another SE Linux policy
Below is the changelog for my latest release. It is required for people using
Xen, Exim, mailman, or Courier-POP with TLS.
I believe that the Xen issue is particularly important, although the SE Linux
policy for Xen is not ideal in this regard (it doesn't prevent storage-related
vulnerabilities). Incidentally, I hope to get another release done before
Lenny comes out.
The Exim support will certainly be of interest to people who use that.
refpolicy (2:0.0.20080702-14) unstable; urgency=high
.
* Allow noatsecure for Xen domains so that LD_PRELOAD will work across
a domain transition. Also dontaudit searching of the sysadm home dir
and allow xend_t to manage xenstored_var_run_t.
Allow losetup (fsadm_t) and udev access to Xen image files
* Add support for Exim.
  * Add support for Jabber, including adding the epmd_t domain for the Erlang
    Port Mapper Daemon (used by ejabberd). Label port 5280 as being for Jabber
    (the ejabberd web administration service) and port 7777 (SOCKS5
    Bytestreams (XEP-0065) for proxy file transfer).
* Allow cron to search httpd_sys_content_t
* Dontaudit logrotate search access to unconfined_home_dir_t.
* Fixed labelling of /var/lock/mailman
  * Allow courier_pop_t to read /dev/urandom and to do ioctl on its fifos.
    Also allow it to talk to portmap so the IMAP server can do FAM.
--
Russell Coker <russell@coker.com.au>
http://etbe.coker.com.au/ My Blog
http://etbe.coker.com.au/category/security/ My Security blog posts
http://www.coker.com.au/selinux/play.html My Play Machine, root PW "SELINUX"
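To make the Xen entries in that changelog concrete, here is an added illustration of what such rules look like as a local refpolicy module. This is not the diff that shipped in refpolicy 2:0.0.20080702-14 and is not Russell's code; it is an approximation written for this page. The type names (xend_t, xenstored_t, xenconsoled_t, xenstored_var_run_t, xen_image_t, fsadm_t, udev_t, sysadm_home_dir_t) are refpolicy types, but the exact permission sets, the assumption that xend_t is the domain that transitions to xenstored_t and xenconsoled_t, and the module name xen_local are assumptions made here.

```selinux
# xen_local.te -- illustrative local policy module, not the Debian package's own diff.
policy_module(xen_local, 1.0)

gen_require(`
	type xend_t, xenstored_t, xenconsoled_t;   # Xen daemon domains (refpolicy)
	type xenstored_var_run_t;                  # /var/run/xenstored (refpolicy)
	type xen_image_t;                          # domU disk image files (refpolicy)
	type fsadm_t, udev_t;                      # losetup runs in fsadm_t; udev in udev_t
	type sysadm_home_dir_t;                    # assumed name of the sysadm home dir type
')

# "Allow noatsecure for Xen domains so that LD_PRELOAD will work across a
# domain transition."  The kernel checks noatsecure with the OLD domain as the
# source and the NEW domain as the target; if it is granted, the child is not
# started in secure-exec mode, so glibc keeps honouring LD_PRELOAD and similar
# environment variables.  Caveat: this also means the parent domain can inject
# a library into the child domain, so grant it only where the parent is at
# least as trusted as the child (assumed here: xend_t execs xenstored/xenconsoled).
allow xend_t { xenstored_t xenconsoled_t }:process noatsecure;

# "dontaudit searching of the sysadm home dir" -- silence the noise without
# granting access.
dontaudit xend_t sysadm_home_dir_t:dir search_dir_perms;

# "allow xend_t to manage xenstored_var_run_t" -- files and sockets under
# /var/run/xenstored.
allow xend_t xenstored_var_run_t:dir manage_dir_perms;
allow xend_t xenstored_var_run_t:file manage_file_perms;
allow xend_t xenstored_var_run_t:sock_file manage_sock_file_perms;

# "Allow losetup (fsadm_t) and udev access to Xen image files" -- losetup
# needs read/write on the image it attaches to a loop device; udev is given
# read access here (permission set assumed).
allow fsadm_t xen_image_t:file rw_file_perms;
allow udev_t xen_image_t:file read_file_perms;
```

Build and load it with the usual refpolicy developer Makefile (`make -f /usr/share/selinux/devel/Makefile xen_local.pp && semodule -i xen_local.pp`, path assumed to match the Debian layout). Port labels such as the 5280 and 7777 entries cannot be added from a loadable module; until a policy release carries them, a local administrator can label a port from the command line, for example `semanage port -a -t jabber_client_port_t -p tcp 5280`, using whichever existing jabber port type the local policy defines.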