-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2011-7618 2011-05-27 19:57:12 --------------------------------------------------------------------------------
Name : selinux-policy Product : Fedora 14 Version : 3.9.7 Release : 42.fc14 URL : http://oss.tresys.com/repos/refpolicy/ Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 -------------------------------------------------------------------------------- Update Information: - Make upgrade from F13 working - Fixes for asterisk policy - Fixes for vdagent policy - Allow aisexec domtrans to corosync domain - Allow kadmind setsched - Allow mailman to read/write postfix master pipes - Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files - Allow spamd to send mail - Allow sshd getcap - Add tgtd_var_run_t type - Allow vnstatd to read system state -------------------------------------------------------------------------------- ChangeLog: * Fri May 27 2011 Miroslav Grepl <[email protected]> 3.9.7-42 - Make upgrade from F13 working - Fixes for asterisk policy - Fixes for vdagent policy * Tue May 10 2011 Miroslav Grepl <[email protected]> 3.9.7-41 - Allow aisexec domtrans to corosync domain - Allow kadmind setsched - Allow mailman to read/write postfix master pipes - Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files - Allow spamd to send mail - Allow sshd getcap - Add tgtd_var_run_t type - Allow vnstatd to read system state * Tue Apr 19 2011 Miroslav Grepl <[email protected]> 3.9.7-40 - Add support for AEOLUS project - Fixes for asterisk and setroubleshoot domains - Fix label for /usr/sbin/fping - Fix label for chrome - Fixes for foghorn policy * Mon Apr 11 2011 Miroslav Grepl <[email protected]> 3.9.7-39 - Allow foghor to read snmp lib files - Other fixes for foghorn policy - Make sysadm security admin - Fix ssh_sysadm_login boolean - Fix seunshare interface - Add allow_sysadm_manage_security boolean - Add label for /dev/dlm.* - Allow auditadm_screen_t and secadm_screen_t dac_override capability - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow procmail and system_mail_t to user fifo_file passed into it from postfix_master - Fixes for nslcd policy - Allow rgmanager to send the kill signal to all users * Fri Mar 25 2011 Miroslav Grepl <[email protected]> 3.9.7-38 - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of audit - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - Allow syslogd setrlimit, sys_nice - ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed * Mon Mar 21 2011 Miroslav Grepl <[email protected]> 3.9.7-37 - Add label for /usr/share/shorewall/getparams * Sun Mar 20 2011 Miroslav Grepl <[email protected]> 3.9.7-36 - xdm needs to read KDE config files * Fri Mar 18 2011 Miroslav Grepl <[email protected]> 3.9.7-35 - Additional fixes for gnomeclock policy * Fri Mar 18 2011 Miroslav Grepl <[email protected]> 3.9.7-34 - Add matahari policy - Allow shutdown setsched and sys_nice - Add port definition for dogtag, matahari, movaz ports - Add label for /etc/securetty - Fixes for pirahna-pulse policy - Fixes for mock policy - Add support for KDE ksysguardprocesslist_helper - Add support for a new cluster service - foghorn - Add support for xfce4-notifyd - Add support for kcmdatetimehelper - Fixes for spice-vdagent policy - Fixes for ssh-keygen policy * Fri Mar 4 2011 Miroslav Grepl <[email protected]> 3.9.7-33 - Backport sandbox and seunshare policy from F15 - Allow svirt to manage sock_file in ~/.libvirt directory - Allow sysamd to run udev in udev_t domain - Remove capability from svirt - Add lvm_exec_t label for kpartx - Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the users home dir - Allow lvm setfscreate - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports - certmonger wants to read keytab files * Fri Feb 25 2011 Miroslav Grepl <[email protected]> 3.9.7-32 - Allow amavis sigkill - Allow winbind to read network state information - Add ajaxterm ssh client session - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports * Thu Feb 17 2011 Miroslav Grepl <[email protected]> 3.9.7-31 - Allow all sandbox to read selinux poilcy config files - Add reading tfptd_rw_t to tftp_read_content - Add allow_daemons_use_tcp_wrappers boolean - Allow amavis to talk to nslcd * Tue Feb 15 2011 Miroslav Grepl <[email protected]> 3.9.7-30 - allow chfn_t to check whether rssh_exec_t is executable - Make labeled ipsec work in MLS machines - cgred needs fsetid - Allow cmirrord to create physical disk devices in /dev - Make NNTP gateway working with mailman * Fri Feb 4 2011 Miroslav Grepl <[email protected]> 3.9.7-29 - Revert * Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Fix spec file to make this work * Wed Feb 2 2011 Miroslav Grepl <[email protected]> 3.9.7-28 - Make sandbox to work - Fix httpd_selinux man page to refer to httpd_sys_rw_content_t - Allow awstats to read squid logs - Allow dirsrv to send syslog messages * Tue Feb 1 2011 Miroslav Grepl <[email protected]> 3.9.7-27 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Fix keyboardd interface * Thu Jan 27 2011 Miroslav Grepl <[email protected]> 3.9.7-26 - Add execmem_exec_t label for gimp - Allow nagios plugin to read /proc/meminfo - Fix label for /usr/lib/debug - Add label for /usr/lib/bjlib - Fixes for confined users - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite * Thu Jan 20 2011 Miroslav Grepl <[email protected]> 3.9.7-25 - .forward.* Needs to be labeled mail_home_t - .forward file can cause postfix_local to execute local content * Wed Jan 19 2011 Miroslav Grepl <[email protected]> 3.9.7-24 - Add sepgsql fixes from KaiGai Kohei * Wed Jan 19 2011 Miroslav Grepl <[email protected]> 3.9.7-23 - Add puppetmaster_uses_db boolean - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - sandbox fixes - Allow shorewall to read iptables conf files * Fri Jan 14 2011 Miroslav Grepl <[email protected]> 3.9.7-22 - Add namespace policy - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Allow dirsrv to use kerberos * Fri Jan 7 2011 Miroslav Grepl <[email protected]> 3.9.7-21 - Make kernel_t domain MLS trusted for lowering the level of file. - Add label for /var/lib/tftpboot/grub directory - Fixes for mpd policy - Fix amanda_search_lib interface * Tue Jan 4 2011 Miroslav Grepl <[email protected]> 3.9.7-20 - Fixes for iscsi policy - Allow dmesg to read system state - squid apache script connects to the squid port - /var/stockmaniac/templates_cache contains log files - Allow radius to communicate with postgresql - Add transition from unconfined_java_t to wine_t * Wed Dec 22 2010 Miroslav Grepl <[email protected]> 3.9.7-19 - Fixes for passenger policy - Allow staff user to execute mysql * Thu Dec 16 2010 Miroslav Grepl <[email protected]> 3.9.7-18 - Other fixes for munin plugins policy * Wed Dec 15 2010 Miroslav Grepl <[email protected]> 3.9.7-17 - Fixes for sandbox policy - Add setuid capability for vpnc - Allow sandbox to run on nfs partitions - Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t * Fri Dec 10 2010 Miroslav Grepl <[email protected]> 3.9.7-16 - Allow boinc-project to read mtab - Fixes for clamscan * Mon Dec 6 2010 Miroslav Grepl <[email protected]> 3.9.7-15 - Allow mount fowner capability - Fix the label for wicd log - Allow avahi to request the kernel to load a module - Allow mpd to read alsa config * Wed Dec 1 2010 Miroslav Grepl <[email protected]> 3.9.7-14 - Allow clear dac overrides - Fix dirsrv.te to talk to rpcbind - certmonger needs to manage dirsrv data - Allow posftfix-smtpd to connect to dovecot unix domain stream socket - Allow ssh_keygen to generate files in /root/.ssh * Mon Nov 22 2010 Miroslav Grepl <[email protected]> 3.9.7-13 - Allow ddclient to fix file mode bits of ddclient conf file - Add labels for /etc/lirc directory - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0 * Thu Nov 18 2010 Miroslav Grepl <[email protected]> 3.9.7-12 - Add xdm_exec_bootloader boolean - Allow cgconfig fsetid capability - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Patch for Stephen Beahm for ulogd policy - Turn on pyzor policy * Mon Nov 15 2010 Miroslav Grepl <[email protected]> 3.9.7-11 - Allow mysqld-safe to send system log messages - Fix label for lxdm.sock - Fixes for ddclient policy - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Add label for acroread - Add dirsrv and dirsrv-admin policy - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp * Wed Nov 10 2010 Miroslav Grepl <[email protected]> 3.9.7-10 - Turn on ddclient policy - Allow mount to set the attributes of all mount points - Allow bitlbee setsched - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Fixes for puppetmaster * Mon Nov 8 2010 Miroslav Grepl <[email protected]> 3.9.7-9 - Fixes for corosync policy - Add initial drbd policy - Allow mpd to be able to read samba/nfs files * Mon Nov 1 2010 Dan Walsh <[email protected]> 3.9.7-8 - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon * Thu Oct 28 2010 Dan Walsh <[email protected]> 3.9.7-7 - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/* * Fri Oct 22 2010 Dan Walsh <[email protected]> 3.9.7-6 - Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot * Tue Oct 19 2010 Dan Walsh <[email protected]> 3.9.7-5 - Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images -------------------------------------------------------------------------------- References: [ 1 ] Bug #666363 - SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect Unknown. https://bugzilla.redhat.com/show_bug.cgi?id=666363 [ 2 ] Bug #667278 - SELinux is preventing /usr/sbin/httpd from 'name_connect' accesses on the tcp_socket port 3050. https://bugzilla.redhat.com/show_bug.cgi?id=667278 [ 3 ] Bug #690141 - SELinux is preventing /usr/sbin/asterisk from 'search' accesses on the directory /home. https://bugzilla.redhat.com/show_bug.cgi?id=690141 [ 4 ] Bug #701058 - SELinux is preventing /usr/sbin/vnstatd from 'getattr' accesses on the file /proc/<pid>/net/dev. https://bugzilla.redhat.com/show_bug.cgi?id=701058 [ 5 ] Bug #701059 - SELinux is preventing /usr/sbin/vnstatd from 'getattr' accesses on the filesystem /. https://bugzilla.redhat.com/show_bug.cgi?id=701059 [ 6 ] Bug #701187 - SELinux is preventing /usr/libexec/postfix/qmgr from 'write' accesses on the fifo_file fifo_file. https://bugzilla.redhat.com/show_bug.cgi?id=701187 [ 7 ] Bug #701644 - SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /var/lib/munin/plugin-state. https://bugzilla.redhat.com/show_bug.cgi?id=701644 [ 8 ] Bug #701908 - SELinux is preventing /usr/kerberos/sbin/klogind from read, write access on the chr_file 7. https://bugzilla.redhat.com/show_bug.cgi?id=701908 [ 9 ] Bug #701909 - SELinux is preventing /usr/kerberos/sbin/klogind from read, write access on the file krb5cc_p2991. https://bugzilla.redhat.com/show_bug.cgi?id=701909 [ 10 ] Bug #702759 - SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'getattr' accesses on the filesystem /usr. https://bugzilla.redhat.com/show_bug.cgi?id=702759 [ 11 ] Bug #702865 - Major selinux problem after upgrade fc13 to fc14 https://bugzilla.redhat.com/show_bug.cgi?id=702865 [ 12 ] Bug #703437 - SELinux is preventing /bin/find from 'read' accesses on the directory /. https://bugzilla.redhat.com/show_bug.cgi?id=703437 [ 13 ] Bug #703450 - SELinux is preventing /usr/bin/gtk-gnash from unix_read, unix_write access on the semaphore Unknown. https://bugzilla.redhat.com/show_bug.cgi?id=703450 [ 14 ] Bug #703596 - SELinux is preventing /usr/libexec/polkit-1/polkitd from 'read' accesses on the directory /var/run/ConsoleKit. https://bugzilla.redhat.com/show_bug.cgi?id=703596 [ 15 ] Bug #703606 - SELinux is preventing /usr/lib64/xulrunner-1.9.2/plugin-container from 'getattr' accesses on the sock_file /var/run/pcscd.comm. https://bugzilla.redhat.com/show_bug.cgi?id=703606 [ 16 ] Bug #704659 - SELinux is preventing /usr/bin/qemu-kvm from 'read' accesses on the file pulse-shm-3997504744. https://bugzilla.redhat.com/show_bug.cgi?id=704659 [ 17 ] Bug #704844 - SELinux is preventing /usr/sbin/callweaver from 'write' accesses on the sock_file /var/run/callweaver/callweaver.ctl. https://bugzilla.redhat.com/show_bug.cgi?id=704844 [ 18 ] Bug #707006 - SELinux is preventing /sbin/load_policy from read, write access on the unix_stream_socket unix_stream_socket. https://bugzilla.redhat.com/show_bug.cgi?id=707006 [ 19 ] Bug #707279 - SELinux is preventing /sbin/consoletype from 'write' accesses on the fifo_file fifo_file. https://bugzilla.redhat.com/show_bug.cgi?id=707279 [ 20 ] Bug #707329 - SELinux is preventing /usr/libexec/polkit-1/polkitd from 'getattr' accesses on the file /var/run/ConsoleKit/database. https://bugzilla.redhat.com/show_bug.cgi?id=707329 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/package-announce
