-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Apr 2023 20:24:14 +1000
Source: refpolicy
Architecture: source
Version: 2:2.20221101-9
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russell@coker.com.au>
Changes:
 refpolicy (2:2.20221101-9) unstable; urgency=medium
 .
   * Added git and thunderbird to the not default modules list
   * Add filetrans to make dpkg_script_t create /var/lib/ntpsec/ as ntp_drift_t
     also add fc entry for /var/lib/ntpsec
   * Allow ndc_t to read vm_overcommit_state and sysfs files
   * Dontaudit certbot_t net_admin capability, it doesn't need to change
     network stuff, probably changing buffer sizes.
   * Allow aptcacher_t to getsched for itself
   * Allow boinc_t to connect to unconfined stream sockets for X access
   * Allow systemd_locale_t to talk to unconfined users by dbus
   * Allow xdm_t to talk to systemd-locale via dbus
   * Allow systemd_generator_t to manage files and dirs of type
     systemd_user_runtime_unit_t and to read crypto sysctls
   * Dontaudit writing to lib dirs for fail2ban_t and fail2ban_client_t for
     python attempts to generate cache files
   * Dontaudit mysqld_safe (mysql startup script) attempts to write to root dir
   * Change all toolchain dependencies to >= version 3.4
   * Allow jabberd_domain to create jabberd_var_lib_t:sock_file for prosody
   * Allow dkim_milter_t and clamd_t to get their own scheduling status
   * Allow auditd_t to map its config files to avoid recursion when dontaudit
     rules are disabled
   * Allow groupadd_t to stat /proc
   * Allow matrixd_t to read sysfs for CPU information
   * Give postfwd_milter_t kill capability
   * Allow unconfined domains the self:anon_inode access.
     Also allow them to manage dirs in their own domain, Chrome does this
   * Allow the postfix_map_t domain to read /dev/urandom
   * Allow mozilla to bind UDP generic nodes, write dbus session runtime
     sockets, read device sysctls for video hardware specs, and map its cache
     files.
   * Allow fsadm_t to write to boot_t for fstrim
   * Gave nfsd_t the lease capability, taking leases on files is necessary
   * dontaudit bootloader_t accessing /dev/mem, mdadm does this for some reason
     but doesn't need it
   * Allow fwupd_t to read the vm overcommit sysctl
   * Allow setfiles_t to read the vm overcommit sysctl
   * Allow vnstatd_t to read urandom
Files:
 042b5eb81068e7637fb16716bf572771 2442 admin optional refpolicy_2.20221101-9.dsc
 07cf4924f462b78dae4eaa7881bb6d66 108148 admin optional refpolicy_2.20221101-9.debian.tar.xz
 0cd0805a096b956a5308bdcbff024149 8555 admin optional refpolicy_2.20221101-9_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----