refpolicy 2:2.20140421-10 source package in Ubuntu

Changelog

refpolicy (2:2.20140421-10) unstable; urgency=medium

  * Team upload.
  [ Laurent Bigonville ]
  * Fix the maintainer script to support the new policy store from libsemanage
    2.4 (Closes: #805492)
  * debian/gbp.conf: Sign tags by default (Closes: #781670)
  * debian/control: Adjust and cleanup the {build-}dependencies (Closes:
    #805496)
  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
  * debian/rules: Make the build reproducible (Closes: #778232)
  * Remove deprecated system.users and local.users files
  * debian/control: Update Homepage URL (Closes: #780934)
  * debian/rules: Allow parallel build now that the build system is supporting
    it, see #677689
  * debian/policygentool: Remove string exceptions so the script is Python >=
    2.6 compatible (Closes: #585355)
  * Do not install semanage.read.LOCK, semanage.trans.LOCK and
    file_contexts.local in /etc/selinux/* this is not needed anymore with the
    new policy store.
  * debian/control: Use https for the Vcs-* URLs to please lintian
  * debian/watch: Fix watch file URL now that the project has moved to github

  [ Russell Coker ]
  * Allow init_t to manage init_var_run_t symlinks and self getsched
    to relabel files and dirs to etc_runtime_t for /run/blkid
    to read/write init_var_run_t fifos for /run/initctl
    kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
    sysctls)
  * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
    filesystems
  * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
  * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
  * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
    create it
  * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
  * Allow apache to read sysctl_vm_t for overcommit_memory. Allow
    httpd_sys_script_t to read sysfs_t. Allow httpd_t to manage httpd_log_t
    files and directories for mod_pagespeed.
  * Removed bogus .* in mailman file context that was breaking the regex
  * Lots of mailman changes
  * Allow system_mail_t read/write access to crond_tmp_t
  * Allow postfix_pipe_t to write to postfix_public_t sockets
  * Label /usr/share/mdadm/checkarray as bin_t
  * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
    status
  * Allow systemd_tmpfiles_t to create the cpu_device_t device
  * Allow init_t to manage init_var_run_t links
  * Allow groupadd_t the fsetid capability
  * Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
    setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
    dpkg_var_lib_t so dpkg-statoverride can do its job
  * Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
  * Allow webalizer to read fonts and allow logrotate to manage
    webaliser_usage_t files also allow it to be run by logrotate_t.
  * Allow jabber to read ssl certs and give it full access to its log files
    Don't audit jabber running ps.
  * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
    in log dir
  * Allow webalizer to read usr_t and created webalizer_log_t for its logs
  * Made logging_log_filetrans and several other logging macros also allow
    reading var_log_t links so a variety of sysadmin symlinks in /var/log
    won't break things
  * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
    chown.
    New type postfix_policyd_tmp_t
  * Added user_udp_server boolean
  * Allow apt_t to manage dirs of type apt_var_cache_t
  * Allow jabber to connect to the jabber_interserver_port_t TCP port
    Closes: #697843
  * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
  * Allow init_t to manage init_var_run_t for service file symlinks
  * Add init_telinit(dpkg_script_t) for upgrading systemd
  * Allow dpkg_script_t the setfcap capability for systemd postinst.
  * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
  * Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read proc_t,
    and have capability net_admin.  Allow logrotate_systemctl_t to manage all
    services.
  * Give init_t the audit_read capability for systemd
  * Allow iodined_t access to netlink_route_socket.
  * add init_read_state(systemd_cgroups_t) and
    init_read_state(systemd_tmpfiles_t) for /proc/1/environ
  * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
    be some sort of default location. /var/log is a better directory for this
  * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
  * Allow mandb_t to get filesystem attributes
  * Allow syslogd to rename and unlink init_var_run_t files for systemd
    temporary files
  * Allow ntpd_t to delete files for peerstats and loopstats
  * Add correct file labels for squid3 and tunable for squid pinger raw net
    access (default true)
  * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
    xenstored unix sockets
  * Allow qemu_t to read sysfs files for cpu online
  * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
  * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
    kernel images, execute qemu, and inherit fds from sshd etc.
  * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
    /run/xen-hotplug/iptables for when vif-bridge runs iptables
  * Allow xm_t to write to xen_lock_t files not var_lock_t
  * Allow xm_t to load kernel modules
  * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
    its sockets
  * dontaudit xm_t searching home dir content
  * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
    xend_var_run_t directory
  * Label /var/lock/xl as xen_lock_t
  * allow unconfined_t to execute xl/xm in xm_t domain.
  * Allow system_cronjob_t to configure all systemd services (restart all
    daemons)
  * Allow dpkg_script_t and unconfined_t to manage systemd service files of
    type null_device_t (symlinks to /dev/null)
  * Label /var/run/lwresd/lwresd.pid as named_var_run_t
  * Label /run/xen/qmp* as qemu_var_run_t
  * Also label squid3.pid
  * Allow iptables_t to be in unconfined_r (for Xen)
  * Allow udev_t to restart systemd services
    Closes: #756729
  * Merge Laurent's changes with mine

 -- Laurent Bigonville <email address hidden>  Fri, 13 May 2016 22:29:59 +0200

Upload details

Uploaded by: Debian SELinux maintainers
Uploaded to: Sid
Original maintainer: Debian SELinux maintainers
Architectures: all
Section: admin
Urgency: Medium Urgency

Builds

Yakkety: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
refpolicy_2.20140421-10.dsc 2.0 KiB 0b83e4e05e8c672b86e928128071727cd152d580b721817ce1a883bb92f85cd6
refpolicy_2.20140421.orig.tar.bz2 668.3 KiB 258ff813c84139175db63958ac8bff2bcce32982bb0d902e06aaaf17dd644367
refpolicy_2.20140421-10.debian.tar.xz 87.9 KiB e07227169bf110bc045b977dd545a6a84864e431c745696102907b571188036b

Available diffs

No changes file available.

Binary packages built by this source

selinux-policy-default: No summary available for selinux-policy-default in ubuntu yakkety.

selinux-policy-dev: No summary available for selinux-policy-dev in ubuntu yakkety.

selinux-policy-doc: No summary available for selinux-policy-doc in ubuntu yakkety.

selinux-policy-mls: No summary available for selinux-policy-mls in ubuntu yakkety.

selinux-policy-src: No summary available for selinux-policy-src in ubuntu yakkety.