--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-6385
2012-04-22 02:44:38
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 84.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

- zfs now supports xattrs
- allow mozilla_plugin_t to read user_home_t socket
- Allow signal for vhostmd
- Add support for echo port
- Allow mpd_t to manage log files
- Add httpd_use_fusefs boolean
- /etc/auto.* should be labeled bin_t
- Allow sshd_t to signal processes that it transitions to
- Rename rdate port to time port, and allow gnomeclock to connect to it
- Make amavis an nsswitch domain to allow using NIS
- Make procmail_t a home manager
- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file
- Add port definition for l2tp ports
- Make qemu-dm run in the xend_t domain
- Allow accountsd to read /proc data about gdm
- Allow rtkit to schedule wine processes
- label /var/lib/sss/mc same as pubconf
- Allow NM to read system config file
- Allow wdmd chown
- Make sure /var/spool/postfix/lib64 is labeled as /var/spool/postfix/lib
- Nagios fixes
- Add storage_dev_filetrans_named_fixed_disk() for fsdaemon
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 18 2012 Miroslav Grepl <[email protected]> 3.10.0-84
- Make sure /var/spool/postfix/lib64 is labeled as /var/spool/postfix/lib
- Nagios fixes
  * Backport from F17

* Mon Apr 16 2012 Miroslav Grepl <[email protected]> 3.10.0-83
- Allow wdmd chown
- Add storage_dev_filetrans_named_fixed_disk() for fsdaemon

* Fri Apr 6 2012 Miroslav Grepl <[email protected]> 3.10.0-82
- zfs now supports xattrs
- allow mozilla_plugin_t to read user_home_t socket
- Allow signal for vhostmd
- Add support for echo port
- Allow mpd_t to manage log files
- Add httpd_use_fusefs boolean
- /etc/auto.* should be labeled bin_t
- Allow sshd_t to signal processes that it transitions to
- Rename rdate port to time port, and allow gnomeclock to connect to it
- Make amavis as nsswitch domain to allow using NIS
- Make procmail_t as home manager
- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file
- Add port definition for l2tp ports
- Make qemu-dm running in xend_t domain
- Allow accountsd to read /proc data about gdm
- Allow rtkit to schedule wine processes
- label /var/lib/sss/mc same as pubconf
- Allow NM to read system config file

* Tue Mar 13 2012 Miroslav Grepl <[email protected]> 3.10.0-81
- boinc fixes
- Allow vnstat to search through var_lib_t directories
- Add jockey policy
- Allow nscd to read kernel network state
- Allow logrotate to read mysql home content
- Add own type for rdate port

* Tue Mar 13 2012 Miroslav Grepl <[email protected]> 3.10.0-80
- Add own type for rdate port
- Allow sssd setrlimit
- Allow jabberd-router to read kernel network state
- Started to backport userdom_home_reader and userdom_home_manager concept from f17
- Allow system_mail to send log msgs

* Wed Mar 7 2012 Miroslav Grepl <[email protected]> 3.10.0-79
- Allow system_mail to send log msgs
- Add login_userdomain attribute
- Dontaudit logrotate to getattr home content
- Label httpd.event as httpd_exec_t, it is an apache daemon
- Iscsi log file context specification fix
- Allow sssd sys_resource capability
- vsftpd reads network state
- Add labeling for /var/spool/postfix/dev/log
- Allow deltacloud to read kernel sysctl
- Fix virt_use_execmem boolean
- Allow sandbox_server to send signals

* Wed Feb 29 2012 Miroslav Grepl <[email protected]> 3.10.0-78
- Allow memcache to create sock_file

* Mon Feb 27 2012 Miroslav Grepl <[email protected]> 3.10.0-77
- Dontaudit sandbox to shutdown unconfined_execmem stream
- Allow smtpd_t to manage spool files/directories and symbolic links
- Allow ksysguardprocess to send system log msgs
- Allow automount to execute consoletype
- Allow boinc setpgid and signull
- Add mysqld_home_t for ~/.my.cnf
- Add unit file support to mysqld
- rhev-agent package was renamed to ovirt-guest-agent
- move postfix_domtrans_user_mail_handler() to mta.if
- Fix virt_search_images() interface
- Fix iscsi policy
- Add booleans to allow rsync to share nfs and cifs file systems
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- Allow xen to search virt images directories

* Mon Feb 20 2012 Miroslav Grepl <[email protected]> 3.10.0-76
- Allow denyhosts to read "unix"
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- Allow xen to search virt images directories
- Add label for /dev/megaraid_sas_ioctl_node
- kdump_t needs to read /etc/mtab
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
- Allow boinc project to getattr on fs
- Add filename transition also for "event20"
- Allow collectd to ipc_lock
- Allow systemd_tmpfiles_t to delete all file types
- Add lots of rules to fix AVC's when playing with containers

* Wed Feb 1 2012 Miroslav Grepl <[email protected]> 3.10.0-75
- Add logging_syslogd_use_tty boolean
- Add polipo_connect_all_unreserved boolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
- Allow denyhosts to use fifo files and exec shell
- Allow sandbox_nacl to setsched on its process
- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
- Allow cupsd_lpd_t to connect to the printer port

* Thu Jan 26 2012 Miroslav Grepl <[email protected]> 3.10.0-74
- Add httpd_can_connect_zabbix boolean
- apcupsd_t needs to use serial ports connected to usb devices
- Allow deltacloudd dac_override, setuid, setgid caps
- Add zabbix_can_network boolean
- setroubleshoot needs to be able to execute rpm

* Fri Jan 20 2012 Miroslav Grepl <[email protected]> 3.10.0-73
- Backport colord policy from F17

* Mon Jan 16 2012 Miroslav Grepl <[email protected]> 3.10.0-72
- Allow deltacloudd dac_override, setuid, setgid caps
- Allow aisexec to execute shell
- Add use_nfs_home_dirs boolean for ssh-keygen
- Allow xguest execmod on execmem_exec_t
- Dontaudit X domains trying to access dri device in a sandbox

* Wed Jan 4 2012 Miroslav Grepl <[email protected]> 3.10.0-71
- New fix for seunshare, requires seunshare_domains to be able to mounton /

* Tue Jan 3 2012 Miroslav Grepl <[email protected]> 3.10.0-70
- Allow systemctl running as logrotate_t to connect to private systemd socket
- Allow tmpwatch to read meminfo
- Allow rpc.svcgssd to read supported_krb5_enctype
- Allow zarafa domains to read /dev/random and /dev/urandom
- Allow snmpd to read dev_snmp6
- Allow procmail to talk with cyrus
- Add fixes for check_disk and check_nagios plugins

* Sun Dec 25 2011 Miroslav Grepl <[email protected]> 3.10.0-69
- Fix bug in the boinc policy

* Wed Dec 21 2011 Miroslav Grepl <[email protected]> 3.10.0-68
- sssd needs sys_admin capability

* Thu Dec 15 2011 Miroslav Grepl <[email protected]> 3.10.0-67
- Add httpd_can_connect_ldap() interface
- NetworkManager needs to write to /sys/class/net/ib*/mode
- Dont audit writes to leaked file descriptors or redirected output for nacl
- Add label for /var/lib/iscan/interpreter
- Add labeling for /sbin/iscsiuio
- Allow all jabberd domain to read system state
- Allow munin services plugins to use NSCD services
- More fixes for boinc

* Wed Dec 7 2011 Miroslav Grepl <[email protected]> 3.10.0-66
- Add fixes for xguest package

* Tue Dec 6 2011 Miroslav Grepl <[email protected]> 3.10.0-65
- Allow abrt to getattr on blk files
- Add type for rhev-agent log file
- Fix labeling for /dev/dmfm
- Dontaudit wicd leaking
- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
- Label /etc/locale.conf correctly
- Allow user_mail_t to read /dev/random
- Allow postfix-smtpd to read MIMEDefang
- Add label for /var/log/suphp.log
- Allow swat_t to connect and read/write nmbd_t sock_file
- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
- Allow systemd-tmpfiles to change user identity in object contexts
- More fixes for rhev_agentd_t consolehelper policy

* Fri Dec 2 2011 Miroslav Grepl <[email protected]> 3.10.0-64
- Use fs_use_xattr for squashfs
- Fix procs_type interface
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
- Dovecot has a new fifo_file /var/run/stats-mail
- Colord does not need to connect to network
- Allow system_cronjob to dbus chat with NetworkManager
- Puppet manages content, want to make sure it labels everything correctly

* Tue Nov 29 2011 Miroslav Grepl <[email protected]> 3.10.0-63
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files

* Mon Nov 28 2011 Miroslav Grepl <[email protected]> 3.10.0-62
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
- Allow clamd to read spamd pid file
- Allow mount to read /dev/urandom
- Add use_fusefs_home_dirs also for system_dbus_t

* Fri Nov 25 2011 Miroslav Grepl <[email protected]> 3.10.0-61
- Needs to require new version policycoreutils

* Thu Nov 24 2011 Miroslav Grepl <[email protected]> 3.10.0-60
- Needs to require new version checkpolicy

* Thu Nov 24 2011 Miroslav Grepl <[email protected]> 3.10.0-59
- Allow spamd to send mail
- Add ssh_home_t label for /var/lib/nocpulse/.ssh
- Allow puppetmaster to read network state
- Add colord_can_network_connect boolean
- Allow colord to execute shell
- Add bin_t label for "/usr/lib/iscan/network"
- Allow chrome-sandbox ptrace
- winbind needs to be able to talk to ldap directly, not through sssd
- saslauthd_t needs to connect to zarafa_port_t
- dnsmasq wants to read proc_net_t
- Add full DNS support for FreeIPA

* Mon Nov 21 2011 Miroslav Grepl <[email protected]> 3.10.0-58
- Allow mcelog_t to create dir and file in /var/run and label it correctly
- Allow dbus to manage fusefs
- Mount needs to read process state when mounting gluster file systems
- Allow collectd-web to read collectd lib files
- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
- Allow colord to get the attributes of tmpfs filesystem
- Add sanlock_use_nfs and sanlock_use_samba booleans
- Add bin_t label for /usr/lib/virtualbox/VBoxManage

* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.10.0-57
- We need to treat port_t and unreserved_port_t as generic_port types

* Wed Nov 16 2011 Miroslav Grepl <[email protected]> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildrop
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t

* Mon Nov 7 2011 Miroslav Grepl <[email protected]> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type

* Fri Nov 4 2011 Miroslav Grepl <[email protected]> 3.10.0-54
- MCS fixes
- quota fixes

* Tue Nov 1 2011 Miroslav Grepl <[email protected]> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYs
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy

* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-52
- Check in fixes for Chrome nacl support

* Thu Oct 27 2011 Miroslav Grepl <[email protected]> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_override to communicate with users' TTYs
- Allow svirt_lxc domains to send kill signals within their container

* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl

* Tue Oct 25 2011 Miroslav Grepl <[email protected]> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories

* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets

* Mon Oct 24 2011 Miroslav Grepl <[email protected]> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #799591 - SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the file /etc/sysctl.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=799591
  [ 2 ] Bug #794603 - /dev/megaraid_sas_ioctl_node has the incorrect fcontext for smartd
        https://bugzilla.redhat.com/show_bug.cgi?id=794603
  [ 3 ] Bug #799818 - SELinux policy missing postfix /dev/log fcontext in chroot
        https://bugzilla.redhat.com/show_bug.cgi?id=799818
  [ 4 ] Bug #799826 - SELinux policy missing for /root/.my.cnf for use with /etc/logrotate.d/mysqld
        https://bugzilla.redhat.com/show_bug.cgi?id=799826
  [ 5 ] Bug #809803 - let procmail use fusefs_t files if use_fusefs_home_dirs is on
        https://bugzilla.redhat.com/show_bug.cgi?id=809803
  [ 6 ] Bug #811012 - New default location for mpd logfile requires update to SELinux policy
        https://bugzilla.redhat.com/show_bug.cgi?id=811012
  [ 7 ] Bug #812631 - Confusion between httpd_user_ra_content_t and httpd_user_content_ra_t
        https://bugzilla.redhat.com/show_bug.cgi?id=812631
  [ 8 ] Bug #748838 - nagios-plugins-linux with nrpe raid fails due to selinux
        https://bugzilla.redhat.com/show_bug.cgi?id=748838
  [ 9 ] Bug #756936 - X can't forward through ssh
        https://bugzilla.redhat.com/show_bug.cgi?id=756936
  [ 10 ] Bug #769865 - SELinux is preventing /usr/sbin/nscd from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=769865
  [ 11 ] Bug #788182 - SELinux is preventing /usr/bin/rdate from 'name_connect' accesses on the None .
        https://bugzilla.redhat.com/show_bug.cgi?id=788182
  [ 12 ] Bug #789279 - SELinux makes BOINC fail GPU calculus
        https://bugzilla.redhat.com/show_bug.cgi?id=789279
  [ 13 ] Bug #790381 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.1.x86_64/jre/bin/java from 'read' accesses on the None /anon_hugepage (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=790381
  [ 14 ] Bug #790382 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.1.x86_64/jre/bin/java from 'write' accesses on the None /var/lib/boinc.
        https://bugzilla.redhat.com/show_bug.cgi?id=790382
  [ 15 ] Bug #790953 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.1.x86_64/jre/bin/java from 'write' accesses on the None /anon_hugepage (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=790953
  [ 16 ] Bug #794718 - SELinux is preventing /usr/bin/gconftool-2 from 'write' accesses on the directory .gconf.
        https://bugzilla.redhat.com/show_bug.cgi?id=794718
  [ 17 ] Bug #796935 - SELinux is preventing /usr/lib/virtualbox/VBoxSVC from 'remove_name' accesses on the directory BOINC_VM.vbox.
        https://bugzilla.redhat.com/show_bug.cgi?id=796935
  [ 18 ] Bug #797437 - SELinux is preventing /usr/lib64/virtualbox/VirtualBox from read, open access on the file VirtualBox.
        https://bugzilla.redhat.com/show_bug.cgi?id=797437
  [ 19 ] Bug #798069 - SELinux is preventing /usr/bin/python from 'getattr' accesses on the None /var/cache/jockey/check.
        https://bugzilla.redhat.com/show_bug.cgi?id=798069
  [ 20 ] Bug #799577 - SELinux is preventing /var/lib/boinc/projects/einstein.phys.uwm.edu/einsteinbinary_BRP4_1.22_i686-pc-linux-gnu__BRP4cuda32nv270 from write access on the directory /var/lib/boinc/.nv/ComputeCache
        https://bugzilla.redhat.com/show_bug.cgi?id=799577
  [ 21 ] Bug #802135 - SELinux is preventing /bin/rm from 'rmdir' accesses on the directory BOINC_VM.
        https://bugzilla.redhat.com/show_bug.cgi?id=802135
  [ 22 ] Bug #804255 - SELinux is preventing /usr/libexec/rtkit-daemon from using the 'setsched' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=804255
  [ 23 ] Bug #804598 - SELinux is preventing systemd-logind
        https://bugzilla.redhat.com/show_bug.cgi?id=804598
  [ 24 ] Bug #805359 - SELinux is preventing /usr/bin/python from 'getattr' accesses on the file /var/cache/jockey/check.
        https://bugzilla.redhat.com/show_bug.cgi?id=805359
  [ 25 ] Bug #806348 - Policy for SSSD should allow read/getattr on /var/lib/sss/mc/* for all processes
        https://bugzilla.redhat.com/show_bug.cgi?id=806348
  [ 26 ] Bug #806447 - SELinux is preventing chkconfig from 'getattr' accesses on the file /bin/systemd.
        https://bugzilla.redhat.com/show_bug.cgi?id=806447
  [ 27 ] Bug #806880 - SELinux is preventing /usr/bin/smbspool from 'search' accesses on the directory nmbd.
        https://bugzilla.redhat.com/show_bug.cgi?id=806880
  [ 28 ] Bug #807896 - Wifi signal drops for a few seconds then comes back up randomly all day
        https://bugzilla.redhat.com/show_bug.cgi?id=807896
  [ 29 ] Bug #808297 - SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=808297
  [ 30 ] Bug #808913 - SELinux is preventing NetworkManager from getattr access on the file /etc/sysctl.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=808913
  [ 31 ] Bug #809015 - SELinux is preventing /usr/sbin/xl2tpd from 'name_bind' accesses on the udp_socket port 1701.
        https://bugzilla.redhat.com/show_bug.cgi?id=809015
  [ 32 ] Bug #809228 - SELinux is preventing /bin/systemd-tmpfiles from 'getattr' accesses on the sock_file /run/lirc/lircd.
        https://bugzilla.redhat.com/show_bug.cgi?id=809228
  [ 33 ] Bug #810670 - SELinux is preventing /opt/epson-inkjet-printer-nx420/cups/lib/filter/epson_inkjet_printer_filter from 'execute' accesses on the file /opt/epson-inkjet-printer-nx420/lib64/libEpson_Stylus_NX420.so.1.0.0.
        https://bugzilla.redhat.com/show_bug.cgi?id=810670
  [ 34 ] Bug #811334 - SELinux constraint is preventing systemd-logind from killing unconfined_t, unconfined_execmem_t
        https://bugzilla.redhat.com/show_bug.cgi?id=811334
  [ 35 ] Bug #811560 - SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' accesses on the file /usr/share/jockey/jockey-backend.
        https://bugzilla.redhat.com/show_bug.cgi?id=811560
  [ 36 ] Bug #812843 - SELinux is preventing /usr/bin/rdate from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=812843
  [ 37 ] Bug #813140 - SELinux is preventing /usr/sbin/libvirt-qmf from 'nlmsg_read' accesses on the netlink_route_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=813140
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
