Change logs for refpolicy source package in Jammy

  • refpolicy (2:2.20210203-11) unstable; urgency=medium
    
      * Add boolean for BOINC GPU/X
      * Added labelling for some storage character devices and for
        /usr/sbin/mkinitramfs
      * Some minor changes to mon and systemd-nspawn policy
      * Allow systemd_generator_t to execute all entry types
      * Give fsetid capability to certbot
      * Tweak matrixd and mailman policy for upstream submission
      * Fixes for sympa policy
    
     -- Russell Coker <email address hidden>  Mon, 21 Feb 2022 20:52:35 +1100
  • refpolicy (2:2.20210203-10) unstable; urgency=medium
    
      * Team upload.
      * debian/control: Adjust the (build-)dependencies for the userspace 3.3
        release
    
     -- Laurent Bigonville <email address hidden>  Tue, 09 Nov 2021 09:44:53 +0100
  • refpolicy (2:2.20210203-9) unstable; urgency=medium
    
      * Label /opt/google/chrome/chrome_crashpad_handler and
        /opt/google/chrome/crashpad_handler as chromium_exec_t
      * Allow kmod_t to manage bootloader_tmp_t files and allow bootloader_t to
        create and delete /dev/null (for initramfs).  Also allow bootloader_t to
        read udev rules and network config.
      * Merged patches from Topi Miettinen for building only one flavour and for
        correctly making a list of modules even when building is asynchronous.
      * Added patch for /usr/libexec/sssd/sssd_.+ from Sam Morris.
    
     -- Russell Coker <email address hidden>  Thu, 21 Oct 2021 14:23:40 +1100
  • refpolicy (2:2.20210203-8) unstable; urgency=medium
    
      * Label /etc/ppp/ip-pre-up as pppd_initrc_exec_t
      * Allow wireshark to rw DRI devices, read crypto sysctls, rw the xserver
        mesa shader cache, read the kernel network state, have execmem access
        (probably needed for one of the many shared objects it uses), have setsched
        access, execute lib files (for its helper programs), manage xdg config
        files (gives warning if it can't do this), manage xdg cache, and read xdg
        data files.
      * Allow acngtool_t the dac_override capability for managing log files
      * Allow pppd to connect, create and ioctl pppox_socket and allow it to map
        pppd_runtime_t files.
      * Allow kmod_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin
        login on boot failure)
      * Allow ntpd_t to start and stop generic units when systemd is used, for
        systemd-timesyncd.
    
     -- Russell Coker <email address hidden>  Mon, 04 Oct 2021 15:06:54 +1100
  • refpolicy (2:2.20210203-7) unstable; urgency=medium
    
      * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
      * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script
        /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/*
        as bin_t.
      * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other
        corner cases and allowed fsadm_t to read fsdaemon_var_lib_t.  Dontaudit
        fsadm_t inheriting file handles from mon_t.
      * Allow fsadm_t to do a file type trans for creating
        /dev/megaraid_sas_ioctl_node
      * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
        cgroup files.  Needed for JRE 17
    
     -- Russell Coker <email address hidden>  Mon, 14 Jun 2021 09:47:05 +1000