[DSE-Dev] Bug#695622: unblock: refpolicy/2:2.20110726-12
Mika Pflüger
debian at mikapflueger.de
Mon Dec 10 20:59:07 UTC 2012
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package refpolicy version 2:2.20110726-12, changes since
version -11 (which is in testing atm) are:

File label fixes:
  * Label ~/.adobe(/.*)? as mozilla_home_t for flash
  * Label /usr/sbin/opendkim as dkim_milter_exec_t
  * Label postalias as postfix_master_exec_t for newaliases
  * Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP
    for client control
  * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t for
    desktops
  * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
  * Label /sbin/xtables-multi (the new iptables)
  * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
    Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
    Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
    Closes: #690225

All the labelling corrections fix bugs which lead to some important
functionality of the respective program not working if selinux is
installed & enabled. No code/policy is changed, it is only about
labelling the debian locations of files correctly.

  * Allow user roles access to mozilla_t classes shm and sem for
    sharing the sound device
  * Allow user roles access to mozilla_tmp_t

Without this, a confined iceweasel won't be able to use sound
properly, or it won't work at all, respectively.

  * Make postfix.pp not depend on unconfined.pp for "strict"
    configurations

This fixes loading the postfix policy in strict configurations, which
simply failed previously.

  * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
  * Allow systemd_passwd_agent_t access to search selinuxfs and write
    to the console for getting a password for encrypted filesystems

These fix booting with systemd and selinux enabled on dm-crypt root
filesystems.

  * Allow watchdog_t to read syslog pid files for process watching

Fixing one of the core functionalities of watchdog on selinux-enabled
systems.

Diffstat of the sources (patches applied) ignoring d/changelog and
d/patches:

 policy/modules/apps/mozilla.fc          |  1 +
 policy/modules/apps/mozilla.if          | 21 ++++++++++++---------
 policy/modules/kernel/corecommands.fc   |  2 ++
 policy/modules/kernel/corenetwork.te.in |  2 +-
 policy/modules/services/devicekit.fc    |  1 +
 policy/modules/services/dkim.fc         |  2 ++
 policy/modules/services/dovecot.fc      |  2 +-
 policy/modules/services/hal.fc          |  1 -
 policy/modules/services/lda.fc          |  1 +
 policy/modules/services/postfix.fc      |  1 +
 policy/modules/services/postfix.if      |  4 +++-
 policy/modules/services/watchdog.te     |  4 ++++
 policy/modules/system/iptables.fc       |  1 +
 policy/modules/system/libraries.fc      |  1 +
 policy/modules/system/logging.if        | 18 ++++++++++++++++++
 policy/modules/system/lvm.te            |  4 ++++
 policy/modules/system/sysnetwork.te     |  1 +
 policy/modules/system/systemd.te        |  8 +++-----
 18 files changed, 57 insertions(+), 18 deletions(-)

The debdiff is attached.

unblock refpolicy/2:2.20110726-12

Thanks for your work + cheers,
Mika
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy_2.20110726-11,12.debdiff
Type: application/octet-stream
Size: 26312 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20121210/c1545367/attachment-0001.obj>