new SE Linux policy for Lenny

The changes allow Postfix to be almost entirely functional (I'm testing
another update for the Postfix package postinst script). It allows Postfix
to work with SpamAssassin, allows dictd to work, makes installation faster
(an issue of complaint on Debian-devel), fixed the labelling for udev (needed
for a "strict" configuration to boot), and fixed some minor problems with
courier and Apache.

While this will hopefully not be the last update before Lenny gets entirely
frozen (unless I run out of time), it's a significant improvement and it
would be good to get it approved now.

refpolicy (2:0.0.20080702-8) unstable; urgency=low

  * Made the postinst faster on machines with small amounts of memory. 5%
    improvement on AMD64 with 64M of RAM. Not sure how much benefit it might
    give for a NSLUG.
  * Allowed dictd to create pid file.
  * Allowed mcstransd to getcap.
  * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
    scripts running as run_init_t.
  * Makes Postfix work correctly.
  * Allow $1_mail_t to read proc_t:file (for Postfix).

 -- Russell Coker <firstname.lastname@example.org>  Fri, 12 Sep 2008 10:51:01 +1000

refpolicy (2:0.0.20080702-7) unstable; urgency=low

  * Polish updates, added labelling for /lib/udev/create_static_nodes,
    /var/log/prelink.log, and corrected labelling for /var/run/kdm
  * Made Postfix work with unconfined_t.
  * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
    to talk to it.
  * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access
    Also allowed courier_sqwebmail_t to access /dev/urandom.
  * Allowed courier-pop and apache to access unconfined home directories.
  * Changed the policy for /var/cache/ldconfig to match upstream.
  * Allowed unconfined_t to run run_init.