-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2018-0eac5b1bd7 2018-12-11 02:42:14.381840 --------------------------------------------------------------------------------
Name : selinux-policy Product : Fedora 29 Version : 3.14.2 Release : 44.fc29 URL : %{git0-base} Summary : SELinux policy configuration Description : SELinux Base package for SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 -------------------------------------------------------------------------------- Update Information: More info: https://koji.fedoraproject.org/koji/buildinfo?buildID=1170559 -------------------------------------------------------------------------------- ChangeLog: * Fri Dec 7 2018 Lukas Vrabec <lvra...@redhat.com> - 3.14.2-44 - Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t - Add dac_override capability to ssad_t domains - Allow pesign_t domain to read gnome home configs - Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t - Allow rngd_t domains read kernel state - Allow certmonger_t domains to read bind cache - Allow ypbind_t domain to stream connect to sssd - Allow rngd_t domain to setsched - Allow sanlock_t domain to read/write sysfs_t files - Add dac_override capability to postfix_local_t domain - Allow ypbind_t to search sssd_var_lib_t dirs - Allow virt_qemu_ga_t domain to write to user_tmp_t files - Allow systemd_logind_t to dbus chat with virt_qemu_ga_t - Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files - Add new interface sssd_signal() - Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t - Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t - Add sys_resource capability to the systemd_passwd_agent_t domain - Allow ipsec_t domains to read bind cache - kernel/files.fc: Label /run/motd as etc_t - Allow systemd to stream connect to userdomain processes - Label /var/lib/private/systemd/ as init_var_lib_t - Allow initrc_t domain to create new socket labeled as init_T - Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket. - Add tracefs_t type to mountpoint attribute - Allow useradd_t and groupadd_t domains to send signals to sssd_t - Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636) - Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils * Wed Nov 7 2018 Lukas Vrabec <lvra...@redhat.com> - 3.14.2-43 - Update pesign policy to allow pesign_t domain to read bind cache files/dirs - Add dac_override capability to mdadm_t domain - Create ibacm_tmpfs_t type for the ibacm policy - Dontaudit capability sys_admin for dhcpd_t domain - Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts. - Allow abrt_t domain to mmap generic tmp_t files - Label /usr/sbin/wpa_cli as wpa_cli_exec_t - Allow sandbox_xserver_t domain write to user_tmp_t files - Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints - Add interface files_map_generic_tmp_files() - Add dac_override capability to the syslogd_t domain - Create systemd_timedated_var_run_t label - Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202) - Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces * Sun Nov 4 2018 Lukas Vrabec <lvra...@redhat.com> - 3.14.2-41 - Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672) - Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766) - Add dac_override capability to postgrey_t domain BZ(1638954) - Allow thumb_t domain to execute own tmpfs files BZ(1643698) - Allow xdm_t domain to manage dosfs_t files BZ(1645770) - Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801) - Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675) - Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313) * Sun Nov 4 2018 Lukas Vrabec <lvra...@redhat.com> - 3.14.2-41 - Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063) - Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948) - Add dac_override capability to ftpd_t domain - Allow gpg_t to create own tmpfs dirs and sockets - Allow rhsmcertd_t domain to relabel cert_t files - Allow nova_t domain to use pam - sysstat: grant sysstat_t the search_dir_perms set - Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313) - Allow systemd_logind_t to read fixed dist device BZ(1645631) - Allow systemd_logind_t domain to read nvme devices BZ(1645567) - Allow systemd_rfkill_t domain to comunicate via dgram sockets with syslogd BZ(1638981) - kernel/files.fc: Label /run/motd.d(/.*)? as etc_t - Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949) - Allow X display manager to check status and reload services which are part of x_domain attribute - Add interface miscfiles_relabel_generic_cert() - Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs - Dontaudit sys_admin capability for netutils_t domain - Label tcp and udp ports 2611 as qpasa_agent_port_t -------------------------------------------------------------------------------- References: [ 1 ] Bug #1646202 - SELinux is preventing /usr/lib/systemd/systemd-timesyncd from 'read' accesses on the directory /run/dbus. https://bugzilla.redhat.com/show_bug.cgi?id=1646202 [ 2 ] Bug #1648636 - SELinux is preventing systemd-user-ru from 'rmdir' accesses on the katalog services. https://bugzilla.redhat.com/show_bug.cgi?id=1648636 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-0eac5b1bd7' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org