--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-16698
2011-12-04 01:50:21
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 64.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

- Use fs_use_xattr for squashfs
- Fix procs_type interface
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
- Dovecot has a new fifo_file /var/run/stats-mail
- Colord does not need to connect to network
- Allow system_cronjob to dbus chat with NetworkManager
- Puppet manages content, want to make sure it labels everything correctly
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 2 2011 Miroslav Grepl <[email protected]> 3.10.0-64
- Use fs_use_xattr for squashfs
- Fix procs_type interface
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
- Dovecot has a new fifo_file /var/run/stats-mail
- Colord does not need to connect to network
- Allow system_cronjob to dbus chat with NetworkManager
- Puppet manages content, want to make sure it labels everything correctly
* Tue Nov 29 2011 Miroslav Grepl <[email protected]> 3.10.0-63
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
* Mon Nov 28 2011 Miroslav Grepl <[email protected]> 3.10.0-62
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
- Allow clamd to read spamd pid file
- Allow mount to read /dev/urandom
- Add use_fusefs_home_dirs also for system_dbus_t
* Fri Nov 25 2011 Miroslav Grepl <[email protected]> 3.10.0-61
- Needs to require new version policycoreutils
* Thu Nov 24 2011 Miroslav Grepl <[email protected]> 3.10.0-60
- Needs to require new version checkpolicy
* Thu Nov 24 2011 Miroslav Grepl <[email protected]> 3.10.0-59
- Allow spamd to send mail
- Add ssh_home_t label for /var/lib/nocpulse/.ssh
- Allow puppetmaster to read network state
- Add colord_can_network_connect boolean
- Allow colord to execute shell
- Add bin_t label for "/usr/lib/iscan/network"
- Allow chrome-sandbox ptrace
- winbind needs to be able to talk to ldap directly, not through sssd
- saslauthd_t needs to connect to zarafa_port_t
- dnsmasq wants to read proc_net_t
- Add full DNS support for FreeIPA
* Mon Nov 21 2011 Miroslav Grepl <[email protected]> 3.10.0-58
- Allow mcelog_t to create dir and file in /var/run and label it correctly
- Allow dbus to manage fusefs
- Mount needs to read process state when mounting gluster file systems
- Allow collectd-web to read collectd lib files
- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in as stdin/stdout/stderr
- Allow colord to get the attributes of tmpfs filesystem
- Add sanlock_use_nfs and sanlock_use_samba booleans
- Add bin_t label for /usr/lib/virtualbox/VBoxManage
* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.10.0-57
- We need to treat port_t and unreserved_port_t as generic_port types
* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildrop
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
* Mon Nov 7 2011 Miroslav Grepl <[email protected]> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb, which is needed if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov 4 2011 Miroslav Grepl <[email protected]> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov 1 2011 Miroslav Grepl <[email protected]> 3.10.0-53
- Make nvidia* be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYs
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-52
- Check in fixes for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_override to communicate with users' TTYs
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-50
- Allow policykit to talk to systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #755172 - permit openvpn to access the tor socks port
        https://bugzilla.redhat.com/show_bug.cgi?id=755172
  [ 2 ] Bug #756689 - mailman AVC on /dev/urandom
        https://bugzilla.redhat.com/show_bug.cgi?id=756689
  [ 3 ] Bug #757345 - selinux targeted policy is blocking spice-vdagent
        https://bugzilla.redhat.com/show_bug.cgi?id=757345
  [ 4 ] Bug #757722 - Don't dontaudit sshd_t accessing nfs_t
        https://bugzilla.redhat.com/show_bug.cgi?id=757722
  [ 5 ] Bug #752482 - Lots of SELinux denials for zabbix_server
        https://bugzilla.redhat.com/show_bug.cgi?id=752482
  [ 6 ] Bug #756366 - SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the filesystem /media.
        https://bugzilla.redhat.com/show_bug.cgi?id=756366
  [ 7 ] Bug #757169 - SELinux is preventing /usr/sbin/squid from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=757169
  [ 8 ] Bug #757170 - SELinux is preventing /usr/sbin/squid from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=757170
  [ 9 ] Bug #757364 - SELinux is preventing /usr/bin/python from 'read' accesses on the lnk_file selinux.
        https://bugzilla.redhat.com/show_bug.cgi?id=757364
  [ 10 ] Bug #757634 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file android-sdk_r15-linux.tgz.
        https://bugzilla.redhat.com/show_bug.cgi?id=757634
  [ 11 ] Bug #757800 - SELinux is preventing /usr/libexec/postfix/bounce from 'read' accesses on the fifo_file fifo_file.
        https://bugzilla.redhat.com/show_bug.cgi?id=757800
  [ 12 ] Bug #758002 - SELinux is preventing /bin/bash from 'read' accesses on the file /boot/grub2/grub.cfg.
        https://bugzilla.redhat.com/show_bug.cgi?id=758002
  [ 13 ] Bug #758944 - SELinux is preventing /usr/bin/python from 'read' accesses on the lnk_file selinux.
        https://bugzilla.redhat.com/show_bug.cgi?id=758944
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
