
Bug#877195: marked as done (stretch-pu: package refpolicy/2:2.20161023.1-9)



Your message dated Sun, 31 Mar 2019 15:04:30 +0100
with message-id <1554041070.2650.35.camel@adam-barratt.org.uk>
and subject line Re: Bug#877195: the patches
has caused the Debian Bug report #877195,
regarding stretch-pu: package refpolicy/2:2.20161023.1-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
877195: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877195
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

0210-bounds-874201 is the most important patch.  Without it programs that
should run as tor_t, mysqld_t, and entropyd_t run as init_t and get
unrestricted access to the system.  This is needed due to recent changes in
systemd and daemon service files enabling those changes.  Now daemons are set
to have no new privileges so SE Linux policy has to specify that such daemon
domains are subsets of the init_t domain so transitioning from init_t to tor_t
for example is strictly decreasing privileges.  It is possible that future
changes will be submitted to make daemons more secure on non-SE systems
(which IMHO is a suitable reason for updating stretch) but which require more
changes like this to the SE Linux policy.  Bug #874201

0220-delete-lib-sudo-875668 is needed to allow systemd-tmpfiles to delete
sudo temporary files.  I don't know if there is a security issue with not
deleting such files, but it is a functionality issue.  Bug #875668

0230-brctl-sysfs-875669 allows brctl to create sysfs files which are related
to STP.  The functionality appears to be normal without this patch (apart
from logging AVC denial messages), but I think we should allow brctl to do
all the things it wants.  Maybe some bridging operations that I don't do on
my network require this.  Bug #875669

0250-bootloader-875676 gives bootloader_t lots of access to create initramfs
images and communicate with dpkg_t.  Bug #875676

0260-dnsmasq-875681 allows dnsmasq_t to read conf.d files, normal operation of
this daemon isn't possible without this patch.  Bug #875681

I'll send the patches as an update to this bug once it gets a bug number.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
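The first patch described above addresses daemons that land in init_t instead of their confined domain. As an added example (not part of the bug report or the refpolicy package), this shell check flags that symptom from `ps` label output; tor_t and mysqld_t are taken from the report, while the haveged -> entropyd_t mapping and the sample process list are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): flag daemons that are running in
# init_t instead of the confined domain the policy intends, the symptom the
# 0210-bounds-874201 patch fixes.  Input is the format of
# `ps -eo label,pid,comm --no-headers`; a constructed sample keeps it offline.

# Map a process name to the domain it should be confined to.  tor_t and
# mysqld_t come from the report; haveged -> entropyd_t is an assumption.
expected_domain() {
    case "$1" in
        tor)     echo tor_t ;;
        mysqld)  echo mysqld_t ;;
        haveged) echo entropyd_t ;;
        *)       echo "" ;;
    esac
}

# Read "label pid comm" lines on stdin and print one line per daemon whose
# actual type differs from the expected one.  The type is the third
# colon-separated field of the context (user:role:type:level).
find_misplaced_daemons() {
    while read -r label pid comm; do
        want=$(expected_domain "$comm")
        [ -n "$want" ] || continue
        have=$(printf '%s\n' "$label" | cut -d: -f3)
        if [ "$have" != "$want" ]; then
            printf '%s (pid %s) runs as %s, expected %s\n' \
                "$comm" "$pid" "$have" "$want"
        fi
    done
}

# Constructed sample: tor and haveged were started by systemd with
# NoNewPrivileges and stayed in init_t; mysqld transitioned correctly.
SAMPLE='system_u:system_r:init_t:s0 1 systemd
system_u:system_r:init_t:s0 812 tor
system_u:system_r:mysqld_t:s0 901 mysqld
system_u:system_r:init_t:s0 955 haveged
system_u:system_r:sshd_t:s0-s0:c0.c1023 1020 sshd'

# Live use: ps -eo label,pid,comm --no-headers | find_misplaced_daemons
printf '%s\n' "$SAMPLE" | find_misplaced_daemons
```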
--- Begin Message ---
On Sat, 2019-03-09 at 16:02 +0000, Adam D. Barratt wrote:
> On Tue, 2018-02-27 at 18:48 +0000, Adam D. Barratt wrote:
> > On Tue, 2018-02-27 at 13:22 +1100, Russell Coker wrote:
> > > What's the situation with this one?  Could it be included in the
> > > next Stretch update?
> > 
> > The +confirmed and "... then OK" in my mail of December 2nd that you
> > quote below was intended as an acknowledgement that you could go ahead
> > with the upload.
> 
> Ping? I plan on closing this bug in a couple of weeks time if nothing
> happens.

Doing so with this mail.

Regards,

Adam

--- End Message ---
