refpolicy 2:2.20140421-10 source package in Ubuntu
Changelog
refpolicy (2:2.20140421-10) unstable; urgency=medium

  * Team upload.

  [ Laurent Bigonville ]
  * Fix the maintainer script to support the new policy store from
    libsemanage 2.4 (Closes: #805492)
  * debian/gbp.conf: Sign tags by default (Closes: #781670)
  * debian/control: Adjust and cleanup the {build-}dependencies
    (Closes: #805496)
  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
  * debian/rules: Make the build reproducible (Closes: #778232)
  * Remove deprecated system.users and local.users files
  * debian/control: Update Homepage URL (Closes: #780934)
  * debian/rules: Allow parallel build now that the build system is
    supporting it, see #677689
  * debian/policygentool: Remove string exceptions so the script is
    Python >= 2.6 compatible (Closes: #585355)
  * Do not install semanage.read.LOCK, semanage.trans.LOCK and
    file_contexts.local in /etc/selinux/* this is not needed anymore with
    the new policy store.
  * debian/control: Use https for the Vcs-* URLs to please lintian
  * debian/watch: Fix watch file URL now that the project has moved to
    github

  [ Russell Coker ]
  * Allow init_t to manage init_var_run_t symlinks and self getsched
    to relabel files and dirs to etc_runtime_t for /run/blkid
    to read/write init_var_run_t fifos for /run/initctl
    kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually
    other sysctls)
  * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
    filesystems
  * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
  * Label /usr/share/bug/.* files as bin_t for reportbug in strict
    configuration
  * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
    create it
  * apache_unlink_var_lib() now includes write access to
    httpd_var_lib_t:dir
  * Allow apache to read sysctl_vm_t for overcommit_memory
    Allow httpd_sys_script_t to read sysfs_t.
    allow httpd_t to manage httpd_log_t files and directories for
    mod_pagespeed.
  * Removed bogus .* in mailman file context that was breaking the regex
  * Lots of mailman changes
  * Allow system_mail_t read/write access to crond_tmp_t
  * Allow postfix_pipe_t to write to postfix_public_t sockets
  * Label /usr/share/mdadm/checkarray as bin_t
  * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
    status
  * Allow systemd_tmpfiles_t to create the cpu_device_t device
  * Allow init_t to manage init_var_run_t links
  * Allow groupadd_t the fsetid capability
  * Allow dpkg_script_t to transition to passwd_t.
    Label dpkg-statoverride as setfiles_exec_t for changing SE Linux
    context.
    Allow setfiles_t to read dpkg_var_lib_t so dpkg-statoverride can do its
    job
  * Allow initrc_t to write to fsadm_log_t for logsave in strict
    configuration
  * Allow webalizer to read fonts and allow logrotate to manage
    webaliser_usage_t files also allow it to be run by logrotate_t.
  * Allow jabber to read ssl certs and give it full access to its log files
    Don't audit jabber running ps.
  * Made logging_search_logs() allow reading var_log_t:lnk_file for
    symlinks in log dir
  * Allow webalizer to read usr_t and created webalizer_log_t for its logs
  * Made logging_log_filetrans and several other logging macros also allow
    reading var_log_t links so a variety of sysadmin symlinks in /var/log
    won't break things
  * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
    chown. New type postfix_policyd_tmp_t
  * Added user_udp_server boolean
  * Allow apt_t to manage dirs of type apt_var_cache_t
  * Allow jabber to connect to the jabber_interserver_port_t TCP port
    Closes: #697843
  * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
  * Allow init_t to manage init_var_run_t for service file symlinks
  * Add init_telinit(dpkg_script_t) for upgrading systemd
  * Allow dpkg_script_t the setfcap capability for systemd postinst.
  * Add domain_getattr_all_domains(init_t) for upgrading strict mode
    systems
  * Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read
    proc_t, and have capability net_admin.
    Allow logrotate_systemctl_t to manage all services.
  * Give init_t the audit_read capability for systemd
  * Allow iodined_t access to netlink_route_socket.
  * add init_read_state(systemd_cgroups_t) and
    init_read_state(systemd_tmpfiles_t) for /proc/1/environ
  * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems
    to be some sort of default location. /var/log is a better directory
    for this
  * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
  * Allow mandb_t to get filesystem attributes
  * Allow syslogd to rename and unlink init_var_run_t files for systemd
    temporary files
  * Allow ntpd_t to delete files for peerstats and loopstats
  * Add correct file labels for squid3 and tunable for squid pinger raw net
    access (default true)
  * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
    xenstored unix sockets
  * Allow qemu_t to read sysfs files for cpu online
  * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
  * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
    kernel images, execute qemu, and inherit fds from sshd etc.
  * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
    /run/xen-hotplug/iptables for when vif-bridge runs iptables
  * Allow xm_t to write to xen_lock_t files not var_lock_t
  * Allow xm_t to load kernel modules
  * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and
    unlink its sockets
  * dontaudit xm_t searching home dir content
  * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files
    in xend_var_run_t directory
  * Label /var/lock/xl as xen_lock_t
  * allow unconfined_t to execute xl/xm in xm_t domain.
  * Allow system_cronjob_t to configure all systemd services (restart all
    daemons)
  * Allow dpkg_script_t and unconfined_t to manage systemd service files of
    type null_device_t (symlinks to /dev/null)
  * Label /var/run/lwresd/lwresd.pid as named_var_run_t
  * Label /run/xen/qmp* as qemu_var_run_t
  * Also label squid3.pid
  * Allow iptables_t to be in unconfined_r (for Xen)
  * Allow udev_t to restart systemd services
    Closes: #756729
  * Merge Laurent's changes with mine

 -- Laurent Bigonville <email address hidden>  Fri, 13 May 2016 22:29:59 +0200
Upload details
- Uploaded by: Debian SELinux maintainers
- Uploaded to: Sid
- Original maintainer: Debian SELinux maintainers
- Architectures: all
- Section: admin
- Urgency: Medium Urgency
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
refpolicy_2.20140421-10.dsc | 2.0 KiB | 0b83e4e05e8c672b86e928128071727cd152d580b721817ce1a883bb92f85cd6 |
refpolicy_2.20140421.orig.tar.bz2 | 668.3 KiB | 258ff813c84139175db63958ac8bff2bcce32982bb0d902e06aaaf17dd644367 |
refpolicy_2.20140421-10.debian.tar.xz | 87.9 KiB | e07227169bf110bc045b977dd545a6a84864e431c745696102907b571188036b |
Available diffs
- diff from 2:2.20140421-9 to 2:2.20140421-10 (24.0 KiB)
No changes file available.
Binary packages built by this source
- selinux-policy-default: No summary available for selinux-policy-default in ubuntu yakkety.
No description available for selinux-policy-default in ubuntu yakkety.
- selinux-policy-dev: No summary available for selinux-policy-dev in ubuntu yakkety.
No description available for selinux-policy-dev in ubuntu yakkety.
- selinux-policy-doc: No summary available for selinux-policy-doc in ubuntu yakkety.
No description available for selinux-policy-doc in ubuntu yakkety.
- selinux-policy-mls: No summary available for selinux-policy-mls in ubuntu yakkety.
No description available for selinux-policy-mls in ubuntu yakkety.
- selinux-policy-src: No summary available for selinux-policy-src in ubuntu yakkety.
No description available for selinux-policy-src in ubuntu yakkety.