selinux-policy-src - Source of the SELinux reference policy for customization

Distribution: Ubuntu 16.04 LTS (Xenial Xerus)
Repository: Ubuntu Universe i386
Package name: selinux-policy-src
Package version: 2.20140421
Package release: 9
Package architecture: all
Package type: deb
Installed size: 1.20 KB
Download size: 1.11 MB
Official Mirror:
The SELinux Reference Policy (refpolicy) is a complete SELinux policy, as an alternative to the existing strict and targeted policies available from The goal is to have this policy as the system policy, be and used as the basis for creating other policies. Refpolicy is based on the current strict and targeted policies, but aims to accomplish many additional goals: + Strong Modularity + Clearly stated security Goals + Documentation + Development Tool Support + Forward Looking + Configurability + Flexible Base Policy + Application Policy Variations + Multi-Level Security This is the source of the policy, provided so that local variations of SELinux policy may be created.



    Source package: refpolicy

    Install Howto

    1. Update the package index:
      # sudo apt-get update
    2. Install selinux-policy-src deb package:
      # sudo apt-get install selinux-policy-src


    • /usr/share/doc/selinux-policy-src/NEWS.Debian.gz
    • /usr/share/doc/selinux-policy-src/changelog.Debian.gz
    • /usr/share/doc/selinux-policy-src/copyright
    • /usr/src/selinux-policy-src.tar.gz


    2015-02-06 - Russell Coker <> refpolicy (2:2.20140421-9) unstable; urgency=medium * Allow dovecot_t to read /usr/share/dovecot/protocols.d Allow dovecot_t capability sys_resource Label /usr/lib/dovecot/* as bin_t unless specified otherwise Allow dovecot_auth_t to manage dovecot_var_run_t for auth tokens * Allow clamd_t capability { chown fowner fsetid } Allow clamd_t to read sysctl_vm_t * Allow dkim_milter_t capability dac_override and read sysctl_vm_t allow dkim_milter_t to bind to unreserved UDP ports * Label all hard-links of perdition perdition_exec_t Allow perdition to read /dev/urandom and capabilities dac_override, chown, and fowner Allow perdition file trans to perdition_var_run_t for directories Also proxy the sieve service - sieve_port_t Allow connecting to mysql for map data * Allow nrpe_t to read nagios_etc_t and have capability dac_override * Allow httpd_t to write to initrc_tmp_t files Label /var/lib/php5(/.*)? as httpd_var_lib_t * Allow postfix_cleanup_t to talk to the dkim filter allow postfix_cleanup_t to use postfix_smtpd_t fds (for milters) allow postfix_smtpd_t to talk to clamd_t via unix sockets allow postfix_master_t to execute hostname for Debian startup scripts * Allow unconfined_cronjob_t role system_r and allow it to restart daemons via systemd Allow system_cronjob_t to unlink httpd_var_lib_t files (for PHP session cleanup) * Allow spamass_milter_t to search the postfix spool and sigkill itself allow spamc_t to be in system_r for when spamass_milter runs it * Allow courier_authdaemon_t to execute a shell * Label /usr/bin/maildrop as procmail_exec_t Allow procmail_t to connect to courier authdaemon for the courier maildrop, also changed courier_stream_connect_authdaemon to use courier_var_run_t for the type of the socket file Allow procmail_t to read courier config for maildrop. * Allow system_mail_t to be in role unconfined_r * Label ldconfig.real instead of ldconfig as ldconfig_exec_t * Allow apt_t to list directories of type apt_var_log_t * Allow dpkg_t to execute dpkg_tmp_t and load kernel modules for dpkg-preconfigure * Allow dpkg_script_t to create udp sockets, netlink audit sockets, manage shadow files, process setfscreate, and capabilities audit_write net_admin sys_ptrace * Label /usr/lib/xen-*/xl as xm_exec_t