-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2011-10372 2011-08-05 03:33:01 --------------------------------------------------------------------------------
Name : selinux-policy Product : Fedora 14 Version : 3.9.7 Release : 44.fc14 URL : http://oss.tresys.com/repos/refpolicy/ Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 -------------------------------------------------------------------------------- Update Information: - Backport dirsrv-admin changes - Fixes for fail2ban and iptables - Fixes for dovecot - Fixes for piranha policy -------------------------------------------------------------------------------- ChangeLog: * Thu Aug 4 2011 Miroslav Grepl <[email protected]> 3.9.7-44 - Backport dirsrv-admin changes * Mon Jun 20 2011 Miroslav Grepl <[email protected]> 3.9.7-43 - Fixes for fail2ban and iptables - Fixes for dovecot - Fixes for piranha policy * Fri May 27 2011 Miroslav Grepl <[email protected]> 3.9.7-42 - Make upgrade from F13 working - Fixes for asterisk policy - Fixes for vdagent policy * Tue May 10 2011 Miroslav Grepl <[email protected]> 3.9.7-41 - Allow aisexec domtrans to corosync domain - Allow kadmind setsched - Allow mailman to read/write postfix master pipes - Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files - Allow spamd to send mail - Allow sshd getcap - Add tgtd_var_run_t type - Allow vnstatd to read system state * Tue Apr 19 2011 Miroslav Grepl <[email protected]> 3.9.7-40 - Add support for AEOLUS project - Fixes for asterisk and setroubleshoot domains - Fix label for /usr/sbin/fping - Fix label for chrome - Fixes for foghorn policy * Mon Apr 11 2011 Miroslav Grepl <[email protected]> 3.9.7-39 - Allow foghor to read snmp lib files - Other fixes for foghorn policy - Make sysadm security admin - Fix ssh_sysadm_login boolean - Fix seunshare interface - Add allow_sysadm_manage_security boolean - Add label for /dev/dlm.* - Allow auditadm_screen_t and secadm_screen_t dac_override capability - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow procmail and system_mail_t to user fifo_file passed into it from postfix_master - Fixes for nslcd policy - Allow rgmanager to send the kill signal to all users * Fri Mar 25 2011 Miroslav Grepl <[email protected]> 3.9.7-38 - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of audit - sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems - sssd wants to read .k5login file in users homedir - Allow syslogd setrlimit, sys_nice - ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed * Mon Mar 21 2011 Miroslav Grepl <[email protected]> 3.9.7-37 - Add label for /usr/share/shorewall/getparams * Sun Mar 20 2011 Miroslav Grepl <[email protected]> 3.9.7-36 - xdm needs to read KDE config files * Fri Mar 18 2011 Miroslav Grepl <[email protected]> 3.9.7-35 - Additional fixes for gnomeclock policy * Fri Mar 18 2011 Miroslav Grepl <[email protected]> 3.9.7-34 - Add matahari policy - Allow shutdown setsched and sys_nice - Add port definition for dogtag, matahari, movaz ports - Add label for /etc/securetty - Fixes for pirahna-pulse policy - Fixes for mock policy - Add support for KDE ksysguardprocesslist_helper - Add support for a new cluster service - foghorn - Add support for xfce4-notifyd - Add support for kcmdatetimehelper - Fixes for spice-vdagent policy - Fixes for ssh-keygen policy * Fri Mar 4 2011 Miroslav Grepl <[email protected]> 3.9.7-33 - Backport sandbox and seunshare policy from F15 - Allow svirt to manage sock_file in ~/.libvirt directory - Allow sysamd to run udev in udev_t domain - Remove capability from svirt - Add lvm_exec_t label for kpartx - Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the users home dir - Allow lvm setfscreate - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports - certmonger wants to read keytab files * Fri Feb 25 2011 Miroslav Grepl <[email protected]> 3.9.7-32 - Allow amavis sigkill - Allow winbind to read network state information - Add ajaxterm ssh client session - mta search /var/lib/logcheck - sssd needs to bind to random UDP ports * Thu Feb 17 2011 Miroslav Grepl <[email protected]> 3.9.7-31 - Allow all sandbox to read selinux poilcy config files - Add reading tfptd_rw_t to tftp_read_content - Add allow_daemons_use_tcp_wrappers boolean - Allow amavis to talk to nslcd * Tue Feb 15 2011 Miroslav Grepl <[email protected]> 3.9.7-30 - allow chfn_t to check whether rssh_exec_t is executable - Make labeled ipsec work in MLS machines - cgred needs fsetid - Allow cmirrord to create physical disk devices in /dev - Make NNTP gateway working with mailman * Fri Feb 4 2011 Miroslav Grepl <[email protected]> 3.9.7-29 - Revert * Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Fix spec file to make this work * Wed Feb 2 2011 Miroslav Grepl <[email protected]> 3.9.7-28 - Make sandbox to work - Fix httpd_selinux man page to refer to httpd_sys_rw_content_t - Allow awstats to read squid logs - Allow dirsrv to send syslog messages * Tue Feb 1 2011 Miroslav Grepl <[email protected]> 3.9.7-27 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Fix keyboardd interface * Thu Jan 27 2011 Miroslav Grepl <[email protected]> 3.9.7-26 - Add execmem_exec_t label for gimp - Allow nagios plugin to read /proc/meminfo - Fix label for /usr/lib/debug - Add label for /usr/lib/bjlib - Fixes for confined users - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite * Thu Jan 20 2011 Miroslav Grepl <[email protected]> 3.9.7-25 - .forward.* Needs to be labeled mail_home_t - .forward file can cause postfix_local to execute local content * Wed Jan 19 2011 Miroslav Grepl <[email protected]> 3.9.7-24 - Add sepgsql fixes from KaiGai Kohei * Wed Jan 19 2011 Miroslav Grepl <[email protected]> 3.9.7-23 - Add puppetmaster_uses_db boolean - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - sandbox fixes - Allow shorewall to read iptables conf files * Fri Jan 14 2011 Miroslav Grepl <[email protected]> 3.9.7-22 - Add namespace policy - Update for screen policy to handle pipe in homedir - Fixes for polyinstatiated homedir - Allow dirsrv to use kerberos * Fri Jan 7 2011 Miroslav Grepl <[email protected]> 3.9.7-21 - Make kernel_t domain MLS trusted for lowering the level of file. - Add label for /var/lib/tftpboot/grub directory - Fixes for mpd policy - Fix amanda_search_lib interface * Tue Jan 4 2011 Miroslav Grepl <[email protected]> 3.9.7-20 - Fixes for iscsi policy - Allow dmesg to read system state - squid apache script connects to the squid port - /var/stockmaniac/templates_cache contains log files - Allow radius to communicate with postgresql - Add transition from unconfined_java_t to wine_t * Wed Dec 22 2010 Miroslav Grepl <[email protected]> 3.9.7-19 - Fixes for passenger policy - Allow staff user to execute mysql * Thu Dec 16 2010 Miroslav Grepl <[email protected]> 3.9.7-18 - Other fixes for munin plugins policy * Wed Dec 15 2010 Miroslav Grepl <[email protected]> 3.9.7-17 - Fixes for sandbox policy - Add setuid capability for vpnc - Allow sandbox to run on nfs partitions - Allow domains that transition to ping or traceroute, kill them - Allow user_t to conditionally transition to ping_t and traceroute_t * Fri Dec 10 2010 Miroslav Grepl <[email protected]> 3.9.7-16 - Allow boinc-project to read mtab - Fixes for clamscan * Mon Dec 6 2010 Miroslav Grepl <[email protected]> 3.9.7-15 - Allow mount fowner capability - Fix the label for wicd log - Allow avahi to request the kernel to load a module - Allow mpd to read alsa config * Wed Dec 1 2010 Miroslav Grepl <[email protected]> 3.9.7-14 - Allow clear dac overrides - Fix dirsrv.te to talk to rpcbind - certmonger needs to manage dirsrv data - Allow posftfix-smtpd to connect to dovecot unix domain stream socket - Allow ssh_keygen to generate files in /root/.ssh * Mon Nov 22 2010 Miroslav Grepl <[email protected]> 3.9.7-13 - Allow ddclient to fix file mode bits of ddclient conf file - Add labels for /etc/lirc directory - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0 * Thu Nov 18 2010 Miroslav Grepl <[email protected]> 3.9.7-12 - Add xdm_exec_bootloader boolean - Allow cgconfig fsetid capability - Allow logwatch and cron to mls_read_to_clearance for MLS boxes - Allow wm to send signull to all applications and receive them from users - lircd patch from field - Patch for Stephen Beahm for ulogd policy - Turn on pyzor policy * Mon Nov 15 2010 Miroslav Grepl <[email protected]> 3.9.7-11 - Allow mysqld-safe to send system log messages - Fix label for lxdm.sock - Fixes for ddclient policy - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Add label for acroread - Add dirsrv and dirsrv-admin policy - Allow saslauthd_t to create krb5_host_rcache_t files in /tmp * Wed Nov 10 2010 Miroslav Grepl <[email protected]> 3.9.7-10 - Turn on ddclient policy - Allow mount to set the attributes of all mount points - Allow bitlbee setsched - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Fixes for puppetmaster * Mon Nov 8 2010 Miroslav Grepl <[email protected]> 3.9.7-9 - Fixes for corosync policy - Add initial drbd policy - Allow mpd to be able to read samba/nfs files * Mon Nov 1 2010 Dan Walsh <[email protected]> 3.9.7-8 - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon * Thu Oct 28 2010 Dan Walsh <[email protected]> 3.9.7-7 - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper - Add missing flask definitions - Allow udev to relabelto removable_t - Fix label on /var/log/wicd.log - Transition to initrc_t from init when executing bin_t - Add audit_access permissions to file - Make removable_t a device_node - Fix label on /lib/systemd/* * Fri Oct 22 2010 Dan Walsh <[email protected]> 3.9.7-6 - Fixes for systemd to manage /var/run - Dontaudit leaks by firstboot * Tue Oct 19 2010 Dan Walsh <[email protected]> 3.9.7-5 - Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin as an application_domain - Dontaudit sending signals from sandboxed domains to other domains - systemd requires init to build /tmp /var/auth and /var/lock dirs - mount wants to read devicekit_power /proc/ entries - mpd wants to connect to soundd port - Openoffice causes a setattr on a lib_t file for normal users, add dontaudit - Treat lib_t and textrel_shlib_t directories the same - Allow mount read access on virtual images -------------------------------------------------------------------------------- References: [ 1 ] Bug #708378 - SElinux prevents /usr/sbin/rwhod from reading /dev/pts/* https://bugzilla.redhat.com/show_bug.cgi?id=708378 [ 2 ] Bug #709255 - SELinux is preventing /usr/libexec/dovecot/dovecot-lda from 'read' accesses on the sock_file /var/run/dovecot/auth-userdb. https://bugzilla.redhat.com/show_bug.cgi?id=709255 [ 3 ] Bug #709259 - SELinux is preventing /sbin/drbdadm from using the 'sys_tty_config' capabilities. https://bugzilla.redhat.com/show_bug.cgi?id=709259 [ 4 ] Bug #710056 - Firefox under sandbox & Xulrunner AVC https://bugzilla.redhat.com/show_bug.cgi?id=710056 [ 5 ] Bug #712059 - SELinux is preventing /usr/sbin/sendmail.sendmail from read, write access on the file /tmp/ffilCoFbB (deleted). https://bugzilla.redhat.com/show_bug.cgi?id=712059 [ 6 ] Bug #718053 - SELinux is preventing /usr/bin/python from 'create' accesses on the unix_dgram_socket Unknown. https://bugzilla.redhat.com/show_bug.cgi?id=718053 [ 7 ] Bug #718733 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'read' accesses on the file cpuinfo. https://bugzilla.redhat.com/show_bug.cgi?id=718733 [ 8 ] Bug #720315 - SELinux is preventing /usr/sbin/mcelog from 'create open' accesses on the file /var/log/mcelog. https://bugzilla.redhat.com/show_bug.cgi?id=720315 [ 9 ] Bug #722207 - SELinux is preventing /usr/sbin/sshd from 'read' accesses on the file /etc/localtime. https://bugzilla.redhat.com/show_bug.cgi?id=722207 [ 10 ] Bug #723788 - SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a process. https://bugzilla.redhat.com/show_bug.cgi?id=723788 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/package-announce
