[DSE-Dev] policy patch

Mika Pflüger debian at mikapflueger.de
Sat Nov 10 00:23:23 UTC 2012


Hi,

Am Sun, 21 Oct 2012 04:56:02 +0200
schrieb Mika Pflüger <debian at mikapflueger.de>:

> Hi,
> 
> Am Mon, 15 Oct 2012 00:36:57 +0200
> schrieb Mika Pflüger <debian at mikapflueger.de>:
> > Am Sat, 13 Oct 2012 19:06:06 +1100
> > schrieb Russell Coker <russell at coker.com.au>:
> > > 
> > >   * Label ~/.adobe(/.*)? as mozilla_home_t for flash
> > >   * Label /usr/sbin/opendkim as dkim_milter_exec_t
> > >   * Make postfix.pp not depend on unconfined.pp for "strict"
> > > configurations
> > >   * Label postalias as postfix_master_exec_t for newaliases
> > 
> > I split those into individual patches, checked upstream refpolicy
> > and fedora how it's done over there, modified some of the patches
> > slightly and committed the result into git.
> > 
> > >   * Allow watchdog_t to read syslog pid files for process watching
> > >   * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run()
> > > access
> > >   * Allow systemd_passwd_agent_t access to search selinuxfs and
> > > write to the console for getting a password for encrypted
> > > filesystems
> > >   * Label /sbin/xtables-multi (the new iptables) as
> > > iptables_exec_t
> > >   * Label /run/pm-utils(/.*)? as devicekit_var_run_t not
> > > hald_var_run_t
> > >   * Allow user_t to access mozilla_tmp_t
> > >   * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t
> > >   * Label port 5546 as dhcpc_port_t for the client control port
> > > and allow dhcpc_t to bind to it for TCP
> > >   * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
> > >     Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
> > >     Label /usr/lib/dovecot/(.*/)?lib.*\.so.* as lib_t
> > >     Closes: #690225
> > >   * Allow user_t etc to access mozilla_t classes
> > > shm and sem for sharing the sound device
> > 
> > I hope to get those split + checked + committed to git over the
> > next few days.
> > At the same time I will try to propose upstream what makes sense
> > there (mostly debian locations, I guess).
> 
> All patches split and checked vs. fedora/upstream. I changed very
> small things like correct alphabetical ordering etc. Additionally, I
> changed the "Label /usr/lib/dovecot/dovecot-lda as lda_exec_t" part to
> retain the labelling of /usr/lib/dovecot/deliver as this is nowadays
> still available as a symlink. You can find it all in git.
> 
> Those which made sense to submit upstream are submitted upstream,
> apart from the syslog pidfile watching. I understand too little of
> either syslog or watchdog to know if this belongs upstream or not.
> 
> If someone could upload version -12, I'd write an unblock request.

ping?
Are there some problems with the packaging? I could prepare the upload
and put it into mentors if time constraints are what are blocking the
upload of -12. On the other hand, I'm not sure that downloading from
mentors is less work than pulling the latest changes from git.

Cheers,

Mika

-- 
Own your own computer. Don't use Windows 7. <http://windows7sins.org>
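Most of the changelog items quoted in this thread are file-context changes, which refpolicy expresses as `.fc` lines (a path regex, an optional file-type flag such as `--` for regular files, and a `gen_context(...)` entry). The following Python is an added example, not code from this thread or from the Debian SELinux policy package: it parses a handful of constructed `.fc` lines that mirror the labels named above and reports which type a path would receive, so a packager can check that a new entry (for instance the `lda_exec_t` label kept for the `deliver` symlink) does what the changelog says before running `restorecon`. The `HOME_DIR` substitution and the "last matching spec wins" rule are simplifications of what `setfiles`/`matchpathcon` do, and the sample paths and lines are constructed for the example.

```python
"""Parse refpolicy-style file-context (.fc) lines and check which SELinux
type a given path would receive.  Added example to illustrate the labelling
changes discussed in the thread; it is not the Debian policy package's own
code and is not a replacement for matchpathcon/setfiles."""
import re

# Constructed sample .fc lines mirroring the labels named in the thread.
# They are illustrative, not copied from the Debian refpolicy git tree.
SAMPLE_FC = r"""
# path regex                        type  context
/usr/sbin/opendkim                  --    gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/lib/dovecot/auth               --    gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/lib/dovecot/dovecot-lda        --    gen_context(system_u:object_r:lda_exec_t,s0)
/usr/lib/dovecot/deliver            --    gen_context(system_u:object_r:lda_exec_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.*  --    gen_context(system_u:object_r:lib_t,s0)
/sbin/xtables-multi                 --    gen_context(system_u:object_r:iptables_exec_t,s0)
/run/pm-utils(/.*)?                       gen_context(system_u:object_r:devicekit_var_run_t,s0)
/usr/lib/kde4/libexec/.*            --    gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gvfs/.*                    --    gen_context(system_u:object_r:bin_t,s0)
HOME_DIR/\.adobe(/.*)?                    gen_context(system_u:object_r:mozilla_home_t,s0)
"""

CONTEXT_RE = re.compile(r"gen_context\(([^,()]+),([^()]+)\)")
# file-type flags used in .fc files: regular file, dir, symlink, char, block, socket, pipe
FILE_TYPES = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}


def parse_fc(text, home_dir="/home/user"):
    """Return a list of (compiled regex, file-type flag or None, context).

    HOME_DIR is refpolicy's placeholder for a user's home directory; here the
    caller supplies one concrete directory to substitute (a simplification of
    the real build, which expands it for every configured home root)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1] in FILE_TYPES:
            pattern, ftype, ctx = parts
        elif len(parts) == 2:
            (pattern, ctx), ftype = parts, None
        else:
            raise ValueError(f"cannot parse .fc line: {raw!r}")
        m = CONTEXT_RE.fullmatch(ctx)
        if m is None:
            raise ValueError(f"unexpected context syntax: {ctx!r}")
        pattern = pattern.replace("HOME_DIR", re.escape(home_dir))
        specs.append((re.compile(pattern), ftype, m.group(1)))
    return specs


def label_for(specs, path, ftype=None):
    """Return the SELinux type (third field of the context) for path, or None.

    Mirrors libselinux behaviour: the regex must match the whole path, and
    when several specs match, the last one in the file wins (refpolicy's
    build sorts specs so that more specific ones come later).  ftype, if
    given, restricts matching to specs carrying the same flag or no flag."""
    chosen = None
    for regex, spec_ftype, context in specs:
        if ftype is not None and spec_ftype not in (None, ftype):
            continue
        if regex.fullmatch(path):
            chosen = context
    if chosen is None:
        return None
    return chosen.split(":")[2]


def find_mislabelled(specs, expectations, ftype=None):
    """Compare expected types with what the specs produce.

    Returns a dict path -> (expected, actual) for every path whose computed
    label differs from the expectation; an empty dict means all good."""
    mismatches = {}
    for path, expected in expectations.items():
        actual = label_for(specs, path, ftype)
        if actual != expected:
            mismatches[path] = (expected, actual)
    return mismatches


if __name__ == "__main__":
    fc_specs = parse_fc(SAMPLE_FC)
    # Constructed paths for the check, including the retained deliver symlink.
    expected_labels = {
        "/usr/sbin/opendkim": "dkim_milter_exec_t",
        "/usr/lib/dovecot/deliver": "lda_exec_t",
        "/usr/lib/dovecot/libdovecot.so.0": "lib_t",
        "/home/user/.adobe/Flash_Player": "mozilla_home_t",
    }
    for p, (want, got) in find_mislabelled(fc_specs, expected_labels).items():
        print(f"{p}: expected {want}, got {got}")
```

On a real system the same check is done against the installed policy with `matchpathcon <path>` (or `restorecon -nv`), which also handles the per-home-directory expansion and the specificity sorting that this example only approximates.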