--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-12355
2012-08-21 09:28:25
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 146.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 20 2012 Miroslav Grepl <[email protected]> 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to getattr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modprobe.d
- Allow web plugins to connect to the asterisk ports

* Wed Aug 8 2012 Miroslav Grepl <[email protected]> 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system
- Sanlock needs to send Kill Signals to non root process
- Allow sendmail to read/write postfix_delivery_t

* Mon Aug 6 2012 Miroslav Grepl <[email protected]> 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVC's
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes

* Thu Aug 2 2012 Miroslav Grepl <[email protected]> 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgre
- Allow postfix to connect to spampd
- Add support for spampd and treat it as spamd_t policy
- Allow munin mail plugin to read exim.log
- Fix mta_mailserver_delivery() interface
- Allow logrotate to getattr on systemd unit files
- Allow tor to read kernel sysctls
- Add new man pages
- Fix labeling for pingus

* Fri Jul 27 2012 Miroslav Grepl <[email protected]> 3.10.0-142
- Regenerate man pages
- Dontaudit mysqld_safe sending signull to random domains
- Add interface for mysqld to dontaudit signull to all processes
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Add labeling for /var/motion
- Add amavis_use_jit boolean
- Allow mongod to connect to postgresql port

* Tue Jul 24 2012 Miroslav Grepl <[email protected]> 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pipe
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, let's just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on avc's from RHEL6 for amavis

* Wed Jul 18 2012 Miroslav Grepl <[email protected]> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port

* Sun Jul 15 2012 Miroslav Grepl <[email protected]> 3.10.0-139
- Add support for ecryptfs
  * ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket

* Tue Jul 10 2012 Miroslav Grepl <[email protected]> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11

* Tue Jul 3 2012 Miroslav Grepl <[email protected]> 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and execute binaries with bin_t
- Allow thumb to use user terminals
- Allow systemd_logind_t to read/write /dev/input0

* Fri Jun 29 2012 Miroslav Grepl <[email protected]> 3.10.0-136
- Fixes to make minimal policy to be installed

* Wed Jun 27 2012 Miroslav Grepl <[email protected]> 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd

* Tue Jun 26 2012 Miroslav Grepl <[email protected]> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add a new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozilla_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm

* Fri Jun 22 2012 Miroslav Grepl <[email protected]> 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic link/loader

* Mon Jun 18 2012 Miroslav Grepl <[email protected]> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux

* Fri Jun 15 2012 Miroslav Grepl <[email protected]> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm

* Mon Jun 11 2012 Miroslav Grepl <[email protected]> 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list the content of /etc/modprobe.d
- Allow dkim-milter to listen own tcp_socket

* Fri Jun 8 2012 Miroslav Grepl <[email protected]> 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd

* Wed May 30 2012 Miroslav Grepl <[email protected]> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils

* Mon May 28 2012 Miroslav Grepl <[email protected]> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type

* Wed May 23 2012 Miroslav Grepl <[email protected]> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error

* Wed May 16 2012 Miroslav Grepl <[email protected]> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events

* Wed May 9 2012 Miroslav Grepl <[email protected]> 3.10.0-124
- Make systemd unit files less specific

* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin

* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #846188 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from using the 'ipc_lock' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=846188
  [ 2 ] Bug #847438 - SELinux is preventing /usr/libexec/dovecot/auth from 'name_connect' accesses on the tcp_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=847438
  [ 3 ] Bug #847491 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'name_connect' accesses on the tcp_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=847491
  [ 4 ] Bug #847507 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory /etc/modprobe.d.
        https://bugzilla.redhat.com/show_bug.cgi?id=847507
  [ 5 ] Bug #848377 - SELinux is preventing /usr/bin/gdb from 'open' accesses on the file /usr/lib/mozilla/plugins-wrapped/nswrapper_32_32.libflashplayer.so.
        https://bugzilla.redhat.com/show_bug.cgi?id=848377
  [ 6 ] Bug #848443 - SELinux is preventing /usr/sbin/condor_master from 'search' accesses on the directory kernel.
        https://bugzilla.redhat.com/show_bug.cgi?id=848443
  [ 7 ] Bug #848454 - A Series of SELinux Notify Messages when starting packages
        https://bugzilla.redhat.com/show_bug.cgi?id=848454
  [ 8 ] Bug #848496 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the shared memory.
        https://bugzilla.redhat.com/show_bug.cgi?id=848496
  [ 9 ] Bug #848838 - SELinux is preventing /usr/bin/atril-thumbnailer from 'getattr' accesses on the filesystem /.
        https://bugzilla.redhat.com/show_bug.cgi?id=848838
  [ 10 ] Bug #849176 - avc denials with dlm_controld
        https://bugzilla.redhat.com/show_bug.cgi?id=849176
  [ 11 ] Bug #849523 - SELinux is preventing npviewer.bin from 'execmod' accesses on the file /usr/lib/nvidia/libnvidia-glcore.so.304.37.
        https://bugzilla.redhat.com/show_bug.cgi?id=849523
  [ 12 ] Bug #849567 - Need update of selinux policy related to SSSD
        https://bugzilla.redhat.com/show_bug.cgi?id=849567
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
