it reproductible
-- Laurent Bigonville <email address hidden> Thu, 26 Dec 2019 13:34:27 +0100
Available diffs
- diff from 2:2.20190201-5 to 2:2.20190201-6 (821 bytes)
refpolicy (2:2.20190201-5) unstable; urgency=medium
* Team upload.
* Bump Standards-Version to 4.4.0 (no further changes)
* debian/control: Remove the package (-1) revision from the
{build-}dependencies, to please lintian
* Drop debian/source/lintian-overrides, the postrm perl scripts are gone
for a long time, not sure why these overrides were reintroduced
* debian/rules: Do not call dpkg-parsechangelog explicitly to get a
reproductible build time but rely on SOURCE_DATE_EPOCH variable
* debian/watch: Fix the URL now that the project has been relocated
-- Laurent Bigonville <email address hidden> Tue, 27 Aug 2019 15:54:34 +0200
Available diffs
| Superseded in focal-release |
| Obsolete in eoan-release |
| Deleted in eoan-proposed (Reason: moved to release) |
refpolicy (2:2.20190201-4) unstable; urgency=medium
* Policy update, lots of little things and allows the signull access that
systemd-journal from the latest systemd wants.
-- Russell Coker <email address hidden> Thu, 30 May 2019 10:28:24 +1000
Available diffs
| Superseded in eoan-release |
| Obsolete in disco-release |
| Deleted in disco-proposed (Reason: moved to release) |
refpolicy (2:2.20190201-3) unstable; urgency=medium
* Added policy for apt-cacher and apt-cacher-ng
* Added policy for memlockd
* Added type alias rules so you can upgrade from Stretch policy without a
reboot if you manually relabel.
* Lots of little changes too
-- Russell Coker <email address hidden> Sun, 03 Mar 2019 20:44:04 +1100
Available diffs
refpolicy (2:2.20190201-2) unstable; urgency=medium * Lots of little changes, many for strict configuration. * Added policy for certbot AKA letsencrypt. -- Russell Coker <email address hidden> Fri, 22 Feb 2019 00:09:29 +1100
Available diffs
- diff from 2:2.20190201-1 to 2:2.20190201-2 (11.9 KiB)
refpolicy (2:2.20190201-1) unstable; urgency=medium * New upstream, lots of Debian patches upstreamed. * More systemd support (moving target). * New upstream Chromium/Chrome policy. * Add xserver_allow_dri tunable for most X server programs to get DRI access. -- Russell Coker <email address hidden> Sun, 03 Feb 2019 23:28:32 +1100
Available diffs
- diff from 2:2.20180701-1 to 2:2.20190201-1 (349.6 KiB)
refpolicy (2:2.20180701-1) unstable; urgency=medium * New upstream policy. * Depend on version 2.8 of utils. * Build new xdg module for X data types. * Lots fo policy changes -- Russell Coker <email address hidden> Mon, 21 Jan 2019 14:05:59 +1100
Available diffs
refpolicy (2:2.20180114-5) unstable; urgency=medium
* Updated everything in debian/control to refer to version 2.7 of SE Linux
packages.
* Lots of little policy changes.
-- Russell Coker <email address hidden> Wed, 02 Jan 2019 10:24:07 +1100
Available diffs
| Superseded in disco-release |
| Obsolete in cosmic-release |
| Deleted in cosmic-proposed (Reason: moved to release) |
refpolicy (2:2.20180114-4) unstable; urgency=medium
* Team upload.
* debian/control: Point Vcs-* fields to new (salsa) machine
* debian/control: Bump Standards-Version to 4.1.4 (no further changes)
* debian/control: Bump debhelper build-dependency version to 11 to match
debian/compat version
* debian/control: Bump python {build-}dependencies to python3 (Closes:
#900285)
* debian/rules: Drop --parallel flag passed to dh command, this is the
default with debhelper >= 10
* debian/control: Bump Priority of selinux-policy-mls to optional, Priority
extra is now deprecated
* debian/policygentool: Port to python3
* debian/patches/python3-buildsystem.patch: Port the buildsystem to use
python3
* Drop debian/source/lintian-overrides, overrides not used anymore
-- Laurent Bigonville <email address hidden> Wed, 30 May 2018 11:42:05 +0200
Available diffs
refpolicy (2:2.20180114-3) unstable; urgency=medium
* Added git patch for 20180319.
* Added git patch for 20180419, fixes lots of typos which changes the
way things work. Also adds sctp protocol support.
* Added git patch for 20180519.
* Build-depend on version 2.7-2 of checkpolicy and libsepol1-dev and Depend
on version 2.7-2 of libsepol1 for sctp support.
* Changed all Build-depends and Depends to version 2.7 from 2.5 and 2.6
because there's no reason to try to build against ancient versions and we
don't want to deal with annoying bugs later.
* Allow mon_t to read generic certs for using SSL for notifications
* Allow systemd_nspawn_t the mcs_killall if systemd_nspawn_labeled_namespace
is enabled
* Allow udev_t to run iptables in iptables_t
* Some other little systemd stuff
-- Russell Coker <email address hidden> Sat, 19 May 2018 11:12:41 +1000
Available diffs
- diff from 2:2.20180114-2 to 2:2.20180114-3 (22.8 KiB)
refpolicy (2:2.20180114-2) unstable; urgency=medium * Included changelog entry 2:2.20161023.1-10 -- Russell Coker <email address hidden> Tue, 06 Mar 2018 14:17:33 +1100
Available diffs
- diff from 2:2.20180114-1 to 2:2.20180114-2 (988 bytes)
| Superseded in cosmic-release |
| Published in bionic-release |
| Deleted in bionic-proposed (Reason: moved to release) |
refpolicy (2:2.20180114-1) unstable; urgency=medium
* New upstream 2.20180114 with patch from git version 2.20180220.
Took that patch because a lot of it was policy I developed.
* Delete the deprecated macro mmap_file_perms, anyone who uses this should
change to mmap_exec_file_perms instead. Closes: #885771
* Now build-depend on recent toolchain. Closes: #875546
* Removed typebounds patch that upstream didn't like, seems to work ok
without it now, but we can use nnp_transition if necessary.
-- Russell Coker <email address hidden> Mon, 26 Feb 2018 23:25:27 +1100
Available diffs
- diff from 2:2.20171228-1 to 2:2.20180114-1 (304.5 KiB)
refpolicy (2:2.20171228-1) unstable; urgency=medium
* New upstream from git with lots of Debian patches merged. This policy is
not a candidate for Buster or anything, I'm uploading it to facilitate
SE Linux development. The next time Tresys make an official release I'll
put it in Debian Git and make it a candidate for Buster.
* Removed authbind policy
* Set WERROR=y to remove deprecated interfaces
* Enable UBAC for mcs policy
* Use compat level 11
-- Russell Coker <email address hidden> Thu, 28 Dec 2017 17:46:57 +1100
Available diffs
- diff from 2:2.20161023.1-10 to 2:2.20171228-1 (617.7 KiB)
refpolicy (2:2.20161023.1-10) unstable; urgency=medium
* Add patch for typebounds. This patch was rejected upstream, to quote
Chris PeBenito:
NAK. This has already been fixed with the upcoming nnp_transition
nosuid_transition permissions in refpolicy. I'm afraid distros will
have to carry policy patches until they can roll out kernels that
support these permissions.
https://marc.info/?l=selinux&m=150151037511601&w=2
Closes: #874201
* Allow systemd-tmpfiles to delete /var/lib/sudo files.
Closes: #875668
* Allow brctl to create files in sysfs and correctly label
/usr/lib/bridge-utils/.*\.sh
Closes: #875669
* Give bootloader_t all the access it needs to create initramfs images in
different situations and communicate with dpkg_t.
Closes: #875676
* Allow dnsmasq_t to read it's config dir
Closes: #875681
* Build-depend and depend on version 2.7 of tools and libraries.
* Allow systemd_tmpfiles_t to manage lastlog_t
Closes: #875726
* Allow udev_t to talk to init via dbus and get service status in strict
configuration
Closes: #875727
-- Russell Coker <email address hidden> Wed, 13 Sep 2017 23:47:21 +1000
Available diffs
| Superseded in bionic-release |
| Obsolete in artful-release |
| Obsolete in zesty-release |
| Deleted in zesty-proposed (Reason: moved to release) |
refpolicy (2:2.20161023.1-9) unstable; urgency=medium
* Dontaudit dkim_milter_t binding to labeled udp ports
* Allow passwd_t to inherit fd from unconfined_t for package scripts
* Allow httpd_sys_script_t to talk to itself via unix datagrams and send
syslog messages
* Allow logwatch_mail_t to rw system_cronjob_t pipes
Allow logwatch_t to run mdadm
* Label /etc/postfixadmin as httpd_config_t
* Allow system_cronjob_t to create directories under /tmp
* Allow spamass_milter_t to read the overcommit sysctl
* Allow unconfined domains the capability2:wake_alarm.
* Added ~/DovecotMail to the list of mail_home_rw_t directories
* Allow systemd_logind_t to get dpkg_script_t process state and talk to it
via dbus
* For https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933 allow udev_t
to read default_t. Still need that udev bug fixed!
-- Russell Coker <email address hidden> Thu, 26 Jan 2017 00:52:00 +1100
Available diffs
refpolicy (2:2.20161023.1-8) unstable; urgency=medium
* Fixed mistake in previous changelog (attributed a -7 change to -6)
* Label /usr/sbin/apache2ctl as well. Allow apache to read overcommit sysctl
* Allow clamd_t to read the overcommit sysctl
* Allow postfix_postdrop_t to write to postfix_public_t socket, allow
postfix_master_t to bind to udp generic nodes
* Allow dovecot_auth_t to write to dovecot_var_run_t fifos and read selinux
config (needed for pop/imap login)
* Allow mon local tests to search /var/spool/postfix and autofs mountpoints,
and to read nfs content. Allow mon net tests to read certs. dontaudit when
mon local tests try to stat tmpfs files. Allow mon local tests to access
/dev/xconsole and search mnt_t and boot_t
* Allow mount_t to getattr nfs filesystems and manage mount_var_run_t dirs
and files
* Allow setfiles_t to getattr nfs filesystems.
* Allow postgrey_t to exec bin_t files, to read netlink_route_sockets,
and to access udp sockets
* Allow login programs to share fds with systemd_passwd_agent_t
* Allow postfix_master_t to stat the spamass_milter_data_t dir
* Allow dpkg_script_t to tell init_t to stop services
* Allow initrc_t to tell init_t to halt and get system status - allows
poweroff!!!
* Make port 8953 be rndc type for unbound.
* Lots of policy for systemd_nspawn_t
* More policy for systemd_coredump_t to do what it wants
* Allow dkim_milter_t to read vm overcommit sysctl
* Allow mandb_t to search init pid dirs for systemd
* Allow initrc_t to reload systemdunit types
* Make init_manage_all_units() include file:getattr access
* Allow logrotate to init_manage_all_units for restarting daemons, to stat
tmpfs filesystems, to get init system status, and capability net_admin
that systemctl wants
* Allow network manager to inherit logind pids
* Allow devicekit_power_t to search init pid dirs
* Allow named to read vm sysctls
* Allow mysqld_safe_t to read dpkg db, it inherits cwd from dpkg_script_t
alow is to read sysfs and kill mysqld_t
Make mysql_signal interface include signull permission and grant that to
logrotate
* Allow rpcd_t to write /proc/fs/lockd/nlm_end_grace
* Make apache use the new interfaces for nfs access and to read
httpd_var_lib_t symlinks. Allow httpd_sys_script_t to search init pid
dirs
* Allow auth to send sigchild to xdm
* Allow chkpwd_t to getattr the selinuxfs
* Allow system_cronjob_t net_admin capability, manage acct data, and manage
initrc services
* Allow crontab domains fsetid capability. Use a separate $2_crontab_t domain
for each role's crontab program. Give ntp_admin access to system_cronjob_t
and allow it to manage var_log_t and cron log files
* Label /var/lib/sddm as xdm_var_lib_t
* Don't label acct cron job scripts as acct_exec_t
* Allow systemd-tmpfiles to create /dev/xconsole
* Create new type for /var/run/iodine
* Allow logrotate to restart services
* Made init_script_service_restart() include reload access
* Dontaudit systemd_logind_t statting files under /dev/shm
Allow it to setattr unallocated terminals and unlink user_runtime_t files
* Added boolean allow_smbd_read_shadow for the obvious purpose
Allow smbd_t to read cupsd_var_run_t socket as well as write to it
* Allow NetworkManager_t to send dbus messages to unconfined_t
* Grant access to dri and input_dev devices to system_dbusd_t, gdm3 makes it
want this
-- Russell Coker <email address hidden> Mon, 23 Jan 2017 01:55:57 +1100
Available diffs
refpolicy (2:2.20161023.1-7) unstable; urgency=medium
[ Laurent Bigonville and cgzones ]
* Sort the files in the files in the selinux-policy-src.tar.gz tarball by
name, this should fix the last issue for reproducible build
* Add genfscon for cpu/online. Closes: #849637
[ Russell Coker ]
* Make the boinc patch like the one upstream accepted and make it last in
the list.
* Label /etc/sddm/Xsession as xsession_exec_t
* Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
* Allow devicekit_power_t to chat to xdm_t via dbus
* Allow rtkit_daemon_t to stat the selinuxfs and seach default contexts
* Allow loadkeys_t to read tmp files created by init scripts
* Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp
and to read dbus lib files for /var/lib/dbus
* Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
relabel to/from user_tmpfs_t, and manage wireless_device_t
* Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo
and read/write an inherited socket.
* Allow xdm_t to send dbus messages to unconfined_t
* Give crond_t sys_resource so it can set hard ulimit for jobs
* Allow systemd_logind_t to setattr on the kvm device and user ttys, to
manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
* Allow systemd_passwd_agent_t to stat the selinuxfs and search the
contexts dir
* Make systemd_read_machines() also allow listing directory
* Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
* Allow setfiles_t to inherit apt_t file handles
* Allow system_mail_t to use ptys from apt_t and unconfined_t
* Label /run/agetty.reload as getty_var_run_t
* Allow systemd_tmpfiles_t to relabel directories to etc_t
* Made sysnet_create_config() include { relabelfrom relabelto
manage_file_perms }, allow systemd_tmpfiles_t to create config, and set
file contexts entries for /var/run/resolvconf. Makes policy work with
resolvconf (but requires resolvconf changes) Closes: #740685
* Allow dpkg_script_t to restart init services
* Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
* Allow named to read network sysctls and usr files
* Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as
ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and
unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when
building with systemd support, also allow listing init pid dirs. Label
/var/lib/systemd/clock as ntp_drift_t
* Allow systemd_nspawn_t to read system state, search init pid dirs (for
/run/systemd) and capability net_admin
* Allow backup_t capabilities chown and fsetid to cp files and preserve
ownership
* Allow logrotate_t to talk to dbus and connect to init streams for
systemctl, also allow setrlimit for systemctl
* Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t
to execute all applications (for ps to getattr mostly)
* Label /var/lib/wordpress as httpd_var_lib_t
* Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and
allow it to manage dirs of type httpd_lock_t
[ Russell Coker Important ]
* sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
* Support usrmerge, lots of fc changes and subst_dist changes
Closes: #850032
-- Russell Coker <email address hidden> Thu, 12 Jan 2017 18:01:40 +1100
Available diffs
refpolicy (2:2.20161023.1-6) unstable; urgency=medium
* Label /var/lib/unbound as named_cache_t, closes: #740657
* Merge patch for gbp.conf from cgzones <email address hidden>
closes: #849459
* Merge patch from cgzones <email address hidden> to add new .basemodules
file. Closes: #849460
* Make the package build fail when a file is missing. Closes: #849461
* Replaced domain_auto_trans with domain_auto_transition_pattern.
Closes: #849463
* New type systemd_machined_var_run_t for /run/systemd/machines
* Allow initrc_t to get the status of null device service files (for
symlinks) and to reload systemd_unit_t services.
* Allow systemd_logind_t to manage user_runtime_t directories.
allow it sys_admin capability. Allow it to list udev_var_run_t dirs for
/run/udev/tags/power-switch.
* Label /run/console-setup as udev_var_run_t
* Label lvmetad as lvm_exec_t
* Made it conflict with mcstrans because we currently can't get mcstrans,
dbus, and systemd to work together.
* Allow systemd_logind_t to create /run/systemd/inhibit and to manage
systemd_logind_var_run_t dirs and mount/umount,relabelfrom tmpfs_t
* Allow systemd_machined_t to manage symlinks in it's pid dir
* Allow systemd_machined_t to stat tmpfs_t and cgroup_t filesystems
* Updated monit patch from cgzones.
* Allow policykit_t to stat tmpfs_t and cgroup_t filesystems and to read
urandom
* Change auth_login_pgm_domain() to include writing to sessions fifo.
and searching user_runtime_t
* Allow systemd_logind_t and systemd_machined_t to read initrc_t files to
get cgroup and sessionid
* Allow systemd_logind_t to read xserver_t files to get cgroup and sessionid
* Allow system_mail_t to access unix_stream_sockets inherited from init
for error messages on startup
* Allow system_cronjob_t to get systemd unit status
* Allow logrotate to talk to dbus and talk to the private systemd socket for
systemctl
* Allow console_device_t to associate with devpts_t:filesystem for /dev/pts/0
* Allow systemd_logind_t to read all users state for cgroup and sessionid
files
* Label /var/run/sddm and /usr/bin/sddm
* Allow systemd_logind_t to talk to policykit_t and xserver_t by dbus
* Allow systemd_logind_t to send messages to initrc_t by dbus
* Allow policykit_t to send dbus messages to all userdomains
-- Russell Coker <email address hidden> Sun, 01 Jan 2017 15:33:26 +1100
Available diffs
refpolicy (2:2.20161023.1-5) unstable; urgency=medium
* Allowed system_munin_plugin_t to read usr_t files and have capability
net_admin for mii-tool. Thanks joerg <email address hidden>
Closes: #619855
* Allow rsync_t to stat all sock_files and fifo_files when
rsync_export_all_ro is set. Thanks joerg <email address hidden>
Closes: #619979
* Allow bitlbee_t to read FIPS state. Closes: #697814
* Allow mono_t to be in role unconfined_r. Closes: #734192
* Allow dpkg_script_t to manage null_device_t services for service scripts
linked to /dev/null. Closes: #757994
* Give systemd_tmpfiles_t sys_admin capability for adjusting quotas.
* Included initrc_t as a source domain in init_ranged_domain() so that old
XDM packages that lack a systemd service file will work.
* Use xserver_role() for unconfined_t so the xdm can start the session.
* Allow user domains to talk to devicekit_disk_t and devicekit_power_t via
dbus
* Label /run/lvm as lvm_var_run_t
* Allow dhcpc_t to manage samba config
-- Russell Coker <email address hidden> Thu, 29 Dec 2016 01:08:24 +1100
Available diffs
refpolicy (2:2.20161023.1-4) unstable; urgency=medium
* Allow mon_t to read sysfs.
* Made gpm_getattr_gpmctl also allow getattr on the fifo_file
* Allow mount_t to getattr tmpfs_t and rpc_pipefs_t filesystems
* Allow systemd_logind_t to change identities of files
* Allow systemd_logind_t to read the cgroups files of all login processes
* Added monit policy from cgzones <email address hidden>. Closes: #691283
* Allow udev_t to transition to initrc_t for hotplug scripts, and label
/etc/network/ip-ip.d/* etc as initrc_exec_t. Policy taken from Wheezy at
the recommendation of Devin Carraway <email address hidden>
Closes: #739590
-- Russell Coker <email address hidden> Wed, 28 Dec 2016 00:36:11 +1100
Available diffs
refpolicy (2:2.20161023.1-3) unstable; urgency=medium
* Allow ntpd_t to create sockets.
* Allow systemd_hostnamed_t and systemd_logind_t to talk to NetworkManager_t
via dbus.
* Allow systemd_backlight_t to send syslog messages, read sysfs, read etc_t
files, read init state, read udev_var_run_t files (udev data).
* Allow systemd_machined_t to send messages to init_t and initrc_t via dbus,
connect to the system dbus, read etc_t files, and start and stop init_var_run_t services and init_t system
* Allow systemd_logind_t to talk to devicekit_power_t and unconfined_t over
dbus
* Allow systemd_tmpfiles_t to read proc_net_t
* Use /sbin/ldconfig instead of /sbin/ldconfig.real
* Give devicekit_disk_t wake_alarm capability
* Write policy for systemd_coredump_t
* Allow systemd_logind_t to read xdm_t files for XDM state and talk to xdm
via dbus.
* Change /lib/systemd/systemd-cryptsetup to
/usr/lib/systemd/systemd-cryptsetup so file_contexts.subs_dist doesn't
cause the wrong name to match. Allow lvm_t to load modules for
systemd-cryptsetup
* Allow mon_local_test_t to stat gpmctl_t socket. Generally allow the local
tests to access most things that can't do any harm.
* Allow systemd_passwd_agent_t to use getty_t fds and read init state.
* Allow unconfined domains to start and stop etc_t units
-- Russell Coker <email address hidden> Wed, 21 Dec 2016 18:35:33 +1100
Available diffs
refpolicy (2:2.20161023.1-2) unstable; urgency=medium
* Only label files as NetworkManager_initrc_exec_t
* Use separate domains mon_net_test_t and mon_local_test_t for network and
local tests
* Allow boinc to read xdm tmp dirs and connect to the X server, allow it to
read crypto sysctl for some of it's libraries
* Allow unconfined_t to request init to reload it's config
* Make bin_t an entrypoint for inetd_child_t
* Allow systemd_tmpfiles_t to read selinuxfs and selinux_config_t to find
correct context Closes: #834228
* Allow systemd_cgroups_t to read selinux_config_t
* Allow systemd_sessions_t to get contexts for sessions and default contexts
for files for correct labeling
* Allow systemd_logind_t to read cgroup files and getattr cgroupfs, and to
start and stop user sessions
* Allow systemd_tmpfiles_t to read kmod_var_run_t for
/run/tmpfiles.d/kmod.conf
* Allow syslogd_t to read SE Linux config
* Allow dpkg_script_t to reload systemd configuration and to restart
initrc_exec_t units.
* Allow sulogin to read crypto sysctls and set booleans
* Allow cron jobs append and ioctl access to crond_tmp_t
* Allow systemd_hostnamed_t to read sysfs
* Policy to allow systemd_backlight_t and systemd_machined_t to do things
* Give initrc_t, xserver_t, and devicekit_power_t wake_alarm capability.
* Allow tor to search tmpfs.
* Allow system_mail_t to inherit file handles from init.
-- Russell Coker <email address hidden> Thu, 08 Dec 2016 23:16:14 +1100
Available diffs
refpolicy (2:2.20161023.1-1) unstable; urgency=medium
* New upstream to remove unwanted files from the archive.
* Type mon_test_exec_t for /usr/lib/mon/helper/*
* Give init_t and udev_t capability2:wake_alarm for systemd and systemd-udevd
* logging_manage_generic_logs(systemd_tmpfiles_t) for /var/log/?tmp
* Make bin_t an entrypoint for mon_test_t for scripts run from sudo.
* Allow postfix_master_t to getsched for sort and other programs from startup
shell scripts
-- Russell Coker <email address hidden> Sun, 04 Dec 2016 22:41:31 +1100
Available diffs
refpolicy (2:2.20161023-1) unstable; urgency=medium * Rebase to new release -- Russell Coker <email address hidden> Wed, 02 Nov 2016 15:15:07 +1100
Available diffs
- diff from 2:2.20151208-1 to 2:2.20161023-1 (177.0 KiB)
| Superseded in zesty-release |
| Obsolete in yakkety-release |
| Deleted in yakkety-proposed (Reason: moved to release) |
refpolicy (2:2.20151208-1) unstable; urgency=medium
* Rebase to new upstream
* Move locallogin, sysadm, udev, and modutils to base
* Add /lib/systemd to file_contexts.subs_dist and remove duplicate fcontexts
* Allow unconfined_t to manage all init units
* Allow dmesg_t and sysadm_t to read /dev/kmsg
* Label /usr/lib/selinux/hll/pp as bin_t
* Allow udev_t to create /var/run/network with type net_conf_t
* Allow auditctl_t to getcap
* Allow auditd_t setattr on /var/log/audit
* Allow semanage_t to search policy_src_t dirs for /usr/lib/selinux/hll
* Label /lib/systemd/libsystemd-shared-.*.so as lib_t
* Allow systemd_tmpfiles_t and systemd_cgroups_t to read /proc/1/environ
and /proc/cmdline, and have capability net_admin
* Allow systemd_tmpfiles_t to create and relabel var_t directories
* Allow systemd_cgroups_t to send unix dgrams to init.
* Label /var/run/alsa as alsa_var_lock_t and use type trans for alsa_t to
create it
* Allow syslogd_t to create syslogd_var_run_t dirs for
/run/systemd/journal/streams/
* Allow alsa_t to manage directories and lnk_files of type alsa_var_lock_t
for directories under /run/alsa
* This policy works well for a VM but is known to not work on bare metal.
I'll upload a new version that fixes this soon.
-- Russell Coker <email address hidden> Wed, 03 Aug 2016 10:42:57 +1000
Available diffs
- diff from 2:2.20140421-12 to 2:2.20151208-1 (255.9 KiB)
refpolicy (2:2.20140421-12) unstable; urgency=medium
* Team upload.
* Install the policy.dtd and policy.xml file in the -dev package, it is used
by some userspace tools
-- Laurent Bigonville <email address hidden> Fri, 27 May 2016 20:23:35 +0200
Available diffs
- diff from 2:2.20140421-11 to 2:2.20140421-12 (693 bytes)
refpolicy (2:2.20140421-11) unstable; urgency=medium
* Team upload.
* debian/rules:
- Make sure the content of the .modules file is sorted independently of
the locale where the package is built.
- Force the mode of the files and directories when building the
selinux-policy-src tarball to make the build reproducible.
* debian/postinst.policy: List the loaded modules from the expected store
not from the one configured in the config file
* debian/NEWS: Add some information about the new policy store.
* debian/postrm.policy: Remove the /var/lib/selinux/final/ directory when
purging the package. This directory is created when loading the modules.
-- Laurent Bigonville <email address hidden> Mon, 16 May 2016 17:49:03 +0200
Available diffs
refpolicy (2:2.20140421-10) unstable; urgency=medium
* Team upload.
[ Laurent Bigonville ]
* Fix the maintainer script to support the new policy store from libsemnage
2.4 (Closes: #805492)
* debian/gbp.conf: Sign tags by default (Closes: #781670)
* debian/control: Adjust and cleanup the {build-}dependencies (Closes:
#805496)
* debian/control: Bump Standards-Version to 3.9.8 (no further changes)
* debian/rules: Make the build reproducible (Closes: #778232)
* Remove deprecated system.users and local.users files
* debian/control: Update Homepage URL (Closes: #780934)
* debian/rules: Allow parallel build now that the build system is supporting
it, see #677689
* debian/policygentool: Remove string exceptions so the script is Python >=
2.6 compatible (Closes: #585355)
* Do not install semanage.read.LOCK, semanage.trans.LOCK and
file_contexts.local in /etc/selinux/* this is not needed anymore with the
new policy store.
* debian/control: Use https for the Vcs-* URL's to please lintian
* debian/watch: Fix watch file URL now that the project has moved to github
[ Russell Coker ]
* Allow init_t to manage init_var_run_t symlinks and self getsched
to relabel files and dirs to etc_runtime_t for /run/blkid
to read/write init_var_run_t fifos for /run/initctl
kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
sysctls)
* Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
filesystems
* Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
* Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
* Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
create it
* apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
* Allow apache to read sysctl_vm_t for overcommit_memory Allow
httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t
files and directories for mod_pagespeed.
* Removed bogus .* in mailman file context that was breaking the regex
* Lots of mailman changes
* Allow system_mail_t read/write access to crond_tmp_t
* Allow postfix_pipe_t to write to postfix_public_t sockets
* Label /usr/share/mdadm/checkarray as bin_t
* Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
status
* Allow systemd_tmpfiles_t to create the cpu_device_t device
* Allow init_t to manage init_var_run_t links
* Allow groupadd_t the fsetid capability
* Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
dpkg_var_lib_t so dpkg-statoverride can do it's job
* Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
* Allow webalizer to read fonts and allow logrotate to manage
webaliser_usage_t files also allow it to be run by logrotate_t.
* Allow jabber to read ssl certs and give it full access to it's log files
Don't audit jabber running ps.
* Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
in log dir
* Allow webalizer to read usr_t and created webalizer_log_t for it's logs
* Made logging_log_filetrans and several other logging macros also allow
reading var_log_t links so a variety of sysadmin symlinks in /var/log
won't break things
* Allow postfix_policyd_t to execute bin_t, read urandom, and capability
chown.
New type postfix_policyd_tmp_t
* Added user_udp_server boolean
* Allow apt_t to manage dirs of type apt_var_cache_t
* Allow jabber to connect to the jabber_interserver_port_t TCP port
Closes: #697843
* Allow xm_t to create xen_lock_t files for creating the first Xen DomU
* Allow init_t to manage init_var_run_t for service file symlinks
* Add init_telinit(dpkg_script_t) for upgrading systemd
* Allow dpkg_script_t the setfcap capability for systemd postinst.
* Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
* Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read proc_t,
and have capability net_admin. Allow logrotate_systemctl_t to manage all
services.
* Give init_t the audit_read capability for systemd
* Allow iodined_t access to netlink_route_socket.
* add init_read_state(systemd_cgroups_t) and
init_read_state(systemd_tmpfiles_t) for /proc/1/environ
* Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
be some
sort of default location. /var/log is a better directory for this
* Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
* Allow mandb_t to get filesystem attributes
* Allow syslogd to rename and unlink init_var_run_t files for systemd
temporary files
* Allow ntpd_t to delete files for peerstats and loopstats
* Add correct file labels for squid3 and tunable for squid pinger raw net
access (default true)
* Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
xenstored unix sockets
* Allow qemu_t to read sysfs files for cpu online
* Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
* Allow xm_t (xl program) to create and rename xend_var_log_t files, read
kernel images, execute qemu, and inherit fds from sshd etc.
* Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
/run/xen-hotplug/iptables for when vif-bridge runs iptables
* Allow xm_t to write to xen_lock_t files not var_lock_t
* Allow xm_t to load kernel modules
* Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
it's sockets
* dontaudit xm_t searching home dir content
* Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
xend_var_run_t directory
* Label /var/lock/xl as xen_lock_t
* allow unconfined_t to execute xl/xm in xm_t domain.
* Allow system_cronjob_t to configure all systemd services (restart all
daemons)
* Allow dpkg_script_t and unconfined_t to manage systemd service files of
type null_device_t (symlinks to /dev/null)
* Label /var/run/lwresd/lwresd.pid as named_var_run_t
* Label /run/xen/qmp* as qemu_var_run_t
* Also label squid3.pid
* Allow iptables_t to be in unconfined_r (for Xen)
* Allow udev_t to restart systemd services
Closes: #756729
* Merge Laurent's changes with mine
-- Laurent Bigonville <email address hidden> Fri, 13 May 2016 22:29:59 +0200
Available diffs
- diff from 2:2.20140421-9 to 2:2.20140421-10 (24.0 KiB)
| Superseded in yakkety-release |
| Published in xenial-release |
| Obsolete in wily-release |
| Obsolete in vivid-release |
| Deleted in vivid-proposed (Reason: moved to release) |
refpolicy (2:2.20140421-9) unstable; urgency=medium
* Allow dovecot_t to read /usr/share/dovecot/protocols.d
Allow dovecot_t capability sys_resource
Label /usr/lib/dovecot/* as bin_t unless specified otherwise
Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens
* Allow clamd_t capability { chown fowner fsetid }
Allow clamd_t to read sysctl_vm_t
* Allow dkim_milter_t capability dac_override and read sysctl_vm_t
allow dkim_milter_t to bind to unreserved UDP ports
* Label all hard-links of perdition perdition_exec_t
Allow perdition to read /dev/urandom and capabilities dac_override, chown,
and fowner
Allow perdition file trans to perdition_var_run_t for directories
Also proxy the sieve service - sieve_port_t
Allow connecting to mysql for map data
* Allow nrpe_t to read nagios_etc_t and have capability dac_override
* Allow httpd_t to write to initrc_tmp_t files
Label /var/lib/php5(/.*)? as httpd_var_lib_t
* Allow postfix_cleanup_t to talk to the dkim filter
allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters)
allow postfix_smtpd_t to talk to clamd_t via unix sockets
allow postfix_master_t to execute hostname for Debian startup scripts
* Allow unconfined_cronjob_t role system_r and allow it to restart daemons
via systemd
Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session
cleanup)
* Allow spamass_milter_t to search the postfix spool and sigkill itself
allow spamc_t to be in system_r for when spamass_milter runs it
* Allow courier_authdaemon_t to execute a shell
* Label /usr/bin/maildrop as procmail_exec_t
Allow procmail_t to connect to courier authdaemon for the courier maildrop,
also changed courier_stream_connect_authdaemon to use courier_var_run_t
for the type of the socket file
Allow procmail_t to read courier config for maildrop.
* Allow system_mail_t to be in role unconfined_r
* Label ldconfig.real instead of ldconfig as ldconfig_exec_t
* Allow apt_t to list directories of type apt_var_log_t
* Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for
dpkg-preconfigure
* Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage
shadow files, process setfscreate, and capabilities audit_write net_admin
sys_ptrace
* Label /usr/lib/xen-*/xl as xm_exec_t
-- Russell Coker <email address hidden> Fri, 06 Feb 2015 02:31:05 +1100
Available diffs
- diff from 2:2.20140421-7 to 2:2.20140421-9 (20.4 KiB)
refpolicy (2:2.20140421-7) unstable; urgency=medium
* Label /run/systemd/journal/dev-log and /run/systemd/journal/stdout as
devlog_t
* Allow bootloadter_t to load kernel modules and run apt-cache
* Allow systemd_cgroups_t to read /proc/cmdline
* Allow sshd net_admin capability
* Allow systemd_logind_t to read kernel sysctls, list tmpfs, and mount on
/var/auth, and systemd_unit_file_t:service stop.
* Allow dpkg_script_t to restart systemd unit files of type init_var_run_t
* Allow local_login_t and user_t to talk to systemd_logind via dbus
* Allow user_ssh_agent_t to read/write it's own fifo files
* Allow user_t to talk to gconfd_t via dbus
* Allow gpg_agent_t to send sigchld to xdm_t, to be a system dbus client,
to use nsswitch, and to read user xauth file
* Allow $1_dbusd_t domains systemd_login_read_pid_files access
* Remove gpg_helper_t, merge gpg_pinentry_t with the main gpg domain, and
create user_gpg_t, staff_gpg_t, etc.
* Allow userdomains to talk to kerneloops via dbus
* Allow sysstat_t to search all mountpoints
* Allow udev_t self:netlink_route_socket nlmsg_write for interface rename
* Allow systemd_tmpfiles_t to read kernel sysctls for boot_id
* Allow setfiles_t to read /dev/urandom
* Label /var/run/blkid as etc_runtime_t
* TLDR: Make everything work with latest systemd and allow KDE login with
latest X11 configuration.
-- Russell Coker <email address hidden> Mon, 13 Oct 2014 09:41:44 +1100
Available diffs
- diff from 2:2.20140421-4 to 2:2.20140421-7 (20.5 KiB)
| Superseded in vivid-release |
| Obsolete in utopic-release |
| Deleted in utopic-proposed (Reason: moved to release) |
refpolicy (2:2.20140421-4) unstable; urgency=medium
* Team upload.
* debian/rules: Properly expand flavour directory during build
* debian/rules: Properly remove postrm scripts in clean target
* debian/postinst.policy: Remove the modules that are not built anymore from
the notdefault list
* debian/postinst.policy: Remove the .disabled file for the modules that are
now built in the base.pp or not built anymore at all.
-- Laurent Bigonville <email address hidden> Sun, 29 Jun 2014 17:33:39 +0200
Available diffs
refpolicy (2:2.20140421-3) unstable; urgency=medium
* Allow sysadm_t to read policy
* Make systemd_login_list_pid_dirs() call init_search_pid_dirs() as it
doesn't work without it
* Added chromium/google-chrome policy
* dev_getattr_sysfs(sysstat_t) for Debian cron job
* Allow sysstat_t to manage it's log files
* Allow dpkg_script_t to config all systemd services and get init status
* Allow dpkg_script_t to dirmngr_admin
* really added systemd_login_list_pid_dirs(system_dbusd_t) (somehow missed
this last time)
* Allow sshd to chat with systemd via dbus
* Allow unconfined_t to restart services
* systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
* systemd_dbus_chat_logind(sshd_t)
* Allow xend to read vm sysctls
* Allow udev_t to manage xenfs_t files for xenstore-read
* Allow system_dbusd_t systemd_login_read_pid_files access for
/run/systemd/users/* files
* Allow systemd_logind_t to stat tmpfs_t filesystems for /run/user
* Remove the "genfscon selinuxfs" line from selinux.if in selinux-policy-dev
to stop sepolgen-ifgen errors.
* Make udev_relabelto_db() include lnk_file relabeling
* Allow kernel_t to fs_search_tmpfs, selinux_compute_create_context, and
kernel_read_unlabeled_state for booting without unconfined.pp
* Allow system_cronjob_t to manage the apt cache
* Allow modutils_read_module_config(init_t) and create cgroup_t links for
strict config. Allow it to relabel from tmpfs_t symlinks
* Allow init_run_all_scripts_domain (initrc_t) the service { status start
stop } for all the daemon _initrc_exec_t scripts.
* Allow sysadm_r to have domain system_mail_t for strict policy
* Allow init_t to relabel device_t symlinks and pstore_t dirs, load kernel
modules, manage init_var_run_t sock_files, read /usr, read /dev/urandom,
systemd_manage_passwd_run, and domain_read_all_domains_state
-- Russell Coker <email address hidden> Sun, 29 Jun 2014 19:11:45 +1000
Available diffs
refpolicy (2:2.20140421-2) unstable; urgency=medium
* Fix systemd support
* Made init, logging, authlogin, application, userdomain, systemd, dmesg,
dpkg, usermanage, libraries, fstools, miscfiles, mount, selinuxutil,
storage and sysnetwork be base modules - some of this is needed for
systemd, some just makes sense.
* Disabled modules anaconda, authbind, kudzu, portage, rhgb, speedtouch
* Allow syslogd_t to read /dev/urandom (for systemd)
* Change unit files to use .*\.service
* Default trans syslogd_tmp_t for name /run/log (for systemd)
* Make /var/auth a mountpoint
* Allow systemd_tmpfiles_t to relabelto xconsole_device_t
* Allow init_t to start and stop service systemd_unit_file_t
* Allow udev_t to write to init_t stream sockets for systemctl
* Allow syslogd_t to read udev_var_run_t so systemd_journal can get seat data
* Allow systemd_logind_t to read udev_var_run_t for seat data
* Allow syslogd_t setgid and setgid for systemd_journal
* Allow udev_t to read cgroup files for systemd-udevd to read it's own cgroup
* Give logrotate_t the systemd_systemctl_domain access to restart daemons
* Make transition from unconfined_t to insmod_t for running modutils and
remove all unused modutils domains. Make unconfined_t transition to
insmod_t, this makes depmod run as insmod_t. Make insmod_t write modules
dep files with the correct context.
* Allow udev_t to load kernel modules for systemd-udevd
* Allow initrc_t to systemd_config_all_services
* Allow lvm_t to talk to init_t via unix socket for systemd
* Allow allow lvm_t to read sysctl_crypto_t
* Allow udev_t to read modules_object_t for systemd-udevd
* Allow udev_t to search /run/systemd for systemd-udevd
* Allow systemd_tmpfiles_t to relabel man_cache_t
* Allow initrc_t to get status of init_t for systemd
* Allow udev_t to get initrc_exec_t service status for when udev runs hdparm
script
* Allow ifconfig_t to load kernel modules
* Allow named_t to read vm sysctls
* Allow tor_t capabilities chown dac_read_search dac_override fowner
* Allow fetchmail_t to manage dirs of type fetchmail_uidl_cache_t
* Allow mysqld_t to connect to itself on unix_stream_socket
* Allow mysqld_t kernel_read_vm_sysctls for overcommit_memory
* Allow sysstat_t read and write access to crond_tmp_t (for cron to capture
stdout/stderr).
* Allow sysstat_t to read it's own log files and read shell_exec_t
* Included file context for /run/kdm.pid
* Allow kerneloops_t to read /proc/filesystems
* Label /var/cache/dirmngr as dirmngr_var_lib_t
* systemd_login_list_pid_dirs(system_dbusd_t)
-- Russell Coker <email address hidden> Wed, 25 Jun 2014 15:38:58 +1000
Available diffs
- diff from 2:2.20140421-1 to 2:2.20140421-2 (32.6 KiB)
refpolicy (2:2.20140421-1) unstable; urgency=medium
* Team upload.
* New GIT snapshot of the policy
- Drop debian/patches/upstream/*.patch: Applied upstream
- Label /etc/locale.alias as locale_t (Closes: #707246)
- Allow xdm_t to execute gkeyringd_domains and to transition to them
- Label postgresql manpages properly (Closes: #740591)
- Allow setfiles_t and restorecond_t to getattr from all fs that support
xattr (Closes: #740682)
* Refresh debian/modules.conf.default, debian/modules.conf.mls: Start
building the shibboleth module
-- Laurent Bigonville <email address hidden> Mon, 21 Apr 2014 23:37:53 +0200
Available diffs
- diff from 2:2.20140206-1 to 2:2.20140421-1 (306.9 KiB)
| Superseded in utopic-release |
| Published in trusty-release |
| Deleted in trusty-proposed (Reason: moved to release) |
refpolicy (2:2.20140206-1) unstable; urgency=medium
* Team upload.
* New GIT snapshot of the policy
- Allow unconfined_u user to enter system_r role again (Closes: #732857)
- Allow unconfined user to transition to dpkg_t and transitively to
dpkg_script_t (Closes: #707214)
- Refresh 0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch
- Drop d/p/0005-add-missing-newline.patch,
d/p/0006-allow-udev-write-rulesd.patch: Applied upstream
* debian/selinux-policy-dev.post{inst,rm}: Call sepolgen-ifgen after
selinux-policy-dev installation if SELinux is enabled
* debian/selinux-policy-dev.install, debian/rules: Install headers in
/usr/share/selinux/devel, there is no differences between default and mls
headers, so it's not necessary to install both.
* debian/rules, debian/example/Makefile, debian/Makefile.devel: Fix
development Makefile to work with new headers location
* debian/control: Bump Standards-Version to 3.9.5 (no further changes)
-- Laurent Bigonville <email address hidden> Thu, 06 Feb 2014 21:56:55 +0100
Available diffs
- diff from 2:2.20131214-1 to 2:2.20140206-1 (12.7 KiB)
refpolicy (2:2.20131214-1) unstable; urgency=low
* Team upload.
[ Laurent Bigonville ]
* New GIT snapshot of the policy
- Drop all the Debian specific patches, some of the patches have been
merged upstream, but the rest was making it really difficult to upgrade
the policy to the new upstream versions.
- Add block_suspend access vectors (Closes: #722700)
- libvirt should now run when compiled with selinux support
(Closes: #559356)
- Allow smartd daemon to write in /var/lib/smartmontools directory
(Closes: #720631)
- NetworkManager should now be able to write /run/network/ifstate
(Closes: #711083)
- Allow dovecot self:process setsched permission (Closes: #716753)
- Add denyhosts policy package (Closes: #700403)
- deny_ptrace boolean is now gone (Closes: #691284)
- Allow fail2ban dac_read_search and dac_override capabilities
(Closes: #700326)
- irqbalance has now the getsched permission (Closes: #707243)
* Refresh debian/modules.conf.* for new release, build all the policy
packages as modules now
* Drop debian/file_contexts.subs_dist, install upstream one instead
* debian/rules: policy/rolemap file is gone
* debian/control: Bump {build-}dependencies to the last userspace release
* debian/rules: Disable UBAC for the default policy
* debian/rules: Build the default policy with UNK_PERMS=allow
* debian/control: Add dependency against selinux-utils for selinuxenabled
* debian/NEWS: Add some information about the proper way to permanently
disable a module
* d/p/0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch:
Fix FTBFS and allow startpar can getattr of some devices
* Add d/p/0005-add-missing-newline.patch: Add missing newline at the end of
the file, this is causing weird behaviour, thanks M4
* d/p/0006-allow-udev-write-rulesd.patch: Allow udev to write in
/etc/udev/rules.d (Closes: #712970)
[ Mika Pflüger ]
* debian/postinst.policy: Rewrite the postinst script for the
selinux-policy-* packages to automatically upgrade the running policy.
(Closes: #552147)
* debian/copyright: Update to machine-readable copyright format.
* debian/postrm.policy: Use common postrm script for selinux-policy-*
packages.
-- Laurent Bigonville <email address hidden> Sun, 15 Dec 2013 22:53:06 +0100
Available diffs
refpolicy (2:2.20110726-13) unstable; urgency=low
* Team upload.
[ Mika Pflüger ]
* Allow dhcpc_t to bind to all udp ports (Closes: #707658).
[ Laurent Bigonville ]
* Rework the build system
* Compress modules files with bzip2
* debian/control:
- Bump Standards-Version to 3.9.4 (no further changes)
- Drop really old Conflicts
- Add a Breaks against selinux-basics (<< 0.5.2~) so we are sure it
supports .bz2 compressed modules
* debian/source/lintian-overrides: Add an override for
maintainer-script-lacks-debhelper-token
-- Laurent Bigonville <email address hidden> Fri, 20 Sep 2013 19:18:57 +0200
Available diffs
- diff from 2:2.20110726-12 to 2:2.20110726-13 (35.4 KiB)
| 1 → 75 of 116 results | First • Previous • Next • Last |
