2008
refpolicy (0.0.20061018-5.1+etch1) stable-security; urgency=high
* Non-maintainer upload by the security team.
* Allow named_t to bind to all UDP ports, not just the DNS port;
this enables DNS port randomization, introduced by bind9
1:9.3.4-2etch3 in response to DSA-1603-1 / CVE-2008-1447. The
change does not represent a vulnerability in refpolicy, rather
a compatibility fix for an urgent and widely-deployed package.
(Closes: #490271).
* Upgrade the bind policy module at upgrade, if and only if the
previously-installed refpolicy package was <= 0.0.20061018-5
-- Devin Carraway <devin@debian.org> Sat, 12 Jul 2008 09:33:09 +0000
2007
refpolicy (0.0.20061018-5) unstable; urgency=high
* Add policy for log and lock files for aptitude. This is needed for
proper function; so one does not need to go into permissive mode to
run aptitude. Stolen from Erich. This is a low risk change.
* Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
context.
* Debian creates /dev/xconsole independently of whether or not a xserver
has been installed or not. So move the policy related to /dev/sconsole
out of the xserver policy, and into places where relevant (init.te,
logging.fc), to reflect the status that /dev/console is present
anyway.
* Add support for /etc/network/run and /dev/shm/network, which seem to
be Debian specific as well.
* Allow udev to manage configuration files.
-- Manoj Srivastava <srivasta@debian.org> Fri, 9 Mar 2007 00:22:19 -0600
refpolicy (0.0.20061018-4) unstable; urgency=low
* Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to
fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor.
While this does not belong in the postinst, I have addedthis to the
README.Debian file. This should be a low risk change. (Closes: #407691).
* Bug fix: "Default build.conf doesn't match default strict/targeted
policy", thanks to Stefan.The build.conf included in the reference
source policy describe to build a policy of the type "strict". The
default binary policies coming with Debian are build with the policy
type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in
source to conform to what we really use. (changes TYPE=strict to
TYPE=strict-mcs, very low risk change. (Closes: #411256).
* Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not
allow tcp connection mode", thanks to Rafal Kupka. This bug really
should be at least important, and we should fully support a class of
security product like OpenVPN on machines which are running SELinux,
and this is a very low risk change. (Closes: #409041).
* Install header files required for policy building for both strict and
targeted policies in a new -dev package, so it becomes really useful
to work with the source package. Moved the examples from the -src
package to this new -dev package, since the example is only useful in
with the headers provided. This is a new package, but it contains only
files already in the sources (No upstream changes at all), and is the
result of make install-headers. This new package has no rdepends, and
should be a very low risk addition to Debian.
* This release should be a whole lot better for building local policies,
including the policygentool for creating a new policy from scratch,
and ability to build local policy modular packages. The build.conf
files have been cleaned up, and the source policy defaults to targeted
policy, which is standard in Debian, as opposed to the strict policy,
which has priority optional.
-- Manoj Srivastava <srivasta@debian.org> Mon, 26 Feb 2007 22:37:17 -0600
refpolicy (0.0.20061018-3) unstable; urgency=high
* Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
such file or directory", thanks to Lucas Nussbaum. This was fixed by
moving all the stamps into ./debian instead. I'll re-visit the
./debian/stamp/ directory in lenny. This is a pretty minor packaging
change. (Closes: #405613).
* Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
Debian's FHS paths", thanks to Devin Carraway. From the bug report:
Many of the files in these packages are overlooked when labelling
files, because refpolicy's dcc module stipulates paths not consistent
with the Debian FHS layout. The files go unlabelled and dcc-client
(at least) stops working. The two major problems are the references
to /usr/libexec/dcc (damons, placed in /usr/sbin by the Debian
packages) and to /var/dcc (all sorts of things, placed under
/var/lib/dcc). A side effect of the latter is that dccifd_t and
probably others need search on var_lib_t, through which it must pass
to get to /var/lib/dcc. Fixed the policy; will send upstream.
(Closes: #404309).
* Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
clamd_t search on /var/lib", thanks to Devin Carraway. This is a
simple one line change, and obviously an oversight; I think getting
clamd to work is fairly important. (Closes: #404895).
* Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
courier policy", thanks to Devin Carraway. There is detailed
information of the changes made in the bug report, and in the commit
logs. Again, fixing courier daemons seems pretty important; SELinux
tends to get used a lot on remote mail servers, and this fixes issues
with the policy. (Closes: #405103).
-- Manoj Srivastava <srivasta@debian.org> Mon, 15 Jan 2007 13:20:30 -0600
2006
refpolicy (0.0.20061018-2) unstable; urgency=high
* The This update enables MCS for targeted and strict, uses 1024
categories (as Fedora uses - necessary for compatability). Please note
that enabling MCS categories is required for compatibility with
filesystems created on Fedora Core 5 and above, RHEL 5 and above, and
CentOS 5 and above. MCS categories is also a feature that we plan for
all future releases of SE Linux and does not have a nice upgrade path
- releasing etch without MCS will make things painful for SE Linux
users on the upgrade to lenny. This feature has been extensively
tested by Russel Coker and myself, and does not otherwise impact the
install.
* Allow semanage to use the initrd file descriptor in targeted policy.
* Fix a bug with restorecon.
* Bug fix: "refpolicy: qemu should have execmem permissions", thanks to
David Härdeman (Closes: #402293).
-- Manoj Srivastava <srivasta@debian.org> Fri, 22 Dec 2006 10:33:22 -0600
refpolicy (0.0.20061018-1) unstable; urgency=low
* New upstream release
* Updated copyright file with the new location of the sources, and added
a watch file.
* Bug fix: "selinux-policy-refpolicy-targeted: postinst package list
retrieval suggestion", thanks to Alexander Buerger. Thanks to the
provided suggestion, the selection of policy modules to install is not
only faster, it is actually correct :) (Closes: #388744).
* Bug fix: "Makefile for building policy modules?", thanks to Uwe
Hermann. Provided an intial version, may have bugs. (Closes: #389116).
-- Manoj Srivastava <srivasta@debian.org> Tue, 24 Oct 2006 14:31:22 -0500
refpolicy (0.0.20060911-2) unstable; urgency=low
* Fixed a typo in policy postinst that made all the policies reload at
every update.
-- Manoj Srivastava <srivasta@debian.org> Tue, 12 Sep 2006 10:28:11 -0500
refpolicy (0.0.20060911-1) unstable; urgency=low
* New upstream SCM HEAD. * Synched with Erich Schubert <erich@debian.org> + Added first draft of python-support. You'll want to relabel these files. + Build python-support and setroubleshoot modules + Removed modules from guessing hintfile that are included in base. * Bug fix: "Defaults should match the strict/targeted policy", thanks to Uwe Hermann. Makde them match strict. (Closes: #386931). * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy files", thanks to Simon Richard Grint (Closes: #386909). * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann (Closes: #386887). * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe Hermann (Closes: #386930). * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885). * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict and targeted for -src package", thanks to Erich Schubert (Closes: #386573).
-- Manoj Srivastava <srivasta@debian.org> Mon, 11 Sep 2006 17:46:10 -0500
refpolicy (0.0.20060907-3) unstable; urgency=low
* Updated a few more policy modules to latest versions for Debian.
-- Manoj Srivastava <srivasta@debian.org> Fri, 8 Sep 2006 12:42:22 -0500
refpolicy (0.0.20060907-2) unstable; urgency=low
* Update the module/package mapping.
* In the selinux-policy-refpolicy-src package, now ship the
modules.conf.strict and the modules.conf.targeted files which are used
to build the corresponding policy packages, snce the raw modules.conf
package has issues on Debian.
* With this version, we no longer ship the selinux-policy-refpolicy-src
unpacked into /etc with a gazillion conffiles; instead, we now ship a
compressed tarball in /usr/src, which the user may unpack where they
wish, and install policies as they wish.
-- Manoj Srivastava <srivasta@debian.org> Fri, 8 Sep 2006 10:49:40 -0500
refpolicy (0.0.20060907-1) unstable; urgency=low
* New upstream SCM HEAD.
* Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular
targeted policy", thanks to Simon Richard Grint. Put a wrapper around
the offending lines to only take effect when running a strict policy.
(Closes: #384502).
* Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe
Hermann. Fixed upstream. (Closes: #384850).
-- Manoj Srivastava <srivasta@debian.org> Fri, 8 Sep 2006 00:27:39 -0500
refpolicy (0.0.20060813-2) unstable; urgency=low
* Bug fix: "Needs gawk", thanks to Simon Richard Grint
(Closes: #382821).
* Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/*
manpages?", thanks to Uwe Hermann (Closes: #372789).
* Fix errors in post installation initial policy creation process in the
postinst.
* Add directories required during policy build during postinst. This bug
prevented any policies being built when the package was initially
installed. Also, create an empty file_contexts.local file if it does
not already exist.
* Make selinux-policy-refpolicy-targeted provide and replace the
obsolete package selinux-policy-default; which should in the future be
just a virtual package.
* Added postrm packages to strict and targeted policy packages, in order
to clean out the directories in which files are created during policy
build.
* Rewrote the postinst in perl to allow us to do module dependency
checks, and to map policy modules to debian packages, in order to
better detect the modules that would be necessary for the target
machine.
* Also, compiling with either MCS or MLS produced errors while
installing policy, since we lack setrans daemon. So we are now
building with out them, created an easy to modify option to re-enable
it later.
* Updated modules.conf to use the latest offerings from Erich.
-- Manoj Srivastava <srivasta@debian.org> Mon, 21 Aug 2006 14:59:52 -0500
refpolicy (0.0.20060813-1) unstable; urgency=low
* New upstream SCM HEAD.
* Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR
'syntax error' at token '' on line 3416:", thanks to Andreas Jochens
(Closes: #379559).
* Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict",
thanks to Devin Carraway (Closes: #379376).
* Python transition (#2): you are building a private python module.
(Closes: #380930).
-- Manoj Srivastava <srivasta@debian.org> Tue, 15 Aug 2006 09:53:06 -0500
refpolicy (0.0.20060509-2) unstable; urgency=low
* Modified some paths to be more in line with upstream standards.
-- Manoj Srivastava <srivasta@debian.org> Fri, 12 May 2006 08:30:08 -0500
refpolicy (0.0.20060509-1) unstable; urgency=low
* New upstream release. First packaging for Sid.
-- Manoj Srivastava <srivasta@debian.org> Tue, 9 May 2006 13:56:10 -0500
refpolicy (20060506-1) sesarge; urgency=low
* New upstream checkout from CVS. * Even more new modules.
-- Erich Schubert <erich@debian.org> Sat, 6 May 2006 21:44:07 +0200
refpolicy (20060418-2) sesarge; urgency=low
* New upstream checkout from CVS.
-- Erich Schubert <erich@debian.org> Fri, 21 Apr 2006 19:17:05 +0200
refpolicy (20060417-1) sesarge; urgency=low
* New upstream checkout from CVS.
* Until module linking is fixed, build everything into base.
(Sorry, this will result in a much larger policy than necessary.
Feel free to use the -src package to build your own!)
-- Erich Schubert <erich@debian.org> Mon, 17 Apr 2006 21:04:49 +0200
refpolicy (20060414-1) sesarge; urgency=low
* New upstream version with tons of new policy files
-- Erich Schubert <erich@debian.org> Mon, 17 Apr 2006 20:48:50 +0200
refpolicy (20060329-2) sesarge; urgency=low
* Merge upstream 20060329-2
-- Erich Schubert <erich@debian.org> Mon, 3 Apr 2006 00:44:06 +0200
refpolicy (20060324-2) sesarge; urgency=low
* Merge upstream 20060324-4
-- Erich Schubert <erich@debian.org> Sat, 25 Mar 2006 03:34:36 +0100
refpolicy (20060324-1) sesarge; urgency=low
* Merge upstream 20060323-2 * Merge changes by Thomas Bleher * Build with checkpolicy 1.30.1 * Sorry, still doesn't work with make > 3.80
-- Erich Schubert <erich@debian.org> Sat, 25 Mar 2006 02:21:00 +0100
refpolicy (20060315-2) sesarge; urgency=low
* Make modular policy actually work. Hopefully.
(Up to now, optional_policy(`module') in base was not working upstream!)
* Revamp build process, don't use CDBS anymore since I didn't figure out
how to do two clean runs of the same source tree, and there is little
benefit here without any autotools or library magic needed
-- Erich Schubert <erich@debian.org> Fri, 17 Mar 2006 20:51:55 +0100
refpolicy (20060315-1.1) sesarge; urgency=low
* Small tweaks and bugfixes to policy
-- Erich Schubert <erich@debian.org> Thu, 16 Mar 2006 23:13:40 +0100
refpolicy (20060315-1) sesarge; urgency=low
* Merge with upstream and debian changes as of 20060309, rev 50
* Merge with upstream and debian changes as of 20060315, rev 55
* Added "netuser" role, similar to user_tcp_server boolean, but
you can enable it for single users only.
-- Erich Schubert <erich@debian.org> Thu, 16 Mar 2006 00:23:54 +0100
refpolicy (20060306-1) sesarge; urgency=low
* Merge with upstream and debian policy changes as of 20060306, Rev 31
* Try to auto-build a policy after a fresh install in postinst
* Add inetd module to base for now
* Increase policycoreutils build-dep to hopefully solve the users_extra
issues by using a newer policycoreutils for building...
-- Erich Schubert <erich@debian.org> Mon, 6 Mar 2006 17:10:43 +0100
refpolicy (20060227-1) sesarge; urgency=low
* Merge with upstream and debian policy changes as of 20060227, Rev 20
-- Erich Schubert <erich@debian.org> Tue, 28 Feb 2006 03:48:48 +0100
refpolicy (20060224-2) sesarge; urgency=low
* Update build process to not require a tarball, include previous
patches into our "branch" of the reference policy instead.
-- Erich Schubert <erich@debian.org> Tue, 28 Feb 2006 03:13:51 +0100
refpolicy (20060224-1) sesarge; urgency=low
* New upstream CVS checkout.
* Move policy src from /etc to /usr/share/selinux/refpolicy
This avoids an apt-get size limitation and follows Fedora.
* Ship edited build.conf with policy source.
* Use debhelper for installing documentation.
* Add dependency for source onto gawk.
-- Erich Schubert <erich@debian.org> Sat, 25 Feb 2006 01:01:44 +0100
refpolicy (20060222-1) sesarge; urgency=low
* New upstream CVS checkout.
* Thomas also provided a workaround for the make issues in his version.
* Update dpkg/apt policy to interface renamings
* Remove dpkg_script_exec_t, as supporting this would require bad hacks
to dpkg and/or tar. Use dpkg_var_lib_t instead.
-- Erich Schubert <erich@debian.org> Thu, 23 Feb 2006 02:01:35 +0100
refpolicy (20060217-3) sesarge; urgency=low
* Create selinux-policy-refpolicy-doc package * DIRECT_INITRC=y
-- Thomas Bleher <ThomasBleher@gmx.de> Mon, 20 Feb 2006 23:43:53 +0000
refpolicy (20060217-2) sesarge; urgency=low
* Added first drafts of dpkg, apt policy
-- Erich Schubert <erich@debian.org> Sat, 18 Feb 2006 03:20:59 +0100
refpolicy (20060217-1) sesarge; urgency=low
* New upstream CVS checkout * Document make incompaibility via build-dep * Don't build some redhat specific policy modules, minor tweaks
-- Erich Schubert <erich@debian.org> Tue, 14 Feb 2006 02:35:04 +0100
refpolicy (20060213-1) sesarge; urgency=low
* New upstream CVS checkout. * Still not really useable
-- Erich Schubert <erich@debian.org> Tue, 14 Feb 2006 02:35:04 +0100
refpolicy (20060117-1) sesarge; urgency=low
* Experimental release
-- Erich Schubert <erich@debian.org> Mon, 13 Feb 2006 22:50:03 +0100