--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-13584
2009-12-23 21:03:50
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 63.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20090730

--------------------------------------------------------------------------------
Update Information:

* Tue Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-63
- Allow sendmail setpgid
- Allow dovecot to read nfs homedirs
* Tue Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-62
- Add label for /var/ekpd
- Allow portreserve to look at bin files
- Allow gssd to ask the kernel to load modules
- If you can run mount you can run fusermount
* Mon Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-61
- Fixes for sandbox_x_server
- Fix ntop policy
- Sandbox fixes
* Fri Dec 18 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-60
- Fixes for cluster policy
- mysql_safe fixes
- Fixes for sssd
- Cgroup access for virtd
- Dontaudit fail2ban leaks

--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-63
- Allow sendmail setpgid
- Allow dovecot to read nfs homedirs
* Mon Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-62
- Add label for /var/ekpd
- Allow portreserve to look at bin files
- Allow gssd to ask the kernel to load modules
- If you can run mount you can run fusermount
* Mon Dec 21 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-61
- Fixes for sandbox_x_server
- Fix ntop policy
- Sandbox fixes
* Fri Dec 18 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-60
- Fixes for cluster policy
- mysql_safe fixes
- Fixes for sssd
- Cgroup access for virtd
- Dontaudit fail2ban leaks
* Tue Dec 15 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add label for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- file contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrastructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes for vhostmd
* Mon Dec 7 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to winbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms
* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connect to unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.
* Tue Nov 24 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx
- Allow rtkit_daemon to read locale file
- Allow snort to create socket
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-43
- Fix transition so unconfined_execmem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos library problem.
- Eliminate transition from unconfined_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #542583 - SELinux is preventing /bin/mount access to a leaked file file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=542583
  [ 2 ] Bug #542654 - ntop triggers several AVC denials when starting
        https://bugzilla.redhat.com/show_bug.cgi?id=542654
  [ 3 ] Bug #546691 - SELinux is preventing /usr/sbin/avahi-autoipd "net_raw" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=546691
  [ 4 ] Bug #547979 - SELinux is preventing /bin/bash "read" access on meminfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=547979
  [ 5 ] Bug #548051 - SELinux is preventing /bin/bash access to a leaked unix_stream_socket file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=548051
  [ 6 ] Bug #548052 - SELinux is preventing /usr/bin/Xephyr "execmem" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=548052
  [ 7 ] Bug #548053 - SELinux is preventing /usr/bin/Xephyr "execute" access on /dev/zero.
        https://bugzilla.redhat.com/show_bug.cgi?id=548053
  [ 8 ] Bug #548102 - SELinux is preventing /bin/kill "kill" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=548102
  [ 9 ] Bug #548107 - SELinux is preventing /bin/sed "create" access on sed0qskIr.
        https://bugzilla.redhat.com/show_bug.cgi?id=548107
  [ 10 ] Bug #548206 - SELinux is preventing /usr/sbin/bluetoothd "search" access on hid.
        https://bugzilla.redhat.com/show_bug.cgi?id=548206
  [ 11 ] Bug #548361 - SELinux is preventing /usr/bin/python "search" access on 1187.
        https://bugzilla.redhat.com/show_bug.cgi?id=548361
  [ 12 ] Bug #548394 - SELinux is preventing /usr/bin/mplayer from loading /usr/lib/nmm/liba52.so.0.0.0 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=548394
  [ 13 ] Bug #548567 - SELinux is preventing /usr/libexec/hal-storage-mount "create" access on .hal-mtab-lock.
        https://bugzilla.redhat.com/show_bug.cgi?id=548567
  [ 14 ] Bug #548618 - SELinux is preventing the ftp daemon from writing files outside the home directory (untitled folder).
        https://bugzilla.redhat.com/show_bug.cgi?id=548618
  [ 15 ] Bug #548644 - SELinux is preventing /usr/lib/cyrus-imapd/cyrus-master from binding to port 4190.
        https://bugzilla.redhat.com/show_bug.cgi?id=548644
  [ 16 ] Bug #548647 - SELinux is preventing /usr/lib/cyrus-imapd/cyrus-master "write" access on mibs.
        https://bugzilla.redhat.com/show_bug.cgi?id=548647
  [ 17 ] Bug #548677 - SELinux is preventing /usr/bin/abrt-pyhook-helper "read" access on /proc/<pid>/mountinfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=548677
  [ 18 ] Bug #548717 - SELinux is preventing /usr/local/mpeg123/bin/mpg123 from loading /usr/local/mpeg123/lib/libmpg123.so.0.22.1 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=548717
  [ 19 ] Bug #548755 - SELinux is preventing /usr/lib/chromium-browser/chromium-browser "write" access on /home/*/.config/chromium/Default/databases/chrome-extension_ajpgkpeckebdhofmmjfgcjjiiejpodla_0/1.
        https://bugzilla.redhat.com/show_bug.cgi?id=548755
  [ 20 ] Bug #548794 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=548794
  [ 21 ] Bug #548901 - SELinux is preventing /bin/bash "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=548901
  [ 22 ] Bug #548972 - SELinux is preventing /bin/sed "execute" access on /bin/sed.
        https://bugzilla.redhat.com/show_bug.cgi?id=548972
  [ 23 ] Bug #549278 - SELinux is preventing /usr/bin/perl "create" access on munin-master-processmanager-3116.sock.
        https://bugzilla.redhat.com/show_bug.cgi?id=549278
  [ 24 ] Bug #549505 - SELinux is preventing /usr/kerberos/sbin/kpropd "unlink" access on host_0.
        https://bugzilla.redhat.com/show_bug.cgi?id=549505
  [ 25 ] Bug #549561 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=549561
  [ 26 ] Bug #549568 - SELinux is preventing /sbin/portreserve "getattr" access on /opt/eset/esets/sbin/esets_daemon.
        https://bugzilla.redhat.com/show_bug.cgi?id=549568
  [ 27 ] Bug #549612 - SELinux is preventing /usr/bin/gok "getattr" access on /var/squidGuard.
        https://bugzilla.redhat.com/show_bug.cgi?id=549612
  [ 28 ] Bug #549618 - SELinux is preventing /usr/bin/iceauth access to a leaked unix_stream_socket file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=549618
  [ 29 ] Bug #549625 - SELinux is preventing /usr/bin/python "read" access on /var/lib/mock/local/repodata/filelists.sqlite.bz2.
        https://bugzilla.redhat.com/show_bug.cgi?id=549625
  [ 30 ] Bug #549675 - SELinux is preventing /usr/lib/chromium-browser/chromium-browser from loading /usr/lib/chromium-browser/libmedia.so which requires text relocation
        https://bugzilla.redhat.com/show_bug.cgi?id=549675
  [ 31 ] Bug #549708 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=549708
  [ 32 ] Bug #549731 - SELinux is preventing /usr/lib/cups/backend/ekplp "write" access on /var/ekpd/ekplp0.
        https://bugzilla.redhat.com/show_bug.cgi?id=549731
  [ 33 ] Bug #549770 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "execstack" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=549770
  [ 34 ] Bug #549819 - SELinux is preventing /usr/libexec/nmh/slocal "setpgid" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=549819

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce