--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-20544
2012-12-18 01:54:39
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 166.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 3 2013 Miroslav Grepl <[email protected]> 3.10.0-166
- Allow gpsd_t to setattr on usbtty_device
- Allow mail_munin_plugins domain to run postconf
- Dontaudit reading of domain states for mozilla-plugin-config
- Backport corenetwork.te.in fixes related to http and keystone ports
- Backport cloudform policy from F18
- Allow logrotate sys_ptrace capability
- Allow mscan to read /etc/MailScanner/conf.d directory
- Add support for HOME_DIR/.lyx
- Add support for rt4
- Back rhsmcertd policy from F18
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Add ntp_exec() interface
- Dontaudit setattr on user tmp files for mozilla plugins
- Allow colord-sane to read proc/sys/kernel/osrelease
- Allow setroubleshoot_fixit to execute rpm
- Allow logwatch to getattr on all dirs
- Allow chrome and mozilla_plugin to create msgq and semaphores
- systemd_logind_t is looking at all files under /run/user/apache
- Allow confined users to ptrace screen
* Mon Dec 17 2012 Miroslav Grepl <[email protected]> 3.10.0-165
- Add php-fpm support
- Allow munin disk plugins to get attributes of all directories
- Fix gnome_manage_config() to allow to manage sock_file
* Fri Dec 14 2012 Miroslav Grepl <[email protected]> 3.10.0-164
- Add labeling for /var/www/openshift/{broker,console}
- Allow openshift_initrc domain to dbus chat with systemd_logind
- Allow httpd to getattr passenger log file if run_stickshift
- Add passenger_getattr_log_files interface
- Backport svirt_tcg policy
- munin wants to send sigkill to ping
- Allow munin plugins to send a signal to itself
- Allow munin to send signal to ping
* Thu Dec 13 2012 Miroslav Grepl <[email protected]> 3.10.0-163
- Allow openshift domain to read /dev/urand
- Add labeling for /var/www/openshift/console/{tmp,log} dirs
- gems seems to be placed in lots of places
- Add labeling for /usr/bin/pg_ctl
- Add labeling for HOME_DIR/irclogs
- Allow systemd-logind to manage keyring user tmp dirs. We allow it for user_tmp_t dirs.
- Add gnome_manage_gkeyringd_tmp_dirs() interface
- Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories
- Allow xend to run scsi_id
- Allow rhsmcertd-worker to read "physical_package_id"
- Allow lpr to read /usr/share/fonts
- Allow open file from CD/DVD drive on domU
- Dontaudit attempts by openshift to read apache logs
- Add sntp support to ntp policy
- Allow tor to read /proc/sys/kernel/random/uuid
* Wed Dec 5 2012 Miroslav Grepl <[email protected]> 3.10.0-162
- Backport openvswitch policy from F18
- Allow logrotate to transition to openvswitch domain
- opendkim should be a part of milter
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow all application domains to use fifo_files passed in from userdomains
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- The host and a virtual machine can share the same printer on a usb device
- Backport thumb.te from F18
- Dontaudit leaks of locks or generic log files to systemprocesses
- Allow blueman to transition to ifconfig, dnsmasq
- Backport virt_lock_t from F18
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Add awstats_purge_apache_log boolean
- Allow ksysguardproces to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
- Allow rhsmcertd to send signal to itself
* Wed Nov 21 2012 Miroslav Grepl <[email protected]> 3.10.0-161
- Add commands needed to get mock to build from staff_t in enforcing mode
- Allow dbus-daemon to read/write inherited removable devices
- Add storage_rw_inherited_removable_device() interface
- fetchmail reads /etc/passwd
- Allow rhnsd to execute bin_t in the caller rhnsd_t domain
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t as unconfined domain
- Allow authenticate users in webaccess via squid, using mysql as backend
- Allow firewalld to read /etc/hosts
- Backport openshift.te from F18
- Dontaudit xdm_t to getattr on BOINC lib files
- Allow chrome and mozilla plugin to connect to msnp ports
* Tue Nov 13 2012 Miroslav Grepl <[email protected]> 3.10.0-160
- Allow BOINC client to use an HTTP proxy for all connections
- Add labeling for /var/lib/zarafa-webapp
- Allow mozilla plugins to read /dev/hpet
- Allow MPD to read /dev/random
- Allow dnsmasq to read /etc/NetworkManager
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- httpd needs to send signull to openshift init script
- Fix tftp_read_content() interface
* Mon Nov 5 2012 Miroslav Grepl <[email protected]> 3.10.0-159
- More fixes for passwd/group labeling
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Add interface to make sure rpcbind.sock is created with the correct label
- Add support for OpenShift sbin labeling
* Tue Oct 30 2012 Miroslav Grepl <[email protected]> 3.10.0-158
- Fix labeling for passwd*
* Tue Oct 23 2012 Miroslav Grepl <[email protected]> 3.10.0-157
- logwatch wants sys_nice/setsched
- Add labeling for mcollectived
- Allow openshift domains to read localization
- Allow smokeping to execute fping in the netutils_t domain
- Allow support for notifyclamd option in /etc/freshclam.conf
- Allow mozilla-plugin-config to getattr on all fs
- Add tftp_homedir boolean
- Allow nslcd to connect to ldap port without boolean
- policykit-auth wants sys_nice
- openshift user domains want to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl <[email protected]> 3.10.0-156
- Allow nfsd to write to mount_var_run_t
- Allow smokeping to execute bin_t
- Allow sshd_t to execute login program
- Allow prelink to read power_supply
- Allow alsa to r/w alsa config files
- Allow tuned to setsched kernel
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow initrc_t to read all systemd unit files
- Allow mozilla_plugin_t to create .mplayer in users homedir
- Allow sshd to send syslog msgs
- Allow varnish execmem
- Allow mongodb_t to getattr on all file systems
- Allow pyzor running as spamc to manage amavis spool
- Allow rhnsd to read /usr/lib/locale
* Tue Oct 16 2012 Miroslav Grepl <[email protected]> 3.10.0-155
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
- Update httpd_run_stickshift boolean
- Allow hplip to execute bin_t
* Tue Oct 9 2012 Miroslav Grepl <[email protected]> 3.10.0-154
- fix openshift labeling
- Allow groupadd to read SELinux file context
* Sun Oct 7 2012 Miroslav Grepl <[email protected]> 3.10.0-153
- Add openshift policy
- Add changes needed by openshift policy
- Allow vmnet-natd to request the kernel to load a module
- Allow winbind to read /usr/share/samba/codepages/lowcase.dat
- Access needed to allow hplip to send faxes
- abrt_dump_oops needs to read debugfs
- Add support for HTTPProxy* in /etc/freshclam.conf
* Fri Oct 5 2012 Miroslav Grepl <[email protected]> 3.10.0-152
- Add file transition for mongodb lib dirs
- Add labeling for /var/lib/mongo, /var/run/mongo
- Allow gpg to write to /etc/mail/spamassassin directories
- Add support for hplip logs stored in /var/log/hp/tmp
- Allow winbind to read usr_t
- Add rhnsd policy
- Add labeling for /etc/owncloud/config.php
* Thu Sep 27 2012 Miroslav Grepl <[email protected]> 3.10.0-151
- Allow winbind to connect to ldap without a boolean
- Allow mozilla-plugin to connect to commplex port
- Fix tomcat template interface
- Allow thumb to use user fonts
* Mon Sep 24 2012 Miroslav Grepl <[email protected]> 3.10.0-150
- Backport tomcat fixes from F18
- Add filename transition for mongod.log
- Dontaudit jockey to search /root/.local
- Fix passenger labeling
- fix corenetwork interfaces which need to require ephemeral_port_t
- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, IE No Open
* Mon Sep 17 2012 Miroslav Grepl <[email protected]> 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18
- Allow rhnsd to send syslog msgs
- ABRT wants to read Xorg.0.log if it detects problem with Xorg
- Allow chrome_sandbox to leak unix_dgram_socket into chrome_sandbox_nacl_t
- Allow postalias to read postfix config files
- Allow tmpreaper to cleanup all files in /tmp
- Allow chown capability for zarafa domains
- Allow xauth to read /dev/urandom
- Allow tmpreaper to list admin_home dir
- Allow clamd to write/delete own pid file with clamd_var_run_t label
- Add support for gitolite3
- Allow virsh_t to getattr on virtd_exec_t
- Allow virsh can_exec on virsh_exec_t
- Look up group name by spamass-milter-postfix
- Add mozilla_plugin_can_network_connect boolean
- Fix /var/lib/sqlgrey labeling
- Add support for a new path for passenger
* Tue Aug 28 2012 Miroslav Grepl <[email protected]> 3.10.0-148
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt
- Allow groupadd_t to search default_context
- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
- Allow ksysguardproces to read/write config_usr_t
- Backport passenger policy from F18
- Allow wdmd to create wdmd_tmpfs_t
* Thu Aug 23 2012 Miroslav Grepl <[email protected]> 3.10.0-147
- Fix passenger labeling
- Add thumb_tmpfs_t files type
- Add file name transitions for ttyACM0
- Allow virtd to send dbus messages to firewalld
* Mon Aug 20 2012 Miroslav Grepl <[email protected]> 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to getattr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modprobe.d
- Allow web plugins to connect to the asterisk ports
* Wed Aug 8 2012 Miroslav Grepl <[email protected]> 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system
- Sanlock needs to send Kill Signals to non root process
- Allow sendmail to read/write postfix_delivery_t
* Mon Aug 6 2012 Miroslav Grepl <[email protected]> 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVC's
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes
* Thu Aug 2 2012 Miroslav Grepl <[email protected]> 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgrey
- Allow postfix to connect to spampd
- Add support for spampd and treat it as spamd_t policy
- Allow munin mail plugin to read exim.log
- Fix mta_mailserver_delivery() interface
- Allow logrotate to getattr on systemd unit files
- Allow tor to read kernel sysctls
- Add new man pages
- Fix labeling for pingus
* Fri Jul 27 2012 Miroslav Grepl <[email protected]> 3.10.0-142
- Regenerate man pages
- Dontaudit mysqld_safe sending signull to random domains
- Add interface for mysqld to dontaudit signull to all processes
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Add labeling for /var/motion
- Add amavis_use_jit boolean
- Allow mongod to connect to postgresql port
* Tue Jul 24 2012 Miroslav Grepl <[email protected]> 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pipe
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, let's just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on avc's from RHEL6 for amavis
* Wed Jul 18 2012 Miroslav Grepl <[email protected]> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port
* Sun Jul 15 2012 Miroslav Grepl <[email protected]> 3.10.0-139
- Add support for ecryptfs
  * ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
* Tue Jul 10 2012 Miroslav Grepl <[email protected]> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 3 2012 Miroslav Grepl <[email protected]> 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and execute binaries with bin_t
- Allow thumb to use user terminals
- Allow systemd_logind_t to read/write /dev/input0
* Fri Jun 29 2012 Miroslav Grepl <[email protected]> 3.10.0-136
- Fixes to make minimal policy to be installed
* Wed Jun 27 2012 Miroslav Grepl <[email protected]> 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
* Tue Jun 26 2012 Miroslav Grepl <[email protected]> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add a new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozilla_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm
* Fri Jun 22 2012 Miroslav Grepl <[email protected]> 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic link/loader
* Mon Jun 18 2012 Miroslav Grepl <[email protected]> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <[email protected]> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
* Mon Jun 11 2012 Miroslav Grepl <[email protected]> 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list the content of /etc/modprobe.d
- Allow dkim-milter to listen own tcp_socket
* Fri Jun 8 2012 Miroslav Grepl <[email protected]> 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd
* Wed May 30 2012 Miroslav Grepl <[email protected]> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <[email protected]> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <[email protected]> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <[email protected]> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <[email protected]> 3.10.0-124
- Make systemd unit files less specific
* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #857161 - Cannot use ptrace running as staff_u
        https://bugzilla.redhat.com/show_bug.cgi?id=857161
  [ 2 ] Bug #886704 - SELinux is preventing /usr/sbin/postconf from 'create' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=886704
  [ 3 ] Bug #887327 - SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /etc/munin.
        https://bugzilla.redhat.com/show_bug.cgi?id=887327
  [ 4 ] Bug #887328 - SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /var/lib/munin.
        https://bugzilla.redhat.com/show_bug.cgi?id=887328
  [ 5 ] Bug #887999 - SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /sys/kernel/config.
        https://bugzilla.redhat.com/show_bug.cgi?id=887999
  [ 6 ] Bug #889156 - SELinux is preventing /opt/Adobe/Reader8/Reader/intellinux/bin/acroread from 'create' accesses on the message queue .
        https://bugzilla.redhat.com/show_bug.cgi?id=889156
  [ 7 ] Bug #889214 - SELinux is preventing /usr/lib/systemd/systemd-logind from 'getattr' accesses on the directory /run/user/apache.
        https://bugzilla.redhat.com/show_bug.cgi?id=889214
  [ 8 ] Bug #889448 - SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from 'read' accesses on the file /proc/<pid>/mounts.
        https://bugzilla.redhat.com/show_bug.cgi?id=889448
  [ 9 ] Bug #890241 - SELinux is preventing /usr/libexec/totem-plugin-viewer from 'setattr' accesses on the file ParseLock000.
        https://bugzilla.redhat.com/show_bug.cgi?id=890241
  [ 10 ] Bug #890254 - SELinux is preventing /usr/libexec/colord-sane from 'getattr' accesses on the file /proc/sys/kernel/osrelease.
        https://bugzilla.redhat.com/show_bug.cgi?id=890254
  [ 11 ] Bug #890743 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=890743
  [ 12 ] Bug #890744 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the chr_file mem.
        https://bugzilla.redhat.com/show_bug.cgi?id=890744
  [ 13 ] Bug #890745 - SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=890745
  [ 14 ] Bug #890862 - SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from 'read' accesses on the fifo_file /home/smoge/.lyx/lyxpipe.in.
        https://bugzilla.redhat.com/show_bug.cgi?id=890862
  [ 15 ] Bug #890887 - SELinux is preventing /usr/bin/perl from 'read' accesses on the directory /etc/MailScanner/conf.d.
        https://bugzilla.redhat.com/show_bug.cgi?id=890887
  [ 16 ] Bug #802328 - SELinux is preventing /usr/bin/python from 'write' accesses on the directory /dev/mqueue.
        https://bugzilla.redhat.com/show_bug.cgi?id=802328
  [ 17 ] Bug #836502 - RFE: add policy for php-fpm and alternative webservers
        https://bugzilla.redhat.com/show_bug.cgi?id=836502
  [ 18 ] Bug #844097 - SELinux is preventing /usr/bin/tor from 'search' accesses on the directory kernel.
        https://bugzilla.redhat.com/show_bug.cgi?id=844097
  [ 19 ] Bug #866716 - SELinux is preventing /usr/bin/brprintconf_mfcj6910dw from 'write' accesses on the directory /etc/opt/brother/Printers/mfcj6910dw/inf.
        https://bugzilla.redhat.com/show_bug.cgi?id=866716
  [ 20 ] Bug #868567 - SELinux is preventing /usr/sbin/sshd from 'search' accesses on the directory /var/lib/pgsql.
        https://bugzilla.redhat.com/show_bug.cgi?id=868567
  [ 21 ] Bug #869838 - SELinux is preventing /usr/bin/brprintconf_mfcj6910dw from 'rename' accesses on the file /etc/opt/brother/Printers/mfcj6910dw/inf/brmfcj6910dwrc.
        https://bugzilla.redhat.com/show_bug.cgi?id=869838
  [ 22 ] Bug #872345 - AWStats SELinux module lacks tunable for PurgeLogFile=1 setup
        https://bugzilla.redhat.com/show_bug.cgi?id=872345
  [ 23 ] Bug #878997 - SELinux is preventing /usr/bin/fetchmail from write access on the directory /var/log
        https://bugzilla.redhat.com/show_bug.cgi?id=878997
  [ 24 ] Bug #879680 - SELinux is preventing /usr/lib/cups/backend/usb from 'read' accesses on the chr_file 003.
        https://bugzilla.redhat.com/show_bug.cgi?id=879680
  [ 25 ] Bug #879831 - SELinux is preventing /usr/bin/rhsmcertd (deleted) from using the 'signal' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=879831
  [ 26 ] Bug #879853 - SELinux is preventing rsyslogd from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=879853
  [ 27 ] Bug #879854 - SELinux is preventing rsyslogd from 'module_request' accesses on the system .
        https://bugzilla.redhat.com/show_bug.cgi?id=879854
  [ 28 ] Bug #879886 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'setattr' accesses on the directory at-spi2.
        https://bugzilla.redhat.com/show_bug.cgi?id=879886
  [ 29 ] Bug #879927 - SELinux is preventing /usr/bin/ruby from 'write' accesses on the directory /var/log/puppet.
        https://bugzilla.redhat.com/show_bug.cgi?id=879927
  [ 30 ] Bug #880038 - SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'lock' accesses on the file /root/.config/Trolltech.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=880038
  [ 31 ] Bug #880624 - SELinux is preventing /usr/sbin/dnsmasq from 'name_bind' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=880624
  [ 32 ] Bug #880971 - virsh console doesn't work with unconfined off
        https://bugzilla.redhat.com/show_bug.cgi?id=880971
  [ 33 ] Bug #881026 - SELinux is preventing /usr/bin/perl from 'create' accesses on the directory 3.003002.
        https://bugzilla.redhat.com/show_bug.cgi?id=881026
  [ 34 ] Bug #881031 - SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=881031
  [ 35 ] Bug #881883 - SELinux is preventing /usr/bin/evince-thumbnailer from 'setattr' accesses on the directory /var/cache/fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=881883
  [ 36 ] Bug #882696 - SELinux is preventing /usr/bin/nmcli from using the 'sys_nice' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=882696
  [ 37 ] Bug #882703 - Can't pipe semodule output in scripts and such with unconfined off.
        https://bugzilla.redhat.com/show_bug.cgi?id=882703
  [ 38 ] Bug #882922 - SELinux policy prevents tuned daemon from communicating over DBus
        https://bugzilla.redhat.com/show_bug.cgi?id=882922
  [ 39 ] Bug #883370 - SELinux is preventing /usr/sbin/sendmail.sendmail from 'read' accesses on the file /etc/mail/submit.cf.
        https://bugzilla.redhat.com/show_bug.cgi?id=883370
  [ 40 ] Bug #883372 - SELinux is preventing /usr/sbin/condor_procd from using the 'kill' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=883372
  [ 41 ] Bug #884358 - SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=884358
  [ 42 ] Bug #884633 - sntp is not confined
        https://bugzilla.redhat.com/show_bug.cgi?id=884633
  [ 43 ] Bug #885186 - SELinux is preventing /usr/lib/xen/bin/qemu-dm from 'open' accesses on the blk_file /dev/sr0.
        https://bugzilla.redhat.com/show_bug.cgi?id=885186
  [ 44 ] Bug #885202 - SELinux is preventing /usr/bin/lpr.cups from 'read' accesses on the file /usr/share/fonts/truetype/arial.ttf.
        https://bugzilla.redhat.com/show_bug.cgi?id=885202
  [ 45 ] Bug #885251 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the file physical_package_id.
        https://bugzilla.redhat.com/show_bug.cgi?id=885251
  [ 46 ] Bug #885375 - SELinux is preventing systemd-logind from 'write' accesses on the directory keyring-BKuSyR.
        https://bugzilla.redhat.com/show_bug.cgi?id=885375
  [ 47 ] Bug #886990 - SELinux is preventing /usr/bin/perl from using the 'sigkill' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=886990
  [ 48 ] Bug #887028 - SELinux is preventing /usr/bin/bash from using the 'signal' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=887028
  [ 49 ] Bug #887029 - SELinux is preventing /usr/bin/perl from using the 'signal' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=887029
  [ 50 ] Bug #887042 - SELinux is preventing /usr/bin/perl from 'create' accesses on the file MS.ownertest.z36Ypx.
        https://bugzilla.redhat.com/show_bug.cgi?id=887042
  [ 51 ] Bug #887409 - SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /sys/kernel/config.
        https://bugzilla.redhat.com/show_bug.cgi?id=887409
  [ 52 ] Bug #887632 - SELinux is preventing /usr/bin/gxine from 'unlink' accesses on the sock_file /home/brandon0/.config/gxine/socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=887632
  [ 53 ] Bug #760054 - SELinux policy for quantum
        https://bugzilla.redhat.com/show_bug.cgi?id=760054
  [ 54 ] Bug #844773 - SElinux Policy for OpenDKIM
        https://bugzilla.redhat.com/show_bug.cgi?id=844773
  [ 55 ] Bug #880357 - SElinux prevents ifconfig to write into gogoc.log
        https://bugzilla.redhat.com/show_bug.cgi?id=880357
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
