--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-4286
2012-03-21 01:54:30
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 15
Version     : 3.9.16
Release     : 52.fc15
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

* Tue Mar 13 2012 Miroslav Grepl <[email protected]> 3.9.16-52
- Fix livecd_run() interface
- Add labeling for /var/spool/postfix/dev/log
    * support postfix chroot
- Allow sandbox_xserver_t to send signals
- These are needed when CRL fetching is enabled
- Razor labeling is no longer used
- Add label for /sbin/xtables-multi
- Add support for winshadow port and allow iscsid to connect to this port
- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
- Allow sandbox_nacl to setsched on its process
- Dontaudit fail2ban looking at gnome content
- fix label for /usr/lib(64)/iscan/network

--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 13 2012 Miroslav Grepl <[email protected]> 3.9.16-52
- Fix livecd_run() interface
- Add labeling for /var/spool/postfix/dev/log
    * support postfix chroot
- Allow sandbox_xserver_t to send signals
- These are needed when CRL fetching is enabled
- Razor labeling is no longer used
- Add label for /sbin/xtables-multi
- Add support for winshadow port and allow iscsid to connect to this port
- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
- Allow sandbox_nacl to setsched on its process
- Dontaudit fail2ban looking at gnome content
- fix label for /usr/lib(64)/iscan/network

* Thu Jan 19 2012 Miroslav Grepl <[email protected]> 3.9.16-51
- Fix BOINC bug

* Wed Dec 14 2011 Miroslav Grepl <[email protected]> 3.9.16-50
- BOINC fixes
- Allow mysqld_safe to delete the mysql_db_t sock_file
- Dovecot has a new fifo_file /var/run/stats-mail

* Fri Dec 2 2011 Miroslav Grepl <[email protected]> 3.9.16-49
- Allow gnomeclock to send system log msgs
- Users that use X and spice need to use the virtio device
- squashfs supports extended attributes
- Allow system_cronjob to dbus chat with NetworkManager
- Allow all postfix domains to use the fifo_file
- Allow squid to check the network state
- Allow spamd to send mail

* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.9.16-48
- Fix typo in ssh.if

* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.9.16-47
- Allow spamd and clamd to stream connect to each other
- Allow colord to execute ifconfig
- Allow smbcontrol to signal themselves
- Make faillog MLS trusted to make sudo_$1_t working

* Mon Nov 7 2011 Miroslav Grepl <[email protected]> 3.9.16-46
- Backport MCS fixes from F16
- Other chrome fixes from F16

* Wed Oct 26 2011 Miroslav Grepl <[email protected]> 3.9.16-45
- Backport chrome fixes
- Backport cloudform policy

* Fri Oct 21 2011 Miroslav Grepl <[email protected]> 3.9.16-44
- Fixes for systemd
- Add FIPS support for dirsrv

* Tue Oct 11 2011 Miroslav Grepl <[email protected]> 3.9.16-43
- Allow sa-update to update rules
- Allow sa-update to read spamd tmp file
- Allow screen to read all domain state
- Allow sa-update to execute shell
- More fixes for sa-update running out of cron job
- Allow initrc to manage cron system spool
- Fixes for collectd policy
- Fixes added during clean up bugzillas
- Dontaudit fail2ban_client_t sys_tty_config capability
- Fix for puppet which does execute check on passwd
- ricci_modservice send syslog msgs
- Fix dev_dontaudit_write_mtrr() interface

* Tue Sep 27 2011 Miroslav Grepl <[email protected]> 3.9.16-42
- Make mta_role() active
- Add additional gitweb file context labeling
- Allow asterisk to connect to jabber client port
- Allow sssd to read the contents of /sys/class/net/$IFACE_NAME
- Allow fsdaemon dac_override

* Thu Sep 22 2011 Miroslav Grepl <[email protected]> 3.9.16-41
- Add logging_syslogd_can_sendmail boolean
- Add support for exim and confined users
- support for ommail module to send logs via mail
- Add execmem_execmod() to execmem role
- Allow pptp to send generic signal to kernel threads
- Fix kerberos_manage_host_rcache() interface

* Mon Sep 12 2011 Miroslav Grepl <[email protected]> 3.9.16-40
- Fixes for mock

* Tue Sep 6 2011 Miroslav Grepl <[email protected]> 3.9.16-39
- Backport F16 fixes
- livecd fixes
- systemd fixes

* Thu Aug 11 2011 Miroslav Grepl <[email protected]> 3.9.16-38
- Allow hostname read network state
- Allow syslog to manage all log files
- Add use_fusefs_home_dirs boolean for chrome
- Make vdagent working with confined users
- Fix syslog port definition
- Allow openvpn to set its process priority when the nice parameter is used
- Restorecond should be able to watch and relabel devices in /dev
- Allow hddtemp to perform DNS name resolution

* Fri Aug 5 2011 Miroslav Grepl <[email protected]> 3.9.16-37
- Fixes for zarafa, postfix policy
- Backport collect policy

* Wed Jul 27 2011 Miroslav Grepl <[email protected]> 3.9.16-36
- Backport ABRT changes
- Make tmux working with screen policy
- Allow root cron jobs can't run without unconfined
- add interface to dontaudit writes to urand, needed by libra
- Add label for /var/cache/krb5rcache directory

* Wed Jul 20 2011 Miroslav Grepl <[email protected]> 3.9.16-35
- Allow jabberd_router_t to read system state
- Rename oracledb_port to oracle_port
- Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions
- screen wants to manage sock file in screen home dirs
- Make screen working with confined users
- Allow gssd to search access on the directory /proc/fs/nfsd

* Fri Jul 15 2011 Miroslav Grepl <[email protected]> 3.9.16-34
- More fixes for postfix policy
- Allow virsh_t setsched
- Add mcelog_log_t type for mcelog log file
- Add virt_ptynode attribute

* Mon Jul 11 2011 Miroslav Grepl <[email protected]> 3.9.16-33
- Add l2tpd policy
- Fixes for abrt
- Backport fail2ban_client policy

* Fri Jul 1 2011 Miroslav Grepl <[email protected]> 3.9.16-32
- Allow getcap, setcap for syslogd
- Fix label for /usr/lib64/opera/opera

* Thu Jun 30 2011 Miroslav Grepl <[email protected]> 3.9.16-31
- Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content()
- Allow init to delete all pid sockets
- Allow colord to read /proc/stat
- Add label for /var/www/html/wordpress/wp-content/plugins directory
- Allow pppd to search /var/lock dir
- puppetmaster use nsswitch: #711804
- Update abrt to match rawhide policy
- allow privoxy to read network data
- support gecko mozilla browser plugin
- Allow chrome_sandbox to execute content in nfs homedir
- postfix_qmgr needs to read /var/spool/postfix/deferred
- abrt_t needs fsetid

* Tue Jun 14 2011 Miroslav Grepl <[email protected]> 3.9.16-30
- Fixes for zarafa policy
- Other fixes for fail2ban
- Allow keyring to drop capabilities
- Allow cobblerd to send syslog messages
- Allow xserver to read/write the xserver_misk device
- ppp also installs /var/log/ppp and /var/run/ppp directories
    * remove filetrans rules
- fix for pppd_lock
- Allow fail2ban run ldconfig
- Allow lvm to read/write pipes inherited from login programs

* Fri Jun 10 2011 Miroslav Grepl <[email protected]> 3.9.16-29
- Fix /var/lock labeling issue

* Mon Jun 6 2011 Miroslav Grepl <[email protected]> 3.9.16-28
- Allow ssh to execute systemctl
- fail2ban fixes related to /tmp directory
- Allow puppetmaster to create dirs in /var/run/puppet

* Thu Jun 2 2011 Miroslav Grepl <[email protected]> 3.9.16-27
- Add label for /var/lock/ppp
- Fixes for colord policy
- Allow sys_chroot for postfix domains

* Fri May 27 2011 Miroslav Grepl <[email protected]> 3.9.16-26
- Add label for dev/ati/card*
- Allow secadm to manage selinux config files

* Thu May 26 2011 Miroslav Grepl <[email protected]> 3.9.16-25
- Add Dominick's patch for dccp_socket
- dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/
- Colord inherits open file descriptors from the users...'
- cgred needs auth_use_nsswitch()
- apcupsd lock file was missing file context specificatio...
- Make cron work
- Allow clamav to manage amavis spool files
- Use httpd_can_sendmail boolean also for httpd_suexec_t
- Add fenced_can_ssh boolean
- Add dev_dontaudit_read_generic_files() for hplip
- Allow xauthority to create shared memory
- Make postfix user domains application_domains
- Allow xend to sys_admin privs
- Allow mount to read usr files
- Allow logrotate to connect to init script using unix stream socket
- Allow nsplugin_t to getattr on gpmctl

* Tue May 17 2011 Miroslav Grepl <[email protected]> 3.9.16-24
- Allow logrotate to connect to init script using unix domain stream socket
- Allow shorewall read and write inherited user domain pty/tty
- virt will attempt to use another virtualization's pulseaudio tmpfs_t, ignore error
- Allow colord to get the attributes of fixed disk device nodes
- Allow nsplugin_t to getattr on gpmctl
- Allow mozilla_plugin to connect to pcscd over an unix stream socket
- Allow logrotate to execute systemctl
- colord wants to read files in users homedir
- Remote login should create user_tmp_t content not its own tmp files
- Allow psad signal
- Fix cobbler_read_lib_files interface
- Allow rlogind to r/w user terminals
- Allow prelink_cron_system_t to relabel content and ignore obj_id
- Allow gnomeclock_systemctl_t to list init_var_run_t
- Dbus domains will inherit fds from the init system

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #729211 - SELinux is preventing /usr/bin/python from 'search' accesses on the directory /root/.local.
        https://bugzilla.redhat.com/show_bug.cgi?id=729211
  [ 2 ] Bug #735598 - avc: livecd-creator/python/ldconfig script/program/process transition
        https://bugzilla.redhat.com/show_bug.cgi?id=735598
  [ 3 ] Bug #795580 - various avcs in connection with Shorewall
        https://bugzilla.redhat.com/show_bug.cgi?id=795580

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
