--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0858
2010-01-20 23:46:28
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 73.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20090730

--------------------------------------------------------------------------------
Update Information:

* Tue Jan 19 2010 Miroslav Grepl <[email protected]> 3.6.32-73
- Add labeling for /var/lib/avahi-autoipd directory
* Tue Jan 19 2010 Miroslav Grepl <[email protected]> 3.6.32-72
- Fixes for memcached from Dan Walsh
- Allow podsleuth to read user tmpfs files
- Allow tftpd to read system state information in proc
- Fixes for sssd from Dan Walsh
- Allow snmpd chown capability
* Fri Jan 15 2010 Miroslav Grepl <[email protected]> 3.6.32-71
- Allow hotplug to transition to brctl domain
- Fixes for sftpd
* Tue Jan 12 2010 Miroslav Grepl <[email protected]> 3.6.32-70
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 19 2010 Miroslav Grepl <[email protected]> 3.6.32-73
- Add labeling for /var/lib/avahi-autoipd directory
* Tue Jan 19 2010 Miroslav Grepl <[email protected]> 3.6.32-72
- Fixes for memcached from Dan Walsh
- Allow podsleuth to read user tmpfs files
- Allow tftpd to read system state information in proc
- Fixes for sssd from Dan Walsh
- Allow snmpd chown capability
* Fri Jan 15 2010 Miroslav Grepl <[email protected]> 3.6.32-71
- Allow hotplug to transition to brctl domain
- Fixes for sftpd
* Tue Jan 12 2010 Miroslav Grepl <[email protected]> 3.6.32-70
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Mon Jan 11 2010 Miroslav Grepl <[email protected]> 3.6.32-69
- Fixes for iscsid
- Allow openvpn to bind to http port
- Add wine_mmap_zero_ignore boolean
* Fri Jan 8 2010 Miroslav Grepl <[email protected]> 3.6.32-68
- Fixes for xenconsoled
- Allow xauth to connectto xserver_t unix_stream_socket
- Add textrel_shlib_t fixes
- Add labeling for LXDM
- Allow cupsd_lpd_t to setattr fontconfig directory
- Allow abrt to getattr on all character file device nodes.
- Add labeling for the rest of the nagios plugins
* Wed Jan 6 2010 Miroslav Grepl <[email protected]> 3.6.32-67
- Allow snmbd to send itself signal
- Allow virt_domain to read /dev/random
- Allow apcupsd to send itself signull
- Allow swat to transition to nmbd
- Add textrel_shlib_t label for /usr/local/lib/codecs/
* Mon Jan 4 2010 Dan Walsh <[email protected]> 3.6.32-66
- Allow lircd to use tcp_socket and connect/bind to port 8675
* Wed Dec 30 2009 Dan Walsh <[email protected]> 3.6.32-65
- Allow traceroute to use all terms
- Fix mgetty use for faxes
- Dontaudit xdm listing fusefs
- Allow xguest to resolve host names
- Allow abrt to read noxattr filesystems (cdrom)
- Allow abrt_helper to send itself signals
- Allow amavis to read certs
- Allow apache to bind to port 3000 (Ruby on rails)
- Asterisk uses mysql and snmp
- Allow consolekit to write wtmp file for shutdown
- Allow cups ipc_lock
- Allow hal to transition to ppp
- Fix mailman labels for 64 bit systems
- dontaudit system_mail access to leaked terminals
- Allow mysqld_safe_t to unlink mysqld pid files
- nrpe_t uses getpw calls
- Allow NetworkManager to delete ppp pid files
- Allow pptp_t to send userdomain signals
- Allow prelude to connect to mysql
- Allow swat to start winbind server
- Fixes for snort
- Allow telnetd to setattr user terminals
- Allow qemu to read fusefs
- Allow domains that have telinit to connectto upstart unix_stream_socket
- Dontaudit ipsec_mgmt sys_tty_config
- Fix labels for postgres test suite
- Other textrel_shlib_t fixes
* Wed Dec 23 2009 Dan Walsh <[email protected]> 3.6.32-64
- Update to Rawhide filesystem.if file
- Allow abrt to read nfs
- Allow cups to search fusefs
- Allow dovecot_auth to search var_log
- Fix label on ksmtuned.pid
- Dontaudit policykit looking at mount points
- Allow xdm to manage /var/cache/fontconfig
- Allow xenstored to search xenfs
* Tue Dec 22 2009 Dan Walsh <[email protected]> 3.6.32-63
- Allow sendmail setpgid
- Allow dovecot to read nfs homedirs
* Mon Dec 21 2009 Dan Walsh <[email protected]> 3.6.32-62
- Add label for /var/ekpd
- Allow portreserve to look at bin files
- Allow gssd to ask the kernel to load modules
- If you can run mount you can run fusermount
* Mon Dec 21 2009 Dan Walsh <[email protected]> 3.6.32-61
- Fixes for sandbox_x_server
- Fix ntop policy
- Sandbox fixes
* Fri Dec 18 2009 Dan Walsh <[email protected]> 3.6.32-60
- Fixes for cluster policy
- mysql_safe fixes
- Fixes for sssd
- Cgroup access for virtd
- Dontaudit fail2ban leaks
* Tue Dec 15 2009 Dan Walsh <[email protected]> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add label for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- file contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrastructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <[email protected]> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec 9 2009 Dan Walsh <[email protected]> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes for vhostmd
* Mon Dec 7 2009 Dan Walsh <[email protected]> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to winbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms
* Thu Dec 3 2009 Dan Walsh <[email protected]> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec 3 2009 Dan Walsh <[email protected]> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec 1 2009 Dan Walsh <[email protected]> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec 1 2009 Dan Walsh <[email protected]> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connectto unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <[email protected]> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.
* Tue Nov 24 2009 Dan Walsh <[email protected]> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <[email protected]> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <[email protected]> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx
- Allow rtkit_daemon to read locale file
- Allow snort to create socket
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <[email protected]> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <[email protected]> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <[email protected]> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <[email protected]> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <[email protected]> 3.6.32-43
- Fix transition so unconfined_execmem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov 9 2009 Dan Walsh <[email protected]> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t for Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos library problem.
- Eliminate transition from unconfined_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #538383 - AVC message when starting VNC server
        https://bugzilla.redhat.com/show_bug.cgi?id=538383
  [ 2 ] Bug #556183 - SELinux is preventing /usr/bin/mono "read write" access
        https://bugzilla.redhat.com/show_bug.cgi?id=556183
  [ 3 ] Bug #556614 - blueman trigger a selinux warning due to avahi-autoipd
        https://bugzilla.redhat.com/show_bug.cgi?id=556614
  [ 4 ] Bug #556632 - SELinux is preventing /usr/sbin/rpc.gssd "read" access on kdcinfo...
        https://bugzilla.redhat.com/show_bug.cgi?id=556632
  [ 5 ] Bug #555054 - Selinux is blocking bridged network for qemu-kvm
        https://bugzilla.redhat.com/show_bug.cgi?id=555054
  [ 6 ] Bug #555115 - privoxy SELinux policy frequently denies access to web pages
        https://bugzilla.redhat.com/show_bug.cgi?id=555115
  [ 7 ] Bug #556636 - SELinux is preventing /usr/sbin/in.tftpd "read" access on meminfo
        https://bugzilla.redhat.com/show_bug.cgi?id=556636
  [ 8 ] Bug #556688 - SELinux is preventing /usr/sbin/snmpd "chown" access
        https://bugzilla.redhat.com/show_bug.cgi?id=556688
  [ 9 ] Bug #556851 - dhcpd ipv6 does not allow binding of udp port 547 (dhcp-server port)
        https://bugzilla.redhat.com/show_bug.cgi?id=556851
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
