--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-12210
2010-08-06 20:37:03
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 44.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add support for luci
- Add label for /var/spool/up2date
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 5 2010 Miroslav Grepl <[email protected]> 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date
* Wed Aug 4 2010 Miroslav Grepl <[email protected]> 3.7.19-43
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
* Mon Aug 2 2010 Miroslav Grepl <[email protected]> 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy
* Tue Jul 27 2010 Miroslav Grepl <[email protected]> 3.7.19-41
- Allow logwatch_mail to read the networking state information.
- Add label for /usr/bin/dosbox
- Allow systat sys_admin capability
* Fri Jul 23 2010 Miroslav Grepl <[email protected]> 3.7.19-40
- Fixes for puppetmaster
- Fix label for kadmin init script
- Fixes for logwatch-mail policy
- Allow arpwatch to request the kernel to load modules
- Allow cron jobs to run with context of user that started them
* Wed Jul 21 2010 Miroslav Grepl <[email protected]> 3.7.19-39
- Allow munin_system_plugin to read files in /usr
- Do not audit insmod attempts to write virt daemon unnamed pipes
- Allow corosync to read ricci lib files
* Mon Jul 19 2010 Miroslav Grepl <[email protected]> 3.7.19-38
- Allow xdm_t to manage gnome homedir content
- Allow s-c-firewall to read and write virtual memory sysctls
- Fixes for logwatch policy
* Wed Jul 14 2010 Miroslav Grepl <[email protected]> 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy
* Tue Jul 13 2010 Miroslav Grepl <[email protected]> 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean
* Fri Jul 9 2010 Miroslav Grepl <[email protected]> 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy
* Thu Jul 1 2010 Miroslav Grepl <[email protected]> 3.7.19-34
- Fix ipsec-mgmt interface
* Wed Jun 30 2010 Miroslav Grepl <[email protected]> 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl <[email protected]> 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
* Mon Jun 21 2010 Miroslav Grepl <[email protected]> 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Allow all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to append abrt_var_cache files
- Fixed label for abrt.socket
* Wed Jun 16 2010 Miroslav Grepl <[email protected]> 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl <[email protected]> 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
* Mon Jun 14 2010 Miroslav Grepl <[email protected]> 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy
* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy
* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label
* Tue Jun 8 2010 Miroslav Grepl <[email protected]> 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
* Thu Jun 3 2010 Miroslav Grepl <[email protected]> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy
* Tue Jun 1 2010 Miroslav Grepl <[email protected]> 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability
* Tue May 25 2010 Dan Walsh <[email protected]> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <[email protected]> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <[email protected]> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <[email protected]> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptables to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <[email protected]> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <[email protected]> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow piranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <[email protected]> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-13
- Allow boinc to send mail
* Wed May 5 2010 Dan Walsh <[email protected]> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May 3 2010 Dan Walsh <[email protected]> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #617790 - logwatch unable to invoke sendmail
        https://bugzilla.redhat.com/show_bug.cgi?id=617790
  [ 2 ] Bug #621592 - SELinux is preventing /usr/sbin/smartd "mknod" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=621592
  [ 3 ] Bug #621696 - SELinux is preventing /usr/bin/perl "setattr" access on /var/cache/fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=621696
  [ 4 ] Bug #613073 - SELinux is preventing /usr/bin/file "getattr" access on /lib/modules.
        https://bugzilla.redhat.com/show_bug.cgi?id=613073
  [ 5 ] Bug #613664 - SELinux is preventing climateprediction.net (BOINC) "execmod" access to climateprediction.net
        https://bugzilla.redhat.com/show_bug.cgi?id=613664
  [ 6 ] Bug #614922 - SELinux is preventing /usr/bin/file "getattr" access on /usr/lib/games.
        https://bugzilla.redhat.com/show_bug.cgi?id=614922
  [ 7 ] Bug #617841 - SELinux is preventing /var/lib/boinc/projects/www.malariacontrol.net/openMalariaA_6.42_x86_64-pc-linux-gnu "search" access on /home.
        https://bugzilla.redhat.com/show_bug.cgi?id=617841
  [ 8 ] Bug #617896 - SELinux is preventing /usr/bin/boinc_client "execstack" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=617896
  [ 9 ] Bug #618107 - SELinux is preventing /usr/sbin/postalias "write" access on /etc/postfix.
        https://bugzilla.redhat.com/show_bug.cgi?id=618107
  [ 10 ] Bug #618384 - sandbox returns "execv: No such file or directory"
        https://bugzilla.redhat.com/show_bug.cgi?id=618384
  [ 11 ] Bug #618850 - SELinux is preventing /usr/bin/mono from executing /usr/share/dayplanner/dayplanner.
        https://bugzilla.redhat.com/show_bug.cgi?id=618850
  [ 12 ] Bug #618874 - SELinux is preventing /usr/bin/perl "write" access on /var/lib/munin/plugin-state.
        https://bugzilla.redhat.com/show_bug.cgi?id=618874
  [ 13 ] Bug #618919 - SELinux is preventing /var/lib/boinc/projects/climateprediction.net/famous_6.11_i686-pc-linux-gnu from loading /var/lib/boinc/projects/climateprediction.net/famous_se_6.11_i686-pc-linux-gnu.so, which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=618919
  [ 14 ] Bug #619316 - SELinux is preventing /usr/bin/perl "write" access on /var/lib/munin/plugin-state.
        https://bugzilla.redhat.com/show_bug.cgi?id=619316
  [ 15 ] Bug #619322 - SELinux is preventing /usr/bin/perl "read" access on /usr/share/perl5/strict.pm.
        https://bugzilla.redhat.com/show_bug.cgi?id=619322
  [ 16 ] Bug #619898 - SELinux is preventing gdb "read" access on /usr/lib64/httpd/modules/mod_authz_groupfile.so.
        https://bugzilla.redhat.com/show_bug.cgi?id=619898
  [ 17 ] Bug #620096 - SELinux is preventing /usr/sbin/lxdm-binary "signal" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=620096
  [ 18 ] Bug #620336 - SELinux is preventing /usr/sbin/exim "write" access on /var/log/exim.
        https://bugzilla.redhat.com/show_bug.cgi?id=620336
  [ 19 ] Bug #620337 - SELinux is preventing /usr/sbin/exim "execute" access on /usr/sbin/exim.
        https://bugzilla.redhat.com/show_bug.cgi?id=620337
  [ 20 ] Bug #620938 - SELinux is preventing /usr/sbin/uucico "execute" access on /usr/bin/ssh.
        https://bugzilla.redhat.com/show_bug.cgi?id=620938
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
