--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-0945
2013-01-18 19:34:29
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 71.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 15 2013 Miroslav Grepl <[email protected]> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to also include the "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir
* Thu Jan 10 2013 Miroslav Grepl <[email protected]> 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images; if relabeled to svirt_image_t, it should be able to read them
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- Dontaudit access checks on file system types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- Add interface to dontaudit access checks on file system types
- Add interface for postgesql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems
* Wed Jan 2 2013 Miroslav Grepl <[email protected]> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add labeling for /var/named/chroot/etc/localtim
* Thu Dec 27 2012 Miroslav Grepl <[email protected]> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
* Fri Dec 21 2012 Miroslav Grepl <[email protected]> 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be set up to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890186 - sa-update can't access pgp data in /etc/mail/spamassassin/sa-update-keys
        https://bugzilla.redhat.com/show_bug.cgi?id=890186
  [ 2 ] Bug #890699 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/bin/kmod.
        https://bugzilla.redhat.com/show_bug.cgi?id=890699
  [ 3 ] Bug #891000 - SELinux is preventing /usr/sbin/gpsd from setattr access on the chr_file ttyUSB0
        https://bugzilla.redhat.com/show_bug.cgi?id=891000
  [ 4 ] Bug #892199 - SELinux is preventing /usr/sbin/dnsmasq from 'read' accesses on the directory /var/lib/tftpboot.
        https://bugzilla.redhat.com/show_bug.cgi?id=892199
  [ 5 ] Bug #892307 - SELinux is preventing /usr/bin/qemu-system-i386 from 'create' accesses on the netlink_route_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=892307
  [ 6 ] Bug #892469 - SELinux is preventing /opt/google/chrome/nacl_helper_bootstrap from 'append' accesses on the file /home/francisco/.config/mailnag/mailnag.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=892469
  [ 7 ] Bug #894634 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the sock_file socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=894634
  [ 8 ] Bug #894965 - SELinux is preventing /usr/bin/evince-thumbnailer from 'create' accesses on the directory .fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=894965
  [ 9 ] Bug #894966 - SELinux is preventing /usr/bin/evince-thumbnailer from 'create' accesses on the directory fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=894966
  [ 10 ] Bug #891736 - /usr/bin/Xvnc should be xserver_exec_t
        https://bugzilla.redhat.com/show_bug.cgi?id=891736
  [ 11 ] Bug #894353 - puppet is prevented from running /usr/bin/dbus-daemon
        https://bugzilla.redhat.com/show_bug.cgi?id=894353
  [ 12 ] Bug #813870 - SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=813870
  [ 13 ] Bug #889343 - SELinux is preventing /usr/bin/python2.7 from 'search' accesses on the directory /var/lib/sss.
        https://bugzilla.redhat.com/show_bug.cgi?id=889343
  [ 14 ] Bug #890229 - SELinux is preventing /usr/bin/motion from 'name_connect' accesses on the tcp_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=890229
  [ 15 ] Bug #890762 - SELinux is preventing /usr/sbin/ovs-vswitchd from 'nlmsg_write' accesses on the netlink_route_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=890762
  [ 16 ] Bug #890788 - SELinux is preventing /usr/sbin/killall5 from using the 'sys_ptrace' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=890788
  [ 17 ] Bug #890815 - RFE: Add SELinux policies for rt4
        https://bugzilla.redhat.com/show_bug.cgi?id=890815
  [ 18 ] Bug #890345 - selinux denied qemu access the tls cert for spice connection
        https://bugzilla.redhat.com/show_bug.cgi?id=890345
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
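The install instructions above say to run yum and that every package is signed with the Fedora Project GPG key. The POSIX shell helper below is an added example, not part of the Fedora notification nor of the selinux-policy package, that checks the result after the update: it confirms the installed selinux-policy is at or above the advisory's 3.11.1-71.fc18 and that the signature rpm recorded for it was made by a key imported into the RPM database (the keys yum's gpgcheck trusts). The live check assumes an RPM-based host with rpm on the path; the two string helpers, version_at_least and key_is_imported, take their input as arguments so they can be exercised without rpm. The key ID and gpg-pubkey names in the comments are constructed placeholders, not real Fedora key IDs.

```shell
#!/bin/sh
# Added example (not from the Fedora notification or the selinux-policy
# package): verify that the installed selinux-policy matches the advisory and
# that its signature comes from a GPG key imported into the RPM database.

ADVISORY_PKG="selinux-policy"
ADVISORY_VR="3.11.1-71.fc18"   # Version-Release from the notification header

# version_at_least INSTALLED EXPECTED
#   Returns 0 when INSTALLED is equal to or newer than EXPECTED. Both strings
#   are split on '.' and '-'; numeric fields compare numerically, other
#   fields (e.g. "fc18") lexically, and a missing field counts as 0. This is
#   adequate for Fedora's X.Y.Z-N.fcNN scheme; it is not rpm's rpmvercmp.
version_at_least() {
    l=$1; r=$2
    while [ -n "$l" ] || [ -n "$r" ]; do
        lf=${l%%[.-]*}; if [ "$lf" = "$l" ]; then l=; else l=${l#*[.-]}; fi
        rf=${r%%[.-]*}; if [ "$rf" = "$r" ]; then r=; else r=${r#*[.-]}; fi
        [ -z "$lf" ] && lf=0
        [ -z "$rf" ] && rf=0
        case "$lf$rf" in
            *[!0-9]*)   # at least one non-numeric field: compare as strings
                if [ "$lf" != "$rf" ]; then
                    if [ "$(printf '%s\n%s\n' "$lf" "$rf" | sort | head -n 1)" = "$rf" ]; then
                        return 0   # rf sorts first, so lf is the newer one
                    else
                        return 1
                    fi
                fi ;;
            *)
                [ "$lf" -gt "$rf" ] && return 0
                [ "$lf" -lt "$rf" ] && return 1 ;;
        esac
    done
    return 0
}

# key_is_imported SIGLINE IMPORTED_KEYS
#   SIGLINE is the "Signature" value from `rpm -qi PKG`, e.g.
#   "RSA/SHA256, Tue 15 Jan 2013 ..., Key ID 0123456789abcdef" (constructed
#   placeholder). IMPORTED_KEYS is the output of `rpm -q gpg-pubkey`, one
#   package per line named gpg-pubkey-<last 8 hex digits of the key id>-<date>.
#   Returns 0 if the signing key's short id is among the imported keys.
key_is_imported() {
    keyid=$(printf '%s\n' "$1" | sed -n 's/.*[Kk]ey ID \([0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f')
    [ "${#keyid}" -ge 8 ] || return 1          # "(none)" or garbage: not signed
    short=${keyid#"${keyid%????????}"}          # last 8 hex digits
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-$short-"
}

# check_update: end-to-end check on a live RPM-based host.
check_update() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping live check"; return 2; }
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$ADVISORY_PKG") || return 1
    if version_at_least "$installed" "$ADVISORY_VR"; then
        echo "$ADVISORY_PKG $installed: at or above $ADVISORY_VR"
    else
        echo "$ADVISORY_PKG $installed: OLDER than $ADVISORY_VR, update needed"
        return 1
    fi
    sig=$(rpm -qi "$ADVISORY_PKG" | sed -n 's/^Signature *: //p')
    keys=$(rpm -q gpg-pubkey)
    if key_is_imported "$sig" "$keys"; then
        echo "signature key is imported into the rpm db: $sig"
    else
        echo "signature key NOT among imported keys: $sig"
        return 1
    fi
}
```

Run check_update after `yum update selinux-policy`. yum with gpgcheck=1 already refuses packages whose signing key is not imported, so the key check here is an after-the-fact confirmation rather than a substitute for that setting; the version check is what tells you the fixes listed in the ChangeLog are actually on the box.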
