--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15593
2011-11-10 16:42:48
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 55.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 7 2011 Miroslav Grepl <[email protected]> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov 4 2011 Miroslav Grepl <[email protected]> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov 1 2011 Miroslav Grepl <[email protected]> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYS
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-52
- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_overide to communicate with users TTY's
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #750892 - unable to uninstall old kernels due to scriptlet errors
        https://bugzilla.redhat.com/show_bug.cgi?id=750892
  [ 2 ] Bug #747401 - spamassassin - error: GPG validation faile
        https://bugzilla.redhat.com/show_bug.cgi?id=747401
  [ 3 ] Bug #748069 - selinux and nvidia means gdm fails to start
        https://bugzilla.redhat.com/show_bug.cgi?id=748069
  [ 4 ] Bug #748921 - SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
        https://bugzilla.redhat.com/show_bug.cgi?id=748921
  [ 5 ] Bug #749682 - matahari generates avcs and doesn't work properly
        https://bugzilla.redhat.com/show_bug.cgi?id=749682
  [ 6 ] Bug #749886 - SELinux is preventing /bin/systemctl from 'getattr' accesses on the file /sys/fs/cgroup/systemd/system/chronyd.service/cgroup.procs.
        https://bugzilla.redhat.com/show_bug.cgi?id=749886
  [ 7 ] Bug #750074 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser from read, append access on the file /dev/shm/.org.chromium.Chromium.cymVpB (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=750074
  [ 8 ] Bug #750161 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'read' accesses on the file online.
        https://bugzilla.redhat.com/show_bug.cgi?id=750161
  [ 9 ] Bug #750570 - SELinux is preventing /bin/systemd-tmpfiles from 'rmdir' accesses on the directory dconf.
        https://bugzilla.redhat.com/show_bug.cgi?id=750570
  [ 10 ] Bug #751194 - SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from ioctl access on the chr_file /dev/nvidiactl
        https://bugzilla.redhat.com/show_bug.cgi?id=751194
  [ 11 ] Bug #751379 - SELinux is preventing /sbin/ldconfig from 'read' accesses on the directory /home/dzamirski/.local/share/evolution.
        https://bugzilla.redhat.com/show_bug.cgi?id=751379
  [ 12 ] Bug #751585 - SELinux is preventing /opt/google/chrome/nacl_helper_bootstrap from 'read' accesses on the file cpuinfo_max_freq.
        https://bugzilla.redhat.com/show_bug.cgi?id=751585
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
