
Mailing List Archive: Gentoo: Hardened

SELinux base policy rev 5 in hardened-dev

 

 



swift at gentoo

Mar 22, 2012, 12:28 PM


Hi guys,

I've pushed rev 5 of the base policy (and selinux-dhcp) to the hardened-dev
overlay. This one contains the following changes since rev 4:

<no bug> Do not audit getattr/search on user_home_dir_t stuff from within portage_fetch_t
<no bug> Do not audit getattr on udev netlink_kobject_uevent_sockets and unix_stream_sockets from within initrc (bootmisc)
<no bug> Allow init scripts (bootmisc) to clean up /tmp location
<no bug> Allow init scripts to delete stale syslog control sockets
<no bug> Allow bootmisc to mkdir/rmdir in /var/lib
<no bug> Allow mount to setsched on kernel_t
<no bug> Mark the selinuxfs mounts as mountpoints
<no bug> Do not audit searches by mount on unlabeled_t before it mounts on them
#389425 Update patch for DHCP regarding binding to generic UDP ports
<no bug> Support integrated run_init properly again
<no bug> Add in references to sysfs where SELinux access is used (dev_getattr_sysfs_fs)
<no bug> Mark /lib/rc/console as initrc_state_t to allow bootup to remove stale files in there
<no bug> Do not attempt to update base in selinux-base, wait for selinux-base-policy
<no bug> Allow nginx_t to list the content of its configuration directories
<no bug> Mark /var/lib/ip6tables as initrc_tmp_t to allow init script to save/restore

This is the first candidate for pushing to main tree (of the 20120215 policy
series). If there are no particular blockers in a few days, I'll do that
(and also do the last stabilization on the 20110726 series).

In the meantime, I'm going to start pushing out patches upstream so if
refpolicy wants some patches structured differently, I'll update them in our
tree as well.

Wkr,
Sven Vermeulen
