--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-10410
2011-08-05 23:28:35
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 15
Version     : 3.9.16
Release     : 38.fc15
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Fixes for zarafa, postfix policy
- Backport collect policy
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 11 2011 Miroslav Grepl <[email protected]> 3.9.16-38
- Allow hostname read network state
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Fix syslog port definition
- Allow openvpn to set its process priority when the nice parameter is used
- Restorecond should be able to watch and relabel devices in /dev
- Allow hddtemp to perform DNS name resolution
* Fri Aug 5 2011 Miroslav Grepl <[email protected]> 3.9.16-37
- Fixes for zarafa, postfix policy
- Backport collect policy
* Wed Jul 27 2011 Miroslav Grepl <[email protected]> 3.9.16-36
- Backport ABRT changes
- Make tmux working with scree policy
- Allow root cron jobs can't run without unconfined
- add interface to dontaudit writes to urand, needed by libra
- Add label for /var/cache/krb5rcache directory
* Wed Jul 20 2011 Miroslav Grepl <[email protected]> 3.9.16-35
- Allow jabberd_router_t to read system state
- Rename oracledb_port to oracle_port
- Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions
- screen wants to manage sock file in screen home dirs
- Make screen working with confined users
- Allow gssd to search access on the directory /proc/fs/nfsd
* Fri Jul 15 2011 Miroslav Grepl <[email protected]> 3.9.16-34
- More fixes for postfix policy
- Allow virsh_t setsched
- Add mcelog_log_t type for mcelog log file
- Add virt_ptynode attribute
* Mon Jul 11 2011 Miroslav Grepl <[email protected]> 3.9.16-33
- Add l2tpd policy
- Fixes for abrt
- Backport fail2ban_client policy
* Fri Jul 1 2011 Miroslav Grepl <[email protected]> 3.9.16-32
- Allow getcap, setcap for syslogd
- Fix label for /usr/lib64/opera/opera
* Thu Jun 30 2011 Miroslav Grepl <[email protected]> 3.9.16-31
- Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content()
- Allow init to delete all pid sockets
- Allow colord to read /proc/stat
- Add label for /var/www/html/wordpress/wp-content/plugins directory
- Allow pppd to search /var/lock dir
- puppetmaster use nsswitch: #711804
- Update abrt to match rawhide policy
- allow privoxy to read network data
- support gecko mozilla browser plugin
- Allow chrome_sandbox to execute content in nfs homedir
- postfix_qmgr needs to read /var/spool/postfix/deferred
- abrt_t needs fsetid
* Tue Jun 14 2011 Miroslav Grepl <[email protected]> 3.9.16-30
- Fixes for zarafa policy
- Other fixes for fail2ban
- Allow keyring to drop capabilities
- Allow cobblerd to send syslog messages
- Allow xserver to read/write the xserver_misk device
- ppp also installs /var/log/ppp and /var/run/ppp directories
    * remove filetrans rules
- fix for pppd_lock
- Allow fail2ban run ldconfig
- Allow lvm to read/write pipes inherited from login programs
* Fri Jun 10 2011 Miroslav Grepl <[email protected]> 3.9.16-29
- Fix /var/lock labeling issue
* Mon Jun 6 2011 Miroslav Grepl <[email protected]> 3.9.16-28
- Allow ssh to execute systemctl
- fail2ban fixes related to /tmp directory
- Allow puppetmaster to create dirs in /var/run/puppet
* Thu Jun 2 2011 Miroslav Grepl <[email protected]> 3.9.16-27
- Add label for /var/lock/ppp
- Fixes for colord policy
- Allow sys_chroot for postfix domains
* Fri May 27 2011 Miroslav Grepl <[email protected]> 3.9.16-26
- Add label for dev/ati/card*
- Allow secadm to manage selinux config files
* Thu May 26 2011 Miroslav Grepl <[email protected]> 3.9.16-25
- Add Dominicks patch for dccp_socket
- dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/
- Colord inherits open file descriptors from the users...'
- cgred needs auth_use_nsswitch()
- apcupsd lock file was missing file context specificatio...
- Make cron work
- Allow clamav to manage amavis spool files
- Use httpd_can_sendmail boolean also for httpd_suexec_t
- Add fenced_can_ssh boolean
- Add dev_dontaudit_read_generic_files() for hplip
- Allow xauthority to create shared memory
- Make postfix user domains application_domains
- Allow xend to sys_admin privs
- Allow mount to read usr files
- Allow logrotate to connect to init script using unix stream socket
- Allow nsplugin_t to getattr on gpmctl
* Tue May 17 2011 Miroslav Grepl <[email protected]> 3.9.16-24
- Allow logrotate to connect to init script using unix domain stream socket
- Allow shorewall read and write inherited user domain pty/tty
- virt will attempt to us another virtualizations pulsesaudio tmpfs_t, ignore error
- Allow colord to get the attributes of fixed disk device nodes
- Allow nsplugin_t to getattr on gpmctl
- Allow mozilla_plugin to connect to pcscd over an unix stream socket
- Allow logrotate to execute systemctl
- colord wants to read files in users homedir
- Remote login should create user_tmp_t content not its own tmp files
- Allow psad signal
- Fix cobbler_read_lib_files interface
- Allow rlogind to r/w user terminals
- Allow prelink_cron_system_t to relabel content and ignore obj_id
- Allow gnomeclock_systemctl_t to list init_var_run_t
- Dbus domains will inherit fds from the init system
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #726303 - SELinux is preventing 72733A6D61696E20513A526567 from 'open' accesses on the file /var/log/ntpd.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=726303
  [ 2 ] Bug #728485 - SELinux is preventing /bin/hostname from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=728485
  [ 3 ] Bug #728554 - SELinux is preventing /usr/sbin/lircd (deleted) from 'read' accesses on the lnk_file usb1.
        https://bugzilla.redhat.com/show_bug.cgi?id=728554
  [ 4 ] Bug #728566 - SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /var/lib/pnp4nagios.
        https://bugzilla.redhat.com/show_bug.cgi?id=728566
  [ 5 ] Bug #728994 - SELinux is preventing /usr/sbin/lircd from 'read' accesses on the file busnum.
        https://bugzilla.redhat.com/show_bug.cgi?id=728994
  [ 6 ] Bug #729752 - SELinux is preventing /opt/google/chrome/chrome from 'read' accesses on the file /home/wjbealer/.gvfs/new_volume%28a3%29 on bk-hb6b5c44.local/PUBLIC/Fonts/ARIALN.TTF.
        https://bugzilla.redhat.com/show_bug.cgi?id=729752
  [ 7 ] Bug #707157 - SELinux is preventing /usr/sbin/lircd from using the 'signal' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=707157
  [ 8 ] Bug #722747 - SELinux is preventing abrt-dump-oops from 'syslog_read' accesses on the system Unknown.
        https://bugzilla.redhat.com/show_bug.cgi?id=722747
  [ 9 ] Bug #723391 - tmux doesn't work without unconfined, but this may be a tmux behaviour issue
        https://bugzilla.redhat.com/show_bug.cgi?id=723391
  [ 10 ] Bug #723403 - Root cron jobs can't run without unconfined
        https://bugzilla.redhat.com/show_bug.cgi?id=723403
  [ 11 ] Bug #726180 - SELinux is preventing /usr/libexec/gdm-crash-logger from 'append' accesses on the file /var/log/gdm/:0-slave.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=726180
  [ 12 ] Bug #727052 - SELinux is preventing /bin/systemctl from using the 'signal' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=727052
  [ 13 ] Bug #727999 - SELinux is preventing /usr/sbin/lircd from 'read' accesses on the directory devices.
        https://bugzilla.redhat.com/show_bug.cgi?id=727999
  [ 14 ] Bug #725117 - SELinux is preventing /bin/hostname from read access on the chr_file /dev/null
        https://bugzilla.redhat.com/show_bug.cgi?id=725117
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
