Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
0210-bounds-874201 is the most important patch. Without it, programs that should run as tor_t, mysqld_t, and entropyd_t run as init_t and get unrestricted access to the system. This is needed because of recent changes in systemd, together with daemon service files that enable those changes. Daemons are now started with "no new privileges" set, so the SE Linux policy has to specify that such daemon domains are subsets of the init_t domain, so that transitioning from init_t to tor_t (for example) is strictly decreasing privileges. It is possible that future changes will be submitted to make daemons more secure on non-SE systems (which IMHO is a suitable reason for updating stretch) but which require more changes like this to the SE Linux policy.
Bug #874201

0220-delete-lib-sudo-875668 is needed to allow systemd-tmpfiles to delete sudo temporary files. I don't know if there is a security issue with not deleting such files, but it is a functionality issue.
Bug #875668

0230-brctl-sysfs-875669 allows brctl to create sysfs files which are related to STP. The functionality appears to be normal without this patch (apart from logging AVC denial messages), but I think we should allow brctl to do all the things it wants. Maybe some bridging operations that I don't do on my network require this.
Bug #875669

0250-bootloader-875676 gives bootloader_t lots of access to create initramfs images and communicate with dpkg_t.
Bug #875676

0260-dnsmasq-875681 allows dnsmasq_t to read conf.d files; normal operation of this daemon isn't possible without this patch.
Bug #875681

I'll send the patches as an update to this bug once it gets a bug number.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
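The failure mode behind the 0210-bounds patch (confined daemons silently left in init_t) is easy to check for on a running host. The script below is an added example, not part of the bug report or the Debian policy package: it parses `ps -eZ`-style lines and reports any tracked daemon whose SELinux type is not the one expected. The command-to-domain table and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect daemons that systemd started in init_t instead of
# their own confined domain. Input is `ps -eZ` style output
# ("LABEL PID TTY TIME CMD"); the context is user:role:type[:level].

# Constructed mapping of command name -> expected SELinux domain type.
EXPECTED_DOMAINS="tor:tor_t
mysqld:mysqld_t
haveged:entropyd_t"

# Read ps -eZ lines on stdin. For each tracked command whose actual type
# differs from the expected one, print "CMD actual_type expected_type".
# Returns 1 if at least one mismatch was found, 0 otherwise.
check_domains() {
    rc=0
    while read -r label pid tty time cmd; do
        [ "$label" = "LABEL" ] && continue        # skip the header line
        actual=$(printf '%s' "$label" | cut -d: -f3) # type is the 3rd field
        expected=$(printf '%s\n' "$EXPECTED_DOMAINS" \
                   | awk -F: -v c="$cmd" '$1 == c { print $2 }')
        [ -z "$expected" ] && continue            # not a daemon we track
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$cmd" "$actual" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: tor and mysqld wrongly in init_t (the symptom the
# 0210 patch fixes), haveged correctly confined as entropyd_t.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:02 systemd
system_u:system_r:init_t:s0 812 ? 00:00:00 tor
system_u:system_r:init_t:s0 830 ? 00:00:05 mysqld
system_u:system_r:entropyd_t:s0 901 ? 00:00:00 haveged'

# Run the check over the embedded sample (exit status 1 = mismatches found).
run_sample() {
    printf '%s\n' "$SAMPLE_PS" | check_domains
}
```

On a real host, pipe live data in with `ps -eZ | check_domains`; a non-zero exit status means a daemon is running unconfined in init_t.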