--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8720
2012-06-01 16:18:57
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 128.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 30 2012 Miroslav Grepl <[email protected]> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils

* Mon May 28 2012 Miroslav Grepl <[email protected]> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type

* Wed May 23 2012 Miroslav Grepl <[email protected]> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error

* Wed May 16 2012 Miroslav Grepl <[email protected]> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events

* Wed May 9 2012 Miroslav Grepl <[email protected]> 3.10.0-124
- Make systemd unit files less specific

* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin

* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #809832 - avc on tuned-adm profile powersave
        https://bugzilla.redhat.com/show_bug.cgi?id=809832
  [ 2 ] Bug #819082 - Gnome-disk-utility (palimpsest) crashes when trying to attach disk image
        https://bugzilla.redhat.com/show_bug.cgi?id=819082
  [ 3 ] Bug #821189 - SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=821189
  [ 4 ] Bug #821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=821268
  [ 5 ] Bug #821420 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /var/lib/sss/mc/group. This file (which is actually the on-disk representation of a mmap() cache) needs to be readable by any process. It should only be writable by SSSD processes.
        https://bugzilla.redhat.com/show_bug.cgi?id=821420
  [ 6 ] Bug #822789 - avc denial on systemd-journald prevents startup when /etc/machine-id doesn't exist
        https://bugzilla.redhat.com/show_bug.cgi?id=822789
  [ 7 ] Bug #822854 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'read' accesses on the file pulse-shm-233641167.
        https://bugzilla.redhat.com/show_bug.cgi?id=822854
  [ 8 ] Bug #823000 - SELinux is preventing /usr/bin/dbus-daemon from read, write access on the file /home/elad/f17arm-latest-arm-rpi+x-mmcblk0.img.
        https://bugzilla.redhat.com/show_bug.cgi?id=823000
  [ 9 ] Bug #823035 - SELinux is preventing plugin-containe from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=823035
  [ 10 ] Bug #823211 - SELinux is preventing /usr/bin/totem from 'create' accesses on the file .grl-metadata-store.
        https://bugzilla.redhat.com/show_bug.cgi?id=823211
  [ 11 ] Bug #823251 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the directory .orc.
        https://bugzilla.redhat.com/show_bug.cgi?id=823251
  [ 12 ] Bug #823294 - SELinux is preventing /usr/sbin/gpsd from 'module_request' accesses on the system .
        https://bugzilla.redhat.com/show_bug.cgi?id=823294
  [ 13 ] Bug #823306 - SELinux is preventing /usr/bin/gnome-mplayer from 'execute' accesses on the file /usr/bin/mencoder.
        https://bugzilla.redhat.com/show_bug.cgi?id=823306
  [ 14 ] Bug #823398 - SELinux is preventing /usr/bin/mongod from 'read' accesses on the file meminfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=823398
  [ 15 ] Bug #824097 - SELinux is preventing /usr/bin/lpstat.cups from 'write' accesses on the file /tmp/npicaitl35F.
        https://bugzilla.redhat.com/show_bug.cgi?id=824097
  [ 16 ] Bug #824099 - SELinux is preventing /opt/Citrix/ICAClient/wfica from 'write' accesses on the file /home/mikhail/.ICAClient/CtxFlashCache/CacheFile.cache.
        https://bugzilla.redhat.com/show_bug.cgi?id=824099
  [ 17 ] Bug #824438 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'add_name' accesses on the directory socket-9666-1526706912.
        https://bugzilla.redhat.com/show_bug.cgi?id=824438
  [ 18 ] Bug #824999 - logins directory is not created or owned by package
        https://bugzilla.redhat.com/show_bug.cgi?id=824999
  [ 19 ] Bug #825276 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=825276
  [ 20 ] Bug #825530 - SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.
        https://bugzilla.redhat.com/show_bug.cgi?id=825530
  [ 21 ] Bug #825718 - SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sdb
        https://bugzilla.redhat.com/show_bug.cgi?id=825718
  [ 22 ] Bug #826064 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=826064
  [ 23 ] Bug #826444 - krb5 tickets not accessible for user_t/staff_t
        https://bugzilla.redhat.com/show_bug.cgi?id=826444
  [ 24 ] Bug #826448 - SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from read, write access on the chr_file nvidiactl.
        https://bugzilla.redhat.com/show_bug.cgi?id=826448
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
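The advisory names the fixed build as selinux-policy 3.10.0-128.fc17. A practitioner auditing a fleet wants a repeatable check that an installed build is at or above that release, rather than eyeballing the output of rpm -q. The script below is an added example written for this page, not part of the Fedora announcement or the selinux-policy package; the selinux_policy_fixed function and the sample NVR strings are constructed for the demonstration, and the version ordering relies on GNU sort -V, which approximates rpm's own comparison well enough for this version scheme.

```shell
#!/bin/sh
# Added example (not from the Fedora announcement): decide whether an installed
# selinux-policy build already contains FEDORA-2012-8720 (3.10.0-128.fc17).
# Input is the NVR(A) string as printed by `rpm -q selinux-policy`; the sample
# strings in the usage loop below are constructed, not captured from a host.

FIXED_VR="3.10.0-128.fc17"   # version-release from the advisory header

# vr_from_nvr: strip the package name and the trailing architecture so that
#   selinux-policy-3.10.0-127.fc17.noarch  ->  3.10.0-127.fc17
vr_from_nvr() {
    printf '%s\n' "$1" | sed -e 's/^selinux-policy-//' -e 's/\.noarch$//'
}

# selinux_policy_fixed: return 0 when the installed version-release is equal to
# or newer than FIXED_VR, 1 when it is older and the host still needs the update.
selinux_policy_fixed() {
    installed=$(vr_from_nvr "$1")
    [ "$installed" = "$FIXED_VR" ] && return 0
    # sort -V (GNU coreutils) orders the lower version first; if the advisory
    # release sorts first, the installed build is newer than the fix.
    first=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | head -n 1)
    [ "$first" = "$FIXED_VR" ]
}

# Usage with constructed sample NVRs. On a real Fedora 17 host you would call:
#   selinux_policy_fixed "$(rpm -q selinux-policy)"
for nvr in selinux-policy-3.10.0-127.fc17.noarch \
           selinux-policy-3.10.0-128.fc17.noarch; do
    if selinux_policy_fixed "$nvr"; then
        echo "$nvr: includes FEDORA-2012-8720"
    else
        echo "$nvr: needs update (su -c 'yum update selinux-policy')"
    fi
done
```

Because the announcement states that packages are signed with the Fedora Project GPG key, the natural companion to this version check on a real host is rpm -K on the downloaded package, which verifies the signature before the update is applied.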
