--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-15977
2010-10-08 19:56:34
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 65.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Allow devicekit-power domtrans to NetworkManager
- Allow passwd to use the console, all ttys and all ptys
- Add firewallgui sys_rawio capability
- Add label for slim.log
- Allow smartd to read usr files
- Allow devicekit-power transition to dhcpc
- Add label for /etc/timezone
- Remove transition from unconfined_t to iptables_t
- Allow smbd sys_admin capability
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
- Allow boinc_project to use shm
- Allow vpnc to be able to read /root/.cert
- Add mediawiki policy

--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 8 2010 Miroslav Grepl <[email protected]> 3.7.19-65
- Allow smbd sys_admin capability
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
- Allow boinc_project to use shm
- Allow vpnc to be able to read /root/.cert
- Add mediawiki policy
* Tue Oct 5 2010 Miroslav Grepl <[email protected]> 3.7.19-64
- Allow smartd to read usr files
- Allow devicekit-power transition to dhcpc
- Add label for /etc/timezone
- Remove transition from unconfined_t to iptables_t
* Fri Oct 1 2010 Miroslav Grepl <[email protected]> 3.7.19-63
- Allow devicekit-power domtrans to NetworkManager
- Allow passwd to use the console, all ttys and all ptys
- Add firewallgui sys_rawio capability
- Add label for slim.log
* Fri Sep 24 2010 Miroslav Grepl <[email protected]> 3.7.19-62
- Add vbetool_mmap_zero_ignore boolean
* Fri Sep 24 2010 Miroslav Grepl <[email protected]> 3.7.19-61
- Move c2s to run in jabber_router_t domain
- Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
- Allow nrpe to send signal and sigkill to the plugins
- Fix up xguest to allow it to read hwdata and gconf_etc_t
* Tue Sep 21 2010 Miroslav Grepl <[email protected]> 3.7.19-60
- Allow boinc projects to execute java
* Thu Sep 16 2010 Miroslav Grepl <[email protected]> 3.7.19-59
- Add cluster_var_lib_t type and label for /var/lib/cluster
* Wed Sep 15 2010 Miroslav Grepl <[email protected]> 3.7.19-58
- Add labeling for /root/.debug
- Remove permissive from cmirrord domain
- Dontaudit cmirrord_t sys_tty_config capability
- Allow virtd to read from processes up to its clearance
* Mon Sep 13 2010 Miroslav Grepl <[email protected]> 3.7.19-57
- Allow dovecot-deliver to create tmp files
- Allow tor to send signals to itself
- Handle /var/db/sudo
- Remove allow_corosync_rw_tmpfs boolean
* Thu Sep 9 2010 Miroslav Grepl <[email protected]> 3.7.19-56
- Add unconfined_mmap_zero_ignore boolean
* Thu Sep 9 2010 Miroslav Grepl <[email protected]> 3.7.19-55
- Allow virt domains to execute qemu_exec_t
- Add support for dkim-milter
- Fixes for freshclam
- Allow iptables to read shorewall tmp files
- Add boolean to allow icecast to connect to any port
- Allow freshclam to execute shell and bin_t
* Thu Sep 2 2010 Miroslav Grepl <[email protected]> 3.7.19-54
- Allow clvmd to create tmpfs files
* Wed Sep 1 2010 Miroslav Grepl <[email protected]> 3.7.19-53
- Fixes for jabberd policy
- Fixes for sandbox policy
* Mon Aug 30 2010 Miroslav Grepl <[email protected]> 3.7.19-52
- Fix label for /bin/mountpoint
- Allow fsadm to read virt blk image files
* Wed Aug 25 2010 Miroslav Grepl <[email protected]> 3.7.19-51
- Allow seunshare fowner capability
- Allow dovecot to manage postfix private socket
* Tue Aug 24 2010 Miroslav Grepl <[email protected]> 3.7.19-50
- Fixes for boinc policy
- Fixes for shorewall policy
* Fri Aug 20 2010 Miroslav Grepl <[email protected]> 3.7.19-49
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest
- Fix amavis_read_spool_files interface
* Wed Aug 18 2010 Miroslav Grepl <[email protected]> 3.7.19-48
- Fixes for shorewall policy
- Allow sssd chown capability
- Fix label for /usr/bin/mutter
- Label dead.letter as mail_home_t
- Allow pcscd to read hardware state information
- Fixes for ulogd policy
* Fri Aug 13 2010 Miroslav Grepl <[email protected]> 3.7.19-47
- Fixes for boinc-project policy
- Allow swat to read nmbd pid file
- Allow fail2ban to read BIND log files
- Fix cert handling from Dan
- Remove transition from unconfined to ncftool domain
* Wed Aug 11 2010 Miroslav Grepl <[email protected]> 3.7.19-46
- Allow ipsec-mgmt to dbus chat with unconfined
- Fixes for boinc policy
* Tue Aug 10 2010 Miroslav Grepl <[email protected]> 3.7.19-45
- Fixes for cgroup policy
- Fixes for ncftool policy
- Add ncftool_read_user_content boolean
- Fix label for boinc init script
- Fix label for fence_tool
- Allow vhostmd to write virt content
- Allow ricci domtrans to shutdown
* Thu Aug 5 2010 Miroslav Grepl <[email protected]> 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date
* Wed Aug 4 2010 Miroslav Grepl <[email protected]> 3.7.19-43
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
* Mon Aug 2 2010 Miroslav Grepl <[email protected]> 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy
* Tue Jul 27 2010 Miroslav Grepl <[email protected]> 3.7.19-41
- Allow logwatch_mail to read the networking state information.
- Add label for /usr/bin/dosbox
- Allow systat sys_admin capability
* Fri Jul 23 2010 Miroslav Grepl <[email protected]> 3.7.19-40
- Fixes for puppetmaster
- Fix label for kadmin init script
- Fixes for logwatch-mail policy
- Allow arpwatch to request the kernel to load modules
- Allow cron jobs to run with context of user that started them
* Wed Jul 21 2010 Miroslav Grepl <[email protected]> 3.7.19-39
- Allow munin_system_plugin to read files in /usr
- Do not audit insmod attempts to write virt daemon unnamed pipes
- Allow corosync to read ricci lib files
* Mon Jul 19 2010 Miroslav Grepl <[email protected]> 3.7.19-38
- Allow xdm_t to manage gnome homedir content
- Allow s-c-firewall to read and write virtual memory sysctls
- Fixes for logwatch policy
* Wed Jul 14 2010 Miroslav Grepl <[email protected]> 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy
* Tue Jul 13 2010 Miroslav Grepl <[email protected]> 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean
* Fri Jul 9 2010 Miroslav Grepl <[email protected]> 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy
* Thu Jul 1 2010 Miroslav Grepl <[email protected]> 3.7.19-34
- Fix ipsec-mgmt interface
* Wed Jun 30 2010 Miroslav Grepl <[email protected]> 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl <[email protected]> 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
* Mon Jun 21 2010 Miroslav Grepl <[email protected]> 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Allow all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to append abrt_var_cache files
- Fixed label for abrt.socket
* Wed Jun 16 2010 Miroslav Grepl <[email protected]> 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl <[email protected]> 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
* Mon Jun 14 2010 Miroslav Grepl <[email protected]> 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy
* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy
* Wed Jun 9 2010 Miroslav Grepl <[email protected]> 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label
* Tue Jun 8 2010 Miroslav Grepl <[email protected]> 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
* Thu Jun 3 2010 Miroslav Grepl <[email protected]> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy
* Tue Jun 1 2010 Miroslav Grepl <[email protected]> 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability
* Tue May 25 2010 Dan Walsh <[email protected]> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <[email protected]> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <[email protected]> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <[email protected]> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptables to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <[email protected]> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <[email protected]> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow piranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <[email protected]> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May 6 2010 Dan Walsh <[email protected]> 3.7.19-13
- Allow boinc to send mail
* Wed May 5 2010 Dan Walsh <[email protected]> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May 3 2010 Dan Walsh <[email protected]> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #638150 - conflicting specifications for /usr/bin/git-shell and /usr/libexec/git-core/git-shell
        https://bugzilla.redhat.com/show_bug.cgi?id=638150
  [ 2 ] Bug #637604 - SELinux report a program as mislabelled and purpose to correct it with the same label.
        https://bugzilla.redhat.com/show_bug.cgi?id=637604
  [ 3 ] Bug #632812 - SELinux is preventing /sbin/ifconfig access to the netlink_rout file descriptor
        https://bugzilla.redhat.com/show_bug.cgi?id=632812
  [ 4 ] Bug #640641 - SELinux is preventing /usr/sbin/certmonger "search" access on /etc/httpd.
        https://bugzilla.redhat.com/show_bug.cgi?id=640641
  [ 5 ] Bug #640920 - SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/libexec/kde4/lnusertemp.
        https://bugzilla.redhat.com/show_bug.cgi?id=640920
  [ 6 ] Bug #640796 - SELinux is preventing /usr/bin/python "dac_override" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=640796
  [ 7 ] Bug #637367 - SELinux is preventing /sbin/sysctl "sys_rawio" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=637367
  [ 8 ] Bug #613862 - iptables -L creates zero-length output when written direct to file
        https://bugzilla.redhat.com/show_bug.cgi?id=613862
  [ 9 ] Bug #639065 - Regular SELinux Alerts
        https://bugzilla.redhat.com/show_bug.cgi?id=639065
  [ 10 ] Bug #635514 - SELinux is preventing /usr/lib/jvm/java-1.6.0-sun-1.6.0.21/jre/bin/java "add_name" access on 10187
        https://bugzilla.redhat.com/show_bug.cgi?id=635514
  [ 11 ] Bug #637822 - selinux blocks /usr/share/smartmontools/driverdb.h from updated smartmontools
        https://bugzilla.redhat.com/show_bug.cgi?id=637822
  [ 12 ] Bug #637583 - dhclient-eth0.pid security context may be incorrect after resume from suspend-to-ram
        https://bugzilla.redhat.com/show_bug.cgi?id=637583
  [ 13 ] Bug #639511 - Smokeping not working on Fedora 13
        https://bugzilla.redhat.com/show_bug.cgi?id=639511

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
