-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 19 Apr 2023 20:24:14 +1000
Source: refpolicy
Architecture: source
Version: 2:2.20221101-9
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russell@coker.com.au>
Changes:
 refpolicy (2:2.20221101-9) unstable; urgency=medium
 .
   * Added git and thunderbird to the not default modules list
   * Add filetrans to make dpkg_script_t create /var/lib/ntpsec/ as ntp_drift_t
     also add fc entry for /var/lib/ntpsec
   * Allow ndc_t to read vm_overcommit_state and sysfs files
   * Dontaudit certbot_t net_admin capability, it doesn't need to change
     network stuff, probably changing buffer sizes.
   * Allow aptcacher_t to getsched for itself
   * Allow boinc_t to connect to unconfined stream sockets for X access
   * Allow systemd_locale_t to talk to unconfined users by dbus
   * Allow xdm_t to talk to systemd-locale via dbus
   * Allow systemd_generator_t to manage files and dirs of type
     systemd_user_runtime_unit_t and to read crypto sysctls
   * Dontaudit writing to lib dirs for fail2ban_t and fail2ban_client_t for
     python attempts to generate cache files
   * Dontaudit mysqld_safe (mysql startup script) attempts to write to root dir
   * Change all toolchain dependencies to >= version 3.4
   * Allow jabberd_domain to create jabberd_var_lib_t:sock_file for prosody
   * Allow dkim_milter_t and clamd_t to get their own scheduling status
   * Allow auditd_t to map its config files to avoid recursion when dontaudit
     rules are disabled
   * Allow groupadd_t to stat /proc
   * Allow matrixd_t to read sysfs for CPU information
   * Give postfwd_milter_t kill capability
   * Allow unconfined domains the self:anon_inode access.
     Also allow them to manage dirs in their own domain, Chrome does this
   * Allow the postfix_map_t domain to read /dev/urandom
   * Allow mozilla to bind UDP generic nodes, write dbus session runtime
     sockets, read device sysctls for video hardware specs, and map its cache
     files.
   * Allow fsadm_t to write to boot_t for fstrim
   * Gave nfsd_t the lease capability, taking leases on files is necessary
   * dontaudit bootloader_t accessing /dev/mem, mdadm does this for some reason
     but doesn't need it
   * Allow fwupd_t to read the vm overcommit sysctl
   * Allow setfiles_t to read the vm overcommit sysctl
   * Allow vnstatd_t to read urandom
Checksums-Sha1:
 19c9a8792f99f5a91df18ea7eb592d9699587a99 2442 refpolicy_2.20221101-9.dsc
 af98a6c2b17f76299555183f50722b6b7050bcf4 108148 refpolicy_2.20221101-9.debian.tar.xz
 3e22db04c28f45d8c2f7a85460997186296536f4 8555 refpolicy_2.20221101-9_amd64.buildinfo
Checksums-Sha256:
 fa452b3263c146d65027d5df9d1041e989776ff8834660c6382c608a6d544a23 2442 refpolicy_2.20221101-9.dsc
 9ff5cb44ebd15931e96dd5a6d632f1058c7919914709536a6c771dceb980c1d8 108148 refpolicy_2.20221101-9.debian.tar.xz
 e2cea6742f71145e0bdadc586ece6d3ca308d0dd2c5b4bccaf704b1d54b08eb4 8555 refpolicy_2.20221101-9_amd64.buildinfo
Files:
 042b5eb81068e7637fb16716bf572771 2442 admin optional refpolicy_2.20221101-9.dsc
 07cf4924f462b78dae4eaa7881bb6d66 108148 admin optional refpolicy_2.20221101-9.debian.tar.xz
 0cd0805a096b956a5308bdcbff024149 8555 admin optional refpolicy_2.20221101-9_amd64.buildinfo