--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-11123
2010-07-14 22:19:43
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 37.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

* Wed Jul 14 2010 Miroslav Grepl <[email protected]> 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy

* Tue Jul 13 2010 Miroslav Grepl <[email protected]> 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean

* Fri Jul 09 2010 Miroslav Grepl <[email protected]> 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy

* Thu Jul 01 2010 Miroslav Grepl <[email protected]> 3.7.19-34
- Fix ipsec-mgmt interface

--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 14 2010 Miroslav Grepl <[email protected]> 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy

* Tue Jul 13 2010 Miroslav Grepl <[email protected]> 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean

* Fri Jul 9 2010 Miroslav Grepl <[email protected]> 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy

* Thu Jul 1 2010 Miroslav Grepl <[email protected]> 3.7.19-34
- Fix ipsec-mgmt interface

* Wed Jun 30 2010 Miroslav Grepl <[email protected]> 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface

* Mon Jun 28 2010 Miroslav Grepl <[email protected]> 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces

* Mon Jun 21 2010 Miroslav Grepl <[email protected]> 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Allow all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to append abrt_var_cache files
- Fixed label for abrt.socket

* Wed Jun 16 2010 Miroslav Grepl <[email protected]> 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev

* Tue Jun 15 2010 Miroslav Grepl <[email protected]> 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote

* Mon Jun 14 2010 Miroslav Grepl <[email protected]> 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy

* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy

* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label

* Tue Jun 8 2010 Miroslav Grepl <[email protected]> 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories

* Thu Jun 3 2010 Miroslav Grepl <[email protected]> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy

* Tue Jun 1 2010 Miroslav Grepl <[email protected]> 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability

* Tue May 25 2010 Dan Walsh <[email protected]> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label

* Mon May 24 2010 Dan Walsh <[email protected]> 3.7.19-21
- Allow login programs to read krb5_home_t
  Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
  Resolves: #575084

* Thu May 20 2010 Dan Walsh <[email protected]> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool

* Wed May 19 2010 Dan Walsh <[email protected]> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptables to read usr files
- allow policykit to read all domains state

* Thu May 13 2010 Dan Walsh <[email protected]> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport

* Wed May 12 2010 Dan Walsh <[email protected]> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow pyranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules

* Mon May 10 2010 Dan Walsh <[email protected]> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
  Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
  Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log

* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
  Resolves: #586663

* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-13
- Allow boinc to send mail

* Wed May 5 2010 Dan Walsh <[email protected]> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
  Resolves: #589136

* Mon May 3 2010 Dan Walsh <[email protected]> 3.7.19-11
- Fix location of oddjob_mkhomedir
  Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
  Resolves: #586760

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #611036 - SELinux is preventing /usr/bin/mpd "name_connect" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=611036
  [ 2 ] Bug #611368 - SELinux verhindert /usr/lib64/firefox-3.6/firefox "getattr" Zugriff on /dev/sdb1.
        https://bugzilla.redhat.com/show_bug.cgi?id=611368
  [ 3 ] Bug #611369 - SELinux verhindert /usr/lib64/firefox-3.6/firefox "read" Zugriff on media.
        https://bugzilla.redhat.com/show_bug.cgi?id=611369
  [ 4 ] Bug #611373 - SELinux is preventing /usr/local/lexmark/lxk08/bin/printdriver from loading /usr/local/lexmark/lxk08/lib/libhdctransport.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=611373
  [ 5 ] Bug #612207 - SELinux prevents chsh from changing shell to mksh or yash
        https://bugzilla.redhat.com/show_bug.cgi?id=612207
  [ 6 ] Bug #612225 - SELinux is preventing /sbin/portreserve "search" access on /home/arkiados/Downloads.
        https://bugzilla.redhat.com/show_bug.cgi?id=612225
  [ 7 ] Bug #612560 - SELinux is preventing /usr/bin/boinc_client (deleted) "getattr" access on /boot.
        https://bugzilla.redhat.com/show_bug.cgi?id=612560
  [ 8 ] Bug #611937 - SELinux verhindert /bin/bash "sys_tty_config" Zugriff .
        https://bugzilla.redhat.com/show_bug.cgi?id=611937
  [ 9 ] Bug #611308 - MediaWiki's ulimit4.sh triggers SELinux warnings when thumbnailing
        https://bugzilla.redhat.com/show_bug.cgi?id=611308
  [ 10 ] Bug #612726 - SELinux is preventing /usr/sbin/rpc.nfsd "setsched" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=612726
  [ 11 ] Bug #612765 - SELinux is preventing /bin/bash "ioctl" access on /var/lib/libvirt/libvirt-guests.
        https://bugzilla.redhat.com/show_bug.cgi?id=612765
  [ 12 ] Bug #595544 - possible minor issues in netutils.te
        https://bugzilla.redhat.com/show_bug.cgi?id=595544
  [ 13 ] Bug #613489 - O SELinux está impedindo o acesso a /usr/bin/eu-unstrip "read" on /etc/httpd/modules
        https://bugzilla.redhat.com/show_bug.cgi?id=613489
  [ 14 ] Bug #595849 - SELinux prevents dokuwiki from working in FC12
        https://bugzilla.redhat.com/show_bug.cgi?id=595849
  [ 15 ] Bug #613218 - SELinux is preventing /sbin/dhclient "search" access on /var/lib/wicd.
        https://bugzilla.redhat.com/show_bug.cgi?id=613218
  [ 16 ] Bug #614160 - SELinux is preventing /usr/sbin/sshd "write" access on sshd.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=614160
  [ 17 ] Bug #614031 - SELinux is preventing /usr/bin/kdm "signull" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=614031
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
