#1131142 trixie-pu: package refpolicy/2:2.20250213-12+deb13u1

#1131142#5
Date:
2026-03-18 03:25:06 UTC
From:
To:
[ Reason ]
The current version of refpolicy in Trixie has the following issues when
running under SELinux enforcing mode:

 - Chromium can crash on paste, and pulseaudio might not work with it
 - Missing labels for sympa
 - Missing policy for usbguard
 - PAM sessions can't create wtmp.db-journal
 - systemd_passwd_agent_t can't watch user runtime dirs for daemon restart
 - dhcpd_t can't execute ntpd_exec_t in ntpd_t for dhcp scripts and start
   generic units
 - systemd-nspawn terminal doesn't work due to missing allow rules

[ Impact ]
If not approved, users running SELinux on Trixie will continue to encounter
the issues listed above.

[ Tests ]
This has been manually tested by me and Russell Coker on Trixie, and went
through Debusine QA/CI; no regression was found.

[ Risks ]
Low. The changes consist entirely of localized SELinux policy additions
(allow rules and labeling adjustments).

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Label /var/lib/dbconfig-common/sqlite3/sympa/sympa
  * Allow pam sessions to create wtmp.db-journal
  * Added usbguard policy
  * Allow chromium to stat xattr filesystems, read xkb libs, and give fifo
    files to the window manager (to stop it crashing on paste)
  * Allow pulseaudio_client domains (including the $1_wm_t domains) to mmap
    the tmpfs files related to pulseaudio (for Chrome mostly)
  * Allow systemd_passwd_agent_t to watch user runtime dirs for systemd
    daemon restart
  * Allow dhcpd_t to execute ntpd_exec_t in ntpd_t for dhcp scripts and
    start generic units
  * Allow systemd-nspawn to use user terminal devices when run directly by
    a sysadmin, and allow managing mnt_t files

[ More Info ]
- debdiff attached.
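
Added example (not part of this bug report, the debdiff, or the refpolicy package): the rules above are the kind that come out of turning AVC denials into allow statements. The script below is a minimal audit2allow-style summariser: it parses constructed audit lines modelled on two of the problems listed (dhcpd_t executing ntpd_exec_t, systemd_passwd_agent_t watching a user runtime directory), collapses them per (source, target, class) triple, and emits both the candidate allow rule and the sesearch command that checks whether the loaded policy already grants it. The audit lines are constructed, and the target type user_runtime_t is an assumption, not taken from the debdiff.

```python
"""Minimal audit2allow-style summariser for SELinux AVC denials.

Added example, not part of the bug report or the refpolicy package. The audit
lines below are constructed to resemble the issues the update addresses; the
target type user_runtime_t is an assumption.
"""
import re
from collections import defaultdict

# Only the fields needed to derive an allow rule are captured; the rest of the
# record (pid, comm, path, ino, permissive flag) is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: two denials for the same triple (to show merging), one
# for a different domain, and one non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1710000000.001:101): avc:  denied  { execute } for  pid=4242 comm="dhclient-script" name="ntpd" dev="vda1" ino=2051 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1710000000.002:102): avc:  denied  { read } for  pid=4242 comm="dhclient-script" name="ntpd" dev="vda1" ino=2051 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1710000000.003:103): avc:  denied  { watch } for  pid=777 comm="systemd-tty-ask" path="/run/user/1000" dev="tmpfs" ino=3 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1710000000.003:103): arch=c000003e syscall=254 success=no exit=-13
"""


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one audit line into (source type, target type, class, perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), perms)


def summarise(lines):
    """Collapse denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, CWD, PATH and other non-AVC records
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def allow_rules(lines):
    """Render the summary as checkpolicy-style allow statements, deterministically sorted."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
            for (s, t, c), perms in sorted(summarise(lines).items())]


def sesearch_checks(lines):
    """Emit setools sesearch commands that confirm each rule in the loaded policy."""
    return ["sesearch -A -s %s -t %s -c %s -p %s" % (s, t, c, ",".join(sorted(perms)))
            for (s, t, c), perms in sorted(summarise(lines).items())]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for rule, check in zip(allow_rules(lines), sesearch_checks(lines)):
        print(rule)
        print("  verify:", check)
```

The output is a starting point, not the fix: for the dhcpd_t case the changelog says the execution happens "in ntpd_t", so the right change is a domain transition (execute on ntpd_exec_t together with a type transition into ntpd_t), which a bare `allow dhcpd_t ntpd_exec_t:file { execute read };` does not express. After installing the updated package, running the generated sesearch lines against the live policy (`sesearch` is in the setools package) shows whether each denial is now covered without having to reproduce the original failure.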

#1131142#12
Date:
2026-05-03 10:46:26 UTC
From:
To:
Control: tags -1 + moreinfo

The changelog / versioning is broken:

#1131142#19
Date:
2026-05-23 10:26:13 UTC
From:
To:
Thanks for the tips, I've addressed the problems and attached the new
debdiff. Tested on Trixie, and there is no change of policy compared to
the previous debdiff.


Regards,

Yifei