-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2012-10279 2012-07-05 22:59:10 --------------------------------------------------------------------------------
Name : selinux-policy Product : Fedora 17 Version : 3.10.0 Release : 137.fc17 URL : http://oss.tresys.com/repos/refpolicy/ Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 -------------------------------------------------------------------------------- Update Information: Here is where you give an explanation of your update. -------------------------------------------------------------------------------- ChangeLog: * Tue Jul 3 2012 Miroslav Grepl <[email protected]> 3.10.0-137 - Fixes for passenger running within openshift - Add labeling for all tomcat6 dirs - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow systemd_logind_t to read/write /dev/input0 * Fri Jun 29 2012 Miroslav Grepl <[email protected]> 3.10.0-136 - Fixes to make minimal policy to be installed * Wed Jun 27 2012 Miroslav Grepl <[email protected]> 3.10.0-135 - abrt_watch_log should be abrt_domain - add ptrace_child access to process - Allow mozilla_plugin to connect to gatekeeper port - Allow dbomatic to execute ruby - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - add support for boinc.log - Allow httpd_smokeping_cgi_script_t to read /etc/passwd * Tue Jun 26 2012 Miroslav Grepl <[email protected]> 3.10.0-134 - Allow mozilla_plugin execmod on mozilla home files if allow_execmod - Allow dovecot_deliver_t to read dovecot_var_run_t - Add tomcat policy from F18 - Allow ldconfig and insmod to manage kdumpctl tmp files - Add kdumpctl policy - Move thin policy out from cloudform.pp and add a new thin policy files - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users homedir - rhsmcertd reads the rpm database - Add support for lightdm * Fri Jun 22 2012 Miroslav Grepl <[email protected]> 3.10.0-133 - Dontaudit thumb to setattr on xdm_tmp dirs - Allow wicd to execute ldconfig - Add /var/run/cherokee\.pid labeling - Allow snort to create netlink_socket - Allow setpcap for rpcd_t - Firstboot should be just creating tmp_t dirs - Transition xauth files within firstboot_tmp_t - Fix labeling of /run/media to match /media - Allow firstboot to create tmp_t files/directories - Label tuned scripts located in /etc as bin_t - Add port definition for mxi port - Fix labeling for /var/log/lxdm.log.old - Allow ddclient to read /etc/passwd - change dovecot_deliver to manage mail_home_rw_t - Remove razor/pyzor policy - Allow local_login_t to execute tmux - Allow mozilla_plugin_t to execute the dynamic link/loader * Mon Jun 18 2012 Miroslav Grepl <[email protected]> 3.10.0-132 - apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill - Allow glance_registry to connect to the mysqld port - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl - Allow firefox plugins/flash to connect to port 1234 - Allow mozilla plugins to delete user_tmp_t files - Add transition name rule for printers.conf.O - Allow virt_lxc_t to read urand - Allow systemd_loigind to list gstreamer_home_dirs - Fix labeling for /usr/bin - Fixes for cloudform services * support FIPS - Allow polipo to work as web caching - Allow chfn to execute tmux * Fri Jun 15 2012 Miroslav Grepl <[email protected]> 3.10.0-131 - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage - Allow dovecot to manage Maildir content, fix transitions to Maildir - Allow postfix_local to transition to dovecot_deliver - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code - Cleanup interface definitions - Allow apmd to change with the logind daemon - Changes required for sanlock in rhel6 - Label /run/user/apache as httpd_tmp_t - Allow thumb to use lib_t as execmod if boolean turned on - Allow squid to create the squid directory in /var with the correct - When staff_t runs libvirt it reads dnsmasq_var_run_t - Mount command now lists user_tmp looking for gvfs - /etc/blkid is moving to /run/blkid - Allow rw_cgroup_files to also read a symlink - Make sure gdm directory in ~/.cache/gdm gets created with the correct label - Add labeling for .cache/gdm in the homedir - Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs - xdm now needs to execute xsession_exec_t - Need labels for /var/lib/gdm * Mon Jun 11 2012 Miroslav Grepl <[email protected]> 3.10.0-130 - Dontaudit logwatch to gettr on /dev/dm-2 - Allow policykit-auth to manage kerberos files - Allow systemd_logind_t to signal, signull, sigkill all processes - Add filetrans rules for etc_runtime files - Allow systemd_login to send signals to devicekit power - Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t - Allow virsh to read /etc/passwd - Allow policykit to manage kerberos rcache files - Allow systemd-logind to send a signal to init_t - /usr/sbin/xl2tpd wants to read /etc/group - Allow ncftool to list of content /etc/modprobe.d - Allow dkim-milter to listen own tcp_socke * Fri Jun 8 2012 Miroslav Grepl <[email protected]> 3.10.0-129 - Allow collectd to read virt config - Allow collectd setsched - Add support for /usr/sbin/mdm* - Fix java binaries labels when installed under /usr/lib/jvm/java - Add labeling for /var/run/mdm - Allow apps that can read net_conf_t files read symlinks - Allow all domains that can search or read tmp_t, able to read a tmp_t link - Dontaudit mozilla_plugin looking at xdm_tmp_t - Looks like collectd needs to change it scheduling priority - Allow uux_t to access nsswitch data - New labeling for samba, pid dirs moved to subdirs of samba - Allow nova_api to use nsswitch - Allow mozilla_plugin to execute files labeled as lib_t - Label content under HOME_DIR/zimbrauserdata as mozilla_home date - abrt is fooled into reading mozilla_plugin content, we want to dontaudit - Allow mozilla_plugin to connect to ircd ports since a plugin might be a irc chat window - Allow winbind to create content in smbd_var_run_t directories - Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it - Support libvirt plugin for collectd * Wed May 30 2012 Miroslav Grepl <[email protected]> 3.10.0-128 - Fix description of authlogin_nsswitch_use_ldap - Fix transition rule for rhsmcertd_t needed for RHEL7 - Allow useradd to list nfs state data - Allow openvpn to manage its log file and directory - We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly - Allow thumb to use nvidia devices - Allow local_login to create user_tmp_t files for kerberos - Pulseaudio needs to read systemd_login /var/run content - virt should only transition named system_conf_t config files - Allow munin to execute its plugins - Allow nagios system plugin to read /etc/passwd - Allow plugin to connect to soundd port - Fix httpd_passwd to be able to ask passwords - Radius servers can use ldap for backing store - Seems to need to mount on /var/lib for xguest polyinstatiation to work. - Allow systemd_logind to list the contents of gnome keyring - VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL - Add policy for isns-utils * Mon May 28 2012 Miroslav Grepl <[email protected]> 3.10.0-127 - Add policy for subversion daemon - Allow boinc to read passwd - Allow pads to read kernel network state - Fix man2html interface for sepolgen-ifgen - Remove extra /usr/lib/systemd/system/smb - Remove all /lib/systemd and replace with /usr/lib/systemd - Add policy for man2html - Fix the label of kerberos_home_t to krb5_home_t - Allow mozilla plugins to use Citrix - Allow tuned to read /proc/sys/kernel/nmi_watchdog - Allow tune /sys options via systemd's tmpfiles.d "w" type * Wed May 23 2012 Miroslav Grepl <[email protected]> 3.10.0-126 - Dontaudit lpr_t to read/write leaked mozilla tmp files - Add file name transition for .grl-podcasts directory - Allow corosync to read user tmp files - Allow fenced to create snmp lib dirs/files - More fixes for sge policy - Allow mozilla_plugin_t to execute any application - Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain - Allow mongod to read system state information - Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t - Allow polipo to manage polipo_cache dirs - Add jabbar_client port to mozilla_plugin_t - Cleanup procmail policy - system bus will pass around open file descriptors on files that do not have labels on them - Allow l2tpd_t to read system state - Allow tuned to run ls /dev - Allow sudo domains to read usr_t files - Add label to machine-id - Fix corecmd_read_bin_symlinks cut and paste error * Wed May 16 2012 Miroslav Grepl <[email protected]> 3.10.0-125 - Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events * Wed May 9 2012 Miroslav Grepl <[email protected]> 3.10.0-124 - Make systemd unit files less specific * Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-123 - Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean - add lxc_contexts - Allow accountsd to read /proc - Allow restorecond to getattr on all file sytems - tmpwatch now calls getpw - Allow apache daemon to transition to pwauth domain - Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t - The obex socket seems to be a stream socket - dd label for /var/run/nologin * Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-122 - Allow jetty running as httpd_t to read hugetlbfs files - Allow sys_nice and setsched for rhsmcertd - Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports - Allow setfiles to append to xdm_tmp_t - Add labeling for /export as a usr_t directory - Add labels for .grl files created by gstreamer -------------------------------------------------------------------------------- References: [ 1 ] Bug #835584 - SELinux is preventing /usr/bin/boinc_client from 'read' accesses on the lnk_file stderrdae.txt. https://bugzilla.redhat.com/show_bug.cgi?id=835584 [ 2 ] Bug #835995 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket . https://bugzilla.redhat.com/show_bug.cgi?id=835995 [ 3 ] Bug #836000 - Aeolus F17 policy updates for conductor logging and dbomatic https://bugzilla.redhat.com/show_bug.cgi?id=836000 [ 4 ] Bug #836370 - Script error when installing selinux-policy-minimum.noarch 0:3.10.0-134.fc17 https://bugzilla.redhat.com/show_bug.cgi?id=836370 [ 5 ] Bug #836743 - SELinux is preventing /usr/bin/evince-thumbnailer from read, write access on the chr_file tty2. https://bugzilla.redhat.com/show_bug.cgi?id=836743 [ 6 ] Bug #836745 - SELinux is preventing /usr/lib/systemd/systemd-logind from read, write access on the chr_file event0. https://bugzilla.redhat.com/show_bug.cgi?id=836745 [ 7 ] Bug #836836 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory devices. https://bugzilla.redhat.com/show_bug.cgi?id=836836 [ 8 ] Bug #836842 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the file /usr/bin/python2.7. https://bugzilla.redhat.com/show_bug.cgi?id=836842 [ 9 ] Bug #837161 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the file /etc/passwd. https://bugzilla.redhat.com/show_bug.cgi?id=837161 [ 10 ] Bug #834475 - SELinux: Permission ptrace_child in class process not defined in policy. https://bugzilla.redhat.com/show_bug.cgi?id=834475 [ 11 ] Bug #837149 - Tomcat 6 runs in initrc_t domain (Missing policies) https://bugzilla.redhat.com/show_bug.cgi?id=837149 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/package-announce
