OSV: DSA-1617-1

refpolicy - incompatible policy

Published: Jul 25, 2008, 00:00 (2008-07-25T00:00:00)
Source: Google osv.dev
CVSS3: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.12 Low
Percentile: 94.5%

In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447).
The fix, while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process running in the
named_t domain to bind sockets to UDP ports other than the standard ‘domain’
port (53).
The incompatibility affects both the ‘targeted’ and ‘strict’ policy packages
supplied by this version of refpolicy.

This update to the refpolicy packages grants the ability to bind to
arbitrary UDP ports to named_t processes.
When installed, the updated packages will attempt to update the bind policy
module on systems where it had been previously loaded and where the previous
version of refpolicy was 0.0.20061018-5 or below.

Because the Debian refpolicy packages are not yet designed with policy module
upgradeability in mind, and because SELinux-enabled Debian systems often have
some degree of site-specific policy customization, it is difficult to assure
that the new bind policy can be successfully upgraded.
To this end, the package upgrade will not abort if the bind policy update
fails.
The new policy module can be found at
/usr/share/selinux/refpolicy-targeted/bind.pp after installation.
Administrators wishing to use the bind service policy can reconcile any policy
incompatibilities and install the upgrade manually thereafter.
A more detailed discussion of the corrective procedure may be found on
<https://wiki.debian.org/SELinux/Issues/BindPortRandomization>.
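The practical symptom of the incompatibility described above is a stream of SELinux AVC denials: once BIND starts randomizing its source ports, the old refpolicy bind module refuses every named_t attempt to bind a UDP port other than 53. The following shell script is an added example, not part of the Debian advisory; it extracts those denials from auditd output so an administrator can confirm the old module is still in effect before loading the new bind.pp by hand. The audit lines embedded in it are constructed samples in the standard auditd AVC format, not captured from a real host; the only path it uses is the module location the advisory gives.

```shell
#!/bin/sh
# Added example (not from the advisory): detect named_t UDP name_bind denials
# caused by the pre-0.0.20061018-5.1+etch1 refpolicy bind module.
# SAMPLE_AUDIT_LOG holds CONSTRUCTED audit lines; on a real system feed in
# e.g. `ausearch -m avc -c named` or the contents of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1217001234.501:101): avc:  denied  { name_bind } for  pid=2231 comm="named" src=40317 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1217001234.502:102): avc:  denied  { name_bind } for  pid=2231 comm="named" src=58842 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1217001234.503:103): avc:  denied  { name_bind } for  pid=2231 comm="named" src=40317 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1217001234.504:104): avc:  denied  { name_bind } for  pid=3001 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1217001234.505:105): avc:  denied  { name_bind } for  pid=2231 comm="named" src=40317 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Print each distinct non-53 UDP port that named_t was denied name_bind on.
# $1: audit log text; defaults to the constructed sample above.
# Only name_bind denials whose source context is named_t and whose object
# class is udp_socket count; port 53 is excluded because the old policy
# already permits it, so a denial there would have a different cause.
named_udp_bind_denials() {
    printf '%s\n' "${1:-$SAMPLE_AUDIT_LOG}" |
    awk '/avc: *denied/ && /name_bind/ &&
         /scontext=[^ ]*:named_t:/ && /tclass=udp_socket/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^src=/) {
                     split($i, kv, "=")
                     if (kv[2] != "53") print kv[2]
                 }
         }' | sort -n | uniq
}

# Number of distinct randomized ports denied: a non-zero value means the
# running bind policy predates the fix (or the update failed to load).
count_named_udp_bind_denials() {
    named_udp_bind_denials "$@" | wc -l | tr -d ' '
}

n=$(count_named_udp_bind_denials)
if [ "$n" -gt 0 ]; then
    echo "named_t was denied UDP name_bind on $n randomized port(s):"
    named_udp_bind_denials | sed 's/^/  udp\//'
    echo "The old bind policy module is still in effect. After upgrading refpolicy,"
    echo "reconcile local customizations and load the new module with:"
    echo "  semodule -i /usr/share/selinux/refpolicy-targeted/bind.pp"
else
    echo "No named_t UDP name_bind denials found."
fi
```

Run against live data with `named_udp_bind_denials "$(ausearch -m avc -c named)"`; an empty result after the upgrade is the quickest confirmation that the new module was actually loaded, which the advisory notes the package upgrade itself does not guarantee.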

For the stable distribution (etch), this problem has been fixed in
version 0.0.20061018-5.1+etch1.

The unstable distribution (sid) is not affected, as subsequent refpolicy
releases have incorporated an analogous change.

We recommend that you upgrade your refpolicy packages.

Affected (CPE):
Name       Operator  Version
refpolicy  eq        0.0.20061018-5
