-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 May 2016 22:29:59 +0200
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20140421-10
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 585355 697843 756729 778232 780934 781670 805492 805496
Changes:
 refpolicy (2:2.20140421-10) unstable; urgency=medium
 .
   * Team upload.
   [ Laurent Bigonville ]
   * Fix the maintainer script to support the new policy store from
     libsemanage 2.4 (Closes: #805492)
   * debian/gbp.conf: Sign tags by default (Closes: #781670)
   * debian/control: Adjust and cleanup the {build-}dependencies
     (Closes: #805496)
   * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
   * debian/rules: Make the build reproducible (Closes: #778232)
   * Remove deprecated system.users and local.users files
   * debian/control: Update Homepage URL (Closes: #780934)
   * debian/rules: Allow parallel build now that the build system is
     supporting it, see #677689
   * debian/policygentool: Remove string exceptions so the script is
     Python >= 2.6 compatible (Closes: #585355)
   * Do not install semanage.read.LOCK, semanage.trans.LOCK and
     file_contexts.local in /etc/selinux/* this is not needed anymore with
     the new policy store.
   * debian/control: Use https for the Vcs-* URL's to please lintian
   * debian/watch: Fix watch file URL now that the project has moved to
     github
 .
   [ Russell Coker ]
   * Allow init_t to manage init_var_run_t symlinks and self getsched
     to relabel files and dirs to etc_runtime_t for /run/blkid
     to read/write init_var_run_t fifos for /run/initctl
     kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually
     other sysctls)
   * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
     filesystems
   * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
   * Label /usr/share/bug/.* files as bin_t for reportbug in strict
     configuration
   * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
     create it
   * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
   * Allow apache to read sysctl_vm_t for overcommit_memory
     Allow httpd_sys_script_t to read sysfs_t.
     allow httpd_t to manage httpd_log_t files and directories for
     mod_pagespeed.
   * Removed bogus .* in mailman file context that was breaking the regex
   * Lots of mailman changes
   * Allow system_mail_t read/write access to crond_tmp_t
   * Allow postfix_pipe_t to write to postfix_public_t sockets
   * Label /usr/share/mdadm/checkarray as bin_t
   * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
     status
   * Allow systemd_tmpfiles_t to create the cpu_device_t device
   * Allow init_t to manage init_var_run_t links
   * Allow groupadd_t the fsetid capability
   * Allow dpkg_script_t to transition to passwd_t.
     Label dpkg-statoverride as setfiles_exec_t for changing SE Linux context.
     Allow setfiles_t to read dpkg_var_lib_t so dpkg-statoverride can do its
     job
   * Allow initrc_t to write to fsadm_log_t for logsave in strict
     configuration
   * Allow webalizer to read fonts and allow logrotate to manage
     webaliser_usage_t files also allow it to be run by logrotate_t.
   * Allow jabber to read ssl certs and give it full access to its log files
     Don't audit jabber running ps.
   * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
     in log dir
   * Allow webalizer to read usr_t and created webalizer_log_t for its logs
   * Made logging_log_filetrans and several other logging macros also allow
     reading var_log_t links so a variety of sysadmin symlinks in /var/log
     won't break things
   * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
     chown. New type postfix_policyd_tmp_t
   * Added user_udp_server boolean
   * Allow apt_t to manage dirs of type apt_var_cache_t
   * Allow jabber to connect to the jabber_interserver_port_t TCP port
     Closes: #697843
   * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
   * Allow init_t to manage init_var_run_t for service file symlinks
   * Add init_telinit(dpkg_script_t) for upgrading systemd
   * Allow dpkg_script_t the setfcap capability for systemd postinst.
   * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
   * Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read
     proc_t, and have capability net_admin.
     Allow logrotate_systemctl_t to manage all services.
   * Give init_t the audit_read capability for systemd
   * Allow iodined_t access to netlink_route_socket.
   * add init_read_state(systemd_cgroups_t) and
     init_read_state(systemd_tmpfiles_t) for /proc/1/environ
   * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
     be some sort of default location. /var/log is a better directory for
     this
   * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
   * Allow mandb_t to get filesystem attributes
   * Allow syslogd to rename and unlink init_var_run_t files for systemd
     temporary files
   * Allow ntpd_t to delete files for peerstats and loopstats
   * Add correct file labels for squid3 and tunable for squid pinger raw net
     access (default true)
   * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
     xenstored unix sockets
   * Allow qemu_t to read sysfs files for cpu online
   * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
   * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
     kernel images, execute qemu, and inherit fds from sshd etc.
   * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
     /run/xen-hotplug/iptables for when vif-bridge runs iptables
   * Allow xm_t to write to xen_lock_t files not var_lock_t
   * Allow xm_t to load kernel modules
   * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and
     unlink its sockets
   * dontaudit xm_t searching home dir content
   * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
     xend_var_run_t directory
   * Label /var/lock/xl as xen_lock_t
   * allow unconfined_t to execute xl/xm in xm_t domain.
   * Allow system_cronjob_t to configure all systemd services (restart all
     daemons)
   * Allow dpkg_script_t and unconfined_t to manage systemd service files of
     type null_device_t (symlinks to /dev/null)
   * Label /var/run/lwresd/lwresd.pid as named_var_run_t
   * Label /run/xen/qmp* as qemu_var_run_t
   * Also label squid3.pid
   * Allow iptables_t to be in unconfined_r (for Xen)
   * Allow udev_t to restart systemd services Closes: #756729
   * Merge Laurent's changes with mine
Checksums-Sha1:
 6274875f7fdd38d056f1e86a03017fb3549560df 2089 refpolicy_2.20140421-10.dsc
 4c4f27df1524bbf2a9db69ba250cb945f8a5f479 90016 refpolicy_2.20140421-10.debian.tar.xz
 433730c9090b856c1d6dfaaac32e7604717f893e 2821672 selinux-policy-default_2.20140421-10_all.deb
 029ed851edd6d45c11b9fab474f701cfac435959 443666 selinux-policy-dev_2.20140421-10_all.deb
 82df1c4e0a456118dcb670f881b0b2347e93530e 423478 selinux-policy-doc_2.20140421-10_all.deb
 ada7d89622cb470fce3dd6f5e0bc5da63a21fd3b 2871900 selinux-policy-mls_2.20140421-10_all.deb
 8b8a042e4f7d5e2af769a2bd7318b9dc3828c4c2 1183880 selinux-policy-src_2.20140421-10_all.deb
Checksums-Sha256:
 0b83e4e05e8c672b86e928128071727cd152d580b721817ce1a883bb92f85cd6 2089 refpolicy_2.20140421-10.dsc
 e07227169bf110bc045b977dd545a6a84864e431c745696102907b571188036b 90016 refpolicy_2.20140421-10.debian.tar.xz
 274656801d596f8ff71c6745a36c56867f0c9e7f9f3d0e2cea98bb12dec0baea 2821672 selinux-policy-default_2.20140421-10_all.deb
 7a8dbdd541378bdf0c6a66f6d27393a64d1de573672dee5feb8fb053b8b5bec6 443666 selinux-policy-dev_2.20140421-10_all.deb
 987384487836b46863ed20c30864a4b1600af836b762ad3f6489da4c04168a40 423478 selinux-policy-doc_2.20140421-10_all.deb
 ecd9622ede56aabb40370a0bd01d151f5ec09e06a7259783428793fb9847fde4 2871900 selinux-policy-mls_2.20140421-10_all.deb
 1b9c76e0e3521a51698bc5d299ad385cc5b94074e7c477c25a7b3ce4f1f2f276 1183880 selinux-policy-src_2.20140421-10_all.deb
Files:
 cd12eda70b44ee8d827288a8f037c90d 2089 admin optional refpolicy_2.20140421-10.dsc
 daa9bad41935fa9966514a77207ae47e 90016 admin optional refpolicy_2.20140421-10.debian.tar.xz
 26a6719a2e8035f1df277de7da5960a4 2821672 admin optional selinux-policy-default_2.20140421-10_all.deb
 c65f722a18d0225b2e70428a2343fbce 443666 admin optional selinux-policy-dev_2.20140421-10_all.deb
 c75fdf3e201c0fbc03f97c91fb24f679 423478 doc optional selinux-policy-doc_2.20140421-10_all.deb
 6fc180e9a11b5994f09a24b515b973dc 2871900 admin extra selinux-policy-mls_2.20140421-10_all.deb
 744b4acc08ea65d4f9083102e86fb8d3 1183880 admin optional selinux-policy-src_2.20140421-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXNj1bAAoJEB/FiR66sEPVcGEH/15Pp3PP25YP8g/3KJks5/xG
9CCAfqY0NNMXbonrJVALIRdMn8RJ/9ILP7VqretxuE3WW8hWJ3rgkDwuEJoY/IRt
Wayx6knfJuxz0fuLVmHiKfMt2S2lp4AF5zPpan2bn1VgHYwkGfx3w7orm5TaG2OM
I6p4tLVR9ZArdFObVysOOypg4mzeGzoz1VIjVqgHvnml9kZ7ItfsQ0vWh2GMdl0V
/nbaXG7nLBQA4gR6o8CxS4wZdrBfUkv7WbR8UioYggr5NSytrSpzZd4+C6+nUtnu
ErOp7pSeIudQ08v6yCyEuERQHg4w3lI32mKYIQLiE39pQRk73fT4NHCCgV5QxLU=
=AnqX
-----END PGP SIGNATURE-----