Bug#777205: unblock: refpolicy/2:2.20140421-9

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package refpolicy

Version 2.20140421-8 fixed bugs #771482, #771484, #775223, and #771483.

Version 2.20140421-9 fixed many other problems with the policy that would
have resulted in bug reports if 2.20140421-8 had been released.

The source package refpolicy had been removed from testing.  I believe that
the current version is good enough to include in Jessie.  It works on full KDE
desktop environments and on a variety of server configurations (including the
mail server used to send this mail).

The changes since the last version that was in testing have added allow rules,
so more things will work than before (less breakage), but as SE Linux is the
second level of security, the system still will never be less secure than a
non-SE system.

unblock refpolicy/2:2.20140421-9

Here is the changelog:

refpolicy (2:2.20140421-9) unstable; urgency=medium

  * Allow dovecot_t to read /usr/share/dovecot/protocols.d
    Allow dovecot_t capability sys_resource
    Label /usr/lib/dovecot/* as bin_t unless specified otherwise
    Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens
  * Allow clamd_t capability { chown fowner fsetid }
    Allow clamd_t to read sysctl_vm_t
  * Allow dkim_milter_t capability dac_override and read sysctl_vm_t
    allow dkim_milter_t to bind to unreserved UDP ports
  * Label all hard-links of perdition perdition_exec_t
    Allow perdition to read /dev/urandom and capabilities dac_override, chown,
    and fowner
    Allow perdition file trans to perdition_var_run_t for directories
    Also proxy the sieve service - sieve_port_t
    Allow connecting to mysql for map data
  * Allow nrpe_t to read nagios_etc_t and have capability dac_override
  * Allow httpd_t to write to initrc_tmp_t files
    Label /var/lib/php5(/.*)? as httpd_var_lib_t
  * Allow postfix_cleanup_t to talk to the dkim filter
    allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters)
    allow postfix_smtpd_t to talk to clamd_t via unix sockets
    allow postfix_master_t to execute hostname for Debian startup scripts
  * Allow unconfined_cronjob_t role system_r and allow it to restart daemons
    via systemd
    Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session
    cleanup)
  * Allow spamass_milter_t to search the postfix spool and sigkill itself
    allow spamc_t to be in system_r for when spamass_milter runs it
  * Allow courier_authdaemon_t to execute a shell
  * Label /usr/bin/maildrop as procmail_exec_t
    Allow procmail_t to connect to courier authdaemon for the courier maildrop,
    also changed courier_stream_connect_authdaemon to use courier_var_run_t
    for the type of the socket file
    Allow procmail_t to read courier config for maildrop.
  * Allow system_mail_t to be in role unconfined_r
  * Label ldconfig.real instead of ldconfig as ldconfig_exec_t
  * Allow apt_t to list directories of type apt_var_log_t
  * Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for
    dpkg-preconfigure
  * Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage
    shadow files, process setfscreate, and capabilities audit_write net_admin
    sys_ptrace
  * Label /usr/lib/xen-*/xl as xm_exec_t

 -- Russell Coker <russell@coker.com.au>  Fri, 06 Feb 2015 02:31:05 +1100

refpolicy (2:2.20140421-8) unstable; urgency=medium

  * Make all of /etc/ssl apart from /etc/ssl/private etc_t
  * Allow systemd_logind_t to search xdm_tmp_t:dir
    Allow systemd_tmpfiles_t to create xdm_tmp_t:dir
    Make xserver_create_xdm_tmp_socket also allow unlinking the socket
    Allow systemd_tmpfiles_t to create xdm_tmp_t dir
    Allow systemd_logind_t to search xdm_tmp_t
    Allow system_dbusd_t to write to systemd_logind_var_run_t:fifo_file
    for /run/systemd/inhibit/*.ref; also added fc for /run/systemd/inhibit
    Allow system_dbusd_t to write to /run/systemd/inhibit/* pipes
    Allow user_t to talk to user_dbusd_t via unix sockets and also all
    dbus clients
    Allow systemd_tmpfiles_t to create xfs_tmp_t dirs
    Closes: #771482
  * Allow userdomains netlink_audit_socket access for logging of X unlock
  * Allow $1_user_ssh_agent_t to send sigchld to xdm_t
  * Allow local_login_t to write to systemd sessions pipes
  * Allow policykit_t to read /run/systemd/machines and /run/systemd/seats/*
  * Allow init_status() for user domains for kdeinit
  * Remove most of the gpg stuff that I put in 2:2.20140421-7.
    Just remove gpg_helper_t, merge gpg_pinentry_t with the main gpg domain,
    and make the gpg_t domain only used from user_t. Domain trans from
    gpg_agent_t to user_t when running bin_t such as ck-launch-session.
    Allow gpg_agent_t and *_ssh_agent_t to append to an inherited user_home_t
    file
    Closes: #771484
  * Allow user_dbusd_t to append to user_home_t
  * Allow load_policy_t to read /dev/urandom.
  * Label /usr/lib/dovecot/(log)|(ssl-params)|(anvil) dovecot_exec_t so they
    can be executed by the main dovecot daemon.
    Closes: #775223
  * Allow alsa_t to create lockfiles and added fc for
    /run/lock/asound.state.lock
  * Allow local_login_t capability net_admin
  * Allow systemd_logind_t capability sys_admin and mount tmpfs_t
  * Allow mozilla_t (Chrome) to manage symlinks in /tmp and create sockets
    Allow chrome_sandbox_t to use user_t fd.
    Allow mozilla_t to use netlink_kobject_uevent_socket.
    Label ~/.config/google-chrome as mozilla_home_t
    Label /opt/google/chrome/nacl_helper as chrome_browser_exec_t
    Allow chrome_sandbox_t to write to the user's pty (for startup error messages)
    Closes: #771483
  * Allow userdomains to read vm sysctls and to create a
    netlink_kobject_uevent_socket.
  * Allow initrc_t to perform systemd service start/stop operations on
    initrc_var_run_t files. This may be a bug in systemd.
  * Label .xsession-errors as user_home_t when xdm_t creates it.
  * Label /usr/sbin/dhcp6c as dhcpc_exec_t, /run/dhcp6c.pid as dhcpc_var_run_t,
    and /var/lib/dhcpv6 as dhcpc_state_t
  * Dontaudit getty_t capability sys_admin
  * Allow cronjob_t read-write access to crond_tmp_t.
  * Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
  * Allow fsadm_t to stat mount_var_run_t for /run/mount/utab

 -- Russell Coker <russell@coker.com.au>  Mon, 19 Jan 2015 16:27:05 +1100


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
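As an added illustration of how changelog entries like the ones above are expressed in the reference policy language, here is a hypothetical local module. It is not code from the refpolicy package or from this bug report: the module name dovecot_local is made up, and the type names, pattern macros and interfaces used are the refpolicy ones the changelog refers to. It covers the dovecot sys_resource and auth-token entries, the dkim_milter_t sysctl/UDP entries, the getty_t dontaudit, and the two labelling changes for /usr/lib/dovecot and /var/lib/php5.

```selinux
# dovecot_local.te (added example; hypothetical module name)
policy_module(dovecot_local, 1.0.0)

gen_require(`
	type dovecot_t, dovecot_auth_t, dovecot_var_run_t;
	type dkim_milter_t, getty_t;
')

# "Allow dovecot_t capability sys_resource": a raw allow rule on the
# process's own security context (self).
allow dovecot_t self:capability sys_resource;

# "Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens":
# refpolicy pattern macros expand to the full create/read/write/unlink
# permission sets on directories and files of that type.
manage_dirs_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)

# "Allow dkim_milter_t capability dac_override and read sysctl_vm_t" and
# "bind to unreserved UDP ports": kernel and network access is requested
# through interfaces from kernel.if and corenetwork.if, so the module does
# not need to name sysctl_vm_t or the port types directly.
allow dkim_milter_t self:capability dac_override;
kernel_read_vm_sysctls(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)

# "Dontaudit getty_t capability sys_admin": the access is still denied;
# only the AVC log entry for the denial is suppressed.
dontaudit getty_t self:capability sys_admin;

# ---- dovecot_local.fc (file contexts for the two labelling changes) ----
# A trailing "--" restricts an entry to regular files; an entry without a
# file class matches every object under the path.  The generic bin_t entry
# for /usr/lib/dovecot is the "unless specified otherwise" default: the more
# specific dovecot_exec_t entries for log, ssl-params and anvil from the -8
# changelog take precedence over it when a path matches both.
/usr/lib/dovecot/.*	--	gen_context(system_u:object_r:bin_t,s0)
/var/lib/php5(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
```

Assuming the refpolicy development Makefile shipped in selinux-policy-dev is installed, the module builds with `make -f /usr/share/selinux/devel/Makefile dovecot_local.pp` and loads with `semodule -i dovecot_local.pp`; `restorecon -Rv /usr/lib/dovecot /var/lib/php5` then applies the new file contexts, and `sesearch -A -s dovecot_t -c capability` (setools) shows the resulting rule in the loaded policy. Note that, as the mail argues, every line here only widens what SELinux permits: DAC permission checks run first and unchanged, so a module of allow rules cannot grant access that the ordinary file permission bits deny.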