--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear Release Team,

Please unblock package refpolicy version 2:2.20110726-11, changes since
version -9 (which is in testing atm) are:

* Fix #683756 (selinux in permissive mode breaks gdm and X)
  The problem arose due to Debian-specific gdm3 locations. In version
  2:2.20110726-10 a patch to fix this was introduced, but it was
  incomplete (fixed only some contexts, not all) and therefore in
  version -11 it was replaced by a correct patch, which is also already
  accepted upstream. The bug is only severity: normal in the BTS, but as
  installing and enabling selinux in permissive mode completely breaks
  the ability to log in via gdm I'd consider it important, at least.
  Regressions are very unlikely as this patch only touches file context
  definitions, no code.

* Update the Vcs-* fields
  The Vcs-* fields in d/control were pointing to an old location, which
  doesn't work anymore.

* Fix #686670 (Cannot load alsa.pp module)
  debian/patches/0048-Alsa-debian-locations.patch had been merged
  upstream but wasn't dropped, leading to duplication and breaking the
  alsa module loading. Dropping the patch fixes this.

* Drop debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
  As in the previous fix, the code present in this one-line patch had
  already been introduced upstream. Dropping the patch removes
  duplicates and thereby avoids problems.

* Fix watch file uversionmangle in debian/watch.

Diffstat of the sources (patches applied) ignoring d/changelog:

 debian/control                        |    4 ++--
 debian/patches/series                 |    3 +--
 debian/watch                          |    5 +----
 policy/modules/admin/alsa.fc          |   14 ++++----------
 policy/modules/kernel/corecommands.fc |    1 +
 policy/modules/services/xserver.fc    |   20 +++++++++++---------
 policy/modules/system/iptables.te     |    1 -
 7 files changed, 20 insertions(+), 28 deletions(-)

The debdiff is attached.

unblock refpolicy/2.20110726-11

Thanks for your work + cheers,
Mika

diff -Nru refpolicy-2.20110726/debian/changelog
refpolicy-2.20110726/debian/changelog
--- refpolicy-2.20110726/debian/changelog 2012-06-30 11:42:53.000000000
+0200
+++ refpolicy-2.20110726/debian/changelog 2012-09-30 22:47:31.000000000
+0200
@@ -1,3 +1,30 @@
+refpolicy (2:2.20110726-11) unstable; urgency=low
+
+ * Team upload
+ [ Mika Pflüger ]
+ * Drop incomplete patch adding debian specific gdm3 locations and
+ cherry-pick Laurent's complete patch from upstream instead. Slightly
+ edit the patch to work around an issue in file context ordering.
+
+ -- Laurent Bigonville <[email protected]> Sun, 30 Sep 2012 22:43:12 +0200
+
+refpolicy (2:2.20110726-10) unstable; urgency=low
+
+ * Team upload.
+ [ Mika Pflüger ]
+ * xserver.fc: Add debian specific /usr/sbin/gdm3 as a location for gdm3.
+ Closes: #683756
+ * debian/control: Update Vcs-* fields.
+
+ [ Laurent Bigonville ]
+ * d/p/0079-Allow-iptables_t-to-do-module_request.patch: Dropped, the code
+ present in this patch was already present later in the code.
+ * d/p/0048-Alsa-debian-locations.patch: Dropped, changes merged upstream,
+ and was breaking module loading due to duplicate paths (Closes: #686670)
+ * debian/watch: Fix watch file uversionmangle
+
+ -- Laurent Bigonville <[email protected]> Fri, 07 Sep 2012 17:51:13 +0200
+
refpolicy (2:2.20110726-9) unstable; urgency=high
* Enable UBAC as roles aren't useful. I recommend using only roles user_r
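Review bot: The -11 entry says the upstream patch was slightly edited to work around a file context ordering issue, but it neither states what was changed nor references #683756, which the incomplete fix in -10 closed. Name the entries that were moved (or point at the patch header) so the divergence from upstream can be tracked later, and add the full stop after "Team upload" to match the -10 entry.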
@@ -10,8 +37,8 @@
* Change readahead policy to support memlockd.
* Allow devicekit_power_t, devicekit_disk_t, kerneloops_t, and policykit_t
to send dbus messages to users.
- * Grant systemd utilities access to selinuxfs so they can correctly label
directories
- Closes: #678392
+ * Grant systemd utilities access to selinuxfs so they can correctly label
+ directories. Closes: #678392
* Assigned type consolekit_var_run_t to /var/run/console(/.*)? because it's
created and managed by consolekit nowadays.
* Created tunable allow_ssh_connect_reserved_ports to allow ssh client to
@@ -41,7 +68,7 @@
* Add tcsd.pp (for trousers) to the policy packages
* Add nut.pp for the nut-server package to the policy packages
* Load irqbalance.pp if irqbalance Debian package is installed, same for
- kerneloops, tcsd.pp/trousers, nut.pp/nut-server,
+ kerneloops, tcsd.pp/trousers, nut.pp/nut-server,
and smartmon.pp/smartmontools.
* High urgency because the support for tcsd and nut really needs to be
tested (and it's broken badly for those people) and portslave.pp is also
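Review bot: The only change in this hunk is whitespace on the "kerneloops, tcsd.pp/trousers, nut.pp/nut-server," line of the already released -9 entry, and the preceding hunk likewise only rewraps the "Closes: #678392" line of that entry. These edits are unrelated to the fixes in this upload and lengthen the debdiff that has to be read during the freeze; consider leaving released changelog entries untouched or deferring the cleanup.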
diff -Nru refpolicy-2.20110726/debian/control
refpolicy-2.20110726/debian/control
--- refpolicy-2.20110726/debian/control 2012-06-11 14:32:03.000000000 +0200
+++ refpolicy-2.20110726/debian/control 2012-09-30 22:47:31.000000000 +0200
@@ -1,6 +1,6 @@
Source: refpolicy
-VCS-Git: git://anonscm.debian.org/selinux/selinux.git
-VCS-Browser: http://anonscm.debian.org/gitweb/?p=selinux/selinux.git;a=summary
+VCS-Git: git://anonscm.debian.org/selinux/refpolicy.git
+VCS-Browser:
http://anonscm.debian.org/gitweb/?p=selinux/refpolicy.git;a=summary
Priority: optional
Section: admin
Homepage: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
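Review bot: The new VCS-Git value uses the git:// transport and VCS-Browser uses plain http, neither of which authenticates the server or protects the policy sources in transit for anyone who clones from these fields. If anonscm.debian.org offers an encrypted transport for selinux/refpolicy.git, point the fields at that instead. As a style point, the changelog itself writes the fields as Vcs-*, which is the conventional capitalisation.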
diff -Nru refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch
refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch
--- refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch
2012-06-15 15:35:25.000000000 +0200
+++ refpolicy-2.20110726/debian/patches/0048-Alsa-debian-locations.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <[email protected]>
-Date: Sun, 4 Mar 2012 00:10:16 +0100
-Subject: Alsa debian locations
-
----
- policy/modules/admin/alsa.fc | 14 ++++++++++----
- 1 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
-index d362d9c..20062d1 100644
---- a/policy/modules/admin/alsa.fc
-+++ b/policy/modules/admin/alsa.fc
-@@ -2,10 +2,16 @@ HOME_DIR/\.asoundrc --
gen_context(system_u:object_r:alsa_home_t,s0)
-
- /bin/alsaunmute --
gen_context(system_u:object_r:alsa_exec_t,s0)
-
--/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
--/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/asound(/.*)?
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+ifdef(`distro_debian', `
-+/var/lib/alsa/asound\.state --
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/usr/share/alsa/alsa\.conf
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/usr/share/alsa/pcm(/.*)?
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+', `
-+/etc/alsa/asound\.state --
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/asound\.state --
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+')
-
- /sbin/alsactl --
gen_context(system_u:object_r:alsa_exec_t,s0)
- /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
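Review bot: Dropping this patch is only safe if the remaining tree still labels the Debian paths it added inside ifdef(`distro_debian', ...), namely /var/lib/alsa/asound\.state, /usr/share/alsa/alsa\.conf and /usr/share/alsa/pcm(/.*)?, as alsa_etc_rw_t, and the debdiff does not show the resulting alsa.fc. Please confirm on a build of -11 that each of these paths has exactly one file context entry, since duplicate entries are what broke loading alsa.pp.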
diff -Nru
refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
---
refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
2012-06-15 15:35:25.000000000 +0200
+++
refpolicy-2.20110726/debian/patches/0079-Allow-iptables_t-to-do-module_request.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@
-From: =?UTF-8?q?Mika=20Pfl=C3=BCger?= <[email protected]>
-Date: Sun, 4 Mar 2012 02:30:24 +0100
-Subject: Allow iptables_t to do module_request
-
----
- policy/modules/system/iptables.te | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/policy/modules/system/iptables.te
b/policy/modules/system/iptables.te
-index 542344f..a8d3947 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -27,6 +27,7 @@ files_pid_file(iptables_var_run_t)
- # Iptables local policy
- #
-
-+kernel_request_load_module(iptables_t)
- allow iptables_t self:capability { dac_read_search dac_override net_admin
net_raw };
- dontaudit iptables_t self:capability sys_tty_config;
- allow iptables_t self:fifo_file rw_fifo_file_perms;
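Review bot: With this patch removed, the kernel_request_load_module(iptables_t) line it inserted above the first allow rule has to exist elsewhere in iptables.te, which the changelog asserts but the debdiff does not show. Please confirm that the patched tree contains exactly one such call, because without it iptables_t loses the permission to request kernel module loading.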
diff -Nru
refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch
refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch
---
refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch
1970-01-01 01:00:00.000000000 +0100
+++
refpolicy-2.20110726/debian/patches/0200-Add-Debian-locations-for-GDM-3.patch
2012-09-30 22:47:31.000000000 +0200
@@ -0,0 +1,79 @@
+From: Laurent Bigonville <[email protected]>
+Date: Mon, 10 Sep 2012 18:11:13 +0200
+Subject: Add Debian locations for GDM 3
+
+---
+ policy/modules/kernel/corecommands.fc | 1 +
+ policy/modules/services/xserver.fc | 18 ++++++++++--------
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/policy/modules/kernel/corecommands.fc
b/policy/modules/kernel/corecommands.fc
+index 4dd72ce..00d8b13 100644
+--- a/policy/modules/kernel/corecommands.fc
++++ b/policy/modules/kernel/corecommands.fc
+@@ -301,6 +301,7 @@ ifdef(`distro_gentoo',`
+
+ ifdef(`distro_debian',`
+ /usr/lib(64)?/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon --
gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/dovecot/.+ --
gen_context(system_u:object_r:bin_t,s0)
+diff --git a/policy/modules/services/xserver.fc
b/policy/modules/services/xserver.fc
+index eb0566c..4787e5c 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -13,6 +13,9 @@ HOME_DIR/\.Xauthority.* --
gen_context(system_u:object_r:xauth_home_t,s0)
+ #
+ # /etc
+ #
++/etc/gdm(3)?/PostSession/.* --
gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/gdm(3)?/PreSession/.* --
gen_context(system_u:object_r:xsession_exec_t,s0)
++/etc/gdm(3)?/Xsession --
gen_context(system_u:object_r:xsession_exec_t,s0)
+
+ /etc/init\.d/xfree86-common --
gen_context(system_u:object_r:xserver_exec_t,s0)
+
+@@ -28,10 +31,6 @@ HOME_DIR/\.Xauthority.* --
gen_context(system_u:object_r:xauth_home_t,s0)
+ /etc/X11/wdm/Xstartup.* --
gen_context(system_u:object_r:xsession_exec_t,s0)
+ /etc/X11/Xsession[^/]* --
gen_context(system_u:object_r:xsession_exec_t,s0)
+
+-/etc/gdm/Xsession --
gen_context(system_u:object_r:xsession_exec_t,s0)
+-/etc/gdm/PostSession/.* --
gen_context(system_u:object_r:xsession_exec_t,s0)
+-/etc/gdm/PreSession/.* --
gen_context(system_u:object_r:xsession_exec_t,s0)
+-
+ #
+ # /opt
+ #
+@@ -52,8 +51,9 @@ HOME_DIR/\.Xauthority.* --
gen_context(system_u:object_r:xauth_home_t,s0)
+ # /usr
+ #
+
++/usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary --
gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm --
gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -81,15 +81,17 @@ ifndef(`distro_debian', `
+ # /var
+ #
+
+-/var/lib/[xgkw]dm(/.*)?
gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/gdm(3)?(/.*)?
gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/[xkw]dm(/.*)?
gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+ /var/log/[kw]dm\.log.* --
gen_context(system_u:object_r:xserver_log_t,s0)
+-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/gdm(3)?(/.*)?
gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* --
gen_context(system_u:object_r:xserver_log_t,s0)
+
+-/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
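Review bot: The header of the new patch file carries only From, Date and Subject, although the changelog says this copy was edited relative to the upstream commit to work around file context ordering. Add a short description and an origin reference that state what differs from upstream, for example whether it is the move of the /etc/gdm(3)? entries to the top of the /etc section. Since [xgkw]dm is split into separate gdm(3)? and [xkw]dm patterns in the /usr, /var/lib and /var/run sections, it is also worth attaching matchpathcon output for /usr/sbin/gdm3, /etc/gdm3/Xsession, /var/lib/gdm3 and /var/run/gdm3.pid from a system with -11 installed to show that every context is now covered.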
diff -Nru refpolicy-2.20110726/debian/patches/series
refpolicy-2.20110726/debian/patches/series
--- refpolicy-2.20110726/debian/patches/series 2012-06-27 16:47:53.000000000
+0200
+++ refpolicy-2.20110726/debian/patches/series 2012-09-30 22:47:31.000000000
+0200
@@ -44,7 +44,6 @@
0045-Remaining-unsorted-changes-for-debian-init.patch
0046-Add-dev_read_urand-to-several-programs.patch
0047-Allow-several-programs-to-read-from-the-console.patch
-0048-Alsa-debian-locations.patch
0049-Correctly-label-rotated-logs-of-apt.patch
0050-Tweaks-to-the-dpkg-policy-especially-for-support-of-.patch
0051-Webalizer-policy-adjustments-Labeled-awffull-as-weba.patch
@@ -75,7 +74,6 @@
0076-Allow-mono_t-to-be-in-role-unconfined_r-Closes-54014.patch
0077-courier-policy-adjustments-Label-courier-socket-file.patch
0078-authlogin-policy-adjustments-Label-etc-.group.edit.s.patch
-0079-Allow-iptables_t-to-do-module_request.patch
0080-debian-library-locations.patch
0081-Allow-apt-to-silently-get-and-install-packages.patch
0082-syslog-policy-adjustments-Allow-syslogd_t-capability.patch
@@ -102,3 +100,4 @@
0170-dirmngr
0180-latest-misc
0190-cron-remove-cronjob_t
+0200-Add-Debian-locations-for-GDM-3.patch
diff -Nru refpolicy-2.20110726/debian/watch refpolicy-2.20110726/debian/watch
--- refpolicy-2.20110726/debian/watch 2012-06-10 04:02:01.000000000 +0200
+++ refpolicy-2.20110726/debian/watch 2012-09-30 22:47:31.000000000 +0200
@@ -1,8 +1,5 @@
-# format version number, currently 2; this line is compulsory!
version=3
-opts="uversionmangle=s/^2./0.2./" \
+opts="uversionmangle=s/^2./2./" \
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
/files/refpolicy/refpolicy-(.*)\.tar\.bz2
-
-# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
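Review bot: The new rule s/^2./2./ on the opts line has an unescaped dot, so it matches "2" followed by any character and rewrites that pair to "2."; for an upstream version that already starts with "2." it changes nothing. If no mangling is needed any more, drop the opts line entirely; otherwise escape the dot as s/^2\./2./ so the rule cannot alter a version whose second character is not a dot.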
--- End Message ---