[ Reason ]
The current version of refpolicy in Trixie has the following issues when
running under SELinux enforcing mode:
- Chromium can crash on paste, and pulseaudio might not work with it
- Missing labels for sympa
- Missing policy for usbguard
- PAM sessions can't create wtmp.db-journal
- systemd_passwd_agent_t can't watch user runtime dirs for daemon restart
- dhcpd_t can't execute ntpd_exec_t in ntpd_t for dhcp scripts and start
generic units
- systemd-nspawn terminal doesn't work due to missing allow rules
[ Impact ]
If not approved, users running SELinux on Trixie will continue to encounter
the issues listed above.
[ Tests ]
This has been manually tested by me and Russell Coker on Trixie, and it went
through Debusine QA/CI with no regressions found.
[ Risks ]
Low. The changes consist entirely of localized SELinux policy additions
(allow rules and labeling adjustments).
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Label /var/lib/dbconfig-common/sqlite3/sympa/sympa
* Allow pam sessions to create wtmp.db-journal
* Added usbguard policy
* Allow chromium to stat xattr filesystems, read xkb libs, and give fifo
files to the window manager (to stop it crashing on paste)
* Allow pulseaudio_client domains (including the $1_wm_t domains) to mmap
the tmpfs files related to pulseaudio (for Chrome mostly)
* Allow systemd_passwd_agent_t to watch user runtime dirs for systemd
daemon restart
* Allow dhcpd_t to execute ntpd_exec_t in ntpd_t for dhcp scripts and
start generic units
* Allow systemd-nspawn to use user terminal devices when run directly by a
sysadmin, and allow it to manage mnt_t files
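The changes above each correspond to an AVC denial that should no longer appear once the updated refpolicy is installed. The following triage helper is an added example for checking that on a test system; it is not part of the refpolicy package or of this request. It parses standard Linux audit AVC records, classifies each denied (source type, target type, object class) as either covered by this update or unrelated, and runs on constructed sample records instead of /var/log/audit/audit.log. Two type names are assumptions not stated in the request: user_runtime_t for the user runtime directories and systemd_nspawn_t for the nspawn domain.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fields of a standard audit AVC record that matter for policy triage:
#   avc:  denied  { perm ... } for ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source: str  # source domain, e.g. dhcpd_t
    target: str  # target type, e.g. ntpd_exec_t
    tclass: str  # object class, e.g. file
    perm: str    # one permission, e.g. execute


def _type_of(context: str) -> str:
    # user:role:type[:range] -> type
    return context.split(":")[2]


def parse_avc(line: str) -> list[Denial]:
    """Return one Denial per permission in an AVC record, [] for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return []
    src, tgt, cls = _type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"]
    return [Denial(src, tgt, cls, perm) for perm in m["perms"].split()]


# (source, target, class) triples this update is meant to resolve.  dhcpd_t,
# ntpd_exec_t and mnt_t are named in the request; user_runtime_t and
# systemd_nspawn_t are ASSUMED type names for "user runtime dirs" and
# systemd-nspawn.  Permissions are not matched, since "manage" covers many.
FIXED_BY_UPDATE = {
    ("dhcpd_t", "ntpd_exec_t", "file"),
    ("systemd_passwd_agent_t", "user_runtime_t", "dir"),
    ("systemd_nspawn_t", "mnt_t", "file"),
}


def triage(lines: list[str]) -> tuple[list[Denial], list[Denial]]:
    """Split denials into (expected to be fixed by this update, unrelated)."""
    fixed: list[Denial] = []
    unrelated: list[Denial] = []
    for line in lines:
        for d in parse_avc(line):
            bucket = fixed if (d.source, d.target, d.tclass) in FIXED_BY_UPDATE else unrelated
            bucket.append(d)
    return fixed, unrelated


# CONSTRUCTED sample records in audit.log layout, not captured from a real host.
# The last AVC line uses made-up example_t/example_data_t types to stand in for
# a denial that has nothing to do with this update.
SAMPLE_LOG = """\
type=AVC msg=audit(1718000000.123:101): avc:  denied  { execute } for  pid=1201 comm="dhclient-script" name="ntpd" dev="vda1" ino=1234 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:ntpd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718000000.456:102): avc:  denied  { watch } for  pid=1305 comm="systemd-tty-ask" path="/run/user/1000" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1718000000.789:103): avc:  denied  { read open } for  pid=1410 comm="systemd-nspawn" path="/mnt/data/x" dev="vdb1" ino=99 scontext=system_u:system_r:systemd_nspawn_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718000000.789:103): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1718000001.000:104): avc:  denied  { getattr } for  pid=1500 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=0
"""


if __name__ == "__main__":
    fixed, unrelated = triage(SAMPLE_LOG.splitlines())
    print("Denials this update should remove (report if still seen after upgrade):")
    for d in fixed:
        print(f"  {d.source} -> {d.target} ({d.tclass}: {d.perm})")
    print("Denials outside the scope of this update:")
    for d in unrelated:
        print(f"  {d.source} -> {d.target} ({d.tclass}: {d.perm})")
```

On a real Trixie host the records come from `ausearch -m AVC --raw -ts boot`; any denial the script lists in the first group after the updated package is installed would be a regression in the fix, and anything in the second group is a separate report. Note that the chromium, pulseaudio, sympa and wtmp items are not in FIXED_BY_UPDATE because the request does not name their target types, so do not read their absence from the first group as proof those fixes work.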
[ More Info ]
- debdiff attached.