[ubuntu/natty] refpolicy 2:0.2.20100524-5ubuntu1 (Accepted)

Bhavani Shankar bhavi at ubuntu.com
Sun Jan 9 13:40:31 UTC 2011


refpolicy (2:0.2.20100524-5ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining change:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

refpolicy (2:0.2.20100524-5) unstable; urgency=low

  * Label /usr/bin/tcsh as shell_exec_t
  * Domain trans from unconfined_t to depmod_t
  * Don't include /usr/lib/dovecot/deliver in dovecot.fc/te as it's in lda.pp
  * Don't include /usr/sbin/spamass-milter and /var/spool/postfix/spamass in
    spamassassin.fc as they are in milter.fc
  * Label /var/run/spamass as spamass_milter_data_t
  * Allow lvm_t rw access to unconfined_t semaphores.
  * Added in_unconfined_r() interface and made postfix user domains use it
    so they can be in the role unconfined_r.  Ugly but no better solution at
    this time
    Closes: #592038 #599053
  * Include Chromium policy in mozilla.pp
  * Allow sshd getcap and setcap access
  * Correctly label ~/.xsession-errors
  * Allow spamc_t to be in system_r and allow it access to netlink_route_socket
  * Allow lda_t to talk to the Courier Authdaemon - for courier maildrop
  * Allow fetchmail_t to read usr_t for certificates and to create /tmp files
  * Allow cron jobs to write to crond_tmp_t
  * Label courier socket files as courier_var_run_t
  * Run /usr/sbin/authdaemond as courier_authdaemon_t
  * Allow dkim_milter_t to read proc_t files and create /tmp files
  * Allow dovecot domains to search dovecot_etc_t dirs
  * Allow dovecot_auth_t to talk to mysqld via TCP and read /etc/mysql/my.cnf
  * Label /etc/network/run as etc_t
  * Label X as spamass_milter_var_run_t
  * Remove unconfined_exec_t label from /usr/bin/qemu
    Closes: #601686
  * Label /usr/lib/apache2/mpm-*/apache2 as httpd_exec_t
    Closes: #608291
  * Allow nagios.pp to be installed without apache.pp
    Closes: #587596
  * Removed amavis.pp because it doesn't work and its functionality is covered
    by clamav.pp
    Closes: #559860
  * Allow mono_t to be in role unconfined_r
    Closes: #540143

refpolicy (2:0.2.20100524-4ubuntu1) natty; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

refpolicy (2:0.2.20100524-4) unstable; urgency=low

  * Label /dev/vd* as fixed_disk_device_t, closes: #589997
  * Remove mcskillall and mcsptraceall from unconfined_t; the sysadmin should
    have unconfined_t:SystemLow-SystemHigh.

refpolicy (2:0.2.20100524-3) unstable; urgency=low

  * Give freshclam_t and clamd_t the same access WRT execmem.
  * Install lvm.pp when dmsetup is installed.
  * Add label for /usr/lib/udisks/udisks-daemon.
  * Made devicekit.pp and ricci.pp not depend on consoletype.pp and don't
    build consoletype.
  * label /usr/lib/udisks/.* as bin_t
  * label /etc/kde4 the same way as /etc/kde3.
  * Escape the . in /etc/init.d/mount...
  * Allow insmod_t the capability sys_admin.
  * Label all of /etc/network/run/* as etc_runtime_t and allow udev_t to manage
    such files.
  * Label /etc/network/if-(up|down).d/postfix as initrc_exec_t so that udev
    can reload Postfix and push the queue.
  * Label /usr/lib/ConsoleKit(/.*)? as bin_t to avoid an error message on
    graphical login.
  * On initial install load module policykit.pp when policykit-1 is installed.
  * label /lib/init/rw(/.*)? as var_run_t.
  * label /var/run/xauth as xdm_var_run_t.
  * label /var/run/motd as initrc_var_run_t.

refpolicy (2:0.2.20100524-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable (LP: #607149). Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598).

refpolicy (2:0.2.20100524-2) unstable; urgency=low

  * Include tmpreaper in base policy as mountnfs-bootclean.sh and
    mountall-bootclean.sh need to run as tmpreaper_t.
  * Added a new mcsdeleteall attribute for tmpreaper_t so that it can
    delete files and directories regardless of mcs level.
  * Allow perdition netlink_route_socket access.
  * Allow nrpe_t to execute sudo and search /var/spool
    also don't audit capability sys_resource.
  * Allow postfix_local_t to run sendmail for programs like vacation
  * Make the milter module be loaded if the milter-greylist or spamass-milter
    package is installed.  Make spamassassin policy optional when using the
    milter module.
  * Added a bunch of fixes from git, mostly trivial stuff, but also allowed
    bootloader_t to load modules and allowed kismet_t to search home directories.
  * Don't allow cron daemon to search /var/lib/logrotate.
  * Fixed a typo in gitosis.if
  * Commented out the genfscon line in selinux.if for the includes directory,
    now sepolgen-ifgen works without error.

refpolicy (2:0.2.20100524-1ubuntu1) maverick; urgency=low

  * Merge from debian unstable.  Remaining changes: LP: #602199
    - debian/control: drop "selinux" conflict (Debian bug 576598).

refpolicy (2:0.2.20100524-1) unstable; urgency=low

  * New Upstream release.  This version has had a good deal of testing for
    server use but almost no testing for desktop use.  The usual "Unstable"
    disclaimers apply.

  * Disable UBAC - see http://etbe.coker.com.au/2010/05/26/ubac-selinux-debian/
  * Allow mount_t to read sysfs_t.
  * Allow lvm_t to create semaphores.
  * Allow mount_t and setfiles_t to read/write device_t chr_file.
  * Allow udev to read sym-links in its config directory.
  * Allow vbetool_t to read inotify directories.
  * Allow gpm_t self signull and signal access.

refpolicy (2:0.2.20091117-3) unstable; urgency=low

  * label Google Chrome as unconfined_execmem_exec_t
  * Change the apache_content_template() macro to not define the type
    httpd_$1_script_exec_t, now the caller must unconditionally define it and
    can therefore use it in its .fc file without making a .fc dependency.
  * Allow setrans_t to read proc_t files.
  * Allow pppd to load modules.
  * Allow watchdog_t to read/write /dev/watchdog
  * Allow rpcd_t getcap and setcap access.
  * Allow insmod_t to mount a rpc_pipefs_t filesystem.
  * Correctly label kdm.log.* pm-*log* aptitude*
  * Allow consolekit_t to access pam console data.
  * Correctly label consolekit scripts
  * Allow mount_t to set the scheduling for kernel threads.

refpolicy (2:0.2.20091117-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/control: drop "selinux" conflict (Debian bug 576598).

refpolicy (2:0.2.20091117-2) unstable; urgency=low

  * Label /etc/gdm/Xsession, /etc/gdm/PostSession/* and /etc/gdm/PreSession/*
    as xsession_exec_t.
  * Label /usr/lib/dbus-1.0/dbus-daemon-launch-helper as dbusd_exec_t.
  * Allow syslogd_t read/write access to xconsole_device_t.
  * Allow system_dbusd_t list access to inotifyfs.
  * Allow udev to manage symlinks under /dev
  * Treat devtmpfs the same way as tmpfs.
  * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
  * Allow iptables_t, insmod_t and mount_t to do module_request
  * Use lib32 instead of lib64
    Closes: #569297
  * Make manage_lnk_file_perms allow write access for setting the timestamp.
  * Use filesystem transitions for hugetlbfs_t.
  * Label xenfs_t and allow xend etc to use it.
  * Use lda_t for mail local delivery
  * Allow udev to manage xenfs_t files, to write to etc_runtime_t (for ifstate),
    and to load modules.
  * Allow ifconfig to load modules.
  * Made auth_domtrans_chk_passwd() specify dontaudit for shadow_t file open.

refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low

  * debian/control: drop "selinux" conflict for sane installation
    in Ubuntu (Debian bug 576598).

refpolicy (2:0.2.20091117-1) unstable; urgency=low

  * New upstream release.

refpolicy (2:0.2.20091013-1) unstable; urgency=low

  * New upstream VCS snapshot
  * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit,
    seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis
    (Miroslav Grepl); xscreensaver (Corentin Labbe)
  * [dd26539]: [topic--urand-fix]: Fix issues related to
    /dev/{urandom,console}
    + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t,
      hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t,
      dmidecode_t, getty_t, and setfiles_t to read /dev/urandom
    + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and
      portmap_t to read /dev/console
    + Allow udev_t to access anon_inodefs_t
    These changes take care of most of the problems encountered in recent
    reference policy packages in Debian. Thanks to Russell Coker for the
    fixes.

refpolicy (2:0.2.20090828-1) unstable; urgency=low

  * New upstream snapshot.
    - Deprecated the userdom_xwindwos_client_template().
  * Modified the list of modules we build (added consolekit, and added a
    dependency on consolekit to the devicekit policy module). Turned off
    ddcprobe, since it needs kudzu.
  * Bug fix: "linking policy fails", thanks to Jonathan Nieder
                                                        (Closes: #544079).
  * Bug fix: "linking policy fails (with a statement to file a bug)",
    thanks to Philipp Kern                              (Closes: #543148).
  * Bug fix: "module cvs appears to depend on module apache", thanks to
    Russell Coker                                       (Closes: #539855).
  * Bug fix: "SELinux prevented console-kit-dae from using the terminal
    /dev/tty0", thanks to Ritesh Raj Sarraf. We now have:
    policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
    This should allow access to all terms and ttys.     (Closes: #515167).
  * Bug fix: "SELinux is preventing pulseaudio from loading
    /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to
    Ritesh Raj Sarraf.  /usr/lib/libFLAC\.so.* now has the context
    system_u:object_r:textrel_shlib_t, so this should now work.
                                                       (Closes: #515166).
  * [1ba2425]: nscd cache location changed from /var/db/nscd to
    /var/cache/nscd. The nscd policy module uses the old
    nscd cache location. The cache location changed with glibc 2.7-1,
    and the current nscd does place the files in /var/cache/nscd/.
    Bug fix: "nscd cache location changed from /var/db/nscd to
    /var/cache/nscd", thanks to Sami Haahtinen           (Closes: #506779).

refpolicy (2:0.2.20090818-1) unstable; urgency=low

  * New upstream snapshot, with a number of improvements.
    - Misc Gentoo fixes from Corentin Labbe.
    - Debian policykit fixes from Martin Orr.
    - Fix unconfined_r use of unconfined_java_t.
    - Add missing x_device rules for XI2 functions, from Eamon Walsh.
    - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
    - Add btrfs and ext4 to labeling targets.
    - Fix infrastructure to expand macros in initrc_context when installing.
    - Handle unix_chkpwd usage by useradd and groupadd.
    - Add missing compatibility aliases for xdm_xserver*_t types.

refpolicy (2:0.2.20090730-2.1) unstable; urgency=low

  * Build policykit policy and default to loading it when the policykit
    package is installed.
  * Default to loading the consolekit module when the consolekit package is
    installed.

refpolicy (2:0.2.20090730-2) unstable; urgency=low

  * Bug fix: "selinux policy violation "Unknown" for s2ram
    (hald_t)", thanks to Ritesh Raj Sarraf. This has been fixed for a
    while, but I only just tested it.                (Closes: #515566).
  * Re-enable building in parallel. The current stage should be
    friendlier to jobserver mode, disabling which caused all the issues
    with the previous state.

refpolicy (2:0.2.20090730-1) unstable; urgency=low

  * New upstream release.
  * Updated the location of dovecot's configuration files.
  * Bug fix: "dovecot's etc files are in unexpected location", thanks
    to Frank Engler                                     (Closes: #517712).
  * Fixed rules to note that parallel=N fails.
  * Bug fix: "FTBFS: tmp/rolemap.conf":2194:ERROR 'syntax
    error' at token 'genfscon' on line 704548:", thanks to
    Lucas Nussbaum                                      (Closes: #536899).
  * Bug fix: "dpkg-buildpackage -j2 fails on AMD64", thanks to Russell
    Coker (Closes: #538789).

refpolicy (2:0.0.20090629-1) unstable; urgency=low

  * New upstream snapshot.
  * [82f63f3]: Removed the lda policy package. There were a number of
    reasons for doing so: this package was created in order to deal with
    local mail delivery in Debian, and has not been adopted upstream. I
    would like to remove the divergence from upstream policy, and not
    maintain it, so that was incentive. Also, upstream policy for
    mail-related packages has been improved in the meanwhile, and the lda
    package was conflicting with some of the changes, so that was added
    reason for it to go.

refpolicy (2:0.0.20090621-1) unstable; urgency=low

  * New upstream snapshot.
    - Greylist milter from Paul Howarth.
    - Crack db access for su to handle password expiration, from Brandon Whalen.
    - Misc fixes for unix_update from Brandon Whalen.
    - Add x_device permissions for XI2 functions, from Eamon Walsh.
    - MLS constraints for the x_selection class, from Eamon Walsh.
    - Postgresql updates from KaiGai Kohei.
    - Milter state directory patch from Paul Howarth.
    - Add MLS constraints for ingress/egress and secmark from Paul Moore.
    - Drop write permission from fs_read_rpc_sockets().
    - Remove unused udev_runtime_t type.
    - Patch for RadSec port from Glen Turner.
    - Enable network_peer_controls policy capability from Paul Moore.
    - Btrfs xattr support from Paul Moore.
    - Add db_procedure install permission from KaiGai Kohei.
    - Add support for network interfaces with access controlled by a Boolean
      from the CLIP project.
    - Several fixes from the CLIP project.
    - Add support for labeled Booleans.
    - Remove node definitions and change node usage to generic nodes.
    - Add kernel_service access vectors, from Stephen Smalley.
    - Added modules:
            certmaster (Dan Walsh)
            git (Dan Walsh)
            gpsd (Miroslav Grepl)
            guest (Dan Walsh)
            ifplugd (Dan Walsh)
            lircd (Miroslav Grepl)
            logadm (Dan Walsh)
            pingd (Dan Walsh)
            psad (Dan Walsh)
            portreserve (Dan Walsh)
            ulogd (Dan Walsh)
            webadm (Dan Walsh)
            xguest (Dan Walsh)
            zosremote (Dan Walsh)
    - Fix consistency of audioentropy and iscsi module naming.
    - Debian file context fix for xen from Russell Coker.
    - Xserver MLS fix from Eamon Walsh.
    - Add omapi port for dhcpcd.
    - Deprecate per-role templates and rolemap support.
    - Implement user-based access control for use as role separations.
    - Move shared library calls from individual modules to the domain module.
    - Enable open permission checks policy capability.
    - Remove hierarchy from portage module as it is not a good example of
      hierarchy.
    - Remove enableaudit target from modular build as semodule -DB supplants it.
    - Added modules:
            milter (Paul Howarth)
  * Sync'd with Russell Coker

refpolicy (2:0.0.20081014-1) unstable; urgency=low

  * New upstream release
    - Fix httpd_enable_homedirs to actually provide the access it is
      supposed to provide.
    - Add unused interface/template parameter metadata in XML.
    - Patch to handle postfix data_directory from Vaclav Ovsik.
    - SE-Postgresql policy from KaiGai Kohei.
    - Patch for X.org dbus support from Martin Orr.
    - Patch for labeled networking controls in 2.6.25 from Paul Moore.
    - Module loading now requires setsched on kernel threads.
    - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
    - X application data class from Eamon Walsh and Ted Toth.
    - Move user roles into individual modules.
    - Make hald_log_t a log file.
    - Cryptsetup runs shell scripts.  Patch from Martin Orr.
    - Add file for enabling policy capabilities.
    - Patch to fix leaky interface/template call depth calculator from
      Vaclav Ovsik.
    - Added modules:
            kerneloops (Dan Walsh)
            kismet (Dan Walsh)
            podsleuth (Dan Walsh)
            prelude (Dan Walsh)
            qemu (Dan Walsh)
            virt (Dan Walsh)
  * Updated the link to the shared copyright file.

refpolicy (2:0.0.20080702-16) unstable; urgency=low

  * Allow system_dbusd_t to read /proc/X/cmdline so it knows the client name
  * Label /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon as bin_t
  * Allow $1_gpg_t to read inotifyfs_t directories
  * Allow user_t signull access to xdm_t for gdmflexiserver
  * Fix the path for deliver in lda.fc
  * Load lda.pp when dovecot-common is installed and dovecot.pp when other
    dovecot packages are installed.  Allow lda_t to use dovecot auth socket
  * Allow dovecot_auth_t to create sockets labeled as dovecot_var_run_t,
    also allow chown capability to apply correct ownership
  * Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t
    files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat
    filesystems, get a list of processes, and check mysql and postgresql
    databases.
  * Make mail_spool_t a filesystem_type.
  * Allow snmpd_t capabilities setuid and chown
  * Allow xdm_xserver_t to send dbus messages to unconfined_t
  * Allow postfix_cleanup_t shutdown access to a postfix_smtpd_t
    unix_stream_socket
  * Allow clamd_t access to inherit its own fds.
  * Enable the watchdog policy in the build.
  * Grant capability ipc_lock to dpkg_t

refpolicy (2:0.0.20080702-15) unstable; urgency=low

  * Made every domain that has process:setcap access also have process:getcap.
  * Set the type of /etc/network/run/ifstate to etc_runtime_t and allow
    udev_t to write to it.
  * allow apt_t to manage directories of type apt_var_log_t
  * allow initrc_t postfix_etc_t:file ioctl;
  * allow postfix_showq_t to be used from user roles.
  * allow postfix_virtual_t to connect to postfix_private_t sockets
  * allow postfix_pipe_t to execute bin_t
  * allow initrc_t udev_tbl_t:file unlink and device_t:dir rmdir
  * allow the Courier POP server full rw_file_perms access to courier_var_lib_t.
  * allow jabberd_t to connect to jabber_interserver_port_t.
  * allow fcrond to do all the funky things it desires.
  * allow cupsd_t to read/write generic USB devices.
  * allow webalizer to read /usr files (for GeoIP).
  * Enable dovecot_t for daemon_access_unconfined_home
  * dontaudit logrotate stating terminal devices.
  * allow dpkg_t to set rlimit
  * Label /var/lib/squirrelmail/data(/.*)? as httpd_squirrelmail_t.
  * allow apmd_t to talk to hald_t via dbus.
  * allow dovecot to connect to Mysql and PostgreSQL
  * label most /usr/lib/dovecot/* files as bin_t
  * Added new "lda" module for email local delivery agents such as maildrop
    and procmail and don't build procmail.pp any more.
  * Label /var/run/xauth/* as xdm_var_run_t.
  * Label /var/run/openvpn.client* as openvpn_var_run_t.
  * Make /var/log/?dm.log.* files get the type xserver_log_t
  * Make /var/log/aptitude* files get the type apt_var_log_t
  * Make /var/run/gdm_socket get the type xdm_var_run_t
  * Labelled the entrypoint scripts under /etc/gdm as xsession_exec_t
  * Fixed Debian labelling for atspool
  * allow openvpn_t to access var_lib_t and usr_t files for vulnkey.
  * allow user domains to access the xdm socket of type xdm_var_run_t for
    switch user.
  * allow unconfined_t to transition to system_dbusd_t.
    Closes: #498965

refpolicy (2:0.0.20080702-14.1) unstable; urgency=low

  * Fix FTBS problems when building in parallel, by moving to the new,
    make -j friendly targets in debian/rules. These rules have been tested
    in several packages, and have been tested often with
    "fakeroot make -j4 -f ./debian/rules binary".
  * Updated the VCS-* variables in control to point to the git repo.

refpolicy (2:0.0.20080702-14) unstable; urgency=high

  * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
    a domain transition.  Also dontaudit searching of the sysadm home dir
    and allow xend_t to manage xenstored_var_run_t.
    Allow losetup (fsadm_t) and udev access to Xen image files
  * Add support for Exim.
  * Add support for Jabber, including adding the epmd_t domain for the Erlang
    Port Mapper Daemon (used by ejabberd).  Label port 5280 as being for Jabber
    (the ejabberd web administration service) and port 7777 (SOCKS5
    Bytestreams (XEP-0065) for proxy file transfer).
  * Allow cron to search httpd_sys_content_t
  * Dontaudit logrotate search access to unconfined_home_dir_t.
  * Fixed labelling of /var/lock/mailman
  * Allow courier_pop_t to read /dev/urandom and to do ioctl on its fifos.
    Also allow it to talk to portmap so the IMAP server can do FAM.

refpolicy (2:0.0.20080702-13) unstable; urgency=high

  * Allow spamd_t to create a Unix domain socket.
  * Allow clamd_t to read files under /usr (for Perl).
    Allow it to connect to amavisd_send_port_t.
    Allow it to talk to itself by unix stream sockets and bind to UDP nodes.
    Closes: #502274
  * Allow logrotate_t to transition to webalizer_t for web log processing.
  * Allow initrc_t to create fixed_disk_device_t nodes under var_run_t,
    for the case where /etc/fstab has an error regarding the root fs.
  * Use the Lenny paths for xm, xend, xenstored, and xenconsoled.
    Add some extra permissions that Xen needs.

refpolicy (2:0.0.20080702-12) unstable; urgency=low

  * Allow procmail to deliver mail to the unconfined home directories if
    daemon_access_unconfined_home is set.
  * Add the audioentropy module for use with the randomsound package.
  * Allow spamd_t the kill capability.
  * Make the default range for MCS __default__ users be s0-s0:c0.c1023,
    this fixes a problem with restarting daemons after logging in as non-root
    and running "su -".

refpolicy (2:0.0.20080702-11) unstable; urgency=high

  * Create new interface crond_search_dir() and use it to allow crond_t to
    search clamd_var_lib_t for amavis cron jobs.
  * Allow postfix_cleanup_t to talk to dkim for signing local messages.
  * Allow freshclam_t to read the routing table and talk to http_cache_port_t.
  * Allow clamd_t to search bin_t and read bin_t links.
  * Allow clamd_t to search postfix_spool_t for creation of Unix domain socket
    in the sub-directory, this is ugly and a little bit wrong but makes it
    easier to configure Postfix.
  * Allow semanage_t (for setsebool and semodule) to call statfs().
  * Add Asterisk policy module, and grant setcap access.
  * Copy the Fedora 10 cron changes to reduce the policy size.
    Allow user_t to send sigchld to user_crontab_t and to write to
    user_crontab_tmp_t files.  Necessary for full functionality!

refpolicy (2:0.0.20080702-10) unstable; urgency=low

  * Allow mailserver local delivery agent to manage_file_perm access to
    mail_spool_t
    Closes: #499218
  * Build a module for xen, and make lvm support optional in it.
  * Make the postinst link the xen, lvm, and pcmcia modules if appropriate.
  * Added the clamav module to the policy.
  * Wrote a new DKIM module.
  * Allowed crontab to create directories under /tmp.
  * Made unconfined_crond_t an alias for unconfined_t and made unconfined cron
    jobs work.
  * Built the NAGIOS module and include the suggested change from #493979.
    NB I won't have time to do any testing of this so someone else will need
    to deploy it on a fully functional NAGIOS system.
    Closes: #493979

refpolicy (2:0.0.20080702-9) unstable; urgency=low

  * Allow the Postfix newaliases to create new /etc/aliases.db file so that
    the postinst for Postfix can work.
  * The last update broke unconfined_mail_t for systems not running postfix,
    fixing that (thanks Martin Orr).
    Closes: #499064
  * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsík).
    Closes: #496809

refpolicy (2:0.0.20080702-8) unstable; urgency=low

  * Made the postinst faster on machines with small amounts of memory.  5%
    improvement on AMD64 with 64M of RAM.  Not sure how much benefit it might
    give for a NSLUG.
  * Allowed dictd to create pid file.
  * Allowed mcstransd to getcap.
  * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
    scripts running as run_init_t.
    Closes: #498965
  * Makes Postfix work correctly.
    Closes: #473043
  * Allow $1_mail_t to read proc_t:file (for Postfix).

refpolicy (2:0.0.20080702-7) unstable; urgency=low

  * Polish updates, added labelling for /lib/udev/create_static_nodes,
    /var/log/prelink.log, and corrected labelling for /var/run/kdm
  * Made Postfix work with unconfined_t.
  * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
    to talk to it.
  * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access it.
    Also allowed courier_sqwebmail_t to access /dev/urandom.
  * Allowed courier-pop and apache to access unconfined home directories.
  * Changed the policy for /var/cache/ldconfig to match upstream.
  * Allowed unconfined_t to run run_init.

refpolicy (2:0.0.20080702-6) unstable; urgency=low

  * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
    Closes: #494234
  * Made xserver.pp be loaded whenever xbase-clients is installed so that
    /tmp/.ICE-unix gets the right context.
  * Policy updates, allowed rsyslogd to work correctly
    Allow gpg to read/write user files under /tmp
    Set the context of /var/run/portmap_mapping and /var/cache/ldconfig
    Allow users to read symlinks under /var/lib (for python)
    Make udev_t transition when running initrc_exec_t.
    Changed the type of /var/init/rw to var_run_t
    Changed r_dir_perms to list_dir_perms and r_file_perms to read_file_perms
    to avoid warnings.
    Changed read_file_perms to read_lnk_file_perms for lnk_file class.
    Set the contexts for /var/run/hotkey-setup, /var/run/motd, /var/run/kdm/*,
    and /var/lib/gdm/*
    Dontaudit logrotate_t trying to write initrc_var_run_t.

refpolicy (2:0.0.20080702-5) unstable; urgency=low

  * Allow unconfined_r to transition to system_r.

refpolicy (2:0.0.20080702-4) unstable; urgency=low

  * Policy updates.
  * Depend on libsepol1 version 2.0.30-2.

refpolicy (2:0.0.20080702-3) unstable; urgency=low

  * More policy fixes.
  * Made it build-depend and depend on libsepol1 (>=2.0.30-2)
    Closes: #492318
  * Made it automatically change the SELINUXTYPE if the old value is obsolete
    and the policy was linked successfully.

refpolicy (2:0.0.20080702-2) unstable; urgency=low

  * Made the mls package extra and made some other packages optional.
    Closes: #490760
  * Merged some patches from older policy packages.

refpolicy (2:0.0.20080702-1) unstable; urgency=low

  * Update to latest upstream and take over the package as Manoj seems busy
    on other things.
  * Change the policy package names to selinux-policy-default and
    selinux-policy-mls.  Made selinux-policy-default do strict and targeted
    (targeted by default).
  * Optimise module loading to halve postinst time.
  * Depend on the latest policycoreutils (which sets the right default in
    /etc/selinux/config).

Date: Sun, 09 Jan 2011 19:02:47 +0530
Changed-By: Bhavani Shankar <bhavi at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Bhavani Shankar <right2bhavi at gmail.com>
https://launchpad.net/ubuntu/natty/+source/refpolicy/2:0.2.20100524-5ubuntu1

Format: 1.8
Date: Sun, 09 Jan 2011 19:02:47 +0530
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source
Version: 2:0.2.20100524-5ubuntu1
Distribution: natty
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bhavani Shankar <bhavi at ubuntu.com>
Description: 
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 473043 490760 492318 493979 494234 496809 498965 499064 499218 502274 506779 515166 515167 515566 517712 536899 538789 539855 540143 543148 544079 559860 569297 587596 589997 592038 601686 608291
Launchpad-Bugs-Fixed: 602199 607149
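The Closes: field above lists 592038 but not 599053, although the changelog entry reads "Closes: #592038 #599053": dpkg only continues a Closes list across commas, so a space-separated second number is silently dropped. As an added example (not part of this upload or of the refpolicy package), the Python below applies the regular expression documented in deb-changelog(5) to a constructed excerpt of the entries above; the Launchpad "LP: #" pattern is an assumption about Ubuntu's dpkg, and the excerpt is constructed.

```python
"""Which bug references in a Debian changelog does dpkg actually auto-close?

The excerpt below is constructed from entries of the refpolicy changelog
(not the full file).
"""
import re

# Pattern documented in deb-changelog(5) for the "Closes:" token (matched
# case-insensitively). Only a comma continues the list, so in
# "Closes: #592038 #599053" the match stops after the first number and
# 599053 never reaches the .changes Closes: field.
CLOSES_RE = re.compile(
    r"closes:\s*(?:bug)?\#?\s?\d+(?:,\s*(?:bug)?\#?\s?\d+)*", re.IGNORECASE)

# Launchpad form used in the entries on this page ("LP: #nnnnnn"). This
# pattern is an assumption about Ubuntu's dpkg, not a documented regex.
LP_RE = re.compile(r"lp:\s+\#\d+(?:,\s*\#\d+)*", re.IGNORECASE)

# Any bug-looking reference ("#123456", "bug 123456", "Bug#123456"), used to
# spot references that neither parser will pick up.
BUGREF_RE = re.compile(r"(?:#|\bbug\s*#?\s*)(\d{4,})", re.IGNORECASE)
NUM_RE = re.compile(r"\d+")

# Constructed excerpt: a few lines taken from the changelog above.
SAMPLE = """\
refpolicy (2:0.2.20100524-5ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #607149). Remaining change:
    - debian/control: drop "selinux" conflict (Debian bug 576598)

refpolicy (2:0.2.20100524-5) unstable; urgency=low

  * Added in_unconfined_r() interface and made postfix user domains use it
    Closes: #592038 #599053
  * Label /dev/vd* as fixed_disk_device_t, closes: #589997
  * Bug fix: "linking policy fails", thanks to Jonathan Nieder
                                                        (Closes: #544079).
"""


def _numbers(pattern, text):
    """All bug numbers inside every match of pattern."""
    found = set()
    for match in pattern.finditer(text):
        found.update(int(n) for n in NUM_RE.findall(match.group(0)))
    return found


def debian_closes(changelog):
    """Bug numbers dpkg-genchanges would place in the Closes: field."""
    return sorted(_numbers(CLOSES_RE, changelog))


def launchpad_closes(changelog):
    """Bug numbers that would land in Launchpad-Bugs-Fixed (assumed form)."""
    return sorted(_numbers(LP_RE, changelog))


def referenced_not_closed(changelog):
    """Bug numbers mentioned in the text but closed by neither parser."""
    referenced = {int(n) for n in BUGREF_RE.findall(changelog)}
    closed = _numbers(CLOSES_RE, changelog) | _numbers(LP_RE, changelog)
    return sorted(referenced - closed)


def check_closes_field(changelog, closes_field):
    """Compare a .changes Closes: field against what the changelog supports.

    Returns (listed_without_support, parsed_but_not_listed).
    """
    listed = {int(n) for n in closes_field.split()}
    parsed = _numbers(CLOSES_RE, changelog)
    return sorted(listed - parsed), sorted(parsed - listed)


if __name__ == "__main__":
    print("Closes:", debian_closes(SAMPLE))
    print("Launchpad-Bugs-Fixed:", launchpad_closes(SAMPLE))
    print("referenced but not closed:", referenced_not_closed(SAMPLE))
```

Running the block on the excerpt reports 576598 and 599053 as referenced but not closed, which matches the Closes: field of the upload above.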
     disclaimers apply.
 .
   * Disable UBAC - see http://etbe.coker.com.au/2010/05/26/ubac-selinux-debian/
   * Allow mount_t to read sysfs_t.
   * Allow lvm_t to create semaphores.
   * Allow mount_t and setfiles_t to read/write device_t chr_file.
  * Allow udev to read sym-links in its config directory.
   * Allow vbetool_t to read inotify directories.
   * Allow gpm_t self signull and signal access.
 .
 refpolicy (2:0.2.20091117-3) unstable; urgency=low
 .
   * label Google Chrome as unconfined_execmem_exec_t
   * Change the apache_content_template() macro to not define the type
     httpd_$1_script_exec_t, now the caller must unconditionally define it and
    can therefore use it in its .fc file without making a .fc dependency.
   * Allow setrans_t to read proc_t files.
   * Allow pppd to load modules.
   * Allow watchdog_t to read/write /dev/watchdog
   * Allow rpcd_t getcap and setcap access.
   * Allow insmod_t to mount a rpc_pipefs_t filesystem.
   * Correctly label kdm.log.* pm-*log* aptitude*
   * Allow consolekit_t to access pam console data.
   * Correctly label consolekit scripts
   * Allow mount_t to set the scheduling for kernel threads.
 .
 refpolicy (2:0.2.20091117-2ubuntu1) maverick; urgency=low
 .
   * Merge from debian unstable.  Remaining changes:
     - debian/control: drop "selinux" conflict (Debian bug 576598).
 .
 refpolicy (2:0.2.20091117-2) unstable; urgency=low
 .
   * Label /etc/gdm/Xsession, /etc/gdm/PostSession/* and /etc/gdm/PreSession/*
     as xsession_exec_t.
   * Label /usr/lib/dbus-1.0/dbus-daemon-launch-helper as dbusd_exec_t.
   * Allow syslogd_t to read/write access to xconsole_device_t.
   * Allow system_dbusd_t list access to inotifyfs.
   * Allow udev to manage symlinks under /dev
   * Treat devtmpfs the same way as tmpfs.
   * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
   * Allow iptables_t, insmod_t and mount_t to do module_request
   * Use lib32 instead of lib64
     Closes: #569297
   * Make manage_lnk_file_perms allow write access for setting the timestamp.
   * Use filesystem transitions for hugetlbfs_t.
   * Label xenfs_t and allow xend etc to use it.
   * Use lda_t for mail local delivery
   * Allow udev to manage xenfs_t files, to write to etc_runtime_t (for ifstate),
     and to load modules.
   * Allow ifconfig to load modules.
   * Made auth_domtrans_chk_passwd() specify dontaudit for shadow_t file open.
 .
 refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low
 .
   * debian/control: drop "selinux" conflict for sane installation
     in Ubuntu (Debian bug 576598).
 .
 refpolicy (2:0.2.20091117-1) unstable; urgency=low
 .
   * New upstream release.
 .
 refpolicy (2:0.2.20091013-1) unstable; urgency=low
 .
   * New upstream VCS snapshot
   * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit,
     seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis
     (Miroslav Grepl); xscreensaver (Corentin Labbe)
   * [dd26539]: [topic--urand-fix]: Fix issues related to
     /dev/{urandom,console}
     + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t,
       hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t,
       dmidecode_t, getty_t, and setfiles_t to read /dev/urandom
     + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and
       portmap_t to read /dev/console
     + Allow udev_t to access anon_inodefs_t
     These changes take care of most of the problems encountered in recent
     reference policy packages in Debian. Thanks to Russell Coker for the
     fixes.
 .
 refpolicy (2:0.2.20090828-1) unstable; urgency=low
 .
   * New upstream snapshot.
    - Deprecated the userdom_xwindows_client_template().
   * Modified the list of modules we build (added consolekit, and added a
     dependency on consolekit to the devicekit policymodule. Turned off
     ddcprobe, since it needs kudzu.
   * Bug fix: "linking policy fails", thanks to Jonathan Nieder
                                                         (Closes: #544079).
   * Bug fix: "linking policy fails (with a statement to file a bug)",
     thanks to Philipp Kern                              (Closes: #543148).
   * Bug fix: "module cvs appears to depend on module apache", thanks to
     Russell Coker                                       (Closes: #539855).
   * Bug fix: "SELinux prevented console-kit-dae from using the terminal
     /dev/tty0", thanks to Ritesh Raj Sarraf. We now have:
     policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
     This should allow access to all terms and ttys.     (Closes: #515167).
   * Bug fix: "SELinux is preventing pulseaudio from loading
     /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to
     Ritesh Raj Sarraf.  /usr/lib/libFLAC\.so.* now has the context
     system_u:object_r:textrel_shlib_t, so this should now work.
                                                        (Closes: #515166).
   * [1ba2425]: nscd cache location changed from /var/db/nscd to
     /var/cache/nscd. The nscd policy module uses the old
     nscd cache location. The cache location changed with glibc 2.7-1,
     and the current nscd does place the files in /var/cache/nscd/.
     Bug fix: "nscd cache location changed from /var/db/nscd to
     /var/cache/nscd", thanks to Sami Haahtinen           (Closes: #506779).
 .
 refpolicy (2:0.2.20090818-1) unstable; urgency=low
 .
   * New upstream snapshot, with a number of improvements.
     - Misc Gentoo fixes from Corentin Labbe.
     - Debian policykit fixes from Martin Orr.
     - Fix unconfined_r use of unconfined_java_t.
     - Add missing x_device rules for XI2 functions, from Eamon Walsh.
     - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
     - Add btrfs and ext4 to labeling targets.
     - Fix infrastructure to expand macros in initrc_context when installing.
     - Handle unix_chkpwd usage by useradd and groupadd.
     - Add missing compatibility aliases for xdm_xserver*_t types.
 .
 refpolicy (2:0.2.20090730-2.1) unstable; urgency=low
 .
   * Build policykit policy and default to loading it when the policykit
     package is installed.
   * Default to loading the consolekit module when the consolekit package is
     installed.
 .
 refpolicy (2:0.2.20090730-2) unstable; urgency=low
 .
  * Bug fix: "selinux policy violation "Unknown" for s2ram
    (hald_t)", thanks to Ritesh Raj Sarraf. This has been fixed for a
    while, but I only just tested it.                (Closes: #515566).
  * Re-enable building in parallel. The current state should be
    friendlier to jobserver mode, disabling which caused all the issues
    with the previous state.
 .
 refpolicy (2:0.2.20090730-1) unstable; urgency=low
 .
   * New upstream release.
   * Updated the location of dovecot's configuration files.
   * Bug fix: "dovecot's etc files are in unexpected location", thanks
     to Frank Engler                                     (Closes: #517712).
   * Fixed rules to note that parallel=N fails.
   * Bug fix: "FTBFS: tmp/rolemap.conf":2194:ERROR 'syntax
     error' at token 'genfscon' on line 704548:", thanks to
     Lucas Nussbaum                                      (Closes: #536899).
   * Bug fix: "dpkg-buildpackage -j2 fails on AMD64", thanks to Russell
     Coker (Closes: #538789).
 .
 refpolicy (2:0.0.20090629-1) unstable; urgency=low
 .
   * New upstream snapshot.
   * [82f63f3]: Removed the lda policy package. There were a number of
     reasons for doing so: this package was created in order to deal with
     local mail delivery in Debian, and has not been adopted upstream. I
     would like to remove the divergence from upstream policy, and not
    maintain it, so that was incentive. Also, upstream policy for
     mail-related packages has been improved in the meanwhile, and the lda
     package was conflicting with some of the changes, so that was added
     reason for it to go.
 .
 refpolicy (2:0.0.20090621-1) unstable; urgency=low
 .
   * New upstream snapshot.
     - Greylist milter from Paul Howarth.
     - Crack db access for su to handle password expiration, from Brandon Whalen.
     - Misc fixes for unix_update from Brandon Whalen.
     - Add x_device permissions for XI2 functions, from Eamon Walsh.
     - MLS constraints for the x_selection class, from Eamon Walsh.
     - Postgresql updates from KaiGai Kohei.
     - Milter state directory patch from Paul Howarth.
     - Add MLS constrains for ingress/egress and secmark from Paul Moore.
     - Drop write permission from fs_read_rpc_sockets().
     - Remove unused udev_runtime_t type.
     - Patch for RadSec port from Glen Turner.
     - Enable network_peer_controls policy capability from Paul Moore.
     - Btrfs xattr support from Paul Moore.
     - Add db_procedure install permission from KaiGai Kohei.
     - Add support for network interfaces with access controlled by a Boolean
       from the CLIP project.
     - Several fixes from the CLIP project.
     - Add support for labeled Booleans.
     - Remove node definitions and change node usage to generic nodes.
     - Add kernel_service access vectors, from Stephen Smalley.
     - Added modules:
             certmaster (Dan Walsh)
             git (Dan Walsh)
             gpsd (Miroslav Grepl)
             guest (Dan Walsh)
             ifplugd (Dan Walsh)
             lircd (Miroslav Grepl)
             logadm (Dan Walsh)
             pingd (Dan Walsh)
             psad (Dan Walsh)
             portreserve (Dan Walsh)
             ulogd (Dan Walsh)
             webadm (Dan Walsh)
             xguest (Dan Walsh)
             zosremote (Dan Walsh)
 .
    - Fix consistency of audioentropy and iscsi module naming.
    - Debian file context fix for xen from Russell Coker.
    - Xserver MLS fix from Eamon Walsh.
    - Add omapi port for dhcpcd.
    - Deprecate per-role templates and rolemap support.
    - Implement user-based access control for use as role separations.
    - Move shared library calls from individual modules to the domain module.
    - Enable open permission checks policy capability.
    - Remove hierarchy from portage module as it is not a good example of
      hierarchy.
    - Remove enableaudit target from modular build as semodule -DB supplants it.
    - Added modules:
            milter (Paul Howarth)
   * Sync'd with Russell Coker
 .
 refpolicy (2:0.0.20081014-1) unstable; urgency=low
 .
   * New upstream release
     - Fix httpd_enable_homedirs to actually provide the access it is
       supposed to provide.
     - Add unused interface/template parameter metadata in XML.
     - Patch to handle postfix data_directory from Vaclav Ovsik.
     - SE-Postgresql policy from KaiGai Kohei.
     - Patch for X.org dbus support from Martin Orr.
     - Patch for labeled networking controls in 2.6.25 from Paul Moore.
     - Module loading now requires setsched on kernel threads.
     - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
     - X application data class from Eamon Walsh and Ted Toth.
     - Move user roles into individual modules.
     - Make hald_log_t a log file.
     - Cryptsetup runs shell scripts.  Patch from Martin Orr.
     - Add file for enabling policy capabilities.
     - Patch to fix leaky interface/template call depth calculator from
       Vaclav Ovsik.
     - Added modules:
             kerneloops (Dan Walsh)
             kismet (Dan Walsh)
             podsleuth (Dan Walsh)
             prelude (Dan Walsh)
             qemu (Dan Walsh)
             virt (Dan Walsh)
   * Updated the link to the shared copyright file.
 .
 refpolicy (2:0.0.20080702-16) unstable; urgency=low
 .
   * Allow system_dbusd_t to read /proc/X/cmdline so it knows the client name
   * Label /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon as bin_t
   * Allow $1_gpg_t to read inotifyfs_t directories
   * Allow user_t signull access to xdm_t for gdmflexiserver
   * Fix the path for deliver in lda.fc
   * Load lda.pp when dovecot-common is installed and dovecot.pp when other
     dovecot packages are installed.  Allow lda_t to use dovecot auth socket
   * Allow dovecot_auth_t to create sockets labeled as dovecot_var_run_t,
     also allow chown capability to apply correct ownership
   * Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t
     files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat
     filesystems, get a list of processes, and check mysql and postgresql
     databases.
   * Make mail_spool_t a filesystem_type.
   * Allow snmpd_t capabilities setuid and chown
   * Allow xdm_xserver_t to send dbus messages to unconfined_t
   * Allow postfix_cleanup_t shutdown access to a postfix_smtpd_t
     unix_stream_socket
  * Allow clamd_t access to inherit its own fds.
   * Enable the watchdog policy in the build.
   * Grant capability ipc_lock to dpkg_t
 .
 refpolicy (2:0.0.20080702-15) unstable; urgency=low
 .
  * Gave every domain that has process:setcap access process:getcap as well.
   * Set the type of /etc/network/run/ifstate to etc_runtime_t and allow
     udev_t to write to it.
   * allow apt_t to manage directories of type apt_var_log_t
   * allow initrc_t postfix_etc_t:file ioctl;
   * allow postfix_showq_t to be used from user roles.
   * allow postfix_virtual_t to connect to postfix_private_t sockets
   * allow postfix_pipe_t to execute bin_t
   * allow initrc_t udev_tbl_t:file unlink and device_t:dir rmdir
  * allow the Courier POP server full rw_file_perms access to courier_var_lib_t.
   * allow jabberd_t to connect to jabber_interserver_port_t.
   * allow fcrond to do all the funky things it desires.
   * allow cupsd_t to read/write generic USB devices.
   * allow webalizer to read /usr files (for GeoIP).
   * Enable dovecot_t for daemon_access_unconfined_home
   * dontaudit logrotate stating terminal devices.
   * allow dpkg_t to set rlimit
   * Label /var/lib/squirrelmail/data(/.*)? as httpd_squirrelmail_t.
   * allow apmd_t to talk to hald_t via dbus.
   * allow dovecot to connect to Mysql and PostgreSQL
   * label most /usr/lib/dovecot/* files as bin_t
   * Added new "lda" module for email local delivery agents such as maildrop
     and procmail and don't build procmail.pp any more.
   * Label /var/run/xauth/* as xdm_var_run_t.
   * Label /var/run/openvpn.client* as openvpn_var_run_t.
   * Make /var/log/?dm.log.* files get the type xserver_log_t
   * Make /var/log/aptitude* files get the type apt_var_log_t
   * Make /var/run/gdm_socket get the type xdm_var_run_t
   * Labelled the entrypoint scripts under /etc/gdm as xsession_exec_t
   * Fixed Debian labelling for atspool
   * allow openvpn_t to access var_lib_t and usr_t files for vulnkey.
   * allow user domains to access the xdm socket of type xdm_var_run_t for
     switch user.
   * allow unconfined_t to transition to system_dbusd_t.
     Closes: #498965
 .
 refpolicy (2:0.0.20080702-14.1) unstable; urgency=low
 .
  * Fix FTBFS problems when building in parallel, by moving to the new,
     make -j friendly targets in debian/rules. These rules have been tested
     in several packages, and have been tested often with
     "fakeroot make -j4 -f ./debian/rules binary".
   * Updated the VCS-* variables in control to point to the git repo.
 .
 refpolicy (2:0.0.20080702-14) unstable; urgency=high
 .
   * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
     a domain transition.  Also dontaudit searching of the sysadm home dir
     and allow xend_t to manage xenstored_var_run_t.
     Allow losetup (fsadm_t) and udev access to Xen image files
   * Add support for Exim.
   * Add support for Jabber, including adding the epmd_t domain for the Erlang
     Port Mapper Daemon (used by ejabberd).  Label port 5280 as being for Jabber
     (the ejabberd web administration service) and port 7777 (SOCKS5
     Bytestreams (XEP-0065) for proxy file transfer).
   * Allow cron to search httpd_sys_content_t
   * Dontaudit logrotate search access to unconfined_home_dir_t.
   * Fixed labelling of /var/lock/mailman
  * Allow courier_pop_t to read /dev/urandom and to do ioctl on its fifos.
     Also allow it to talk to portmap so the IMAP server can do FAM.
 .
 refpolicy (2:0.0.20080702-13) unstable; urgency=high
 .
   * Allow spamd_t to create a Unix domain socket.
   * Allow clamd_t to read files under /usr (for Perl).
     Allow it to connect to amavisd_send_port_t.
     Allow it to talk to itself by unix stream sockets and bind to UDP nodes.
     Closes: #502274
   * Allow logrotate_t to transition to webalizer_t for web log processing.
   * Allow initrc_t to create fixed_disk_device_t nodes under var_run_t,
     for the case where /etc/fstab has an error regarding the root fs.
   * Use the Lenny paths for xm, xend, xenstored, and xenconsoled.
     Add some extra permissions that Xen needs.
 .
 refpolicy (2:0.0.20080702-12) unstable; urgency=low
 .
   * Allow procmail to deliver mail to the unconfined home directories if
     daemon_access_unconfined_home is set.
   * Add the audioentropy module for use with the randomsound package.
   * Allow spamd_t the kill capability.
   * Make the default range for MCS __default__ users be s0-s0:c0.c1023,
     this fixes a problem with restarting daemons after logging in as non-root
     and running "su -".
 .
 refpolicy (2:0.0.20080702-11) unstable; urgency=high
 .
   * Create new interface crond_search_dir() and use it to allow crond_t to
     search clamd_var_lib_t for amavis cron jobs.
   * Allow postfix_cleanup_t to talk to dkim for signing local messages.
   * Allow freshclam_t to read the routing table and talk to http_cache_port_t.
   * Allow clamd_t to search bin_t and read bin_t links.
   * Allow clamd_t to search postfix_spool_t for creation of Unix domain socket
     in the sub-directory, this is ugly and a little bit wrong but makes it
     easier to configure Postfix.
   * Allow semanage_t (for setsebool and semodule) to call statfs().
   * Add Asterisk policy module, and grant setcap access.
   * Copy the Fedora 10 cron changes to reduce the policy size.
     Allow user_t to send sigchld to user_crontab_t and to write to
     user_crontab_tmp_t files.  Necessary for full functionality!
 .
 refpolicy (2:0.0.20080702-10) unstable; urgency=low
 .
   * Allow mailserver local delivery agent to manage_file_perm access to
     mail_spool_t
     Closes: #499218
   * Build a module for xen, and make lvm support optional in it.
   * Make the postinst link the xen, lvm, and pcmcia modules if appropriate.
   * Added the clamav module to the policy.
   * Wrote a new DKIM module.
   * Allowed crontab to create directories under /tmp.
   * Made unconfined_crond_t an alias for unconfined_t and made unconfined cron
     jobs work.
   * Built the NAGIOS module and include the suggested change from #493979.
     NB I won't have time to do any testing of this so someone else will need
     to deploy it on a fully functional NAGIOS system.
     Closes: #493979
 .
 refpolicy (2:0.0.20080702-9) unstable; urgency=low
 .
   * Allow the Postfix newaliases to create new /etc/aliases.db file so that
     the postinst for Postfix can work.
   * The last update broke unconfined_mail_t for systems not running postfix,
     fixing that (thanks Martin Orr).
     Closes: #499064
  * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsík).
     Closes: #496809
 .
 refpolicy (2:0.0.20080702-8) unstable; urgency=low
 .
   * Made the postinst faster on machines with small amounts of memory.  5%
     improvement on AMD64 with 64M of RAM.  Not sure how much benefit it might
     give for a NSLUG.
   * Allowed dictd to create pid file.
   * Allowed mcstransd to getcap.
   * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
     scripts running as run_init_t.
     Closes: #498965
   * Makes Postfix work correctly.
     Closes: #473043
   * Allow $1_mail_t to read proc_t:file (for Postfix).
 .
 refpolicy (2:0.0.20080702-7) unstable; urgency=low
 .
   * Polish updates, added labelling for /lib/udev/create_static_nodes,
     /var/log/prelink.log, and corrected labelling for /var/run/kdm
   * Made Postfix work with unconfined_t.
   * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
     to talk to it.
   * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access it.
     Also allowed courier_sqwebmail_t to access /dev/urandom.
   * Allowed courier-pop and apache to access unconfined home directories.
   * Changed the policy for /var/cache/ldconfig to match upstream.
   * Allowed unconfined_t to run run_init.
 .
 refpolicy (2:0.0.20080702-6) unstable; urgency=low
 .
   * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
     Closes: #494234
  * Made xserver.pp be loaded whenever xbase-clients is installed so that
     /tmp/.ICE-unix gets the right context.
   * Policy updates, allowed rsyslogd to work correctly
     Allow gpg to read/write user files under /tmp
     Set the context of /var/run/portmap_mapping and /var/cache/ldconfig
     Allow users to read symlinks under /var/lib (for python)
     Make udev_t transition when running initrc_exec_t.
     Changed the type of /var/init/rw to var_run_t
     Changed r_dir_perms to list_dir_perms and r_file_perms to read_file_perms
     to avoid warnings.
     Changed read_file_perms to read_lnk_file_perms for lnk_file class.
     Set the contexts for /var/run/hotkey-setup, /var/run/motd, /var/run/kdm/*,
     and /var/lib/gdm/*
     Dontaudit logrotate_t trying to write initrc_var_run_t.
 .
 refpolicy (2:0.0.20080702-5) unstable; urgency=low
 .
   * Allow unconfined_r to transition to system_r.
 .
 refpolicy (2:0.0.20080702-4) unstable; urgency=low
 .
   * Policy updates.
   * Depend on libsepol1 version 2.0.30-2.
 .
 refpolicy (2:0.0.20080702-3) unstable; urgency=low
 .
   * More policy fixes.
   * Made it build-depend and depend on libsepol1 (>=2.0.30-2)
     Closes: #492318
   * Made it automatically change the SELINUXTYPE if the old value is obsolete
     and the policy was linked successfully.
 .
 refpolicy (2:0.0.20080702-2) unstable; urgency=low
 .
   * Made the mls package extra and made some other packages optional.
     Closes: #490760
   * Merged some patches from older policy packages.
 .
 refpolicy (2:0.0.20080702-1) unstable; urgency=low
 .
   * Update to latest upstream and take over the package as Manoj seems busy
     on other things.
   * Change the policy package names to selinux-policy-default and
     selinux-policy-mls.  Made selinux-policy-default do strict and targeted
     (targeted by default).
   * Optimise module loading to halve postinst time.
   * Depend on the latest policycoreutils (which sets the right default in
     /etc/selinux/config).
Checksums-Sha1: 
 66b6cb73b80d60172e943588601a4996b918be87 1913 refpolicy_0.2.20100524-5ubuntu1.dsc
 8c222885774a6ff4740b93767d82f9ce2f519de1 107437 refpolicy_0.2.20100524-5ubuntu1.diff.gz
Checksums-Sha256: 
 7e077e0984abc8dc5f67722bafa5bb2fe77679b91132fcb6805b164a81f87de7 1913 refpolicy_0.2.20100524-5ubuntu1.dsc
 61ad05641f25f30a8b687ed726022515c567c093d14bfa20f6884ac225b78abe 107437 refpolicy_0.2.20100524-5ubuntu1.diff.gz
Files: 
 0ba2aff24e26665d2db8da0237b8b4ce 1913 admin optional refpolicy_0.2.20100524-5ubuntu1.dsc
 d83bf61fe69571061314a247a2b8e40e 107437 admin optional refpolicy_0.2.20100524-5ubuntu1.diff.gz
Original-Maintainer: Russell Coker <russell at coker.com.au>
