
Bug#689264: marked as done (unblock: refpolicy/2:2.20110726-11)



Your message dated Sun, 07 Oct 2012 23:14:11 +0200
with message-id <5071F0A3.7060705@dogguy.org>
and subject line Re: Bug#689264: unblock: refpolicy/2:2.20110726-11
has caused the Debian Bug report #689264,
regarding unblock: refpolicy/2:2.20110726-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
689264: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689264
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package refpolicy version 2:2.20110726-11, changes since
version -9 (which is in testing atm) are:

* Fix #683756 (selinux in permissive mode breaks gdm and X)
 The problem arose due to Debian-specific gdm3 locations. In version
 2:2.20110726-10 a patch to fix this was introduced, but it was
 incomplete (fixed only some contexts, not all) and therefore in
 version -11 it was replaced by a correct patch, which is also already
 accepted upstream. The bug is only severity: normal in the BTS, but as
 installing and enabling selinux in permissive mode completely breaks
 the ability to log in via gdm I'd consider it important, at least.
 Regressions are very unlikely as this patch only touches file context
 definitions, no code.

* Update the Vcs-* fields
 The Vcs-* fields in d/control were pointing to an old location, which
 doesn't work anymore.

* Fix #686670 (Cannot load alsa.pp module)
 debian/patches/0048-Alsa-debian-locations.patch had been merged
 upstream but wasn't dropped, leading to duplication and breaking the
 alsa module loading. Dropping the patch fixes this.

* Drop debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
 As in the previous fix, the code present in this one-line patch had
 already been introduced upstream. Dropping the patch removes
 duplicates and thereby avoids problems.

* Fix watch file uversionmangle in debian/watch.


Diffstat of the sources (patches applied) ignoring d/changelog:
 debian/control                        |    4 ++--
 debian/patches/series                 |    3 +--
 debian/watch                          |    5 +----
 policy/modules/admin/alsa.fc          |   14 ++++----------
 policy/modules/kernel/corecommands.fc |    1 +
 policy/modules/services/xserver.fc    |   20 +++++++++++---------
 policy/modules/system/iptables.te     |    1 -
 7 files changed, 20 insertions(+), 28 deletions(-)


The debdiff is attached.

unblock refpolicy/2.20110726-11

Thanks for your work + cheers,

Mika

diff -Nru refpolicy-2.20110726/debian/changelog refpolicy-2.20110726/debian/changelog
--- refpolicy-2.20110726/debian/changelog	2012-06-30 11:42:53.000000000 +0200
+++ refpolicy-2.20110726/debian/changelog	2012-09-30 22:47:31.000000000 +0200
@@ -1,3 +1,30 @@
+refpolicy (2:2.20110726-11) unstable; urgency=low
+
+  * Team upload
+  [ Mika Pflüger ]
+  * Drop incomplete patch adding debian specific gdm3 locations and
+    cherry-pick Laurent's complete patch from upstream instead. Slightly
+    edit the patch to work around an issue in file context ordering.
+
+ -- Laurent Bigonville <bigon@debian.org>  Sun, 30 Sep 2012 22:43:12 +0200
+
+refpolicy (2:2.20110726-10) unstable; urgency=low
+
+  * Team upload.
+  [ Mika Pflüger ]
+  * xserver.fc: Add debian specific /usr/sbin/gdm3 as a location for gdm3.
+    Closes: #683756
+  * debian/control: Update Vcs-* fields.
+
+  [ Laurent Bigonville ]
+  * d/p/0079-Allow-iptables_t-to-do-module_request.patch: Dropped, the code
+    present in this patch was already present later in the code.
+  * d/p/0048-Alsa-debian-locations.patch: Dropped, changes merged upstream,
+    and was breaking module loading due to duplicate paths (Closes: #686670)
+  * debian/watch: Fix watch file uversionmangle
+
+ -- Laurent Bigonville <bigon@debian.org>  Fri, 07 Sep 2012 17:51:13 +0200
+
 refpolicy (2:2.20110726-9) unstable; urgency=high
 
   * Enable UBAC as roles aren't useful.  I recommend using only roles user_r
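Review bot: The new -11 entry carries no bug reference and names no patch file, although it replaces the -10 fix for #683756 and the -10 entry below it gives both. Naming the dropped patch and the new one, and stating what the "slight edit" for file context ordering actually changes, would let a reader audit the labelling change from the changelog alone. "Team upload" in -11 also lacks the trailing period used in -10.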
@@ -10,8 +37,8 @@
   * Change readahead policy to support memlockd.
   * Allow devicekit_power_t, devicekit_disk_t, kerneloops_t, and policykit_t
     to send dbus messages to users.
-  * Grant systemd utilities access to selinuxfs so they can correctly label directories
-    Closes: #678392
+  * Grant systemd utilities access to selinuxfs so they can correctly label
+    directories. Closes: #678392
   * Assigned type consolekit_var_run_t to /var/run/console(/.*)? because it's
     created and managed by consolekit nowadays.
   * Created tunable allow_ssh_connect_reserved_ports to allow ssh client to
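Review bot: Unrelated cosmetic change in a freeze-time diff: the rewrapped "Grant systemd utilities access to selinuxfs" item belongs to the already uploaded -9 entry and has nothing to do with the fixes listed in the request. Leaving historical entries untouched keeps the debdiff limited to what the release team has to evaluate.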
@@ -41,7 +68,7 @@
   * Add tcsd.pp (for trousers) to the policy packages
   * Add nut.pp for the nut-server package to the policy packages
   * Load irqbalance.pp if irqbalance Debian package is installed, same for
-    kerneloops, tcsd.pp/trousers, nut.pp/nut-server, 
+    kerneloops, tcsd.pp/trousers, nut.pp/nut-server,
     and smartmon.pp/smartmontools.
   * High urgency because the support for tcsd and nut really needs to be
     tested (and it's broken badly for those people) and portslave.pp is also
diff -Nru refpolicy-2.20110726/debian/control refpolicy-2.20110726/debian/control
--- refpolicy-2.20110726/debian/control	2012-06-11 14:32:03.000000000 +0200
+++ refpolicy-2.20110726/debian/control	2012-09-30 22:47:31.000000000 +0200
@@ -1,6 +1,6 @@
 Source: refpolicy
-VCS-Git: git://anonscm.debian.org/selinux/selinux.git
-VCS-Browser: http://anonscm.debian.org/gitweb/?p=selinux/selinux.git;a=summary
+VCS-Git: git://anonscm.debian.org/selinux/refpolicy.git
+VCS-Browser: http://anonscm.debian.org/gitweb/?p=selinux/refpolicy.git;a=summary
 Priority: optional
 Section: admin
 Homepage: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
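Review bot: The corrected Vcs-Git value still uses the git:// transport, which is unauthenticated and unencrypted, so a clone made through this field has no integrity protection in transit. If the host serves the same repository over an authenticated transport, point the field there. The field names are written VCS-Git and VCS-Browser; field names are case-insensitive, but the conventional spelling is Vcs-Git and Vcs-Browser.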
diff -Nru refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch
--- refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch	2012-06-15 15:35:25.000000000 +0200
+++ refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <debian@mikapflueger.de>
-Date: Sun, 4 Mar 2012 00:10:16 +0100
-Subject: Alsa debian locations
-
----
- policy/modules/admin/alsa.fc |   14 ++++++++++----
- 1 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index d362d9c..20062d1 100644
---- a/policy/modules/admin/alsa.fc
-+++ b/policy/modules/admin/alsa.fc
-@@ -2,10 +2,16 @@ HOME_DIR/\.asoundrc	--	gen_context(system_u:object_r:alsa_home_t,s0)
- 
- /bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
- 
--/etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/alsa/pcm(/.*)?	        gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/asound(/.*)?               gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+ifdef(`distro_debian', `
-+/var/lib/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/usr/share/alsa/alsa\.conf      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/usr/share/alsa/pcm(/.*)?       gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+', `
-+/etc/alsa/asound\.state --      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/asound\.state      --       gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+')
- 
- /sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
- /sbin/salsa 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
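Review bot: The resulting policy/modules/admin/alsa.fc is not shown anywhere in this debdiff, so the claim that upstream already carries these entries cannot be checked from the deletion alone. Please confirm on the patched tree that /var/lib/alsa/asound\.state, /usr/share/alsa/alsa\.conf and /usr/share/alsa/pcm(/.*)? are still labelled alsa_etc_rw_t under distro_debian, each exactly once.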
diff -Nru refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
--- refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch	2012-06-15 15:35:25.000000000 +0200
+++ refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@
-From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <debian@mikapflueger.de>
-Date: Sun, 4 Mar 2012 02:30:24 +0100
-Subject: Allow iptables_t to do module_request
-
----
- policy/modules/system/iptables.te |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 542344f..a8d3947 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -27,6 +27,7 @@ files_pid_file(iptables_var_run_t)
- # Iptables local policy
- #
- 
-+kernel_request_load_module(iptables_t)
- allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
- dontaudit iptables_t self:capability sys_tty_config;
- allow iptables_t self:fifo_file rw_fifo_file_perms;
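Review bot: The later kernel_request_load_module(iptables_t) call that the changelog says makes this patch redundant is not visible in the debdiff. A grep of policy/modules/system/iptables.te on the patched tree should be quoted in the request, so that dropping this line is shown not to remove the module_request permission from iptables_t.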
diff -Nru refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch
--- refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch	1970-01-01 01:00:00.000000000 +0100
+++ refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch	2012-09-30 22:47:31.000000000 +0200
@@ -0,0 +1,79 @@
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Mon, 10 Sep 2012 18:11:13 +0200
+Subject: Add Debian locations for GDM 3
+
+---
+ policy/modules/kernel/corecommands.fc |    1 +
+ policy/modules/services/xserver.fc    |   18 ++++++++++--------
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
+index 4dd72ce..00d8b13 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -301,6 +301,7 @@ ifdef(`distro_gentoo',`
+ 
+ ifdef(`distro_debian',`
+ /usr/lib(64)?/ConsoleKit/.*	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/dovecot/.+             --      gen_context(system_u:object_r:bin_t,s0)
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index eb0566c..4787e5c 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -13,6 +13,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+ #
+ # /etc
+ #
++/etc/gdm(3)?/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+ 
+ /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
+ 
+@@ -28,10 +31,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+ 
+-/etc/gdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+-/etc/gdm/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+-/etc/gdm/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+-
+ #
+ # /opt
+ #
+@@ -52,8 +51,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+ # /usr
+ #
+ 
++/usr/s?bin/gdm(3)?	--      gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
+ /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -81,15 +81,17 @@ ifndef(`distro_debian', `
+ # /var
+ #
+ 
+-/var/lib/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ 
+ /var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/gdm(3)?(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
+ 
+-/var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+ 
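Review bot: The patch header's diffstat is stale: it states "11 insertions(+), 8 deletions(-)" and 18 changed lines for xserver.fc, but the hunks below it contain 12 added and 9 removed lines, 20 of them in xserver.fc, which is what the diffstat in the request shows. The difference presumably comes from the local edit the changelog mentions, and the header says nothing about it. Please record the upstream commit this was cherry-picked from and describe the local modification in the header, and note in the /usr hunk (where added and removed lines are interleaved) why the ordering matters, so a later refresh against upstream does not silently drop the workaround.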
diff -Nru refpolicy-2.20110726/debian/patches/series refpolicy-2.20110726/debian/patches/series
--- refpolicy-2.20110726/debian/patches/series	2012-06-27 16:47:53.000000000 +0200
+++ refpolicy-2.20110726/debian/patches/series	2012-09-30 22:47:31.000000000 +0200
@@ -44,7 +44,6 @@
 0045-Remaining-unsorted-changes-for-debian-init.patch
 0046-Add-dev_read_urand-to-several-programs.patch
 0047-Allow-several-programs-to-read-from-the-console.patch
-0048-Alsa-debian-locations.patch
 0049-Correctly-label-rotated-logs-of-apt.patch
 0050-Tweaks-to-the-dpkg-policy-especially-for-support-of-.patch
 0051-Webalizer-policy-adjustments-Labeled-awffull-as-weba.patch
@@ -75,7 +74,6 @@
 0076-Allow-mono_t-to-be-in-role-unconfined_r-Closes-54014.patch
 0077-courier-policy-adjustments-Label-courier-socket-file.patch
 0078-authlogin-policy-adjustments-Label-etc-.group.edit.s.patch
-0079-Allow-iptables_t-to-do-module_request.patch
 0080-debian-library-locations.patch
 0081-Allow-apt-to-silently-get-and-install-packages.patch
 0082-syslog-policy-adjustments-Allow-syslogd_t-capability.patch
@@ -102,3 +100,4 @@
 0170-dirmngr
 0180-latest-misc
 0190-cron-remove-cronjob_t
+0200-Add-Debian-locations-for-GDM-3.patch
diff -Nru refpolicy-2.20110726/debian/watch refpolicy-2.20110726/debian/watch
--- refpolicy-2.20110726/debian/watch	2012-06-10 04:02:01.000000000 +0200
+++ refpolicy-2.20110726/debian/watch	2012-09-30 22:47:31.000000000 +0200
@@ -1,8 +1,5 @@
-# format version number, currently 2; this line is compulsory!
 version=3
 
-opts="uversionmangle=s/^2./0.2./" \
+opts="uversionmangle=s/^2./2./" \
 http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
  /files/refpolicy/refpolicy-(.*)\.tar\.bz2
-
-# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
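Review bot: The new rule uversionmangle=s/^2./2./ leaves the dot in the pattern unescaped, so it matches "2" followed by any character, and for an upstream version that already begins with "2." it rewrites the version to itself. If no mangling is needed any more, drop the opts line; if it is, escape the dot in the pattern (^2\.) so the rule cannot alter a version such as one starting with "20".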



--- End Message ---
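The duplicate-path failure described in the request above (a Debian patch kept after upstream had merged the same entries) can be caught before the module is built. The following check is an added example, not part of the original message or of refpolicy; `duplicate_specs` is a hypothetical helper and the sample .fc text is constructed from entries in the dropped 0048 patch.

```python
import re

# path regex, optional file-type flag (--, -d, ...), then gen_context(context,
ENTRY = re.compile(r"^(\S+)\s+(?:(-[-dcbpls])\s+)?gen_context\(([^,]+),")

def active_entries(fc_text, defined=("distro_debian",)):
    """Yield (lineno, path, ftype, context) for entries m4 would keep.
    Handles only the one-level ifdef/ifndef form seen in the patches above."""
    then_on = branch_on = True
    for no, raw in enumerate(fc_text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"(ifn?def)\(`(\w+)',\s*`$", line)
        if m:                                   # start of the "then" branch
            then_on = (m.group(2) in defined) == (m.group(1) == "ifdef")
            branch_on = then_on
        elif re.match(r"',\s*`$", line):        # switch to the "else" branch
            branch_on = not then_on
        elif line == "')":                      # end of the conditional
            branch_on = True
        elif branch_on and (e := ENTRY.match(line)):
            yield no, e.group(1), e.group(2) or "", e.group(3)

def duplicate_specs(fc_text, defined=("distro_debian",)):
    """Map (path, ftype) -> [(lineno, context), ...] for specs active twice."""
    seen = {}
    for no, path, ftype, ctx in active_entries(fc_text, defined):
        seen.setdefault((path, ftype), []).append((no, ctx))
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample (not the real alsa.fc): the same entries present twice,
# as if a local patch were still applied on top of a tree that has them.
SAMPLE_FC = r"""
/etc/alsa/pcm(/.*)?             gen_context(system_u:object_r:alsa_etc_rw_t,s0)
ifdef(`distro_debian', `
/var/lib/alsa/asound\.state --  gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)?       gen_context(system_u:object_r:alsa_etc_rw_t,s0)
', `
/etc/alsa/asound\.state --      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
')
/etc/alsa/pcm(/.*)?             gen_context(system_u:object_r:alsa_etc_rw_t,s0)
ifdef(`distro_debian', `
/var/lib/alsa/asound\.state --  gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)?       gen_context(system_u:object_r:alsa_etc_rw_t,s0)
')
"""

if __name__ == "__main__":
    for (path, ftype), hits in duplicate_specs(SAMPLE_FC).items():
        print(f"duplicate {path} {ftype or 'any'}: lines {[n for n, _ in hits]}")
```

Passing `defined=()` evaluates the file as a non-Debian build would, which shows whether a duplicate is confined to one distribution branch.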
--- Begin Message ---
On 01/10/2012 00:33, Mika Pflüger wrote:
> Package: release.debian.org Severity: normal User:
> release.debian.org@packages.debian.org Usertags: unblock
> 
> Dear Release Team,
> 
> Please unblock package refpolicy version 2:2.20110726-11, changes
> since version -9 (which is in testing atm) are:
> 

Unblocked.

Regards,

-- 
Mehdi Dogguy مهدي الدڤي

--- End Message ---
