Change logs for refpolicy source package in Bionic

  • refpolicy (2:2.20180114-1) unstable; urgency=medium
    
      * New upstream 2.20180114 with patch from git version 2.20180220.
        Took that patch because a lot of it was policy I developed.
      * Delete the deprecated macro mmap_file_perms; anyone who uses this should
        change to mmap_exec_file_perms instead.  Closes: #885771
      * Now build-depend on recent toolchain.  Closes: #875546
      * Removed typebounds patch that upstream didn't like, seems to work ok
        without it now, but we can use nnp_transition if necessary.
    
     -- Russell Coker <email address hidden>  Mon, 26 Feb 2018 23:25:27 +1100
  • refpolicy (2:2.20171228-1) unstable; urgency=medium
    
      * New upstream from git with lots of Debian patches merged.  This policy is
        not a candidate for Buster or anything, I'm uploading it to facilitate
        SE Linux development.  The next time Tresys make an official release I'll
        put it in Debian Git and make it a candidate for Buster.
      * Removed authbind policy
      * Set WERROR=y to remove deprecated interfaces
      * Enable UBAC for mcs policy
      * Use compat level 11
    
     -- Russell Coker <email address hidden>  Thu, 28 Dec 2017 17:46:57 +1100
  • refpolicy (2:2.20161023.1-10) unstable; urgency=medium
    
      * Add patch for typebounds. This patch was rejected upstream, to quote
        Chris PeBenito:
        NAK.  This has already been fixed with the upcoming nnp_transition
        nosuid_transition permissions in refpolicy.  I'm afraid distros will
        have to carry policy patches until they can roll out kernels that
        support these permissions.
        https://marc.info/?l=selinux&m=150151037511601&w=2
        Closes: #874201
      * Allow systemd-tmpfiles to delete /var/lib/sudo files.
        Closes: #875668
      * Allow brctl to create files in sysfs and correctly label
        /usr/lib/bridge-utils/.*\.sh
        Closes: #875669
      * Give bootloader_t all the access it needs to create initramfs images in
        different situations and communicate with dpkg_t.
        Closes: #875676
      * Allow dnsmasq_t to read its config dir
        Closes: #875681
      * Build-depend and depend on version 2.7 of tools and libraries.
      * Allow systemd_tmpfiles_t to manage lastlog_t
        Closes: #875726
      * Allow udev_t to talk to init via dbus and get service status in strict
        configuration
        Closes: #875727
    
     -- Russell Coker <email address hidden>  Wed, 13 Sep 2017 23:47:21 +1000
  • refpolicy (2:2.20161023.1-9) unstable; urgency=medium
    
      * Dontaudit dkim_milter_t binding to labeled udp ports
      * Allow passwd_t to inherit fd from unconfined_t for package scripts
      * Allow httpd_sys_script_t to talk to itself via unix datagrams and send
        syslog messages
      * Allow logwatch_mail_t to rw system_cronjob_t pipes
        Allow logwatch_t to run mdadm
      * Label /etc/postfixadmin as httpd_config_t
      * Allow system_cronjob_t to create directories under /tmp
      * Allow spamass_milter_t to read the overcommit sysctl
      * Allow unconfined domains the capability2:wake_alarm.
      * Added ~/DovecotMail to the list of mail_home_rw_t directories
      * Allow systemd_logind_t to get dpkg_script_t process state and talk to it
        via dbus
      * For https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933 allow udev_t
        to read default_t.  Still need that udev bug fixed!
    
     -- Russell Coker <email address hidden>  Thu, 26 Jan 2017 00:52:00 +1100