Hi guys 'n girls,

The next iteration of our policies is now in the hardened-dev overlay. For ~arch users, this is one you will probably need to install through a small workaround, but first the changes:

#417937 Do not audit access to device_t:chr_file by dmesg
#417857 Support dynamic /run directories
#413719 Correct udev context in /run/udev
<no bug> Backporting SEPostgresql changes
<no bug> Update udev file contexts (udevadm and udevd binaries)
#417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes permission issue on .../modules/tmp)

~arch users will, if they have -r9 or -r10 installed, need to do the following steps first:

"""
setenforce 0
semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
restorecon -R /etc/selinux/strict/modules
setenforce 1
"""

This is because otherwise any attempt to load the new policy will result in a failure. Of course, substitute "strict" with the SELinux policy type you have installed.

This also means that r9 and r10 are not candidates for stabilization. And since r8 is fairly low on changes, r11 is the next stabilization candidate.

Wkr,
Sven Vermeulen
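The workaround above, wrapped as an added shell example (not part of the original post or the overlay): it reads SELINUXTYPE from /etc/selinux/config instead of hard-coding "strict", prints each step, and only executes them when RUN_FIX=1 is set and the caller is root; it also makes sure setenforce 1 runs again even if the relabel step fails, so a failed fix does not leave the system permissive. The config path argument and the RUN_FIX variable are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: derive the installed SELinux
# policy type from /etc/selinux/config and run (or just print) the
# semanage_store_t fix for the policy modules directory.
# Assumption: steps are executed only when RUN_FIX=1 and the caller is root;
# otherwise they are printed so the sequence can be reviewed first.

# Read SELINUXTYPE=<type> from an SELinux config file (path overridable for testing).
selinux_policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1
}

# Policy module store for a given policy type, e.g. /etc/selinux/strict/modules.
modules_store_path() {
    printf '/etc/selinux/%s/modules\n' "$1"
}

# Run one step: print it, and execute it only when RUN_FIX=1 as root.
step() {
    printf '%s\n' "$*"
    if [ "${RUN_FIX:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        "$@"
    fi
}

# Apply the fix for policy type $1. Enforcing mode is restored even if a
# middle step fails, so a failed relabel never leaves the box permissive.
apply_modules_fix() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "bad policy type: '$1'" >&2; return 2 ;;
    esac
    dir=$(modules_store_path "$1")
    step setenforce 0 || return 1
    rc=0
    step semanage fcontext -a -t semanage_store_t "$dir" || rc=1
    step restorecon -R "$dir" || rc=1
    step setenforce 1 || rc=1
    return "$rc"
}

# Usage: apply_modules_fix "$(selinux_policy_type)"    (prefix RUN_FIX=1 to execute)
```

If the fcontext rule is already defined, `semanage fcontext -a` exits non-zero; the function still runs restorecon and setenforce 1 and reports the failure through its return code, so check `ls -Zd /etc/selinux/<type>/modules` afterwards rather than assuming success.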