
Bug#695622: marked as done (unblock: refpolicy/2:2.20110726-12)



Your message dated Tue, 11 Dec 2012 19:59:26 +0100
with message-id <50C7828E.4090907@thykier.net>
and subject line Re: Bug#695622: unblock: refpolicy/2:2.20110726-12
has caused the Debian Bug report #695622,
regarding unblock: refpolicy/2:2.20110726-12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
695622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695622
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package refpolicy version 2:2.20110726-12, changes since
version -11 (which is in testing atm) are:

File label fixes:
   * Label ~/.adobe(/.*)? as mozilla_home_t for flash
   * Label /usr/sbin/opendkim as dkim_milter_exec_t
   * Label postalias as postfix_master_exec_t for newaliases
   * Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP
     for client control
   * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t for
     desktops
   * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
   * Label /sbin/xtables-multi (the new iptables)
   * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
     Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
     Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
     Closes: #690225

All the labelling corrections fix bugs which lead to some important
functionality of the respective program not working if selinux is
installed & enabled. No code/policy is changed, it is only about
labelling the debian locations of files correctly.

   * Allow user roles access to mozilla_t classes shm and sem for
     sharing the sound device
   * Allow user roles access to mozilla_tmp_t

Without this, a confined iceweasel won't be able to use sound
properly, or it won't work at all, respectively.

   * Make postfix.pp not depend on unconfined.pp for "strict"
     configurations

This fixes loading the postfix policy in strict configurations, which
simply failed previously.

   * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
   * Allow systemd_passwd_agent_t access to search selinuxfs and write
     to the console for getting a password for encrypted filesystems

These fix booting with systemd and selinux enabled on dm-crypt root
filesystems.

   * Allow watchdog_t to read syslog pid files for process watching

Fixing one of the core functionalities of watchdog on selinux-enabled
systems.


Diffstat of the sources (patches applied) ignoring d/changelog and
d/patches:
 policy/modules/apps/mozilla.fc          |    1 +
 policy/modules/apps/mozilla.if          |   21 ++++++++++++---------
 policy/modules/kernel/corecommands.fc   |    2 ++
 policy/modules/kernel/corenetwork.te.in |    2 +-
 policy/modules/services/devicekit.fc    |    1 +
 policy/modules/services/dkim.fc         |    2 ++
 policy/modules/services/dovecot.fc      |    2 +-
 policy/modules/services/hal.fc          |    1 -
 policy/modules/services/lda.fc          |    1 +
 policy/modules/services/postfix.fc      |    1 +
 policy/modules/services/postfix.if      |    4 +++-
 policy/modules/services/watchdog.te     |    4 ++++
 policy/modules/system/iptables.fc       |    1 +
 policy/modules/system/libraries.fc      |    1 +
 policy/modules/system/logging.if        |   18 ++++++++++++++++++
 policy/modules/system/lvm.te            |    4 ++++
 policy/modules/system/sysnetwork.te     |    1 +
 policy/modules/system/systemd.te        |    8 +++-----
 18 files changed, 57 insertions(+), 18 deletions(-)


The debdiff is attached.

unblock refpolicy/2:2.20110726-12

Thanks for your work + cheers,

Mika

Attachment: refpolicy_2.20110726-11,12.debdiff
Description: Binary data

Attachment: signature.asc
Description: PGP signature


--- End Message ---
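
An added example, not part of the original message or of the refpolicy package: a shell check that the loaded file-context database assigns the types named in the label list above, useful for confirming the relabelling fixes after an upgrade. It assumes libselinux's `matchpathcon` is installed; `LOOKUP`, `context_type` and `check_labels` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: verify the policy's expected file labels for paths
# named in the changelog. Function and variable names are hypothetical.

# "path type" pairs, taken from the label list in the message.
EXPECTED_LABELS='/usr/sbin/opendkim dkim_milter_exec_t
/usr/lib/dovecot/auth dovecot_auth_exec_t
/usr/lib/dovecot/dovecot-lda lda_exec_t
/run/pm-utils devicekit_var_run_t'

# Command that prints the policy's context for a path.
# Assumption: matchpathcon (libselinux) is available; override LOOKUP
# to exercise the check on a machine without SELinux.
LOOKUP=${LOOKUP:-"matchpathcon -n"}

# Extract the type (third field) from user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print one line per mismatch and return the number of mismatches.
check_labels() {
    bad=0
    while read -r path want; do
        [ -n "$path" ] || continue
        # A failed lookup counts as "no label", i.e. a mismatch.
        ctx=$($LOOKUP "$path" 2>/dev/null) || ctx=
        got=$(context_type "$ctx")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path: want $want, got ${got:-<none>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_LABELS
EOF
    return "$bad"
}
```

Call `check_labels` after installing the new policy; a zero exit status means every listed path resolves to the expected type. This checks the policy's expected labels, not what is currently on disk, so files that existed before the upgrade may still need `restorecon`.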
--- Begin Message ---
On 2012-12-10 21:59, Mika Pflüger wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear Release Team,
> 
> Please unblock package refpolicy version 2:2.20110726-12, changes since
> version -11 (which is in testing atm) are:
> 
> File label fixes:
>    * Label ~/.adobe(/.*)? as mozilla_home_t for flash
>    * Label /usr/sbin/opendkim as dkim_milter_exec_t
>    * Label postalias as postfix_master_exec_t for newaliases
>    * Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP
>   for client control
>    * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t for
>   desktops
>    * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
>    * Label /sbin/xtables-multi (the new iptables)
>    * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
>      Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
>      Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
>      Closes: #690225
> 
> All the labelling corrections fix bugs which lead to some important
> functionality of the respective program not working if selinux is
> installed & enabled. No code/policy is changed, it is only about
> labelling the debian locations of files correctly.
> 
>    * Allow user roles access to mozilla_t classes shm and sem for
>   sharing the sound device
>    * Allow user roles access to mozilla_tmp_t
> 
> Without this, a confined iceweasel won't be able to use sound
> properly, or it won't work at all, respectively.
> 
>    * Make postfix.pp not depend on unconfined.pp for "strict"
>   configurations
> 
> This fixes loading the postfix policy in strict configurations, which
> simply failed previously.
> 
>    * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
>    * Allow systemd_passwd_agent_t access to search selinuxfs and write
>   to the console for getting a password for encrypted filesystems
> 
> These fix booting with systemd and selinux enabled on dm-crypt root
> filesystems.
> 
>    * Allow watchdog_t to read syslog pid files for process watching
> 
> Fixing one of the core functionalities of watchdog on selinux-enabled
> systems.
> 
> 
> Diffstat of the sources (patches applied) ignoring d/changelog and
> d/patches:
>  [...]
> 
> 
> The debdiff is attached.
> 
> unblock refpolicy/2:2.20110726-12
> 
> Thanks for your work + cheers,
> 
> Mika
> 

Unblocked, thanks.

~Niels

--- End Message ---
