aioymaps (1.2.5-1) unstable; urgency=medium

  * Initial release. (Closes: #1136418)

ciftilib (1.6.0-8) unstable; urgency=medium

  * Team upload

  [ Sébastien Noel ]
  * Add patch to build with libxml++ 4.0 instead of 2.6 (Closes: #1121313)

  [ Jeremy Bícha ]
  * Add minimal debian/gbp.conf
  * Update Standards Version to 4.7.4

cmd2 (3.5.1+ds-2) unstable; urgency=medium

  * debian/rules: Fixed test_utils exclusion to avoid accidental exclusion
  * debian/tests/unittests: Ignored tests to correct regression problems

cmd2 (3.5.1+ds-1) unstable; urgency=medium

  * New upstream version 3.5.1+ds
  * debian/rules: skip ANSI tests failing with Rich >= 14 / Python 3.14

cmd2 (3.5.0+ds-1) unstable; urgency=medium

  * New upstream version 3.5.0+ds
  * debian/patches: Drop patch fixed in upstream
    - 003.fix-rich-color-system-dumb-terminal.patch
    - 004.fix-test-ansi-terminal-tty-mock-term.patch

dovecot (1:2.4.4+dfsg1-1) unstable; urgency=medium

  [ Luca Boccassi ]
  * [6261bfd] Install and use sysusers.d config file

  [ Noah Meyerhans ]
  * [9a7a738] Add tests for bug 1134464 regression
  * [6f1a08b] remove unreproducible TEST_DIR in dovecot-config
  * [185a225] New upstream version 2.4.4+dfsg1
    - CVE-2026-27851: lib-var-expand: Safe filter leaks to all following pipelines
    - CVE-2026-40016: Sieve :contains/:matches O(N×M) Substring Match Bypasses sieve_max_cpu_time Limit (130× Overrun)
    - CVE-2026-33603: login: Base64 input can contain tabs that bypass IPC protection
    - CVE-2026-40020: IMAP folders can be shared-spammed to everyone
    - CVE-2026-42006: imap-login: Excessive memory usage DoS
    (Closes: #1136444)
  * [a6c0328] settings: Use correct symbol STORAGE_LDAP in settings-get.pl
  * [874cea7] refresh patches
  * [a4af2a3] Fix test failures on 32-bit systems

emacs-cond-let (1.1.1-1) unstable; urgency=medium

  * New upstream release
  * Skip failing tests
    - Those are known issues upstream.

hyphen (2.8.9-3) unstable; urgency=medium

  * upload to unstable

hyphen (2.8.9-2) experimental; urgency=medium

  * debian/watch: point to GitHub and use v5 with Template: GitHub
  * debian/rules: build hyph_en_US.dic properly and disable tests on indep builds

hyphen (2.8.9-1) experimental; urgency=medium

  [ Debian Janitor ]
  * Set upstream metadata fields: Archive, Bug-Database, Bug-Submit, Repository, Repository-Browse.
  * Update standards version to 4.4.1, no changes needed.

  [ Rene Engelhard ]
  * New upstream version 2.8.9

node-rimraf (6.1.3-2) unstable; urgency=medium

  * Team upload
  * Upload to unstable

node-rimraf (6.1.3-1) experimental; urgency=medium

  * Team upload
  * Declare compliance with policy 4.7.4
  * Drop "Priority: optional"
  * New upstream version 6.1.3
    + bin moved from src/bin.ts to src/bin.mts
    + embed package-json-from-dist 1.0.1 (npm-only helper)

node-tshy (3.3.2+~cs6.0.2-2) unstable; urgency=medium

  * Team upload
  * Upload to unstable

node-tshy (3.3.2+~cs6.0.2-1) experimental; urgency=medium

  * Team upload
  * Declare compliance with policy 4.7.4
  * Embed components: jsonc-simple-parser, reghex
  * New upstream version

pciutils (1:3.15.0-2) unstable; urgency=medium

  * Remove obsolete lintian override for removed exit-in-shared-library tag.
  * Add bug-script for pciutils to recommend attaching «lspci -vvxxx» output as requested by upstream.
  * Add patch to remove «allows …» usage in man pages, warned by lintian.
  * Add patch to add groff hint to run the tbl preprocessor for pcilmr(8), warned by lintian.

python-whey (0.1.1-5) unstable; urgency=medium

  * d/rules: Skip tests requiring whey_conda and whey_pth unavailable in Debian

python-whey (0.1.1-4) unstable; urgency=medium

  * debian/control:
    - Bumped Standards-Version to 4.7.4
    - Remove redundant Priority field
    - Remove redundant Rules-Requires-Root
  * debian/manpage/whey.1: Update date in manpage
  * debian/patches:
    - debian/patches/001:
    - 0001: Update patch removed whey-conda dependency (not Debian)
    - 0003: Update line offsets in skip-function-error patch
    - 0004: Fixed deprecated license configuration in pyproject.toml
  * debian/watch: Update to version 5 format

refpolicy (2:2.20250213-13) unstable; urgency=medium

  * Source only upload for testing migration

refpolicy (2:2.20250213-12) unstable; urgency=medium

  [ Russell Coker ]
  * Fix for usbguard
  * Label /var/lib/dbconfig-common/sqlite3/sympa/sympa
  * Allow pam sessions to create wtmp.db-journal

refpolicy (2:2.20250213-11) unstable; urgency=medium

  * Added usbguard policy
  * Allow chromium to stat xattr filesystems, read xkb libs, and give fifo files to the window manager (to stop it crashing on paste)
  * Allow pulseaudio_client domains (including the $1_wm_t domains) to mmap the tmpfs files related to pulseaudio (for Chrome mostly)
  * Allow systemd_passwd_agent_t to watch user runtime dirs for systemd daemon restart
  * Allow dhcpd_t to execute ntpd_exec_t in ntpd_t for dhcp scripts and start generic units
  * Allow systemd-nspawn to use user terminal devices for directly running by sysadmin and allow managing mnt_t files

refpolicy (2:2.20250213-10) unstable; urgency=medium

  * Allow user_bubblewrap_t to transition to user_t via user_home_t and user_bin_t
  * Fixes for evolution, colord, dbus, wm, and xdm. Now the GNOME desktop is fully functional and sddm works as a graphical login.

refpolicy (2:2.20250213-9) unstable; urgency=medium

  * Allow sympa_t to signal itself, create udp sockets, and bind to a generic node
  * Fixed labelling for /var/log/opensnitchd.log.* and /var/cache/apt-xapian-index/*
  * Allow systemd-logind to receive fds from xdm - needed for SDDM to function
  * Labelled /usr/bin/efibootmgr as bootloader_exec_t
  * Labelled /usr/bin/screendump as screen_exec_t
  * Labelled /usr/sbin/veritysetup as lvm_exec_t
  * Add a user login for Debian-gdm that gets the xdm identity
  * Add some user_wm_t permissions for GNOME and PHOC logins, PHOC and KDE Plasma with gdm3 are fully functional and GNOME is mostly functional.
  * Add labels for /var/lib/lxc and /var/lib/misc/dnsmasq.[a-z0-9]+.leases

refpolicy (2:2.20250213-8) unstable; urgency=medium

  * Fix syntax errors
  * Allow dovecot_auth_t to map dovecot_runtime_t files
  * Allow mon_net_test_t to run netutils
  * removed unused interfaces fs_mounton_memory_pressure and userdom_watch_user_ttys
  * Remove systemd_logind_use_fds and use systemd_use_logind_fds instead
  * Allow dhcpc_t to list resolved runtime dir and stat generic units files
  * Allow systemd-logind and systemd-user-runtime-dir stat /proc as logind failing to do so can cause difficult to diagnose dbus issues with pam_login
  * Allow fwupd to signal itself

refpolicy (2:2.20250213-7) unstable; urgency=medium

  * Allow user systemd domains to list user tmp, watch root, read usr files, and create sockets for gpg_t and user_ssh_agent_t
  * Allow needrestart to list init var lib dirs
  * Allow dhcpc_t to connect to itself via a unix stream socket
  * Allow systemd_user_runtime_dir_t to unlink ssh_agent_tmp_t sock files
  * Allow systemd_machine_id_setup_t to send syslog messages

refpolicy (2:2.20250213-6) unstable; urgency=medium

  * Allow fail2ban to watch the audit log
  * Dontaudit needrestart statting device nodes and writing /var dirs
  * Allow needrestart to read vm overcommit sysctl and logind sessions, allow it to send signull to sshd and xdm, allow it to stat generic ptys
  * Allow semanage to read vm overcommit sysctl
  * Allow utempter to create dgram sockets and stat localisation files
  * Allow systemd-nspawn to read init runtime files (for MAC generation), to write to /dev/kmsg, to send syslog messages
  * Allow systemd-machined to create dirs of type systemd_machined_runtime_t under init_runtime_t, to see systemd-nspawn processes, to manage its runtime dirs, and to create and unlink runtime sock_files.
  * Add policy for opensnitch
  * Label /etc/kernel/entry-token as etc_runtime_t
  * Allow NetworkManager_t to read systemd networkd runtime and to get init status

refpolicy (2:2.20250213-5) unstable; urgency=medium

  * allow user_wm_t and similar domains the sys_nice capability.
  * Allow needrestart to signal all systemd --user processes
  * Make the dir type transition for var_lib_t when dpkg_script_t creates subdirs only apply to dirs named "ntpsec" to avoid breaking dkms postinst
  * Label /var/lib/dkms as src_t
  * Allow mozilla to talk to ntpd and systemd-logind via dbus
  * Allow systemd-logind to change ownership of dma_device_t
  * Allow policykit to get the systemd status
  * Allow sshd to create /var/lib/wtmpdb

refpolicy (2:2.20250213-4) unstable; urgency=medium

  * Allow chromium_t to start and get status of user_systemd_t
  * Allow user_dbusd_t to receive chromium_t file handles and write to them
  * Allow user_t to write chromium_t fifos
  * Allow accountsd_t to search init units
  * Allow cupsd_config_t to connect to cups via stream sockets and to send dbus messages to unconfined_t
  * Allow power_profilesd_t to dbus message devicekit power
  * Allow unconfined_t to inherit file handles from systemd_logind_t
  * Allow gpg_agent_t to read gpg_t files (process status)
  * Allow acpid to read logind sessions files
  * Give capability kill to needrestart
  * Label /var/lib/wtmpdb as faillog_t and allow pam_domain to manage faillog
  * Allow policykit_t to get status of transient units

refpolicy (2:2.20250213-3) unstable; urgency=medium

  * allow user_systemd_t to read logind state
  * allow ntpd to read the vm_overcommit sysctl
  * allow system_dbusd_t the kill capability and init read runtime files so the latest version of dbus-broker will work
  * Allow mon local tests to stat dos filesystems
    Allow mon_t to manage mon_var_lib_t dirs
  * Allow fail2ban client to read kernel overcommit sysctl
  * Added type labels for kea dhcp server
  * Allow modemmanager to setopt on netlink_route_socket
  * Allow dhcpc_t to get system status and read networkd runtime
  * Allow fwupd_t to bind and stat netlink route sockets, connect to its own tcp sockets, and stat its own udp sockets.
  * Lots of minor changes to dhcpd policy to support the new kea server
  * Added label for /run/lock/ntpsec-ntpdate and transition for initrc creation
  * Allow certbot to read vm overcommit sysctl
  * Label /usr/lib/openssh/sshd-auth needed by openssh-server 10.0p1-1

refpolicy (2:2.20250213-2) unstable; urgency=medium

  * add crio kubernetes openarc podman to the module exclusion list for handsets, previous version failed postinst on handsets

refpolicy (2:2.20250213-1) unstable; urgency=medium

  * 20250213 new upstream release.
  * Build-depend on sepol-utils for chkcon
  * Changed all depends and build-depends to 3.8 of all the SE Linux packages
    Biggest problem is that libselinux1 3.8 and libsemanage2 3.7 breaks install with "Re-declaration of role unconfined_r" .. "Failed to build AST"
  * Allow mon_local_test_t to get devicekit power information from dbus
  * As a temporary measure comment out the validateappconfig in the Makefile to work around a SEGV so we can build this without bugs in other packages getting in the way.

refpolicy (2:2.20250115-1) unstable; urgency=medium

  * Latest git policy
  * Allow needrestart to reload init
  * Label /etc/xdg/Xwayland-session.d/* as xsession_exec_t
  * Remove the etc_t label for /var/spool/postfix/etc as postfix_master_t needs to write to it and we don't want to grant write access to etc_t

refpolicy (2:2.20241211-2) unstable; urgency=medium

  * More systemd patches
  * Allow plymouthd to signal init
  * Add policy for needrestart

refpolicy (2:2.20241211-1) unstable; urgency=medium

  * Latest git policy
  * Allow gpsd_t to getsession
  * Run gdm-runtime-config as xdm_t
  * Allow fwupd_t to watch sysctl etc and fwupdmgr_t to manage dconf dirs
  * Add filetrans pattern for systemd_passwd_agent_t creating systemd_passwd_runtime_t dirs under systemd_user_runtime_t dirs
  * Label /usr/libexec/gnome-remote-desktop-daemon as xdm_exec_t

refpolicy (2:2.20241119-1) unstable; urgency=medium

  * Latest git policy
  * Allow systemd_binfmt_t to read usr files
  * Allow boinc_t to read vm sysctls
  * label the new qt6 sddm greeter

refpolicy (2:2.20241013-1) unstable; urgency=medium

  * Latest git policy
  * Build-depend on python3-setools >= 4.5.1 due to upstream changes in git refpolicy

refpolicy (2:2.20241008-1) unstable; urgency=medium

  * Latest git policy, types for /dev/dma_heap/* /dev/udmabuf /dev/userfaultfd
  * Allow ntpd_t to start and stop generic units for timedatectl set-ntp
  * Label /opt/microsoft/msedge/microsoft-edge
  * Remove sys_admin from cups

refpolicy (2:2.20240919-1) unstable; urgency=medium

  * Latest git policy, systemd changes mostly for namespace resourced
  * Allow bubblewrap to use user ttys
  * Allow systemd_machine_id_setup_t to write to kmsg and have dac_override capability for setting systemd.machine_id on the kernel command line. Without this you get system hangs on boot with systemd-boot.
  * Allow user_wm_t etc to send syslog messages.
  * Allow lvm_t access to class alg_socket for cryptsetup benchmark
  * Allow daemon domains to read-write initrc_t unix stream sockets

refpolicy (2:2.20240830-1) unstable; urgency=medium

  * Latest git policy, mostly container related changes
  * allow fwupd to write to fixed disks and fwupdmgr to dbus talk to network manager
  * Allow systemd_nspawn_t to sendto its own unix dgram sockets, search autofs mounts, and write to systemd notify socket
  * Give ndc_t access to anon_inode and io_uring
  * Label shared objects under /opt/brother/scanner/brscan5/ as lib_t
  * Added label for /usr/libexec/qemu/qemu-bridge-helper for version 1:9.0.2+ds-2 of qemu-system-common
  * Allow fwupd_t to get its scheduling, create udp sockets, and read sysnet config
  * Allow rasdaemon to write sysfs files for /sys/devices/system/memory/soft_offline_page
  * Allow bubblewrap domains to read sysctl_t for max_user_namespaces
  * Label /usr/sbin/fsidd as nfsd_exec_t

refpolicy (2:2.20240723-2) unstable; urgency=medium

  * Allow chromium_t execheap access which Chrome now needs, presumably for JIT
  * Allow systemd_coredump_t to read cgroup dirs.
    Dontaudit it for sys_admin capability
  * Allow all users to chat to fprintd via dbus
  * Allow boinc_t self getsched
  * Allow mysqld to read/write memory_pressure_t files
  * Label /usr/lib/openssh/sshd-session as sshd_exec_t for openssh-server >= 1:9.8p1-1

refpolicy (2:2.20240723-1) unstable; urgency=medium

  * Latest git policy which reorders many process permissions so lots of patches needed changes. Also added haproxy module
  * Label btrfs utility as fsadm_exec_t
  * Changed to debhelper-compat in build-depends
  * Allow virtd_t anon_inode access, to read cpuid, to watch etc dirs, also allow it to read vm sysctls
  * Allow virtlockd_t and virtlogd_t to self getsched, to create unix dgram sockets, to read sysfs files, to read kernel sysfs files, stat /proc, and log to syslogd
  * Allow systemd_generator_t to create vsock_socket objects
  * Added some policy for fprintd_t
  * Label nm-dispatcher as NetworkManager_exec_t
  * Allow user_systemd_t etc to do netlink_route_socket operations (needed for KDE login)
  * Allow systemd_logind_t to search its own proc dirs

refpolicy (2:2.20240607-1) unstable; urgency=medium

  * Latest git policy with patches needed for latest systemd
  * Allow apt to setattr its lib dirs, map its cache, getsched for itself, and manage apt_tmp_t link files
    Allow apt to read init state for ischroot
  * dontaudit apt net_admin because of buffer tweaking
  * Allow dpkg_script_t to map the man cache, read the apt cache, watch passwd runtime dirs, sys_resource capability, setrlimit, getattr procfs, relabel non auth files, read fonts, stat tmpfs, and be a system bus client
  * Allow dpkg and dpkg_script_t to read selinux status and file contexts
  * Allow apt_t to receive logind fds and write to logind pipes
  * Allow plymouth_t the checkpoint_restore and to signal init
  * Allow systemd_backlight_t to talk to polkit and unconfined domains via dbus, and read localisation files
  * Made /usr/lib/kauth/libexec/backlighthelper run in systemd_backlight_t
  * Allow networkmanager to watch its main config dir
  * Allow systemd_t to send dgrams to itself - needed for GUI login with latest systemd setup. Allow it to statfs /proc and stat /usr files

refpolicy (2:2.20240415-1) unstable; urgency=medium

  * Latest git policy, works with latest systemd
  * Allow eg25manager_t to use pipes
  * Allow kernel_t the new capability2 checkpoint_restore permission
  * Added label for /var/lib/phog - xdm greeter
  * Added labels for ms-edge
  * Include module iiosensorproxy for laptops as touch screens need it
  * Allow systemd_locale_t to read SE Linux config
  * Give unconfined domains the checkpoint_restore capability
  * Allow devicekit_disk_t to read generic certificates
  * Allow local_login_t to receive file handles from systemd-logind, and read apt db
  * Allow sshd to stat the systemd notify socket
  * Allow systemd_resolved to write to systemd notify socket
  * Allow users anon_inode { create read write map } for user mysql etc

refpolicy (2:2.20240202-1) unstable; urgency=medium

  * label /run/boltd
  * label /etc/letsencrypt/renewal-hooks files as bin_t
  * Add label for /usr/lib/chromium/chrome_crashpad_handler
  * Enabled module hostapd
  * Changed fwupd policy to have a separate domain for fwupdmgr
  * Lots of policy needed to support login with the latest systemd-user
  * Latest git policy

refpolicy (2:2.20231119-2) unstable; urgency=medium

  * Allow initrc_t to mounton memory_pressure_t files
    Hopefully the last thing needed to make the latest systemd work correctly

refpolicy (2:2.20231119-1) unstable; urgency=medium

  * new git ver
  * systemd 255~rc2-1 in unstable uses initrc_t to launch daemons so needed transition rules for that, initrc_t needs to watch unallocated ttys as part of the getty launch operation, and it needs nnp_transition to all daemon domains for the combination of systemd restrictions on privileges and SE Linux domain transition. Also domains need access to unix_stream_socket file handles created by initrc_t. Systemd versions after 254.5-1 break badly without this.

refpolicy (2:2.20231010-1) unstable; urgency=medium

  * new git ver
  * Added more checks for "hostnamectl chassis" output, container is vm, convertible/watch/embedded are considered as handset for now, and server has an entry.

refpolicy (2:2.20230929-1) unstable; urgency=medium

  * new git ver
  * Upstream merged powerprofiles and rasdaemon and anti-spam and motd patches
  * Changed preinst to work when /etc/selinux/config doesn't exist

refpolicy (2:2.20230919-1) unstable; urgency=medium

  * new git ver
  * Upstream merged eg25manager, iiosensorproxy, lowmemorymonitor, switcheroo, and thunderbolt

refpolicy (2:2.20230821-1) unstable; urgency=medium

  * new git ver
  * Add policy for Mobian
    Allow system_r:init_t:s0 to transition to user context xdm_r:xdm_t:s0 for systemd --user
    Add consolesetup, eg25manager, feedbackd, geoclue, and iiosensorproxy policy modules for Mobian
    Lots of other policy changes related to Mobian
  * Added msdos_t label for exfat
  * Add bubblewrap, container, and docker modules
    Consider bubblewrap experimental at this time
  * Add support for relabelling files on policy package changes to file contexts, made the policy packages depend on policycoreutils >= 3.5-2 for /usr/libexec/selinux/remove-leaf-dirs
  * Use -19 and -T0 for zstd for policy source
  * Use "hostnamectl chassis" to determine list of default policy modules, exclude many things from "handset".

refpolicy (2:2.20221101-10) unstable; urgency=medium

  * Team upload.

  [ Christian Göttsche ]
  * d/patches: drop addition of existent file context (Closes: #1038968)
  * d/tests: simulate policy building
  * d/rules: validate build policy (Closes: #1030804)

  [ Vagrant Cascadian ]
  * debian/rules: Pass arguments to tar to use a consistent uid and gid. (Closes: #1030057)

  [ Laurent Bigonville ]
  * debian/control: Bump Standards-Version to 4.6.2 (no further changes)

refpolicy (2:2.20221101-9) unstable; urgency=medium

  * Added git and thunderbird to the not default modules list
  * Add filetrans to make dpkg_script_t create /var/lib/ntpsec/ as ntp_drift_t
    also add fc entry for /var/lib/ntpsec
  * Allow ndc_t to read vm_overcommit_state and sysfs files
  * Dontaudit certbot_t net_admin capability, it doesn't need to change network stuff, probably changing buffer sizes.
  * Allow aptcacher_t to getsched for itself
  * Allow boinc_t to connect to unconfined stream sockets for X access
  * Allow systemd_locale_t to talk to unconfined users by dbus
  * Allow xdm_t to talk to systemd-locale via dbus
  * Allow systemd_generator_t to manage files and dirs of type systemd_user_runtime_unit_t and to read crypto sysctls
  * Dontaudit writing to lib dirs for fail2ban_t and fail2ban_client_t for python attempts to generate cache files
  * Dontaudit mysqld_safe (mysql startup script) attempts to write to root dir
  * Change all toolchain dependencies to >= version 3.4
  * Allow jabberd_domain to create jabberd_var_lib_t:sock_file for prosody
  * Allow dkim_milter_t and clamd_t to get their own scheduling status
  * Allow auditd_t to map its config files to avoid recursion when dontaudit rules are disabled
  * Allow groupadd_t to stat /proc
  * Allow matrixd_t to read sysfs for CPU information
  * Give postfwd_milter_t kill capability
  * Allow unconfined domains the self:anon_inode access. Also allow them to manage dirs in their own domain, Chrome does this
  * Allow the postfix_map_t domain to read /dev/urandom
  * Allow mozilla to bind UDP generic nodes, write dbus session runtime sockets, read device sysctls for video hardware specs, and map its cache files.
  * Allow fsadm_t to write to boot_t for fstrim
  * Gave nfsd_t the lease capability, taking leases on files is necessary
  * dontaudit bootloader_t accessing /dev/mem, mdadm does this for some reason but doesn't need it
  * Allow fwupd_t to read the vm overcommit sysctl
  * Allow setfiles_t to read the vm overcommit sysctl
  * Allow vnstatd_t to read urandom

refpolicy (2:2.20221101-8) unstable; urgency=medium

  * Fix automated tests error on cron.if line 118 mismatched quotes.

refpolicy (2:2.20221101-7) unstable; urgency=medium

  * new upload due to signature problems

refpolicy (2:2.20221101-4) unstable; urgency=medium

  * Allow sshd_t to read var_lib_t files for motd generation
  * Allow systemd_binfmt_t to statfs binfmt filesystems
  * Allow systemd_nspawn_t all_unix_dgram_socket_perms to itself
  * Allow groupadd_t to read sysctl_kernel_t files
  * Allow local_login_t to read pam motd files
  * Allow nfsd_t to read directories of RPC file system pipes
  * Allow mysqld_t (Mariadb) to create map read write anon_inode objects it creates
  * Allow kmod_t to read modules_conf_t symlinks, for DKMS
  * Remove unused debian/gen-deps.sh script.
    Change to Debhelper compat level 13
    Removed an attempt to delete a non-existent pyplate.pyc file
    Changed to zstd for selinux-policy-src and stopped using a variable for compression options. Why do we even have selinux-policy-src?
    Removed unneeded build depends and changed the SE Linux build depends to version >=3.4
    Change VCS to Vcs in debian/control
    Change lintian overrides to match new format
    Change build to not need root
    Tell Lintian to ignore some very long lines in source
    Fix copyright URLs
    Removed trailing whitespace in changelog
    Use kernel_load_module(brctl_t) instead of just adding a capability
    Add autopkgtest. Closes: #1012841

refpolicy (2:2.20221101-3) unstable; urgency=medium

  * Add auth_write_pam_motd_files() interface for writing to /run/motd.d and correctly label /run/motd.d
  * Add policy for fwupd (firmware update)
  * Allow groupadd_t to search kernel fs sysctls
  * Allow rasdaemon to read sysfs_t
  * Allow systemd_machined_t to talk to policykit via dbus
  * Allow systemd_locale_t to write to /run/systemd/notify
  * Allow systemd_sysctl_t and systemd_tmpfiles_t to search ramfs
  * Allow systemd_generator_t udp setopt and sysnet_read_config for postconf
  * Allow systemd_generator_t to stat usr_t files
  * Allow systemd_modules_load_t to search debugfs
  * Allow systemd_sysusers_t to use apt ptys
  * Allow acpid to getsched
  * Add support for /run/motd.d/
  * Allow Chrome to read sysctl_dev_t and write to dbus session runtime socket.
    Label the Chrome libvulkan.so.1 file as lib_t
  * Allow systemd_logind_t to delete user tmpfs files and manage tmpfs dirs
  * Allow systemd_locale_t to talk to unconfined via dbus

refpolicy (2:2.20221101-2) unstable; urgency=medium

  * Allow $1_dbusd_t to create sock_files under /tmp
  * Remove the deprecated interfaces that had been in Bullseye
  * Allow $1_wm_t to read/write input devices and use logind fds
  * Added systemd_dbus_chat_locale() and allowed xdm and user domains to do it.
  * Allow user domains to unlink xdm_tmp_t socket files
  * Allow systemd-coredump, chkpwd_t, and setfiles_t to statfs /proc
  * Label /usr/lib/NetworkManager/nm-dispatcher* as NetworkManager_exec_t
  * Label /sbin/fstrim as fsadm_exec_t
  * Allow setfiles_t to read bin_t links
  * Make ssh_sysadm_login default to true. Closes: #1012755
  * Allow fsadm_t to statfs cgroup filesystems and to read /proc/1/environ for systemd-fsckd. Also dontaudit net_admin capability for systemd-fsckd trying to change buffer sizes.
  * Allow systemd_sysusers_t to use inherited user terminals and inherit file handles from unconfined_t and give it domain_obj_id_change_exemption()
  * Made init_runtime_t an init unit file, for automatically generated units

refpolicy (2:2.20221101-1) unstable; urgency=medium

  * New upstream release
  * Label /lib/systemd/systemd-fsckd as fsadm_exec_t

refpolicy (2:2.20220520-5) unstable; urgency=medium

  * label apt.systemd.daily and apt-helper as apt_exec_t for systemd cron jobs
  * Allow apt_t to get init, systemd-networkd, and network-manager unit status
  * give systemd_generator_t access to nfsd_fs_t files and systemd_transient_unit_t dirs
  * Allow kmod_t to read ssl generic certs
  * Allow systemd_machined_t to get status of systemd_transient_t units

refpolicy (2:2.20220520-4) unstable; urgency=medium

  * Add label for /etc/dkimkeys Closes: #900188
  * Allow chronyd_t to send unix datagrams to unconfined_t and gave it dac_read_search Closes: #962223
  * Allow firewalld_t to do netlink_netfilter_socket access, watch firewalld_etc_rw_t dirs, and read generic certs
  * Allow init_t to watch for reads on console_device_t for autorelabel processing.

refpolicy (2:2.20220520-3) unstable; urgency=medium

  * Allow systemd_passwd_agent_t to stat /proc and read sys/kernel/cap_last_cap
  * Allow systemd_backlight_t to stat sysfs and read SE Linux contexts
  * Allow systemd_logind_t to read localization.
  * Allow lvm_t to read generic certificates for systemd-cryptsetup
  * Allow systemd_logind_t to read udev runtime links
  * Allow systemd-udevd to manage cgroup files
  * Allow systemd_machined_t, systemd_locale_t, lvm_t, systemd_binfmt_t, and systemd_backlight_t to statfs /proc
  * give the sys_resource capability to systemd_sysctl_t
  * Allow chromium to read the vm_overcommit sysctl
  * Allow systemd_binfmt_t to check executable status of bin files and search cgroup dirs

refpolicy (2:2.20220520-2) unstable; urgency=medium

  * Added label for /usr/sbin/nfsdcld and gave nfsd_t setpcap capability
  * Allow syslogd_t to relabel from/to systemd_journal_t
  * Created 0002-upstream patch file for changes that are in the upstream git

refpolicy (2:2.20220520-1) unstable; urgency=medium

  * new upstream release

refpolicy (2:2.20220403-3) unstable; urgency=medium

  * little policy fixes
  * Changed build-depends from libsepol1 to libsepol2

refpolicy (2:2.20220403-2) unstable; urgency=medium

  * Allow init to watch_reads on terminal devices
  * Allow init_t to mounton files of type init_t
  * Label /usr/share/unattended-upgrades/* as bin_t
  * Allow systemd_backlight_t to search cgroup dirs
  * Allow lvm_t to getattr a cgroup filesystem
  * Make init_t file handles inheritable by most domains because systemd opens devices for getty
  * Make xdm_r the default role for SE Linux user xdm

refpolicy (2:2.20220403-1) unstable; urgency=medium

  * New package based on git. Will have another proper release soon.
  * Lots of Debian policy upstreamed.
  * Depend on the latest versions of the libraries.

refpolicy (2:2.20210203-11) unstable; urgency=medium

  * Add boolean for BOINC GPU/X
  * Added labelling for some storage character devices and for /usr/sbin/mkinitramfs
  * Some minor changes to mon and systemd-nspawn policy
  * Allow systemd_generator_t to execute all entry types
  * Give fsetid capability to certbot
  * Tweak matrixd and mailman policy for upstream submission
  * Fixes for sympa policy

refpolicy (2:2.20210203-10) unstable; urgency=medium

  * Team upload.
  * debian/control: Adjust the (build-)dependencies for the userspace 3.3 release

refpolicy (2:2.20210203-9) unstable; urgency=medium

  * Label /opt/google/chrome/chrome_crashpad_handler and /opt/google/chrome/crashpad_handler as chromium_exec_t
  * Allow kmod_t to manage bootloader_tmp_t files and allow bootloader_t to create and delete /dev/null (for initramfs). Also allow bootloader_t to read udev rules and network config.
  * Merged patches from Topi Miettinen for building only one flavour and for correctly making a list of modules even when building is asynchronous.
  * Added patch for /usr/libexec/sssd/sssd_.+ from Sam Morris.

refpolicy (2:2.20210203-8) unstable; urgency=medium

  * Label /etc/ppp/ip-pre-up as pppd_initrc_exec_t
  * Allow wireshark to rw DRI devices, read crypto sysctls, rw the xserver mesa shader cache, read the kernel network state, have execmem access (probably needed for one of the many shared objects it uses), have setsched access, execute lib files (for its helper programs), manage xdg config files (gives warning if it can't do this), manage xdg cache, and read xdg data files.
  * Allow acngtool_t the dac_override capability for managing log files
  * Allow pppd to connect create and ioctl pppox_socket and allow it to map pppd_runtime_t files.
  * Allow kmod_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin login on boot failure)
  * Allow ntpd_t to start and stop generic units when systemd is used, for systemd-timesyncd.

refpolicy (2:2.20210203-7) unstable; urgency=medium

  * Allow certbot to create /var/log/letsencrypt and /var/lib/letsencrypt
  * Label /etc/wide-dhcpv6/dhcp6c-ifupdown /etc/wide-dhcpv6/dhcp6c-script /etc/dhcp/dhclient-enter-hooks.d/* and /etc/dhcp/dhclient-exit-hooks.d/* as bin_t.
  * Allow mon_local_test_t to run smartctl in fsadm_t for megaraid and other corner cases and allowed fsadm_t to read fsdaemon_var_lib_t. Dontaudit fsadm_t inheriting file handles from mon_t.
  * Allow fsadm_t to do a file type trans for creating /dev/megaraid_sas_ioctl_node
  * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read cgroup files. Needed for JRE 17

refpolicy (2:2.20210203-6) unstable; urgency=medium

  * Add policy for cockpit web admin tool
  * Fixes for puppet policy
  * Allow system_mail_t to be in role unconfined_r for upgrades of the exim packages
  * Allow more spamd_log_t access if boolean rspamd_spamd is enabled
  * Allow httpd_sys_script_t to rw sympa_var_t dirs and manage sympa_var_t files, and to read sympa conf files.
    Also allow it to read generic certs for sympa and also for lots of other things
    Allow httpd_t to read sympa conf files, read sympa var files, manage sympa runtime files, and manage sympa runtime sockets
    Allow sympa to send signull to itself
  * Allow certbot to search xdg dirs, don't know what it's trying to do but searching doesn't do any harm and makes it easier to discover what's happening.
  * Allow postgresql to read tls privkey
  * Give systemd_nspawn_t the audit_control capability
  * Allow devicekit_disk_t to read logind sessions and write inherited logind inhibit pipes
  * Give capability kill to inetd_t so it can kill child processes under different uids
  * Allow chromium_naclhelper_t process access setcap and signal and cap_userns access sys_admin and sys_chroot. Allow chromium_t to read alsa config.

refpolicy (2:2.20210203-5) unstable; urgency=medium

  * Add policy for rasdaemon
  * Made mta_manage_mail_home_rw_content() include mail_home_rw_t:file watch access, needed by dovecot_t and probably others in future
  * Allow restorecond to watch selinux_config_t files.
  * Allow *_wm_t domains (for window manager processes) to watch xdg_config_t files and to execmod wm_tmpfs_t files (stops kwin_x11 SEGV)
  * Allow systemd_tmpfiles_t to relabel colord var lib files and dirs
  * Allow smbcontrol_t to map samba_runtime_t files and send unix datagrams to smbd processes
  * Allow systemd_user_runtime_dir_t to delete all user runtime sock files and manage pulseaudio_tmp_t dirs
  * Allow system_cronjob_t to manage var_lib dirs
  * Allow dovecot to create ~/mail directories.
  * Label /usr/share/mailman3-web/manage.py as mailman_queue_exec_t
    Allow mailman_queue_t to read usr files and to create its own tmpfs files and allow it to map mailman_data_t files
  * Added systemd policy from upstream git as of 31st Mar to the upstream patch
  * Label /usr/bin/rspamd file not /usr/bin/rspamd symlink
    label /var/log/rspamd(/.*)? as spamd_log_t.
    Allow spamd_t self execmem access when rspamd_spamd.
Label port 11333 as spamd_port_t for rspam. * Label /usr/lib/courier/imapd.* and /usr/lib/courier/pop3d.* as courier_pop_exec_t. Allow courier_pop_t to read generic certs, manage courier_var_lib_t files, bind to POP ports, execute courier_exec_t and courier_tcpd_exec_t programs, and map courier config files. Grant courier_pop_t the fowner and chown capabilities (for managing user mail) but dontaudit the fsetid capability. Grant courier_pop_t the setrlimit process access so it can set it's own resource limits. Allow courier_authdaemon_t to search SE Linux default contexts (needed by pam before using unix_chkpwd) and allow it to stat proc files. * Add sympa policy * Allow exim_t to read/write tmp files inherited from cron. Allow exim_t the dac_read_search capability. * Allow apache to map user content files when httpd_read_user_content is set. Label /usr/lib/w3m/* as httpd_sys_script_exec_t * Dontaudit fsdaemon_t capability net_admin (probably setting buffer size) refpolicy (2:2.20210203-4) unstable; urgency=medium . * Allow ntpd_t to get the status of generic systemd units * Allow kernel_t self:perf_event cpu. * Allow chromium to watch network manager runtime dirs (for resolv.conf) Allow chromium to run naclhelper with nnp_transition Allow chromium to watch root dirs Allow chromium to read/write unix sockets from the calling domain * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make mon_local_test_t and systemd_logind_t not have getattr access to tmpfs files audited. * Allow systemd_user_runtime_dir_t to unlink device nodes of type user_tmp_t, they probably should not exist, so it's in the hacks patch. * Allow the acngtool to read random and urandom devices and search fs sysctls * Add wm_write_xdg_data tunable to allow user_wm_t etc to write xdg data. 
* Allow chromium to watch gnome_xdg_config_t dirs * Label pinentry programs as gpg_agent_exec_t and allow gpg_agent_t to exec them * Create new admin_mail_t domain so that newaliases can work with Postfix * Added a transition rule so that vipw/vigr gives the right context for /etc/passwd and /etc/group * Allow acngtool_t to read /proc/sys/kernel/random/uuid * Allow unconfined domains lockdown confidentiality and integrity access * Allow netutils_t netlink_generic_socket access for tcpdump * Allow smbcontrol to create a sock_file in a samba run dir * Allow mailman_queue_t to bind to all unreserved TCP ports * Allow systemd_coredump_t to mmap all executables and to have cap_userns sys_ptrace access. dontaudit systemd_coredump_t capability net_admin * Allow mailman_queue_t to connect to port 443 refpolicy (2:2.20210203-3) unstable; urgency=medium . * Add policy for blkmapd which is part of nfs service (included in upstream) * Add interfaces systemd_search_user_runtime() * Allow systemd_user_runtime_dir_t to unlink dirmngr sock files * Allow sshd_t to talk to systemd_nspawn_t via Unix sockets * Allow syslogd_t to search systemd_user_runtime_t dirs * Allow acpid_t to rw input device files * Allow restorecond_t to watch all dirs * Allow mailman_queue_t to search the cron spool dir, also allow it to be started as a daemon and to write mailman pid files * Included upstream git patches for latest systemd features, this may save some pain when Bullseye+1 is released * Allow systemd-nspawn to mount on and manage more things when systemd_nspawn_labeled_namespace is on. 
* Allow smbcontrol_t to talk to itself via Unix domain sockets * Add policy for postfwd * Allow aptcacher_t to read urandom and random devices and to read kernel sysctls * Label /usr/lib/x86_64-linux-gnu/libexec/* as bin_t for KDE/sddm login Allow user to execute and execmod user tmpfs files, for KDE Allow user to write to user_runtime_t sock files * Add policy to run the certbot --nginx which runs nginx, doesn't work in all situations but should cover the common cases. * Set label for /usr/bin/redis-check-rdb (redis server binary in Debian) and allow redis to read certs and read vm and net sysctls. refpolicy (2:2.20210203-2) unstable; urgency=medium . * lots of little policy changes refpolicy (2:2.20210203-1) unstable; urgency=medium . * Allow unconfined_u and sysadm_u to access other identities. * New upstream release! refpolicy (2:2.20210130-1) unstable; urgency=medium . * new archive from git * More Debian stuff upsteamed * Added some filetrans rules to assign the right types when postinst scripts don't label things. refpolicy (2:2.20210126-1) unstable; urgency=medium . * new archive from git, upstream changes include removing unused modules * More Debian stuff upsteamed * Remove: abrt callweaver ccs certmaster certwatch cipe clockspeed clogd consoletype dcc ddcprobe denyhosts dspam firstboot howl imaze jockey ktalk lockdev lsm mailscanner mcelog oav polipo pyicqt resmgr rhcs rhsmcertd ricci rpm vhostmd * Don't enable by default: amtu bugzilla condor * Added SE Linux "user" named xdm for the "sddm" Unix account to be used by the sddm greeter process. This makes the greeter run as xdm_t instead of unconfined_t. refpolicy (2:2.20210120-1) unstable; urgency=medium . * New archive from git * Some Debian stuff upstreamed * Lots of little changes refpolicy (2:2.20210115-1) unstable; urgency=medium . * New archive from git * Added matrixd policy * Fixed the crontab problem refpolicy (2:2.20210112-1) unstable; urgency=medium . 
* New archive from git * Lots of policy fixes for Debian/Unstable refpolicy (2:2.20201221-1) unstable; urgency=medium . * New archive from git refpolicy (2:2.20200502-1) unstable; urgency=medium . * New archive taken from upstream git. Will base it mostly on git for the development leading to Buster and then take the latest upstream release shortly before release. * Lots of new policy patches. * Make it depend and build depend on version 3.0 of all libraries * Makde the default_contexts have sysadm_r with a higher preference than staff_r for sshd_t * Made dbus a base module refpolicy (2:2.20190201-9) unstable; urgency=medium . * Some more small policy fixes refpolicy (2:2.20190201-8) unstable; urgency=medium . * Team upload. * debian/patches/0001-remove-incorrect-usage-of-is.patch: Fix FTBFS with python 3.8 (Closes: #954510) refpolicy (2:2.20190201-7.1) unstable; urgency=medium . * Non-maintainer upload. * source only upload to enable migration (Closes: #954018) refpolicy (2:2.20190201-7) unstable; urgency=medium . * Allow sysadm_r to bypass UBAC checks (experimental) * Make cron work for sysadm_t * Minor policy changes refpolicy (2:2.20190201-6) unstable; urgency=medium . * debian/rules: Cleanup the support/__pycache__ directory when building the selinux-policy-src package * debian/rules: Set the timezone to UTC before creating the selinux-policy-src tarball, that should make it reproductible refpolicy (2:2.20190201-5) unstable; urgency=medium . * Team upload. 
* Bump Standards-Version to 4.4.0 (no further changes) * debian/control: Remove the package (-1) revision from the {build-}dependencies, to please lintian * Drop debian/source/lintian-overrides, the postrm perl scripts are gone for a long time, not sure why these overrides were reintroduced * debian/rules: Do not call dpkg-parsechangelog explicitly to get a reproductible build time but rely on SOURCE_DATE_EPOCH variable * debian/watch: Fix the URL now that the project has been relocated refpolicy (2:2.20190201-4) unstable; urgency=medium . * Policy update, lots of little things and allows the signull access that systemd-journal from the latest systemd wants. refpolicy (2:2.20190201-3) unstable; urgency=medium . * Added policy for apt-cacher and apt-cacher-ng * Added policy for memlockd * Added type alias rules so you can upgrade from Stretch policy without a reboot if you manually relabel. * Lots of little changes too refpolicy (2:2.20190201-2) unstable; urgency=medium . * Lots of little changes, many for strict configuration. * Added policy for certbot AKA letsencrypt. refpolicy (2:2.20190201-1) unstable; urgency=medium . * New upstream, lots of Debian patches upstreamed. * More systemd support (moving target). * New upstream Chromium/Chrome policy. * Add xserver_allow_dri tunable for most X server programs to get DRI access. refpolicy (2:2.20180701-1) unstable; urgency=medium . * New upstream policy. * Depend on version 2.8 of utils. * Build new xdg module for X data types. * Lots fo policy changes refpolicy (2:2.20180114-5) unstable; urgency=medium . * Updated everything in debian/control to refer to version 2.7 of SE Linux packages. * Lots of little policy changes. refpolicy (2:2.20180114-4) unstable; urgency=medium . * Team upload. 
* debian/control: Point Vcs-* fields to new (salsa) machine * debian/control: Bump Standards-Version to 4.1.4 (no further changes) * debian/control: Bump debhelper build-dependency version to 11 to match debian/compat version * debian/control: Bump python {build-}dependencies to python3 (Closes: #900285) * debian/rules: Drop --parallel flag passed to dh command, this is the default with debhelper >= 10 * debian/control: Bump Priority of selinux-policy-mls to optional, Priority extra is now deprecated * debian/policygentool: Port to python3 * debian/patches/python3-buildsystem.patch: Port the buildsystem to use python3 * Drop debian/source/lintian-overrides, overrides not used anymore refpolicy (2:2.20180114-3) unstable; urgency=medium . * Added git patch for 20180319. * Added git patch for 20180419, fixes lots of typos which changes the way things work. Also adds sctp protocol support. * Added git patch for 20180519. * Build-depend on version 2.7-2 of checkpolicy and libsepol1-dev and Depend on version 2.7-2 of libsepol1 for sctp support. * Changed all Build-depends and Depends to version 2.7 from 2.5 and 2.6 because there's no reason to try to build against ancient versions and we don't want to deal with annoying bugs later. * Allow mon_t to read generic certs for using SSL for notifications * Allow systemd_nspawn_t the mcs_killall if systemd_nspawn_labeled_namespace is enabled * Allow udev_t to run iptables in iptables_t * Some other little systemd stuff refpolicy (2:2.20180114-2) unstable; urgency=medium . * Included changelog entry 2:2.20161023.1-10 refpolicy (2:2.20180114-1) unstable; urgency=medium . * New upstream 2.20180114 with patch from git version 2.20180220. Took that patch because a lot of it was policy I developed. * Delete the deprecated macro mmap_file_perms, anyone who uses this should change to mmap_exec_file_perms instead. Closes: #885771 * Now build-depend on recent toolchain. 
Closes: #875546 * Removed typebounds patch that upstream didn't like, seems to work ok without it now, but we can use nnp_transition if necessary. refpolicy (2:2.20171228-1) unstable; urgency=medium . * New upstream from git with lots of Debian patches merged. This policy is not a candidate for Buster or anything, I'm uploading it to facilitate SE Linux development. The next time Tresys make an official release I'll put it in Debian Git and make it a candidate for Buster. * Removed authbind policy * Set WERROR=y to remove deprecated interfaces * Enable UBAC for mcs policy * Use compat level 11 refpolicy (2:2.20161023.1-10) unstable; urgency=medium . * Add patch for typebounds. This patch was rejected upstream, to quote Chris PeBenito: NAK. This has already been fixed with the upcoming nnp_transition nosuid_transition permissions in refpolicy. I'm afraid distros will have to carry policy patches until they can roll out kernels that support these permissions. https://marc.info/?l=selinux&m=150151037511601&w=2 Closes: #874201 * Allow systemd-tmpfiles to delete /var/lib/sudo files. Closes: #875668 * Allow brctl to create files in sysfs and correctly label /usr/lib/bridge-utils/.*\.sh Closes: #875669 * Give bootloader_t all the access it needs to create initramfs images in different situations and communicate with dpkg_t. Closes: #875676 * Allow dnsmasq_t to read it's config dir Closes: #875681 * Build-depend and depend on version 2.7 of tools and libraries. * Allow systemd_tmpfiles_t to manage lastlog_t Closes: #875726 * Allow udev_t to talk to init via dbus and get service status in strict configuration Closes: #875727 refpolicy (2:2.20161023.1-9) unstable; urgency=medium . 
* Dontaudit dkim_milter_t binding to labeled udp ports * Allow passwd_t to inherit fd from unconfined_t for package scripts * Allow httpd_sys_script_t to talk to itself via unix datagrams and send syslog messages * Allow logwatch_mail_t to rw system_cronjob_t pipes Allow logwatch_t to run mdadm * Label /etc/postfixadmin as httpd_config_t * Allow system_cronjob_t to create directories under /tmp * Allow spamass_milter_t to read the overcommit sysctl * Allow unconfined domains the capability2:wake_alarm. * Added ~/DovecotMail to the list of mail_home_rw_t directories * Allow systemd_logind_t to get dpkg_script_t process state and talk to it via dbus * For https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933 allow udev_t to read default_t. Still need that udev bug fixed! refpolicy (2:2.20161023.1-8) unstable; urgency=medium . * Fixed mistake in previous changelog (attributed a -7 change to -6) * Label /usr/sbin/apache2ctl as well. Allow apache to read overcommit sysctl * Allow clamd_t to read the overcommit sysctl * Allow postfix_postdrop_t to write to postfix_public_t socket, allow postfix_master_t to bind to udp generic nodes * Allow dovecot_auth_t to write to dovecot_var_run_t fifos and read selinux config (needed for pop/imap login) * Allow mon local tests to search /var/spool/postfix and autofs mountpoints, and to read nfs content. Allow mon net tests to read certs. dontaudit when mon local tests try to stat tmpfs files. Allow mon local tests to access /dev/xconsole and search mnt_t and boot_t * Allow mount_t to getattr nfs filesystems and manage mount_var_run_t dirs and files * Allow setfiles_t to getattr nfs filesystems. 
* Allow postgrey_t to exec bin_t files, to read netlink_route_sockets, and to access udp sockets * Allow login programs to share fds with systemd_passwd_agent_t * Allow postfix_master_t to stat the spamass_milter_data_t dir * Allow dpkg_script_t to tell init_t to stop services * Allow initrc_t to tell init_t to halt and get system status - allows poweroff!!! * Make port 8953 be rndc type for unbound. * Lots of policy for systemd_nspawn_t * More policy for systemd_coredump_t to do what it wants * Allow dkim_milter_t to read vm overcommit sysctl * Allow mandb_t to search init pid dirs for systemd * Allow initrc_t to reload systemdunit types * Make init_manage_all_units() include file:getattr access * Allow logrotate to init_manage_all_units for restarting daemons, to stat tmpfs filesystems, to get init system status, and capability net_admin that systemctl wants * Allow network manager to inherit logind pids * Allow devicekit_power_t to search init pid dirs * Allow named to read vm sysctls * Allow mysqld_safe_t to read dpkg db, it inherits cwd from dpkg_script_t alow is to read sysfs and kill mysqld_t Make mysql_signal interface include signull permission and grant that to logrotate * Allow rpcd_t to write /proc/fs/lockd/nlm_end_grace * Make apache use the new interfaces for nfs access and to read httpd_var_lib_t symlinks. Allow httpd_sys_script_t to search init pid dirs * Allow auth to send sigchild to xdm * Allow chkpwd_t to getattr the selinuxfs * Allow system_cronjob_t net_admin capability, manage acct data, and manage initrc services * Allow crontab domains fsetid capability. Use a separate $2_crontab_t domain for each role's crontab program. 
Give ntp_admin access to system_cronjob_t and allow it to manage var_log_t and cron log files * Label /var/lib/sddm as xdm_var_lib_t * Don't label acct cron job scripts as acct_exec_t * Allow systemd-tmpfiles to create /dev/xconsole * Create new type for /var/run/iodine * Allow logrotate to restart services * Made init_script_service_restart() include reload access * Dontaudit systemd_logind_t statting files under /dev/shm Allow it to setattr unallocated terminals and unlink user_runtime_t files * Added boolean allow_smbd_read_shadow for the obvious purpose Allow smbd_t to read cupsd_var_run_t socket as well as write to it * Allow NetworkManager_t to send dbus messages to unconfined_t * Grant access to dri and input_dev devices to system_dbusd_t, gdm3 makes it want this refpolicy (2:2.20161023.1-7) unstable; urgency=medium . [ Laurent Bigonville and cgzones ] * Sort the files in the files in the selinux-policy-src.tar.gz tarball by name, this should fix the last issue for reproducible build * Add genfscon for cpu/online. Closes: #849637 [ Russell Coker ] * Make the boinc patch like the one upstream accepted and make it last in the list. * Label /etc/sddm/Xsession as xsession_exec_t * Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it * Allow devicekit_power_t to chat to xdm_t via dbus * Allow rtkit_daemon_t to stat the selinuxfs and seach default contexts * Allow loadkeys_t to read tmp files created by init scripts * Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp and to read dbus lib files for /var/lib/dbus * Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime, relabel to/from user_tmpfs_t, and manage wireless_device_t * Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo and read/write an inherited socket. 
* Allow xdm_t to send dbus messages to unconfined_t * Give crond_t sys_resource so it can set hard ulimit for jobs * Allow systemd_logind_t to setattr on the kvm device and user ttys, to manage user_tmp_t and user_tmpfs_t files, to read/write the dri device * Allow systemd_passwd_agent_t to stat the selinuxfs and search the contexts dir * Make systemd_read_machines() also allow listing directory * Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files() * Allow setfiles_t to inherit apt_t file handles * Allow system_mail_t to use ptys from apt_t and unconfined_t * Label /run/agetty.reload as getty_var_run_t * Allow systemd_tmpfiles_t to relabel directories to etc_t * Made sysnet_create_config() include { relabelfrom relabelto manage_file_perms }, allow systemd_tmpfiles_t to create config, and set file contexts entries for /var/run/resolvconf. Makes policy work with resolvconf (but requires resolvconf changes) Closes: #740685 * Allow dpkg_script_t to restart init services * Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t * Allow named to read network sysctls and usr files * Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when building with systemd support, also allow listing init pid dirs. Label /var/lib/systemd/clock as ntp_drift_t * Allow systemd_nspawn_t to read system state, search init pid dirs (for /run/systemd) and capability net_admin * Allow backup_t capabilities chown and fsetid to cp files and preserve ownership * Allow logrotate_t to talk to dbus and connect to init streams for systemctl, also allow setrlimit for systemctl * Allow mon_net_test_t to bind to generic UDP nodes. 
Allow mon_local_test_t to execute all applications (for ps to getattr mostly) * Label /var/lib/wordpress as httpd_var_lib_t * Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and allow it to manage dirs of type httpd_lock_t [ Russell Coker Important ] * sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779 * Support usrmerge, lots of fc changes and subst_dist changes Closes: #850032 refpolicy (2:2.20161023.1-6) unstable; urgency=medium . * Label /var/lib/unbound as named_cache_t, closes: #740657 * Merge patch for gbp.conf from cgzones closes: #849459 * Merge patch from cgzones to add new .basemodules file. Closes: #849460 * Make the package build fail when a file is missing. Closes: #849461 * Replaced domain_auto_trans with domain_auto_transition_pattern. Closes: #849463 * New type systemd_machined_var_run_t for /run/systemd/machines * Allow initrc_t to get the status of null device service files (for symlinks) and to reload systemd_unit_t services. * Allow systemd_logind_t to manage user_runtime_t directories. allow it sys_admin capability. Allow it to list udev_var_run_t dirs for /run/udev/tags/power-switch. * Label /run/console-setup as udev_var_run_t * Label lvmetad as lvm_exec_t * Made it conflict with mcstrans because we currently can't get mcstrans, dbus, and systemd to work together. * Allow systemd_logind_t to create /run/systemd/inhibit and to manage systemd_logind_var_run_t dirs and mount/umount,relabelfrom tmpfs_t * Allow systemd_machined_t to manage symlinks in it's pid dir * Allow systemd_machined_t to stat tmpfs_t and cgroup_t filesystems * Updated monit patch from cgzones. * Allow policykit_t to stat tmpfs_t and cgroup_t filesystems and to read urandom * Change auth_login_pgm_domain() to include writing to sessions fifo. 
and searching user_runtime_t * Allow systemd_logind_t and systemd_machined_t to read initrc_t files to get cgroup and sessionid * Allow systemd_logind_t to read xserver_t files to get cgroup and sessionid * Allow system_mail_t to access unix_stream_sockets inherited from init for error messages on startup * Allow system_cronjob_t to get systemd unit status * Allow logrotate to talk to dbus and talk to the private systemd socket for systemctl * Allow console_device_t to associate with devpts_t:filesystem for /dev/pts/0 * Allow systemd_logind_t to read all users state for cgroup and sessionid files * Label /var/run/sddm and /usr/bin/sddm * Allow systemd_logind_t to talk to policykit_t and xserver_t by dbus * Allow systemd_logind_t to send messages to initrc_t by dbus * Allow policykit_t to send dbus messages to all userdomains refpolicy (2:2.20161023.1-5) unstable; urgency=medium . * Allowed system_munin_plugin_t to read usr_t files and have capability net_admin for mii-tool. Thanks joerg Closes: #619855 * Allow rsync_t to stat all sock_files and fifo_files when rsync_export_all_ro is set. Thanks joerg Closes: #619979 * Allow bitlbee_t to read FIPS state. Closes: #697814 * Allow mono_t to be in role unconfined_r. Closes: #734192 * Allow dpkg_script_t to manage null_device_t services for service scripts linked to /dev/null. Closes: #757994 * Give systemd_tmpfiles_t sys_admin capability for adjusting quotas. * Included initrc_t as a source domain in init_ranged_domain() so that old XDM packages that lack a systemd service file will work. * Use xserver_role() for unconfined_t so the xdm can start the session. * Allow user domains to talk to devicekit_disk_t and devicekit_power_t via dbus * Label /run/lvm as lvm_var_run_t * Allow dhcpc_t to manage samba config refpolicy (2:2.20161023.1-4) unstable; urgency=medium . * Allow mon_t to read sysfs. 
* Made gpm_getattr_gpmctl also allow getattr on the fifo_file * Allow mount_t to getattr tmpfs_t and rpc_pipefs_t filesystems * Allow systemd_logind_t to change identities of files * Allow systemd_logind_t to read the cgroups files of all login processes * Added monit policy from cgzones . Closes: #691283 * Allow udev_t to transition to initrc_t for hotplug scripts, and label /etc/network/ip-ip.d/* etc as initrc_exec_t. Policy taken from Wheezy at the recommendation of Devin Carraway Closes: #739590 refpolicy (2:2.20161023.1-3) unstable; urgency=medium . * Allow ntpd_t to create sockets. * Allow systemd_hostnamed_t and systemd_logind_t to talk to NetworkManager_t via dbus. * Allow systemd_backlight_t to send syslog messages, read sysfs, read etc_t files, read init state, read udev_var_run_t files (udev data). * Allow systemd_machined_t to send messages to init_t and initrc_t via dbus, connect to the system dbus, read etc_t files, and start and stop init_var_run_t services and init_t system * Allow systemd_logind_t to talk to devicekit_power_t and unconfined_t over dbus * Allow systemd_tmpfiles_t to read proc_net_t * Use /sbin/ldconfig instead of /sbin/ldconfig.real * Give devicekit_disk_t wake_alarm capability * Write policy for systemd_coredump_t * Allow systemd_logind_t to read xdm_t files for XDM state and talk to xdm via dbus. * Change /lib/systemd/systemd-cryptsetup to /usr/lib/systemd/systemd-cryptsetup so file_contexts.subs_dist doesn't cause the wrong name to match. Allow lvm_t to load modules for systemd-cryptsetup * Allow mon_local_test_t to stat gpmctl_t socket. Generally allow the local tests to access most things that can't do any harm. * Allow systemd_passwd_agent_t to use getty_t fds and read init state. * Allow unconfined domains to start and stop etc_t units refpolicy (2:2.20161023.1-2) unstable; urgency=medium . 
* Only label files as NetworkManager_initrc_exec_t * Use separate domains mon_net_test_t and mon_local_test_t for network and local tests * Allow boinc to read xdm tmp dirs and connect to the X server, allow it to read crypto sysctl for some of it's libraries * Allow unconfined_t to request init to reload it's config * Make bin_t an entrypoint for inetd_child_t * Allow systemd_tmpfiles_t to read selinuxfs and selinux_config_t to find correct context Closes: #834228 * Allow systemd_cgroups_t to read selinux_config_t * Allow systemd_sessions_t to get contexts for sessions and default contexts for files for correct labeling * Allow systemd_logind_t to read cgroup files and getattr cgroupfs, and to start and stop user sessions * Allow systemd_tmpfiles_t to read kmod_var_run_t for /run/tmpfiles.d/kmod.conf * Allow syslogd_t to read SE Linux config * Allow dpkg_script_t to reload systemd configuration and to restart initrc_exec_t units. * Allow sulogin to read crypto sysctls and set booleans * Allow cron jobs append and ioctl access to crond_tmp_t * Allow systemd_hostnamed_t to read sysfs * Policy to allow systemd_backlight_t and systemd_machined_t to do things * Give initrc_t, xserver_t, and devicekit_power_t wake_alarm capability. * Allow tor to search tmpfs. * Allow system_mail_t to inherit file handles from init. refpolicy (2:2.20161023.1-1) unstable; urgency=medium . * New upstream to remove unwanted files from the archive. * Type mon_test_exec_t for /usr/lib/mon/helper/* * Give init_t and udev_t capability2:wake_alarm for systemd and systemd-udevd * logging_manage_generic_logs(systemd_tmpfiles_t) for /var/log/?tmp * Make bin_t an entrypoint for mon_test_t for scripts run from sudo. * Allow postfix_master_t to getsched for sort and other programs from startup shell scripts refpolicy (2:2.20161023-1) unstable; urgency=medium . * Rebase to new release refpolicy (2:2.20151208-1) unstable; urgency=medium . 
* Rebase to new upstream * Move locallogin, sysadm, udev, and modutils to base * Add /lib/systemd to file_contexts.subs_dist and remove duplicate fcontexts * Allow unconfined_t to manage all init units * Allow dmesg_t and sysadm_t to read /dev/kmsg * Label /usr/lib/selinux/hll/pp as bin_t * Allow udev_t to create /var/run/network with type net_conf_t * Allow auditctl_t to getcap * Allow auditd_t setattr on /var/log/audit * Allow semanage_t to search policy_src_t dirs for /usr/lib/selinux/hll * Label /lib/systemd/libsystemd-shared-.*.so as lib_t * Allow systemd_tmpfiles_t and systemd_cgroups_t to read /proc/1/environ and /proc/cmdline, and have capability net_admin * Allow systemd_tmpfiles_t to create and relabel var_t directories * Allow systemd_cgroups_t to send unix dgrams to init. * Label /var/run/alsa as alsa_var_lock_t and use type trans for alsa_t to create it * Allow syslogd_t to create syslogd_var_run_t dirs for /run/systemd/journal/streams/ * Allow alsa_t to manage directories and lnk_files of type alsa_var_lock_t for directories under /run/alsa . * This policy works well for a VM but is known to not work on bare metal. I'll upload a new version that fixes this soon. refpolicy (2:2.20140421-12) unstable; urgency=medium . * Team upload. * Install the policy.dtd and policy.xml file in the -dev package, it is used by some userspace tools refpolicy (2:2.20140421-11) unstable; urgency=medium . * Team upload. * debian/rules: - Make sure the content of the .modules file is sorted independently of the locale where the package is built. - Force the mode of the files and directories when building the selinux-policy-src tarball to make the build reproducible. * debian/postinst.policy: List the loaded modules from the expected store not from the one configured in the config file * debian/NEWS: Add some information about the new policy store. * debian/postrm.policy: Remove the /var/lib/selinux/final/ directory when purging the package. 
This directory is created when loading the modules. refpolicy (2:2.20140421-10) unstable; urgency=medium . * Team upload. [ Laurent Bigonville ] * Fix the maintainer script to support the new policy store from libsemnage 2.4 (Closes: #805492) * debian/gbp.conf: Sign tags by default (Closes: #781670) * debian/control: Adjust and cleanup the {build-}dependencies (Closes: #805496) * debian/control: Bump Standards-Version to 3.9.8 (no further changes) * debian/rules: Make the build reproducible (Closes: #778232) * Remove deprecated system.users and local.users files * debian/control: Update Homepage URL (Closes: #780934) * debian/rules: Allow parallel build now that the build system is supporting it, see #677689 * debian/policygentool: Remove string exceptions so the script is Python >= 2.6 compatible (Closes: #585355) * Do not install semanage.read.LOCK, semanage.trans.LOCK and file_contexts.local in /etc/selinux/* this is not needed anymore with the new policy store. * debian/control: Use https for the Vcs-* URL's to please lintian * debian/watch: Fix watch file URL now that the project has moved to github . [ Russell Coker ] * Allow init_t to manage init_var_run_t symlinks and self getsched to relabel files and dirs to etc_runtime_t for /run/blkid to read/write init_var_run_t fifos for /run/initctl kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other sysctls) * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t filesystems * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to create it * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir * Allow apache to read sysctl_vm_t for overcommit_memory Allow httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t files and directories for mod_pagespeed. 
* Removed bogus .* in mailman file context that was breaking the regex * Lots of mailman changes * Allow system_mail_t read/write access to crond_tmp_t * Allow postfix_pipe_t to write to postfix_public_t sockets * Label /usr/share/mdadm/checkarray as bin_t * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing status * Allow systemd_tmpfiles_t to create the cpu_device_t device * Allow init_t to manage init_var_run_t links * Allow groupadd_t the fsetid capability * Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read dpkg_var_lib_t so dpkg-statoverride can do it's job * Allow initrc_t to write to fsadm_log_t for logsave in strict configuration * Allow webalizer to read fonts and allow logrotate to manage webaliser_usage_t files also allow it to be run by logrotate_t. * Allow jabber to read ssl certs and give it full access to it's log files Don't audit jabber running ps. * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks in log dir * Allow webalizer to read usr_t and created webalizer_log_t for it's logs * Made logging_log_filetrans and several other logging macros also allow reading var_log_t links so a variety of sysadmin symlinks in /var/log won't break things * Allow postfix_policyd_t to execute bin_t, read urandom, and capability chown. New type postfix_policyd_tmp_t * Added user_udp_server boolean * Allow apt_t to manage dirs of type apt_var_cache_t * Allow jabber to connect to the jabber_interserver_port_t TCP port Closes: #697843 * Allow xm_t to create xen_lock_t files for creating the first Xen DomU * Allow init_t to manage init_var_run_t for service file symlinks * Add init_telinit(dpkg_script_t) for upgrading systemd * Allow dpkg_script_t the setfcap capability for systemd postinst. 
  * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
  * Allow *_systemctl_t domains to read initrc_var_run_t (/run/utmp), read proc_t, and have capability net_admin. Allow logrotate_systemctl_t to manage all services.
  * Give init_t the audit_read capability for systemd
  * Allow iodined_t access to netlink_route_socket.
  * add init_read_state(systemd_cgroups_t) and init_read_state(systemd_tmpfiles_t) for /proc/1/environ
  * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to be some sort of default location. /var/log is a better directory for this
  * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
  * Allow mandb_t to get filesystem attributes
  * Allow syslogd to rename and unlink init_var_run_t files for systemd temporary files
  * Allow ntpd_t to delete files for peerstats and loopstats
  * Add correct file labels for squid3 and tunable for squid pinger raw net access (default true)
  * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to xenstored unix sockets
  * Allow qemu_t to read sysfs files for cpu online
  * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
  * Allow xm_t (xl program) to create and rename xend_var_log_t files, read kernel images, execute qemu, and inherit fds from sshd etc.
  * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via /run/xen-hotplug/iptables for when vif-bridge runs iptables
  * Allow xm_t to write to xen_lock_t files not var_lock_t
  * Allow xm_t to load kernel modules
  * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink its sockets
  * dontaudit xm_t searching home dir content
  * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in xend_var_run_t directory
  * Label /var/lock/xl as xen_lock_t
  * allow unconfined_t to execute xl/xm in xm_t domain.
  * Allow system_cronjob_t to configure all systemd services (restart all daemons)
  * Allow dpkg_script_t and unconfined_t to manage systemd service files of type null_device_t (symlinks to /dev/null)
  * Label /var/run/lwresd/lwresd.pid as named_var_run_t
  * Label /run/xen/qmp* as qemu_var_run_t
  * Also label squid3.pid
  * Allow iptables_t to be in unconfined_r (for Xen)
  * Allow udev_t to restart systemd services Closes: #756729
  * Merge Laurent's changes with mine

refpolicy (2:2.20140421-9) unstable; urgency=medium

  * Allow dovecot_t to read /usr/share/dovecot/protocols.d
    Allow dovecot_t capability sys_resource
    Label /usr/lib/dovecot/* as bin_t unless specified otherwise
    Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens
  * Allow clamd_t capability { chown fowner fsetid }
    Allow clamd_t to read sysctl_vm_t
  * Allow dkim_milter_t capability dac_override and read sysctl_vm_t
    allow dkim_milter_t to bind to unreserved UDP ports
  * Label all hard-links of perdition perdition_exec_t
    Allow perdition to read /dev/urandom and capabilities dac_override, chown, and fowner
    Allow perdition file trans to perdition_var_run_t for directories
    Also proxy the sieve service - sieve_port_t
    Allow connecting to mysql for map data
  * Allow nrpe_t to read nagios_etc_t and have capability dac_override
  * Allow httpd_t to write to initrc_tmp_t files
    Label /var/lib/php5(/.*)?
    as httpd_var_lib_t
  * Allow postfix_cleanup_t to talk to the dkim filter
    allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters)
    allow postfix_smtpd_t to talk to clamd_t via unix sockets
    allow postfix_master_t to execute hostname for Debian startup scripts
  * Allow unconfined_cronjob_t role system_r and allow it to restart daemons via systemd
    Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session cleanup)
  * Allow spamass_milter_t to search the postfix spool and sigkill itself
    allow spamc_t to be in system_r for when spamass_milter runs it
  * Allow courier_authdaemon_t to execute a shell
  * Label /usr/bin/maildrop as procmail_exec_t
    Allow procmail_t to connect to courier authdaemon for the courier maildrop, also changed courier_stream_connect_authdaemon to use courier_var_run_t for the type of the socket file
    Allow procmail_t to read courier config for maildrop.
  * Allow system_mail_t to be in role unconfined_r
  * Label ldconfig.real instead of ldconfig as ldconfig_exec_t
  * Allow apt_t to list directories of type apt_var_log_t
  * Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for dpkg-preconfigure
  * Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage shadow files, process setfscreate, and capabilities audit_write net_admin sys_ptrace
  * Label /usr/lib/xen-*/xl as xm_exec_t

refpolicy (2:2.20140421-7) unstable; urgency=medium

  * Label /run/systemd/journal/dev-log and /run/systemd/journal/stdout as devlog_t
  * Allow bootloader_t to load kernel modules and run apt-cache
  * Allow systemd_cgroups_t to read /proc/cmdline
  * Allow sshd net_admin capability
  * Allow systemd_logind_t to read kernel sysctls, list tmpfs, and mount on /var/auth, and systemd_unit_file_t:service stop.
  * Allow dpkg_script_t to restart systemd unit files of type init_var_run_t
  * Allow local_login_t and user_t to talk to systemd_logind via dbus
  * Allow user_ssh_agent_t to read/write its own fifo files
  * Allow user_t to talk to gconfd_t via dbus
  * Allow gpg_agent_t to send sigchld to xdm_t, to be a system dbus client, to use nsswitch, and to read user xauth file
  * Allow $1_dbusd_t domains systemd_login_read_pid_files access
  * Remove gpg_helper_t, merge gpg_pinentry_t with the main gpg domain, and create user_gpg_t, staff_gpg_t, etc.
  * Allow userdomains to talk to kerneloops via dbus
  * Allow sysstat_t to search all mountpoints
  * Allow udev_t self:netlink_route_socket nlmsg_write for interface rename
  * Allow systemd_tmpfiles_t to read kernel sysctls for boot_id
  * Allow setfiles_t to read /dev/urandom
  * Label /var/run/blkid as etc_runtime_t

  * TLDR: Make everything work with latest systemd and allow KDE login with latest X11 configuration.

refpolicy (2:2.20140421-6) unstable; urgency=medium

  [ Laurent Bigonville ]
  * debian/patches/0046-misc-not-systemd: Remove duplicate dev_associate(hugetlbfs_t) rule
  [ Russell Coker ]
  * Allow dpkg_script_t to restart all daemons under systemd
  * Allow ndc_t the block_suspend capability
  * Allow systemd_logind_t self:process signal access
  * allow systemd_logind_t systemd_unit_file_t:service start;
  * allow systemd_tmpfiles_t and systemd_cgroups_t capability net_admin
  * allow systemd_tmpfiles_t process getcap
  * storage_getattr_fixed_disk_dev(xend_t) for running lsscsi
  * Allow xenstored_t to search bin_t
  * New type systemd_journal_log_t for /var/log/journal and /var/run/log/journal
  * Added audit_read to capability2 class
  * Allow kerneloops_t, systemd_tmpfiles_t, and systemd_logind_t to read /dev/urandom
  * Allow all user domains to read /var/lib/dpkg
  * Allow udev_t to read kernel module files for systemd-udevd
  * Allow alsa_t to search locks
  * Allow systemd-tmpfilesd to setattr many device types and create /dev/xconsole
  * Allow unconfined_t to get status of systemd jobs
  * Add FC entry for /var/run/wd_keepalive.pid and /var/run/sm-notify.pid

refpolicy (2:2.20140421-5) unstable; urgency=medium

  * Allow system_cronjob_t to read apt_var_lib_t and ntp_conf_t.
  * Allow init_t to create /dev/log and netlink_audit_socket access
  * Allow init_t to manage systemd_passwd_var_run_t links
  * Allow freshclam_t to talk to http_cache_port_t
  * Allow system_cronjob_t to talk to init socket for restarting daemons under systemd
  * allow init_t setsched access for (tmpfiles) from systemd
  * Allow dpkg_t to transition to dpkg_script_t when running dpkg_var_lib_t (postinst etc scripts)
  * Allow init_t netlink_selinux_socket access for commands like "halt" in strict mode
  * Allow initrc_t to perform service operations on init_script_file_type
  * Label /opt/google/chrome/cron/google-chrome bin_t
  * Make Chrome/Chromium run in the correct domain
  * Add domain systemd_cgroups_t for kernel executing /lib/systemd/systemd-cgroups-agent
  * Allow dpkg_script_t to read the policy
  * Allow systemd_passwd_agent_t to write to /dev/kmsg and log to syslogd
  * Allow init_t to write to watchdog_device_t for systemd shutdown
  * Allow initrc_t to write net_conf_t for network boot scripts
  * Allow init_t to create var_auth_t directories for systemd
  * Allow initrc_t to read postfix config on Debian
  * Allow initrc_t to talk to init_t via unix sockets
  * Allow init_t to read udev_var_run_t files for systemd to read udev output
  * Allow init_t to read all pidfiles, for systemd
  * Allow postfix_postqueue_t to send sigchld to all userdomains

refpolicy (2:2.20140421-4) unstable; urgency=medium

  * Team upload.
  * debian/rules: Properly expand flavour directory during build
  * debian/rules: Properly remove postrm scripts in clean target
  * debian/postinst.policy: Remove the modules that are not built anymore from the notdefault list
  * debian/postinst.policy: Remove the .disabled file for the modules that are now built in the base.pp or not built anymore at all.

refpolicy (2:2.20140421-3) unstable; urgency=medium

  * Allow sysadm_t to read policy
  * Make systemd_login_list_pid_dirs() call init_search_pid_dirs() as it doesn't work without it
  * Added chromium/google-chrome policy
  * dev_getattr_sysfs(sysstat_t) for Debian cron job
  * Allow sysstat_t to manage its log files
  * Allow dpkg_script_t to config all systemd services and get init status
  * Allow dpkg_script_t to dirmngr_admin
  * really added systemd_login_list_pid_dirs(system_dbusd_t) (somehow missed this last time)
  * Allow sshd to chat with systemd via dbus
  * Allow unconfined_t to restart services
  * systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
  * systemd_dbus_chat_logind(sshd_t)
  * Allow xend to read vm sysctls
  * Allow udev_t to manage xenfs_t files for xenstore-read
  * Allow system_dbusd_t systemd_login_read_pid_files access for /run/systemd/users/* files
  * Allow systemd_logind_t to stat tmpfs_t filesystems for /run/user
  * Remove the "genfscon selinuxfs" line from selinux.if in selinux-policy-dev to stop sepolgen-ifgen errors.
  * Make udev_relabelto_db() include lnk_file relabeling
  * Allow kernel_t to fs_search_tmpfs, selinux_compute_create_context, and kernel_read_unlabeled_state for booting without unconfined.pp
  * Allow system_cronjob_t to manage the apt cache
  * Allow modutils_read_module_config(init_t) and create cgroup_t links for strict config. Allow it to relabel from tmpfs_t symlinks
  * Allow init_run_all_scripts_domain (initrc_t) the service { status start stop } for all the daemon _initrc_exec_t scripts.
  * Allow sysadm_r to have domain system_mail_t for strict policy
  * Allow init_t to relabel device_t symlinks and pstore_t dirs, load kernel modules, manage init_var_run_t sock_files, read /usr, read /dev/urandom, systemd_manage_passwd_run, and domain_read_all_domains_state

refpolicy (2:2.20140421-2) unstable; urgency=medium

  * Fix systemd support
  * Made init, logging, authlogin, application, userdomain, systemd, dmesg, dpkg, usermanage, libraries, fstools, miscfiles, mount, selinuxutil, storage and sysnetwork be base modules - some of this is needed for systemd, some just makes sense.
  * Disabled modules anaconda, authbind, kudzu, portage, rhgb, speedtouch
  * Allow syslogd_t to read /dev/urandom (for systemd)
  * Change unit files to use .*\.service
  * Default trans syslogd_tmp_t for name /run/log (for systemd)
  * Make /var/auth a mountpoint
  * Allow systemd_tmpfiles_t to relabelto xconsole_device_t
  * Allow init_t to start and stop service systemd_unit_file_t
  * Allow udev_t to write to init_t stream sockets for systemctl
  * Allow syslogd_t to read udev_var_run_t so systemd_journal can get seat data
  * Allow systemd_logind_t to read udev_var_run_t for seat data
  * Allow syslogd_t setgid and setgid for systemd_journal
  * Allow udev_t to read cgroup files for systemd-udevd to read its own cgroup
  * Give logrotate_t the systemd_systemctl_domain access to restart daemons
  * Make transition from unconfined_t to insmod_t for running modutils and remove all unused modutils domains. Make unconfined_t transition to insmod_t, this makes depmod run as insmod_t. Make insmod_t write modules dep files with the correct context.
  * Allow udev_t to load kernel modules for systemd-udevd
  * Allow initrc_t to systemd_config_all_services
  * Allow lvm_t to talk to init_t via unix socket for systemd
  * Allow lvm_t to read sysctl_crypto_t
  * Allow udev_t to read modules_object_t for systemd-udevd
  * Allow udev_t to search /run/systemd for systemd-udevd
  * Allow systemd_tmpfiles_t to relabel man_cache_t
  * Allow initrc_t to get status of init_t for systemd
  * Allow udev_t to get initrc_exec_t service status for when udev runs hdparm script
  * Allow ifconfig_t to load kernel modules
  * Allow named_t to read vm sysctls
  * Allow tor_t capabilities chown dac_read_search dac_override fowner
  * Allow fetchmail_t to manage dirs of type fetchmail_uidl_cache_t
  * Allow mysqld_t to connect to itself on unix_stream_socket
  * Allow mysqld_t kernel_read_vm_sysctls for overcommit_memory
  * Allow sysstat_t read and write access to crond_tmp_t (for cron to capture stdout/stderr).
  * Allow sysstat_t to read its own log files and read shell_exec_t
  * Included file context for /run/kdm.pid
  * Allow kerneloops_t to read /proc/filesystems
  * Label /var/cache/dirmngr as dirmngr_var_lib_t
  * systemd_login_list_pid_dirs(system_dbusd_t)

refpolicy (2:2.20140421-1) unstable; urgency=medium

  * Team upload.
  * New GIT snapshot of the policy
    - Drop debian/patches/upstream/*.patch: Applied upstream
    - Label /etc/locale.alias as locale_t (Closes: #707246)
    - Allow xdm_t to execute gkeyringd_domains and to transition to them
    - Label postgresql manpages properly (Closes: #740591)
    - Allow setfiles_t and restorecond_t to getattr from all fs that support xattr (Closes: #740682)
  * Refresh debian/modules.conf.default, debian/modules.conf.mls: Start building the shibboleth module

refpolicy (2:2.20140311-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * d/p/u/0001-Properly-label-git-shell-and-other-git-commands-for-.patch: Properly label git commands as bin_t and git-shell as shell_exec_t
  * d/p/u/0002-Label-usr-sbin-lightdm-as-xdm_exec_t.patch: Properly label lightdm executable as xdm_exec_t (Closes: #739163)
  * d/p/u/0003-Add-several-fcontext-for-debian-specific-paths-for-n.patch: Properly label ntp initscript and other ntp related files (Closes: #740656)

refpolicy (2:2.20140206-1) unstable; urgency=medium

  * Team upload.
  * New GIT snapshot of the policy
    - Allow unconfined_u user to enter system_r role again (Closes: #732857)
    - Allow unconfined user to transition to dpkg_t and transitively to dpkg_script_t (Closes: #707214)
    - Refresh 0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch
    - Drop d/p/0005-add-missing-newline.patch, d/p/0006-allow-udev-write-rulesd.patch: Applied upstream
  * debian/selinux-policy-dev.post{inst,rm}: Call sepolgen-ifgen after selinux-policy-dev installation if SELinux is enabled
  * debian/selinux-policy-dev.install, debian/rules: Install headers in /usr/share/selinux/devel; there are no differences between default and mls headers, so it's not necessary to install both.
  * debian/rules, debian/example/Makefile, debian/Makefile.devel: Fix development Makefile to work with new headers location
  * debian/control: Bump Standards-Version to 3.9.5 (no further changes)

refpolicy (2:2.20131214-1) unstable; urgency=low

  * Team upload.

  [ Laurent Bigonville ]
  * New GIT snapshot of the policy
    - Drop all the Debian specific patches, some of the patches have been merged upstream, but the rest was making it really difficult to upgrade the policy to the new upstream versions.
    - Add block_suspend access vectors (Closes: #722700)
    - libvirt should now run when compiled with selinux support (Closes: #559356)
    - Allow smartd daemon to write in /var/lib/smartmontools directory (Closes: #720631)
    - NetworkManager should now be able to write /run/network/ifstate (Closes: #711083)
    - Allow dovecot self:process setsched permission (Closes: #716753)
    - Add denyhosts policy package (Closes: #700403)
    - deny_ptrace boolean is now gone (Closes: #691284)
    - Allow fail2ban dac_read_search and dac_override capabilities (Closes: #700326)
    - irqbalance now has the getsched permission (Closes: #707243)
  * Refresh debian/modules.conf.* for new release, build all the policy packages as modules now
  * Drop debian/file_contexts.subs_dist, install upstream one instead
  * debian/rules: policy/rolemap file is gone
  * debian/control: Bump {build-}dependencies to the last userspace release
  * debian/rules: Disable UBAC for the default policy
  * debian/rules: Build the default policy with UNK_PERMS=allow
  * debian/control: Add dependency against selinux-utils for selinuxenabled
  * debian/NEWS: Add some information about the proper way to permanently disable a module
  * d/p/0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch: Fix FTBFS and allow startpar to getattr some devices
  * Add d/p/0005-add-missing-newline.patch: Add missing newline at the end of the file, this is causing weird behaviour, thanks M4
  * d/p/0006-allow-udev-write-rulesd.patch: Allow udev to write in /etc/udev/rules.d (Closes: #712970)

  [ Mika Pflüger ]
  * debian/postinst.policy: Rewrite the postinst script for the selinux-policy-* packages to automatically upgrade the running policy. (Closes: #552147)
  * debian/copyright: Update to machine-readable copyright format.
  * debian/postrm.policy: Use common postrm script for selinux-policy-* packages.

refpolicy (2:2.20110726-13) unstable; urgency=low

  * Team upload.

  [ Mika Pflüger ]
  * Allow dhcpc_t to bind to all udp ports (Closes: #707658).

  [ Laurent Bigonville ]
  * Rework the build system
  * Compress module files with bzip2
  * debian/control:
    - Bump Standards-Version to 3.9.4 (no further changes)
    - Drop really old Conflicts
    - Add a Breaks against selinux-basics (<< 0.5.2~) so we are sure it supports .bz2 compressed modules
  * debian/source/lintian-overrides: Add an override for maintainer-script-lacks-debhelper-token

refpolicy (2:2.20110726-12) unstable; urgency=low

  * Team upload.

  [ Russell Coker ]
  * Label ~/.adobe(/.*)? as mozilla_home_t for flash
  * Label /usr/sbin/opendkim as dkim_milter_exec_t
  * Label postalias as postfix_master_exec_t for newaliases
  * Make postfix.pp not depend on unconfined.pp for "strict" configurations
  * Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for client control
  * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t for desktops
  * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
  * Allow user roles access to mozilla_t classes shm and sem for sharing the sound device
  * Allow user roles access to mozilla_tmp_t
  * Label /sbin/xtables-multi (the new iptables)
  * Allow watchdog_t to read syslog pid files for process watching
  * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
  * Allow systemd_passwd_agent_t access to search selinuxfs and write to the console for getting a password for encrypted filesystems
  * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
    Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
    Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
    Closes: #690225

refpolicy (2:2.20110726-11) unstable; urgency=low

  * Team upload

  [ Mika Pflüger ]
  * Drop incomplete patch adding debian specific gdm3 locations and cherry-pick Laurent's complete patch from upstream instead. Slightly edit the patch to work around an issue in file context ordering.

refpolicy (2:2.20110726-10) unstable; urgency=low

  [ Mika Pflüger ]
  * xserver.fc: Add debian specific /usr/sbin/gdm3 as a location for gdm3.
    Closes: #683756
  * debian/control: Update Vcs-* fields.

  [ Laurent Bigonville ]
  * d/p/0079-Allow-iptables_t-to-do-module_request.patch: Dropped, the code present in this patch was already present later in the code.
  * d/p/0048-Alsa-debian-locations.patch: Dropped, changes merged upstream, and was breaking module loading due to duplicate paths (Closes: #686670)
  * debian/watch: Fix watch file uversionmangle

refpolicy (2:2.20110726-9) unstable; urgency=high

  * Enable UBAC as roles aren't useful. I recommend using only roles user_r and unconfined_r and using UBAC (constraining users from sharing files between identities) where you would previously have used roles.
  * Made cron jobs run in regular user domains such as unconfined_t and user_t Closes: #679277
  * Had the wrong timestamp on the last upload, corrected it for the record.
  * Allow ftpd to create sock_file objects under /var/run for proftpd
  * Change readahead policy to support memlockd.
  * Allow devicekit_power_t, devicekit_disk_t, kerneloops_t, and policykit_t to send dbus messages to users.
  * Grant systemd utilities access to selinuxfs so they can correctly label directories Closes: #678392
  * Assigned type consolekit_var_run_t to /var/run/console(/.*)? because it's created and managed by consolekit nowadays.
  * Created tunable allow_ssh_connect_reserved_ports to allow ssh client to connect to reserved ports.
  * Correctly label all perdition binaries, give perdition_t dac_override, and allow perdition_t to create its own pid directories.
  * Label /etc/dansguardian as squid_etc_t
  * Allow devicekit_power_t to access acpi device and read udev tables and allow devicekit_disk_t to read udev tables.
  * Allow sshd_t to write to fifos inherited from systemd
  * High urgency because we really need to have working cron jobs!!!
  * Removed the postinst code to upgrade from pre-squeeze packages.
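Several entries in this changelog turn on how file_contexts entries are ordered and matched: labelling /usr/lib/dovecot/* as bin_t "unless specified otherwise", a patch reworked around an issue in file context ordering, duplicate paths breaking module loading, and escaping a bare `.` in a path regex. The following is an added example, not code from refpolicy or the Debian packaging, that models the mechanism those entries rely on: at policy build time fc_sort orders specs from least to most specific, and libselinux's lookup walks that list backwards and takes the last match, so a generic `(/.*)?` entry is overridden by any more specific one. The specificity key used here (literal stem length, then fewer metacharacters, then pattern length) is my approximation of fc_sort's ordering; the file_contexts fragment is constructed from paths in this changelog, and the `watchdog_var_run_t` type and the `<<none>>` README line are assumptions made for the demonstration.

```python
"""Model of SELinux file_contexts resolution: fc_sort-style ordering from
least to most specific, then last-match-wins lookup (as libselinux does).
Added example; not refpolicy's or the Debian package's own code."""
import re
from collections import namedtuple

Spec = namedtuple("Spec", "pattern regex ftype context stem_len meta")

# Characters treated as regex metacharacters when computing the literal stem
# (approximation of fc_sort's set).
_META = set(".^$?*+|[](){}\\")

# file_contexts object-type qualifiers -> kinds accepted by lookup().
_FTYPE = {"--": "file", "-d": "dir", "-l": "lnk", "-s": "sock",
          "-p": "fifo", "-c": "chr", "-b": "blk"}

# Constructed file_contexts fragment modelled on entries in this changelog.
# The wd_keepalive line deliberately leaves its '.' unescaped (and its type
# name is assumed) to show what the "escape the ." fixes were about; the
# <<none>> line is likewise an assumed entry to exercise that keyword.
FILE_CONTEXTS = r"""
/usr/lib/dovecot/auth                   --  system_u:object_r:dovecot_auth_exec_t:s0
/usr/lib/dovecot(/.*)?                      system_u:object_r:bin_t:s0
/usr/lib/dovecot/libdovecot.*\.so.*     --  system_u:object_r:lib_t:s0
/usr/lib/dovecot/dovecot-lda            --  system_u:object_r:lda_exec_t:s0
/var/lib/php5(/.*)?                         system_u:object_r:httpd_var_lib_t:s0
/var/run/wd_keepalive.pid               --  system_u:object_r:watchdog_var_run_t:s0
/usr/lib/dovecot/README                 --  <<none>>
"""


def parse_fc(text):
    """Parse file_contexts lines into Spec records, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, qualifier, context = parts
            ftype = _FTYPE[qualifier]
        elif len(parts) == 2:
            pattern, context = parts
            ftype = None            # no qualifier: applies to every object kind
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        stem_len = 0
        while stem_len < len(pattern) and pattern[stem_len] not in _META:
            stem_len += 1
        meta = sum(1 for c in pattern if c in _META)
        # libselinux anchors every spec at both ends of the path.
        specs.append(Spec(pattern, re.compile("^" + pattern + "$"),
                          ftype, context, stem_len, meta))
    return specs


def fc_sort(specs):
    """Least specific first: a longer literal stem, then fewer metacharacters,
    then a longer pattern sorts later (approximates fc_sort's ordering)."""
    return sorted(specs, key=lambda s: (s.stem_len, -s.meta, len(s.pattern)))


def lookup(specs, path, kind="file"):
    """Return the context for path, or None for '<<none>>' or no match.
    Walks the sorted list backwards so the most specific entry wins."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != kind:
            continue
        if spec.regex.match(path):
            return None if spec.context == "<<none>>" else spec.context
    return None


# A '.' that is neither escaped nor the stem of a .* / .+ / .? wildcard.
_BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?])")


def lint_unescaped_dots(specs):
    """Patterns whose bare '.' silently matches any character."""
    return [s.pattern for s in specs if _BARE_DOT.search(s.pattern)]


if __name__ == "__main__":
    specs = fc_sort(parse_fc(FILE_CONTEXTS))
    for p in ("/usr/lib/dovecot/auth", "/usr/lib/dovecot/imap",
              "/usr/lib/dovecot/libdovecot.so.0", "/var/run/wd_keepaliveXpid"):
        print(p, "->", lookup(specs, p))
    print("unescaped dots:", lint_unescaped_dots(specs))
```

Two things to check against a real policy with this model in hand: a catch-all such as `/usr/lib/dovecot(/.*)?` only works as a default because every specific entry sorts after it, and an unescaped `.` in an entry like `/var/run/wd_keepalive.pid` matches `/var/run/wd_keepaliveXpid` too, which is why the older entries here note escaping the dot.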
refpolicy (2:2.20110726-8) unstable; urgency=high

  * Allow dbus domains to search cgroup dirs and init_var_run_t
  * Have init_t transition to devicekit_power_t and devicekit_disk_t for systemd.
  * Allow user domains to create netlink_kobject_uevent_socket objects
  * Put dansguardian in squid_t
  * Fixed error in portslave.te that prevented module insertion
  * Allow postgrey_t to exec bin_t for perl and self:netlink_route_socket access
  * Allow dac_override access to arpwatch_t
  * Add tcsd.pp (for trousers) to the policy packages
  * Add nut.pp for the nut-server package to the policy packages
  * Load irqbalance.pp if irqbalance Debian package is installed, same for kerneloops, tcsd.pp/trousers, nut.pp/nut-server, and smartmon.pp/smartmontools.
  * High urgency because the support for tcsd and nut really needs to be tested (and it's broken badly for those people) and portslave.pp is also badly broken in previous versions.

refpolicy (2:2.20110726-7) unstable; urgency=high

  [ Russell Coker ]
  * Got Chromium working!
  * Allow user_dbusd_t to access /run/console
  * Got systemd working Closes: #677578
  * Added policy for dirmngr.
  * Added support for wide-dhcpv6-client.
  * Remove all refpolicyerr and almost all refpolicywarn instances, removed all obsolete interfaces and fixed syntax errors. Closes: #678237
  * Allow all users to run the Postfix mailq command
  * Lots of little changes.

  [ Mika Pflüger ]
  * Do not ship pyplate.pyc. Closes: #676852

refpolicy (2:2.20110726-6) unstable; urgency=low

  * Added deny_ptrace tunable which some modules depend on
  * Fixed squid and nrpe policy
  * Made all necessary changes to allow a KDE login Closes: #677589
  * Made all necessary changes for a mail server running Postfix, Courier Maildrop, and Dovecot. Not all mail server configurations will work (MTAs tend to be complex and have lots of interactions) but getting other configurations will be easier now.

refpolicy (2:2.20110726-5) unstable; urgency=high

  * Add systemd support - incomplete. Closes: #660577.
    I opened another bug for systemd not working.
  * Depend on the latest SE Linux libraries
  * Fix many problems that prevented successful boot, now should be quite functional for servers. Closes: #677579, #613977
  * Fix djbdns port access. Closes: #620718

refpolicy (2:2.20110726-4) unstable; urgency=low

  [ Russell Coker ]
  * Build and upload based on Laurent and Mika's good work.
  * Hopefully will have a new version released very soon, but it's good to just upload when there have been significant changes that have no down-side.

  [ Laurent Bigonville ]
  * debian/control:
    - Bump Standards-Version to 3.9.2
  * Add debian/gbp.conf file
  * Switch to dpkg-source 3.0 (quilt) format
    - Split out existing patches

  [ Mika Pflüger ]
  * Switch to team maintenance
  * Update Vcs-* fields (Closes: #660328)

refpolicy (2:2.20110726-3) unstable; urgency=low

  * Label /run/mdadm/map. Closes: #643490
  * Stop conflicting with ancient "selinux" package. Closes: #576598

refpolicy (2:2.20110726-2) unstable; urgency=low

  * Merged all the patches from 2:0.2.20100524-13.
  * Allow mozilla_t to search user_home_t for ~/.config/chromium
  * Allow mozilla_t to create sym links in /tmp
  * Use a separate default setrans.conf for mls
  * Allow inetd_t setrlimit access
  * Allow mozilla_t to create socket files in /tmp, for chromium
  * Remove the hack for /run etc that was introduced in 2:0.2.20100524-10
  * Correctly label nrpe.cfg as nrpe_etc_t

refpolicy (2:2.20110726-1) unstable; urgency=low

  * New upstream policy
  * Built for Wheezy, made it depend on all Wheezy versions. It won't work on Squeeze and can't be easily backported.
  * Label /dev/xconsole as xconsole_device_t
  * Allow syslogd_t capability sys_nice and process:{ getsched setsched }
  * Allow xconsole_device_t to be associated with device_t filesystems
  * This version is a bit rough, you can boot unstable in enforcing mode and login via ssh but I won't guarantee any more.
refpolicy (2:0.2.20100524-12) unstable; urgency=low

  * Allow perdition to bind to sieve port, read /dev/urandom, and capabilities chown and fowner.
  * Allow nrpe_t to manage nagios_var_run_t files.
  * Change the in_unconfined_r() interface so that postfix_postqueue_t can read and write unconfined_t fifos.
  * Allow quota_t to load kernel modules.

refpolicy (2:0.2.20100524-11) unstable; urgency=low

  * Allow snmpd to setuid and setgid.
  * Allow nagios services to connect to mysql servers via tcp and read /etc files for mysql.
  * Allow nagios_mail_plugin_t to read usr files.
  * Allow postfix_postqueue_t to use a fd from nagios_mail_plugin_t.
  * Allow crond_t the sys_resource capability to set resource limits for children.
  * Allow user_t to manage httpd_user_content_t, also allow httpd_t the same access to httpd_user_content_t sym-links as to files.
  * Allow gpg_agent_t to create sock_files under ~/.gnupg
    Allow gpg_pinentry_t to read var_lib_t files for fonts.conf
  * Allow perdition to authenticate with mysql, read directories of type perdition_etc_t, connect to the pop ports
  * Allow nagios_checkdisk_plugin_t to getattr all mountpoint dirs, so it can check the root directory of a filesystem.

refpolicy (2:0.2.20100524-10) unstable; urgency=low

  * Label gpgsm as gpg_exec_t
  * Add policy for /run etc, thanks to Martin Orr for working on this, even though we can't use subst now. Closes: #629066, #628039, #626720

refpolicy (2:0.2.20100524-9) unstable; urgency=low

  * Make gnome.pp not be autoloaded and revert some of the gnome stuff from the previous version. Getting gnome (gconfd) policy to work correctly is too hard for Squeeze.
  * Allow user_t to talk to xdm_var_run_t sockets so switch user can work.
  * Allow mailman_mail_t to read /dev/urandom and usr_t files
  * Allow xenconsoled_t capability sys_tty_config and create unix_dgram_socket
  * Allow iodine_t to read /proc/filesystems
  * Allow jabber_t to write its fifos, process set/getsched, connect to generic tcp ports, and bind to udp ports.
  * Label /var/lib/sudo as pam_var_run_t
  * Allow sshd_t to read gitosis files.
  * Made the gitosis label apply to /srv/gitosis.
  * Allow webalizer to read usr_t files for geoip database.
  * Allow user_t and staff_t consolekit_dbus_chat() access so they can determine their session status - necessary to login in KDE sometimes.
  * Label ~/.gnupg/gpg.conf as user_home_t and allow user_t to list directories of type gpg_secret_t so gpg-agent can start.
  * Allow gpg_agent_t to launch a user session and send sigchld to xdm_t
  * Allow user_ssh_agent_t to send sigchld to xdm_t and allow it to run the gpg agent.
  * Add new paths for chromium-browser to support the version in unstable, needed for backports.
  * Allow user_mail_t to transition to postfix_master_t for postalias, confined by roles. Uses domain_system_change_exemption() for user_mail_t via postfix_domtrans_master() which isn't ideal.

refpolicy (2:0.2.20100524-8) unstable; urgency=low

  * Add tunable user_manage_dos_files which defaults to true
  * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
  * Allow mozilla to create directories under /tmp
  * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on installation if libgconf2-4 is installed
  * Use correct label for /usr/lib/upower/upowerd
  * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
  * Allow user domains to execute mysqld_exec_t, for KDE
  * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
  * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to search /var/lib and manage fetchmail_uidl_cache_t dirs
  * Allow xm_t to read kernel image files, needed for DomU startup on boot
  * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
  * Allow network manager to run wpa_cli_exec_t programs.
refpolicy (2:0.2.20100524-7) unstable; urgency=low

  * Allow crontab_t to create a directory of type crontab_tmp_t, necessary to allow crontab -e to work

refpolicy (2:0.2.20100524-6) unstable; urgency=low

  * Allow mysqld_safe_t to send messages to syslogd
  * Allow mysqld_t to run shell scripts (shell_exec_t and bin_t)
  * Fixed a bug in the previous release that stopped MTAs from talking to the dkim-milter, the .if file had the wrong type.
  * Made it load ipsec.pp if ipsec-tools or racoon is installed
  * Include policy for the iodine IP over DNS tunnel daemon
  * Allow saslauthd_t to talk to mysqld via TCP
  * Allow freshclam_t to read proc_t files
  * Allow postfix_local_t to write to mail_spool_t files for locking
  * Allow system_mail_t (sendmail) to get read/write access to crond_tmp_t

refpolicy (2:0.2.20100524-5) unstable; urgency=low

  * Label /usr/bin/tcsh as shell_exec_t
  * Domain trans from unconfined_t to depmod_t
  * Don't include /usr/lib/dovecot/deliver in dovecot.fc/te as it's in lda.pp
  * Don't include /usr/sbin/spamass-milter and /var/spool/postfix/spamass in spamassassin.fc as they are in milter.fc
  * Label /var/run/spamass as spamass_milter_data_t
  * Allow lvm_t rw access to unconfined_t semaphores.
  * Added in_unconfined_r() interface and made postfix user domains use it so they can be in the role unconfined_r.
    Ugly but no better solution at this time Closes: #592038 #599053
  * Include Chromium policy in mozilla.pp
  * Allow sshd getcap and setcap access
  * Correctly label ~/.xsession-errors
  * Allow spamc_t to be in system_r and allow it access to netlink_route_socket
  * Allow lda_t to talk to the Courier Authdaemon - for courier maildrop
  * Allow fetchmail_t to read usr_t for certificates and to create /tmp files
  * Allow cron jobs to write to crond_tmp_t
  * Label courier socket files as courier_var_run_t
  * Run /usr/sbin/authdaemond as courier_authdaemon_t
  * Allow dkim_milter_t to read proc_t files and create /tmp files
  * Allow dovecot domains to search dovecot_etc_t dirs
  * Allow dovecot_auth_t to talk to mysqld via TCP and read /etc/mysql/my.cnf
  * Label /etc/network/run as etc_t
  * Label X as spamass_milter_var_run_t
  * Remove unconfined_exec_t label from /usr/bin/qemu Closes: #601686
  * Label /usr/lib/apache2/mpm-*/apache2 as httpd_exec_t Closes: #608291
  * Allow nagios.pp to be installed without apache.pp Closes: #587596
  * Removed amavis.pp because it doesn't work and its functionality is covered by clamav.pp Closes: #559860
  * Allow mono_t to be in role unconfined_r Closes: #540143

refpolicy (2:0.2.20100524-4) unstable; urgency=low

  * Label /dev/vd* as fixed_disk_device_t, closes: #589997
  * Remove mcskillall and mcsptraceall from unconfined_t, the sysadmin should have unconfined_t:SystemLow-SystemHigh.

refpolicy (2:0.2.20100524-3) unstable; urgency=low

  * Give freshclam_t and clamd_t the same access WRT execmem.
  * Install lvm.pp when dmsetup is installed.
  * Add label for /usr/lib/udisks/udisks-daemon.
  * Made devicekit.pp and ricci.pp not depend on consoletype.pp and don't build consoletype.
  * label /usr/lib/udisks/.* as bin_t
  * label /etc/kde4 the same way as /etc/kde3.
  * Escape the . in /etc/init.d/mount...
  * Allow insmod_t the capability sys_admin.
  * Label all of /etc/network/run/* as etc_runtime_t and allow udev_t to manage such files.
  * Label /etc/network/if-(up|down).d/postfix as initrc_exec_t so that udev can reload Postfix and push the queue.
  * Label /usr/lib/ConsoleKit(/.*)? as bin_t to avoid an error message on graphical login.
  * On initial install load module policykit.pp when policykit-1 is installed.
  * Label /lib/init/rw(/.*)? as var_run_t.
  * Label /var/run/xauth as xdm_var_run_t.
  * Label /var/run/motd as initrc_var_run_t.

refpolicy (2:0.2.20100524-2) unstable; urgency=low

  * Include tmpreaper in base policy as mountnfs-bootclean.sh and mountall-bootclean.sh need to run as tmpreaper_t.
  * Added a new mcsdeleteall attribute for tmpreaper_t so that it can delete files and directories regardless of MCS level.
  * Allow perdition netlink_route_socket access.
  * Allow nrpe_t to execute sudo and search /var/spool; also don't audit capability sys_resource.
  * Allow postfix_local_t to run sendmail for programs like vacation
  * Make the milter module be loaded if the milter-greylist or spamass-milter package is installed. Make spamassassin policy optional when using the milter module.
  * Added a bunch of fixes from git, mostly trivial stuff, but also allowed bootloader_t to load modules and allowed kismet_t to search home directories.
  * Don't allow cron daemon to search /var/lib/logrotate.
  * Fixed a typo in gitosis.if
  * Commented out the genfscon line in selinux.if for the includes directory, now sepolgen-ifgen works without error.

refpolicy (2:0.2.20100524-1) unstable; urgency=low

  * New upstream release. This version has had a good deal of testing for server use but almost no testing for desktop use. The usual "Unstable" disclaimers apply.
  * Disable UBAC - see http://etbe.coker.com.au/2010/05/26/ubac-selinux-debian/
  * Allow mount_t to read sysfs_t.
  * Allow lvm_t to create semaphores.
  * Allow mount_t and setfiles_t to read/write device_t chr_file.
  * Allow udev to read sym-links in its config directory.
  * Allow vbetool_t to read inotify directories.
  * Allow gpm_t self signull and signal access.
refpolicy (2:0.2.20091117-2) unstable; urgency=low

  * Label /etc/gdm/Xsession, /etc/gdm/PostSession/* and /etc/gdm/PreSession/* as xsession_exec_t.
  * Label /usr/lib/dbus-1.0/dbus-daemon-launch-helper as dbusd_exec_t.
  * Allow syslogd_t read/write access to xconsole_device_t.
  * Allow system_dbusd_t list access to inotifyfs.
  * Allow udev to manage symlinks under /dev
  * Treat devtmpfs the same way as tmpfs.
  * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
  * Allow iptables_t, insmod_t and mount_t to do module_request
  * Use lib32 instead of lib64
  * Make manage_lnk_file_perms allow write access for setting the timestamp.
  * Use filesystem transitions for hugetlbfs_t.
  * Label xenfs_t and allow xend etc. to use it.
  * Use lda_t for mail local delivery
  * Allow udev to manage xenfs_t files, to write to etc_runtime_t (for ifstate), and to load modules.
  * Allow ifconfig to load modules.
  * Made auth_domtrans_chk_passwd() specify dontaudit for shadow_t file open.

refpolicy (2:0.2.20091117-1) unstable; urgency=low

  * New upstream release.

refpolicy (2:0.2.20091013-1) unstable; urgency=low

  * New upstream VCS snapshot
  * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit, seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis (Miroslav Grepl); xscreensaver (Corentin Labbe)
  * [dd26539]: [topic--urand-fix]: Fix issues related to /dev/{urandom,console}
    + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t, hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t, dmidecode_t, getty_t, and setfiles_t to read /dev/urandom
    + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and portmap_t to read /dev/console
    + Allow udev_t to access anon_inodefs_t
    These changes take care of most of the problems encountered in recent reference policy packages in Debian. Thanks to Russell Coker for the fixes.

refpolicy (2:0.2.20090828-1) unstable; urgency=low

  * New upstream snapshot.
    - Deprecated the userdom_xwindwos_client_template().
  * Modified the list of modules we build (added consolekit, and added a dependency on consolekit to the devicekit policy module). Turned off ddcprobe, since it needs kudzu.
  * Bug fix: "linking policy fails", thanks to Jonathan Nieder (Closes: #544079).
  * Bug fix: "linking policy fails (with a statement to file a bug)", thanks to Philipp Kern (Closes: #543148).
  * Bug fix: "module cvs appears to depend on module apache", thanks to Russell Coker (Closes: #539855).
  * Bug fix: "SELinux prevented console-kit-dae from using the terminal /dev/tty0", thanks to Ritesh Raj Sarraf. We now have: policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t) This should allow access to all terms and ttys. (Closes: #515167).
  * Bug fix: "SELinux is preventing pulseaudio from loading /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to Ritesh Raj Sarraf. /usr/lib/libFLAC\.so.* now has the context system_u:object_r:textrel_shlib_t, so this should now work. (Closes: #515166).
  * [1ba2425]: nscd cache location changed from /var/db/nscd to /var/cache/nscd. The nscd policy module uses the old nscd cache location. The cache location changed with glibc 2.7-1, and the current nscd does place the files in /var/cache/nscd/. Bug fix: "nscd cache location changed from /var/db/nscd to /var/cache/nscd", thanks to Sami Haahtinen (Closes: #506779).

refpolicy (2:0.2.20090818-1) unstable; urgency=low

  * New upstream snapshot, with a number of improvements.
    - Misc Gentoo fixes from Corentin Labbe.
    - Debian policykit fixes from Martin Orr.
    - Fix unconfined_r use of unconfined_java_t.
    - Add missing x_device rules for XI2 functions, from Eamon Walsh.
    - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
    - Add btrfs and ext4 to labeling targets.
    - Fix infrastructure to expand macros in initrc_context when installing.
    - Handle unix_chkpwd usage by useradd and groupadd.
    - Add missing compatibility aliases for xdm_xserver*_t types.

refpolicy (2:0.2.20090730-2) unstable; urgency=low

  * Bug fix: "selinux policy violation "Unknown" for s2ram (hald_t)", thanks to Ritesh Raj Sarraf. This has been fixed for a while, but I only just tested it. (Closes: #515566).
  * Re-enable building in parallel. The current stage should be friendlier to jobserver mode, disabling which caused all the issues with the previous state.

refpolicy (2:0.2.20090730-1) unstable; urgency=low

  * New upstream release.
  * Updated the location of dovecot's configuration files.
  * Bug fix: "dovecot's etc files are in unexpected location", thanks to Frank Engler (Closes: #517712).
  * Fixed rules to note that parallel=N fails.
  * Bug fix: "FTBFS: tmp/rolemap.conf":2194:ERROR 'syntax error' at token 'genfscon' on line 704548:", thanks to Lucas Nussbaum (Closes: #536899).
  * Bug fix: "dpkg-buildpackage -j2 fails on AMD64", thanks to Russell Coker (Closes: #538789).

refpolicy (0.0.20070507-5) unstable; urgency=low

  * Allow users to read the dpkg database. With this change, every user of the strict policy now has access to dpkg-checkbuildeps, grep-dctrl, etc., which was not the case previously.
  * Change the example localStrict.te policy file to silently ignore apt searching for something in /var/lib. With this example policy loaded in my strict policy UML virtual machine, I can compile packages in enforcing mode. Based on advice on the mailing list, allow more things to access /selinux
  * Merge in changes from Russell Coker. These include a better fix for /lib/init/rw.

refpolicy (0.0.20070507-4) unstable; urgency=low

  * Allow apt to run update by giving r_netlink_socket_perms to self:netlink_route_socket.
  * Allow apt/aptitude to update, and install files
    - Added an interface to apt.if allow silently ignoring processes that attempt to use file descriptors from apt.
    - Bump the apt policy module version number, since we have added to the interface.
    - Added some stuff to dpkg.te to allow debconf .config file interactions back to the user
    - Add an optional dontaudit rule to libraries.te to allow apt-get/aptitude to install packages silently.
  * Very early in boot, /lib/init/rw is created as a mandatory tmpfs for state information. Label that directory as initrc_tmp_t to allow mount.te to be permitted to mount a tmpfs there.
  * In init.te, allow /etc/network/if-up.d/mountnfs to create /var/run/network/mountnfs as a poor man's lock.

refpolicy (0.0.20070507-3) unstable; urgency=low

  * Add hostfs as a recognized remote file-system. This should allow a UML virtual machine to function in a fully enforcing mode.

refpolicy (0.0.20070507-2) unstable; urgency=medium

  * Keep track of modules that are really built into the base policy in Debian. We then use this list to remove the modules' .pp files from the policy shipped, since they can not be installed along with the base policy anyway. Make sure we don't add such modules when considering module dependencies either.
  * Added module ricci to modules.conf for both strict and targeted.

refpolicy (0.0.20070507-1) unstable; urgency=low

  * New upstream SVN HEAD.
    - Miscellaneous consolekit fixes from Dan Walsh.
    - Patch to have avahi use the nsswitch interface rather than individual permissions from Dan Walsh.
    - Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
    - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes to handle usage from userhelper from Dan Walsh.
    - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
    - Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh.
    - Fixes for RHEL4 from the CLIP project.
    - Replace the old lrrd fc entries with munin ones.
    - Move program admin template usage out of userdom_admin_user_template() to sysadm policy in userdomain.te to fix usage of the template for third parties.
    - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a template instead of an interface.
    - Added modules: rwho (Nalin Dahyabhai)
  * Updated dependencies, since this refpolicy needs a newer toolchain.

refpolicy (0.0.20070417-1) unstable; urgency=low

  * New upstream release.
  * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated build dependencies.
  * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker (Closes: #416910).

refpolicy (0.0.20061018-5) unstable; urgency=high

  * Add policy for log and lock files for aptitude. This is needed for proper function, so one does not need to go into permissive mode to run aptitude. Stolen from Erich. This is a low risk change.
  * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file context.
  * Debian creates /dev/xconsole independently of whether or not an xserver has been installed. So move the policy related to /dev/xconsole out of the xserver policy, and into places where relevant (init.te, logging.fc), to reflect the status that /dev/console is present anyway.
  * Add support for /etc/network/run and /dev/shm/network, which seem to be Debian specific as well.
  * Allow udev to manage configuration files.

refpolicy (0.0.20061018-4) unstable; urgency=low

  * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor. While this does not belong in the postinst, I have added this to the README.Debian file. This should be a low risk change. (Closes: #407691).
  * Bug fix: "Default build.conf doesn't match default strict/targeted policy", thanks to Stefan. The build.conf included in the reference source policy describes how to build a policy of the type "strict". The default binary policies coming with Debian are built with the policy type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in source to conform to what we really use.
    (changes TYPE=strict to TYPE=strict-mcs), very low risk change. (Closes: #411256).
  * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not allow tcp connection mode", thanks to Rafal Kupka. This bug really should be at least important, and we should fully support a class of security product like OpenVPN on machines which are running SELinux, and this is a very low risk change. (Closes: #409041).
  * Install header files required for policy building for both strict and targeted policies in a new -dev package, so it becomes really useful to work with the source package. Moved the examples from the -src package to this new -dev package, since the example is only useful with the headers provided. This is a new package, but it contains only files already in the sources (no upstream changes at all), and is the result of make install-headers. This new package has no rdepends, and should be a very low risk addition to Debian.
  * This release should be a whole lot better for building local policies, including the policygentool for creating a new policy from scratch, and the ability to build local policy modular packages. The build.conf files have been cleaned up, and the source policy defaults to targeted policy, which is standard in Debian, as opposed to the strict policy, which has priority optional.

refpolicy (0.0.20061018-3) unstable; urgency=high

  * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No such file or directory", thanks to Lucas Nussbaum. This was fixed by moving all the stamps into ./debian instead. I'll re-visit the ./debian/stamp/ directory in lenny. This is a pretty minor packaging change. (Closes: #405613).
  * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses Debian's FHS paths", thanks to Devin Carraway. From the bug report: Many of the files in these packages are overlooked when labelling files, because refpolicy's dcc module stipulates paths not consistent with the Debian FHS layout.
    The files go unlabelled and dcc-client (at least) stops working. The two major problems are the references to /usr/libexec/dcc (daemons, placed in /usr/sbin by the Debian packages) and to /var/dcc (all sorts of things, placed under /var/lib/dcc). A side effect of the latter is that dccifd_t and probably others need search on var_lib_t, through which it must pass to get to /var/lib/dcc. Fixed the policy; will send upstream. (Closes: #404309).
  * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids clamd_t search on /var/lib", thanks to Devin Carraway. This is a simple one line change, and obviously an oversight; I think getting clamd to work is fairly important. (Closes: #404895).
  * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with courier policy", thanks to Devin Carraway. There is detailed information on the changes made in the bug report, and in the commit logs. Again, fixing courier daemons seems pretty important; SELinux tends to get used a lot on remote mail servers, and this fixes issues with the policy. (Closes: #405103).

refpolicy (0.0.20061018-2) unstable; urgency=high

  * This update enables MCS for targeted and strict, and uses 1024 categories (as Fedora uses - necessary for compatibility). Please note that enabling MCS categories is required for compatibility with filesystems created on Fedora Core 5 and above, RHEL 5 and above, and CentOS 5 and above. MCS categories are also a feature that we plan for all future releases of SE Linux and do not have a nice upgrade path - releasing etch without MCS will make things painful for SE Linux users on the upgrade to lenny. This feature has been extensively tested by Russell Coker and myself, and does not otherwise impact the install.
  * Allow semanage to use the initrd file descriptor in targeted policy.
  * Fix a bug with restorecon.
  * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to David Härdeman (Closes: #402293).
refpolicy (0.0.20061018-1) unstable; urgency=low

  * New upstream release
  * Updated copyright file with the new location of the sources, and added a watch file.
  * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list retrieval suggestion", thanks to Alexander Buerger. Thanks to the provided suggestion, the selection of policy modules to install is not only faster, it is actually correct :) (Closes: #388744).
  * Bug fix: "Makefile for building policy modules?", thanks to Uwe Hermann. Provided an initial version, may have bugs. (Closes: #389116).

refpolicy (0.0.20060911-2) unstable; urgency=low

  * Fixed a typo in policy postinst that made all the policies reload at every update.

refpolicy (0.0.20060911-1) unstable; urgency=low

  * New upstream SCM HEAD.
  * Synched with Erich Schubert
    + Added first draft of python-support. You'll want to relabel these files.
    + Build python-support and setroubleshoot modules
    + Removed modules from guessing hintfile that are included in base.
  * Bug fix: "Defaults should match the strict/targeted policy", thanks to Uwe Hermann. Made them match strict. (Closes: #386931).
  * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy files", thanks to Simon Richard Grint (Closes: #386909).
  * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann (Closes: #386887).
  * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe Hermann (Closes: #386930).
  * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885).
  * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict and targeted for -src package", thanks to Erich Schubert (Closes: #386573).

refpolicy (0.0.20060907-3) unstable; urgency=low

  * Updated a few more policy modules to latest versions for Debian.

refpolicy (0.0.20060907-2) unstable; urgency=low

  * Update the module/package mapping.
  * In the selinux-policy-refpolicy-src package, now ship the modules.conf.strict and the modules.conf.targeted files which are used to build the corresponding policy packages, since the raw modules.conf package has issues on Debian.
  * With this version, we no longer ship the selinux-policy-refpolicy-src unpacked into /etc with a gazillion conffiles; instead, we now ship a compressed tarball in /usr/src, which the user may unpack where they wish, and install policies as they wish.

refpolicy (0.0.20060907-1) unstable; urgency=low

  * New upstream SCM HEAD.
  * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular targeted policy", thanks to Simon Richard Grint. Put a wrapper around the offending lines to only take effect when running a strict policy. (Closes: #384502).
  * Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe Hermann. Fixed upstream. (Closes: #384850).

refpolicy (0.0.20060813-2) unstable; urgency=low

  * Bug fix: "Needs gawk", thanks to Simon Richard Grint (Closes: #382821).
  * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/* manpages?", thanks to Uwe Hermann (Closes: #372789).
  * Fix errors in post installation initial policy creation process in the postinst.
  * Add directories required during policy build during postinst. This bug prevented any policies being built when the package was initially installed. Also, create an empty file_contexts.local file if it does not already exist.
  * Make selinux-policy-refpolicy-targeted provide and replace the obsolete package selinux-policy-default, which should in the future be just a virtual package.
  * Added postrm scripts to strict and targeted policy packages, in order to clean out the directories in which files are created during policy build.
  * Rewrote the postinst in perl to allow us to do module dependency checks, and to map policy modules to debian packages, in order to better detect the modules that would be necessary for the target machine.
  * Also, compiling with either MCS or MLS produced errors while installing policy, since we lack the setrans daemon. So we are now building without them, and created an easy to modify option to re-enable it later.
  * Updated modules.conf to use the latest offerings from Erich.

refpolicy (0.0.20060813-1) unstable; urgency=low

  * New upstream SCM HEAD.
  * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR 'syntax error' at token '' on line 3416:", thanks to Andreas Jochens (Closes: #379559).
  * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict", thanks to Devin Carraway (Closes: #379376).
  * Python transition (#2): you are building a private python module. (Closes: #380930).

refpolicy (0.0.20060509-2) unstable; urgency=low

  * Modified some paths to be more in line with upstream standards.

refpolicy (0.0.20060509-1) unstable; urgency=low

  * New upstream release. First packaging for Sid.

remind (06.02.06-1) unstable; urgency=medium

  * New upstream version 06.02.06
  * Bump policy version (no changes)

runit (2.3.1-4) unstable; urgency=medium

  * trigger-sv: drop pidof, use s-s-d (dpkg) instead (Closes: #1136579)
  * quilt (patch 0020): use timeout for chpst -l (lock)
  * add a runit script for cruft-ng
  * invoke-run:
    - update manpage, document user services
    - revert chdir to /home/username for user-services for now

rust-bitstring (0.2.1-1) unstable; urgency=medium

  * Initial upload to sid, needed for rust-cidr.

rust-cidr (0.3.2-1) unstable; urgency=medium

  * Initial upload to sid, needed for ican-rdap (#1099105).

rust-diesel (2.3.9-1) unstable; urgency=medium

  * Package diesel 2.3.9 from crates.io using debcargo 2.8.2
  * Fix RUSTSEC-2026-0136 and RUSTSEC-2026-0137

rust-openssl-sys (0.9.115-1) unstable; urgency=medium

  * Team upload.
  * Package openssl-sys 0.9.115 from crates.io using debcargo 2.8.2

rust-openssl-sys (0.9.114-1) unstable; urgency=medium

  * Team upload.
  * Package openssl-sys 0.9.114 from crates.io using debcargo 2.8.2

scdoc (1.11.4-2) unstable; urgency=medium

  * Add scdoc.1.scd and scdoc.5.scd to examples (Closes: #1135985)
  * debian/control:
    + Drop redundant Priority field
    + Bump Standards-Version to 4.7.4 (no changes required)
  * debian/watch:
    + Capitalize the `Version` to follow the standard

sherlock (0.16.0-2) unstable; urgency=medium

  [ Josenilson Ferreira da Silva ]
  * Revert d/tests/control: skip NSFW tests that depend on upstream data.json

  [ Matheus Polkorny ]
  * d/sherlock.NEWS: Document local data.json as default
  * d/m/sherlock.1: Update for local data.json default and remote option
  * d/p/force-use-of-local-data.json-by-default.patch: New patch
  * d/p/tests-Disable-site-exclusions-to-fix-autopkgtest.patch: New patch
  * d/t/control: Add new depends python3-rstr
  * d/clean: It's no longer necessary
  * d/copyright: Add myself in debian/*

sploitscan (0.14.3-1) unstable; urgency=medium

  * New upstream version 0.14.3
  * debian/control:
    - Added Build-depends python3-git
    - Bumped Standards-Version to 4.7.4
    - Removed redundant Priority field
    - Removed redundant Rules-Requires-Root
  * debian/patches:
    - 001: Fixed manpage font warnings by replacing invalid \fC escape
    - 002: Fixed overly restrictive GitPython version constraint
  * debian/watch: Updated to version 5 format

sqlsmith (1.5-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Remove constraints unnecessary since buster:
    + Build-Depends: Drop versioned constraint on libpqxx-dev.

  [ Christoph Berg ]
  * New upstream version 1.5.
  * Move packaging repository to salsa.
  * Clean up properly after a build. (Closes: 1048544)

vsftpd (3.0.5-0.7) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix existing lintian override for new syntax
  * Rename vsftpd.tmpfile -> vsftpd.tmpfiles
  * Fix lintian: unusual-interpreter /usr/bin/python

  [ Luca Boccassi ]
  * Install and use sysusers.d/tmpfiles.d config files

vsftpd (3.0.5-0.6) unstable; urgency=medium

  * Non-maintainer upload.
  * Add debian/salsa-ci.yml
  * Add missing Pre-Depends: ${misc:Pre-Depends} in vsftpd.
  * Rely on pre-initialized dpkg-architecture variables.
  * Use versioned copyright format URI.
  * Update standards version to 4.7.4, no changes needed.
  * Update renamed lintian tag names in lintian overrides.
  * Replace /var/run by /run everywhere (Closes: #966489)
  * postrm: do not attempt to duplicate dh_installsystemd actions
  * Add Documentation tag to vsftpd.service

zypper (1.14.97-1) unstable; urgency=medium

  * Update upstream source from tag 'upstream/1.14.97'