Debian Security Advisory

DSA-1617-1 refpolicy -- incompatible policy

Date Reported:
25 Jul 2008
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 490271.
In Mitre's CVE dictionary: CVE-2008-1447.
More information:

In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard 'domain' port (53). The incompatibility affects both the 'targeted' and 'strict' policy packages supplied by this version of refpolicy.

This update to the refpolicy packages grants the ability to bind to arbitrary UDP ports to named_t processes. When installed, the updated packages will attempt to update the bind policy module on systems where it had been previously loaded and where the previous version of refpolicy was 0.0.20061018-5 or below.

Because the Debian refpolicy packages are not yet designed with policy module upgradeability in mind, and because SELinux-enabled Debian systems often have some degree of site-specific policy customization, it is difficult to assure that the new bind policy can be successfully upgraded. To this end, the package upgrade will not abort if the bind policy update fails. The new policy module can be found at /usr/share/selinux/refpolicy-targeted/bind.pp after installation. Administrators wishing to use the bind service policy can reconcile any policy incompatibilities and install the upgrade manually thereafter. A more detailed discussion of the corrective procedure may be found on

For the stable distribution (etch), this problem has been fixed in version 0.0.20061018-5.1+etch1.

The unstable distribution (sid) is not affected, as subsequent refpolicy releases have incorporated an analogous change.

We recommend that you upgrade your refpolicy packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.