d_t, ifconfig_t, and ping_t to use unallocated ttys (for sysadmin
+login on boot failure)
+ * Allow ntpd_t to start and stop generic units when systemd is used, for
+systemd-timesyncd.
+
+ -- Russell Coker Mon, 04 Oct 2021 15:06:54 +1100
+
refpolicy (2:2.20210203-7) unstable;
. Dontaudit
+fsadm_t inheriting file handles from mon_t.
+ * Allow fsadm_t to do a file type trans for creating
+/dev/megaraid_sas_ioctl_node
+ * Allow java_t to exec bin_t and lib_t files for jspawnhelper, and to read
+cgroup files. Needed for JRE 17
+
+ -- Russell Coker Mon, 14 Jun 2021
tl.monitor for MegaRAID AKA PERC support and
+added support for NVMe devices
+
+ -- Russell Coker Mon, 07 Jun 2021 16:34:01 +1000
+
etbemon (1.3.5-5) unstable; urgency=medium
* Make the deleted-mapped check avoid perl privsep processes, don't want
reverted:
--- etbemon-1.3.5
s under
+different uids
+ * Allow chromium_naclhelper_t process access setcap and signal and
+cap_userns access sys_admin and sys_chroot.
+ Allow chromium_t to read alsa config.
+
+ -- Russell Coker Sat, 08 May 2021 17:55:06 +1000
+
refpolicy (2:2.20210203-5) unstable; urgency=medium
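Review bot: the chromium_naclhelper_t entry grants cap_userns sys_admin and sys_chroot without saying which operation requires them. sys_admin is a broad capability even when confined to a user namespace, so the changelog line should name the reason it is needed.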
ty net_admin (probably setting buffer size)
+
+ -- Russell Coker Fri, 09 Apr 2021 23:02:14 +1000
+
refpolicy (2:2.20210203-4) unstable; urgency=medium
* Allow ntpd_t to get the status of generic systemd units
diff -Nru refpolicy-2.20210203/debian/modules.conf.default
refpolicy-2.202102
also made it do case-insensitive checks on header field names. Now
+recommends libhash-case-perl as imapnew.monitor depends on it.
+
+ -- Russell Coker Mon, 05 Apr 2021 18:28:52 +1000
+
etbemon (1.3.5-4) unstable; urgency=medium
* Make deleted-mapped.monitor skip programs starting with
nreserved TCP ports
+ * Allow systemd_coredump_t to mmap all executables and to have cap_userns
+sys_ptrace access. dontaudit systemd_coredump_t capability net_admin
+ * Allow mailman_queue_t to connect to port 443
+
+ -- Russell Coker Fri, 05 Mar 2021 21:11:58 +1100
+
refpolicy (2:2.202102
ne option to prevent relabeling
+Closes: #922448
+ * Make fixfiles avoid trying to relabel tmpfs and other non-permanent
+filesystems
+Closes: #984567
+
+ -- Russell Coker Fri, 05 Mar 2021 20:45:24 +1100
+
policycoreutils (3.1-2) unstable; urgency=medium
[ Laurent Bigonville ]
diff -Nru
What's the situation with this one? Could it be included in the next Stretch
update?
On Saturday, 9 December 2017 1:33:39 PM AEDT Russell Coker wrote:
> On Saturday, 2 December 2017 11:05:24 AM AEDT Adam D. Barratt wrote:
> > IFF it's versioned as 2:2.20161023.1-9+deb9u1, us
Closes: #875669
+ * Give bootloader_t all the access it needs to create initramfs images in
+different situations and communicate with dpkg_t.
+Closes: #875676
+ * Allow dnsmasq_t to read it's config dir
+Closes: #875681
+
+ -- Russell Coker Sat, 09 Dec 2017 13:12:05 +1100
+
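Review bot: "all the access it needs to create initramfs images in different situations" in the bootloader_t entry does not say what was granted, which makes it hard to review for a stable update. List the object types or permissions added for bootloader_t and the form the communication with dpkg_t takes, or name the patch that carries them. Minor style point in the dnsmasq_t entry: "it's config dir" should be "its config dir".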
On Sunday, 19 November 2017 9:41:58 PM AEDT Adam D. Barratt wrote:
> > Section 5.5.1 of the above seemed to indicate that I should do it
> > that way.
> > Did I misunderstand it or does the documentation need improving?
>
> Some combination. :-)
>
> You used reportbug to file the report - did it
I sent such a debdiff almost 2 months ago. Is it ok?
On 30 September 2017 1:39:15 am AEST, "Adam D. Barratt"
wrote:
>On Sat, 2017-09-30 at 01:08 +1000, Russell Coker wrote:
>> I've attached the patches. These all come from the package currently
>> in
>>
On Friday, 29 September 2017 4:39:15 PM AEDT Adam D. Barratt wrote:
> On Sat, 2017-09-30 at 01:08 +1000, Russell Coker wrote:
> > I've attached the patches. These all come from the package currently
> > in
> > Testing.
>
> Thanks, but we don't review individ
I've attached the patches. These all come from the package currently in
Testing.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Index: refpolicy-2.20161023.1/policy/modules/system/init.te
==
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
0210-bounds-874201 is the most important patch. Without it programs that
should run as tor_t, mysqld_t, and entropyd_t run as init_t and get
unrestricted access to the system. Thi
If logtools had a diff.gz file for the changes in question would it get in? If
so can I upload a version like that?
On 10 January 2017 12:48:39 am LHDT, Julien Cristau wrote:
>On 01/09/2017 02:26 PM, Russell Coker wrote:
>> https://qa.debian.org/excuses.php?package=logtools
https://qa.debian.org/excuses.php?package=logtools
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800258
Logtools was out of testing due to bug 800258 which I had fixed but forgotten
to mention in the changelog. Why is it still out of testing now?
Should I just upload a new version with chan
/xen-*/xl as xm_exec_t
-- Russell Coker Fri, 06 Feb 2015 02:31:05 +1100
refpolicy (2:2.20140421-8) unstable; urgency=medium
* Make all of /etc/ssl apart from /etc/ssl/private etc_t
* Allow systemd_logind_t to search xdm_tmp_t:dir
Allow systemd_tmpfiles_t to create xdm_tmp_t:dir
Make
On Mon, 25 Jun 2012, "Adam D. Barratt" wrote:
> > Currently I have a problem though, policycoreutils in testing depends on
> > libcgroup1 which isn't in testing.
>
> Really? Which architecture are you seeing that on? There shouldn't be
> any packages in testing which depend on libcgroup1, other
On Mon, 25 Jun 2012, "Adam D. Barratt" wrote:
> On Mon, 2012-06-25 at 14:56 +1000, Russell Coker wrote:
> > http://packages.qa.debian.org/libc/libcgroup.html
> >
> > Currently I have a problem though, policycoreutils in testing depends on
> > libcgroup
On Tue, 19 Jun 2012, "Adam D. Barratt" wrote:
> Assuming the change is ready, is there any reason not to upload it now?
There is ongoing work. I'm glad to read that I've got until the end of the
month, I can get some more significant improvements done in that time.
> Framing things in absolut
The policycoreutils package needs an important update. The last version fixed
a bug that made some systems fail to upgrade but did it in the wrong way. The
version in testing right now will result in some systems failing to upgrade
from Squeeze without unreasonable effort by the user. I plan
On Sat, 19 Mar 2011, "Adam D. Barratt" wrote:
> > They have all been tested on multiple systems. Also many of the changes
> > are related to things that didn't work at all previously so there was
> > little scope for regression.
>
> Okay.
Apart from the one I just backed out. :-#
> > > >
On Sat, 12 Mar 2011, "Adam D. Barratt" wrote:
> >* Allow user domains to execute mysqld_exec_t, for KDE
> >* Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
>
> That's this change?
>
> +
> + optional_policy(`
> + gnome_role($2, $1_dbusd_t)
> + ')
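Review bot: the added call "gnome_role($2, $1_dbusd_t)" carries no comment, so the reader has to look up the interface to learn that it is what lets the per-user dbusd domain run gconfd_exec_t in the gconfd domain, as the changelog entry above describes. A one-line comment above the optional_policy block stating that purpose would make the hunk reviewable on its own.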
>
On Sat, 19 Mar 2011, Russell Coker wrote:
> Below is the definition of gnome_role, when it is called the first
> parameter $1 equals the second parameter $2 from the above optional_policy
> and $2 is the $1_dbusd_t. So it substitutes to
> domain_auto_trans($1_dbusd_t, gconfd_exec
On Sat, 12 Mar 2011, "Adam D. Barratt" wrote:
> On Fri, 2011-03-11 at 23:21 +1100, Russell Coker wrote:
> > The user friendly change list is that this makes USB flash storage
> > devices usable by default on the desktop, Iceweasel works correctly,
> >
pg_agent_t to read etc_t files and sysctl_crypto_t.
+ * Allow network manager to run wpa_cli_exec_t programs.
+
+ -- Russell Coker Fri, 11 Mar 2011 14:28:58 +1100
+
refpolicy (2:0.2.20100524-7) unstable; urgency=low
* Allow crontab_t to create a directory of type crontab_tmp_t, necessary to
On Wed, 26 Aug 2009, Manoj Srivastava wrote:
> if [ -e /etc/pam.d/login ]; then
>   perl -pli~ -e 'm/session.*pam_selinux.so/ && s/^\#\s*//o' /etc/pam.d/login
>   rm /etc/pam.d/login~
> fi
> if [ -e /etc/pam.d/ssh ]; then
> perl -pli~ -e 'm/session.*pam_selinux.so/ && do { s/^\#\s*//o;
> s/multip
On Fri, 31 Jul 2009, Manoj Srivastava wrote:
> Developer associated: Manoj Srivastava (Perhaps also Russell Coker,
> but I have not discussed this with him)
I will be involved in this, but I find it difficult to get enough free time.
> Issues to be solved
Why is version 2:0.0.20080702-6 still in Lenny?
I had submitted a number of requests for newer versions to be included, and my
understanding was that those requests had been accepted. Newer versions up
to 2:0.0.20080702-14 solve some serious issues that will affect users.
What can we do at thi
s you, but after more than
two years without a maintainer upload the package seems unmaintained. Even
so I would have taken more time about it if we had such time.
--
Russell Coker <[EMAIL PROTECTED]>
http://etbe.coker.com.au/ My Blog
http://etbe.coker.com.au/category/security/
dir_t.
* Fixed labelling of /var/lock/mailman
* Allow courier_pop_t to read /dev/urandom and to do ioctl on its fifos.
Also allow it to talk to portmap so the IMAP server can do FAM.
--
Russell Coker <[EMAIL PROTECTED]>
http://etbe.coker.com.au/ My Blog
http://etbe.coker
Sorry, I forgot to ask, please allow this version in Lenny. Without it
sometimes some machines won't boot...
On Tuesday 21 October 2008 00:50, Russell Coker <[EMAIL PROTECTED]> wrote:
> The spamassassin and Clamav changes are needed for some people who use
> those programs.
The spamassassin and Clamav changes are needed for some people who use those
programs.
But the real requirement here is to have the correct labels for device nodes
created by initrc_t. It is needed to allow booting in enforcing mode when
you have a corrupt /etc/fstab file.
refpolicy (2:0.0.2
Below are the changes. The problem with restarting daemons can be solved in
several ways, and the solution that I have implemented (as a default setting)
is not ideal for security - but usability is what we need by default.
With -11 a user who logs in as non-root, runs "su -" and then restarts
99584
-- Russell Coker <[EMAIL PROTECTED]> Sun, 28 Sep 2008 19:23:50 +1000
--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsub
Below is the changelog. The most important thing is the cron changes without
which cron is essentially unusable for users who aren't in the unconfined_t
domain.
* Create new interface crond_search_dir() and use it to allow crond_t to
search clamd_var_lib_t for amavis cron jobs.
* Allow
93979.
NB I won't have time to do any testing of this so someone else will need
to deploy it on a fully functional NAGIOS system.
Closes: #493979
-- Russell Coker <[EMAIL PROTECTED]> Fri, 19 Sep 2008 22:25:00 +1000
refpolicy (2:0.0.20080702-9) unstable; urgency=low
* A
I've got another version that I would like to get in Lenny. This will make a
significant reduction to the number of people who accidentally break their
systems. The change to the recommendation is to avoid confusion, and the man
page references (the see-also section) just makes things easier f
On Tuesday 26 August 2008 05:54, Pierre Habouzit <[EMAIL PROTECTED]> wrote:
> On Mon, Aug 25, 2008 at 12:49:49PM +, Russell Coker wrote:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445595
>
> The patch is broken. Next time, please guess that if there is a guard li
Please unblock setools. The current version in Lenny doesn't support the
Lenny policy version and is of little use. Manoj has already packaged the
new version.
--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software de
e; urgency=low
* Take ownership of the package (temporarily at least).
* Made selinux-activate work on systems without GRUB.
Closes: #498324
* Made selinux-policy-upgrade work when there are local modules.
Closes: #498323
-- Russell Coker <[EMAIL PROTECTED]> Tue, 09 Sep 200
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445595
I have done an NMU of version 0.4.5+cvs20030824-2.1 of the smpeg package. It
has two lines of change as included in a patch on the above bug report.
There has been no response from the maintainer, the bug is almost a year old,
and it has
This new package of rsyslog fixes a bug related to SE Linux that I would like
to have fixed in Lenny.
Is it possible to get the new upstream version of rsyslog in Lenny? If not
then what do we have to do to get the patch back-ported to the version in
Lenny?
--
[EMAIL PROTECTED]
http://etbe.c
On Friday 08 August 2008 13:15, Luk Claes <[EMAIL PROTECTED]> wrote:
> Russell Coker wrote:
> > Please include the latest checkpolicy in Lenny. It is needed to build
> > the recent versions of the policy (such as the one that is already in
> > Lenny).
>
> Th
Please include the latest checkpolicy in Lenny. It is needed to build the
recent versions of the policy (such as the one that is already in Lenny).
--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
On Tuesday 05 August 2008 03:57, Marc 'HE' Brockschmidt <[EMAIL PROTECTED]>
wrote:
> + if [ ! -f /.autorelabel ]; then
> + echo "Relabeled, now reboot"
> + umount -a || true
> + sync
> + reboot -f
> + fi
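Review bot: "umount -a || true" discards any unmount failure and the next step after "sync" is "reboot -f", which skips the normal shutdown sequence, so a filesystem that stayed mounted gets only the sync before the reset. Either drop "-f" so that init performs the shutdown, or keep it and add a comment saying why a forced reboot is required at this point.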
>
> Why reboot -f? Rest looks more or less OK.
Good catch. I've
I stuffed up nmu2 and have just uploaded nmu3 to unstable. I didn't include
one of the scripts in the files list.
On Monday 04 August 2008 07:26, Russell Coker <[EMAIL PROTECTED]> wrote:
> Please include my latest NMU of selinux-basics in Lenny. The new scripts
> selinux-
oot script
-- Russell Coker <[EMAIL PROTECTED]> Mon, 04 Aug 2008 07:20:18 +1000
selinux-basics (0.3.3+nmu1) unstable; urgency=high
* Non-maintainer upload.
* Added selinux-activate script to handle all aspects of configuring systems
to run SE Linux.
* Made /etc/init.d/selinux-bas
On Sunday 03 August 2008 06:43, Steve Langasek <[EMAIL PROTECTED]> wrote:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493181
> >
> > In the above bug report I have requested a config file comment change and
> > suggested that an application be made to have it included in Lenny.
> >
> > I r
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493316
Please allow libselinux-2.0.65-4 (which I have just uploaded to unstable) into
Lenny to close the above bug.
There is a one-line change which is what Josselin suggested in a response to
the bug.
This is necessary for operation of the audi
On Friday 01 August 2008 16:47, Steve Langasek <[EMAIL PROTECTED]> wrote:
> On Fri, Aug 01, 2008 at 12:08:49PM +1000, Russell Coker wrote:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451722
> >
> > Is pam getting an exception from the freeze?
>
> Yes,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451722
Is pam getting an exception from the freeze?
The above bug report covers what is probably the most significant problem that
is likely to be faced by SE Linux users. If the new pam can't go in then can
we have a back-port of the functional
Please include version 2.0.49-5 in Lenny. The progress report is necessary to
stop users getting confused and pushing reset on an autorelabel operation.
It's uploaded to unstable now.
--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Spon
Please include portslave_2005.04.03.1 (just uploaded to unstable) in Lenny.
Version 2005.04.03 is compiled against an older pppd and is almost entirely
unusable (it only provides telnet and SLIP functionality).
I have uploaded python-sepolgen 1.0.11-4 to fix a gross module name bug (the
code was AFAIK impossible to use in the previous version). It closes
487212, please include it in Lenny and push it through as fast as possible.
Fixing a package that is utterly broken should have minimal delay.
I
On Tuesday 29 July 2008 15:56, Luk Claes <[EMAIL PROTECTED]> wrote:
> Russell Coker wrote:
> > When will the new SE Linux policy packages (selinux-policy-default and
> > selinux-policy-mls) and the packages they depend on hit testing?
> >
> > I'm getting ha
When will the new SE Linux policy packages (selinux-policy-default and
selinux-policy-mls) and the packages they depend on hit testing?
I'm getting hassled by some important people who are interested in Debian SE
Linux about why Lenny is all broken at the moment.
There is no reason for the pack
It's already uploaded to unstable.
On Monday 28 July 2008 17:50, Luk Claes <[EMAIL PROTECTED]> wrote:
> > I would like to get version 0.2.11-2 of mcstrans in Lenny.
> >
> > It changes to use libcap2, while this is a trivial change it also
> > prevents the 2.6.25 kernel logging warning messages (wh
I would like to get version 0.2.11-2 of mcstrans in Lenny.
It changes to use libcap2, while this is a trivial change it also prevents the
2.6.25 kernel logging warning messages (which we don't want to have happening
all through Lenny).
It allows correct restarting. While there is no bug report
On Saturday 16 April 2005 03:52, "Marco d'Itri" <[EMAIL PROTECTED]> wrote:
> On Apr 06, Russell Coker <[EMAIL PROTECTED]> wrote:
> > In about 48 hours I'll have a chance to test it. It will have to wait.
>
> Any news about your portslave uplo
61 matches