--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-10302
2013-06-07 22:58:58
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 170.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 6 2013 Miroslav Grepl <[email protected]> 3.10.0-170
- Back port to allow l2tpd to read NM conf file
- Add labeling for /run/nm-xl2tpd.conf
- Add mozilla_plugin_use_gps boolean
- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
- Add labeling for HOMEDIR/.icedtea
- Allow openvpn to add own log files
- Allow cobblerd to read network state
- Allow abrt to read utmp_t file
* Thu Apr 4 2013 Miroslav Grepl <[email protected]> 3.10.0-169
- Allow cupsd to read hplip lib files
- Allow NM to create rawip socket
- Allow ping to read network state.
- Add tcp/8891 as milter port
- New directories under ~/.cache
* Tue Mar 5 2013 Miroslav Grepl <[email protected]> 3.10.0-168
- Add files_dontaudit_read_all_sockets interface
- Add gnome_dontaudit_rw_inherited_config interface
- Allow httpd_collectd_script to read /etc/passwd
- Allow milter domains to read /dev/random
- Backport readahead fixes from F18
- Allow collectd to read utmp
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix svnserve policy
- Add additional fixes for ecryptfs
- Add additional interface for ecryptfs
- Dontaudit leak fd for mozilla_plugin_config
- Allow pppd to send signull
* Mon Feb 4 2013 Miroslav Grepl <[email protected]> 3.10.0-167
- Fix dup decl for munin plugins
- Allow logwatch to domtrans to mdadm
- Backport blueman policy from F18
- Allow mozilla-plugin-config to read power_supply info
- Allow fsdaemon to read virt images
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
- Allow sa-update to search admin home for /root/.spamassassin
- Dontaudit attempts from thumb_t to connect to sssd
- Add labeling and filename transition for .grl-podcasts
- Allow mozilla_plugin_t to read files on hugetlbfs
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow logrotate to domtrans to mdadm_t
- Allow sectoolm to sys_ptrace since it is looking at other processes' /proc data.
- Allow gpg_t to manage all gnome files
- Add filename transition for .quakelive
- Add unconfined_munin_plugin_t
- Allow httpd_t to read munin conf files
- Add additional labeling for munin cgi scripts
- Add labeling for texlive bash scripts
- Allow NM to transition to l2tpd
- Add interface for postgresql_filetrans_name_content to make sure log directories get created with the correct label.
* Thu Jan 3 2013 Miroslav Grepl <[email protected]> 3.10.0-166
- Allow gpsd_t to setattr on usbtty_device
- Allow mail_munin_plugins domain to run postconf
- Dontaudit reading of domain states for mozilla-plugin-config
- Backport corenetwork.te.in fixes related to http and keystone ports
- Backport cloudform policy from F18
- Allow logrotate sys_ptrace capability
- Allow mscan to read /etc/MailScanner/conf.d directory
- Add support for HOME_DIR/.lyx
- Add support for rt4
- Backport rhsmcertd policy from F18
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Add ntp_exec() interface
- Dontaudit setattr on user tmp files for mozilla plugins
- Allow colord-sane to read proc/sys/kernel/osrelease
- Allow setroubleshoot_fixit to execute rpm
- Allow logwatch to getattr on all dirs
- Allow chrome and mozilla_plugin to create msgq and semaphores
- systemd_logind_t is looking at all files under /run/user/apache
- Allow confined users to ptrace screen
* Mon Dec 17 2012 Miroslav Grepl <[email protected]> 3.10.0-165
- Add php-fpm support
- Allow munin disk plugins to get attributes of all directories
- Fix gnome_manage_config() to allow to manage sock_file
* Fri Dec 14 2012 Miroslav Grepl <[email protected]> 3.10.0-164
- Add labeling for /var/www/openshift/{broker,console}
- Allow openshift_initrc domain to dbus chat with systemd_logind
- Allow httpd to getattr passenger log file if run_stickshift
- Add passenger_getattr_log_files interface
- Backport svirt_tcg policy
- munin wants to send sigkill to ping
- Allow munin plugins to send a signal to itself
- Allow munin to send signal to ping
* Thu Dec 13 2012 Miroslav Grepl <[email protected]> 3.10.0-163
- Allow openshift domain to read /dev/urandom
- Add labeling for /var/www/openshift/console/{tmp,log} dirs
- gems seems to be placed in lots of places
- Add labeling for /usr/bin/pg_ctl
- Add labeling for HOME_DIR/irclogs
- Allow systemd-logind to manage keyring user tmp dirs. We allow it for user_tmp_t dirs.
- Add gnome_manage_gkeyringd_tmp_dirs() interface
- Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories
- Allow xend to run scsi_id
- Allow rhsmcertd-worker to read "physical_package_id"
- Allow lpr to read /usr/share/fonts
- Allow open file from CD/DVD drive on domU
- Dontaudit attempts by openshift to read apache logs
- Add sntp support to ntp policy
- Allow tor to read /proc/sys/kernel/random/uuid
* Wed Dec 5 2012 Miroslav Grepl <[email protected]> 3.10.0-162
- Backport openvswitch policy from F18
- Allow logrotate to transition to openvswitch domain
- opendkim should be a part of milter
- Add filename transition for /etc/tuned/active_profile
- Allow condor_master to send mails
- Allow condor_master to create /tmp files/dirs
- Allow condor_master to send sigkill to other condor domains
- Allow condor_procd sigkill capability
- tuned-adm wants to talk with tuned daemon
- Allow all application domains to use fifo_files passed in from userdomains
- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler"
- Fix mozilla_plugin_can_network_connect to allow to connect to all ports
- The host and a virtual machine can share the same printer on a usb device
- Backport thumb.te from F18
- Dontaudit leaks of locks or generic log files to systemprocesses
- Allow blueman to transition to ifconfig, dnsmasq
- Backport virt_lock_t from F18
- Allow syslogd to request the kernel to load a module
- Allow syslogd_t to read the network state information
- Add awstats_purge_apache_log boolean
- Allow ksysguardproces to read /.config/Trolltech.conf
- Allow passenger to create and append puppet log files
- Add puppet_append_log and puppet_create_log interfaces
- Allow rhsmcertd to send signal to itself
* Wed Nov 21 2012 Miroslav Grepl <[email protected]> 3.10.0-161
- Add commands needed to get mock to build from staff_t in enforcing mode
- Allow dbus-daemon to read/write inherited removable devices
- Add storage_rw_inherited_removable_device() interface
- fetchmail reads /etc/passwd
- Allow rhnsd to execute bin_t in the caller rhnsd_t domain
- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t an unconfined domain
- Allow authenticating users in webaccess via squid, using mysql as backend
- Allow firewalld to read /etc/hosts
- Backport openshift.te from F18
- Dontaudit xdm_t to getattr on BOINC lib files
- Allow chrome and mozilla plugin to connect to msnp ports
* Tue Nov 13 2012 Miroslav Grepl <[email protected]> 3.10.0-160
- Allow BOINC client to use an HTTP proxy for all connections
- Add labeling for /var/lib/zarafa-webapp
- Allow mozilla plugins to read /dev/hpet
- Allow MPD to read /dev/random
- Allow dnsmasq to read /etc/NetworkManager
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- httpd needs to send signull to openshift init script
- Fix tftp_read_content() interface
* Mon Nov 5 2012 Miroslav Grepl <[email protected]> 3.10.0-159
- More fixes for passwd/group labeling
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Add interface to make sure rpcbind.sock is created with the correct label
- Add support for OpenShift sbin labeling
* Tue Oct 30 2012 Miroslav Grepl <[email protected]> 3.10.0-158
- Fix labeling for passwd*
* Tue Oct 23 2012 Miroslav Grepl <[email protected]> 3.10.0-157
- logwatch wants sys_nice/setsched
- Add labeling for mcollectived
- Allow openshift domains to read localization
- Allow smokeping to execute fping in the netutils_t domain
- Allow support for notifyclamd option in /etc/freshclam.conf
- Allow mozilla-plugin-config to getattr on all fs
- Add tftp_homedir boolean
- Allow nslcd to connect to ldap port without boolean
- policykit-auth wants sys_nice
- openshift user domains want to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl <[email protected]> 3.10.0-156
- Allow nfsd to write to mount_var_run_t
- Allow smokeping to execute bin_t
- Allow sshd_t to execute login program
- Allow prelink to read power_supply
- Allow alsa to r/w alsa config files
- Allow tuned to setsched kernel
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow initrc_t to read all systemd unit files
- Allow mozilla_plugin_t to create .mplayer in users homedir
- Allow sshd to send syslog msgs
- Allow varnish execmem
- Allow mongodb_t to getattr on all file systems
- Allow pyzor running as spamc to manage amavis spool
- Allow rhnsd to read /usr/lib/locale
* Tue Oct 16 2012 Miroslav Grepl <[email protected]> 3.10.0-155
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
- Update httpd_run_stickshift boolean
- Allow hplip to execute bin_t
* Tue Oct 9 2012 Miroslav Grepl <[email protected]> 3.10.0-154
- Fix openshift labeling
- Allow groupadd to read SELinux file context
* Sun Oct 7 2012 Miroslav Grepl <[email protected]> 3.10.0-153
- Add openshift policy
- Add changes needed by openshift policy
- Allow vmnet-natd to request the kernel to load a module
- Allow winbind to read /usr/share/samba/codepages/lowcase.dat
- Access needed to allow hplip to send faxes
- abrt_dump_oops needs to read debugfs
- Add support for HTTPProxy* in /etc/freshclam.conf
* Fri Oct 5 2012 Miroslav Grepl <[email protected]> 3.10.0-152
- Add file transition for mongodb lib dirs
- Add labeling for /var/lib/mongo, /var/run/mongo
- Allow gpg to write to /etc/mail/spamassassin directories
- Add support for hplip logs stored in /var/log/hp/tmp
- Allow winbind to read usr_t
- Add rhnsd policy
- Add labeling for /etc/owncloud/config.php
* Thu Sep 27 2012 Miroslav Grepl <[email protected]> 3.10.0-151
- Allow winbind to connect to ldap without a boolean
- Allow mozilla-plugin to connect to commplex port
- Fix tomcat template interface
- Allow thumb to use user fonts
* Mon Sep 24 2012 Miroslav Grepl <[email protected]> 3.10.0-150
- Backport tomcat fixes from F18
- Add filename transition for mongod.log
- Dontaudit jockey to search /root/.local
- Fix passenger labeling
- Fix corenetwork interfaces which need to require ephemeral_port_t
- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, IE No Open
* Mon Sep 17 2012 Miroslav Grepl <[email protected]> 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18
- Allow rhnsd to send syslog msgs
- ABRT wants to read Xorg.0.log if it detects problem with Xorg
- Allow chrome_sandbox to leak unix_dgram_socket into chrome_sandbox_nacl_t
- Allow postalias to read postfix config files
- Allow tmpreaper to cleanup all files in /tmp
- Allow chown capability for zarafa domains
- Allow xauth to read /dev/urandom
- Allow tmpreaper to list admin_home dir
- Allow clamd to write/delete own pid file with clamd_var_run_t label
- Add support for gitolite3
- Allow virsh_t to getattr on virtd_exec_t
- Allow virsh can_exec on virsh_exec_t
- Look up group name by spamass-milter-postfix
- Add mozilla_plugin_can_network_connect boolean
- Fix /var/lib/sqlgrey labeling
- Add support for a new path for passenger
* Tue Aug 28 2012 Miroslav Grepl <[email protected]> 3.10.0-148
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt
- Allow groupadd_t to search default_context
- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
- Allow ksysguardproces to read/write config_usr_t
- Backport passenger policy from F18
- Allow wdmd to create wdmd_tmpfs_t
* Thu Aug 23 2012 Miroslav Grepl <[email protected]> 3.10.0-147
- Fix passenger labeling
- Add thumb_tmpfs_t files type
- Add file name transitions for ttyACM0
- Allow virtd to send dbus messages to firewalld
* Mon Aug 20 2012 Miroslav Grepl <[email protected]> 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to getattr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modprobe.d
- Allow web plugins to connect to the asterisk ports
* Wed Aug 8 2012 Miroslav Grepl <[email protected]> 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system
- Sanlock needs to send Kill Signals to non root process
- Allow sendmail to read/write postfix_delivery_t
* Mon Aug 6 2012 Miroslav Grepl <[email protected]> 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVC's
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes
* Thu Aug 2 2012 Miroslav Grepl <[email protected]> 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgrey
- Allow postfix to connect to spampd
- Add support for spampd and treat it as spamd_t policy
- Allow munin mail plugin to read exim.log
- Fix mta_mailserver_delivery() interface
- Allow logrotate to getattr on systemd unit files
- Allow tor to read kernel sysctls
- Add new man pages
- Fix labeling for pingus
* Fri Jul 27 2012 Miroslav Grepl <[email protected]> 3.10.0-142
- Regenerate man pages
- Dontaudit mysqld_safe sending signull to random domains
- Add interface for mysqld to dontaudit signull to all processes
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Add labeling for /var/motion
- Add amavis_use_jit boolean
- Allow mongod to connect to postgresql port
* Tue Jul 24 2012 Miroslav Grepl <[email protected]> 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pipe
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, lets just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on avc's from RHEL6 for amavis
* Wed Jul 18 2012 Miroslav Grepl <[email protected]> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port
* Sun Jul 15 2012 Miroslav Grepl <[email protected]> 3.10.0-139
- Add support for ecryptfs
  * ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICAClient and zimbrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
* Tue Jul 10 2012 Miroslav Grepl <[email protected]> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul 3 2012 Miroslav Grepl <[email protected]> 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and execute binaries with bin_t
- Allow thumb to use user terminals
- Allow systemd_logind_t to read/write /dev/input0
* Fri Jun 29 2012 Miroslav Grepl <[email protected]> 3.10.0-136
- Fixes to make minimal policy to be installed
* Wed Jun 27 2012 Miroslav Grepl <[email protected]> 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
* Tue Jun 26 2012 Miroslav Grepl <[email protected]> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozilla_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm
* Fri Jun 22 2012 Miroslav Grepl <[email protected]> 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic link/loader
* Mon Jun 18 2012 Miroslav Grepl <[email protected]> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urandom
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <[email protected]> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
* Mon Jun 11 2012 Miroslav Grepl <[email protected]> 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list the content of /etc/modprobe.d
- Allow dkim-milter to listen on own tcp_socket
* Fri Jun 8 2012 Miroslav Grepl <[email protected]> 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd
* Wed May 30 2012 Miroslav Grepl <[email protected]> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <[email protected]> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tuning /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <[email protected]> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <[email protected]> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <[email protected]> 3.10.0-124
- Make systemd unit files less specific
* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <[email protected]> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #827905 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/sbin/ldconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=827905
  [ 2 ] Bug #891483 - SELinux is preventing /usr/sbin/iscsiuio from 'module_request' accesses on the system.
        https://bugzilla.redhat.com/show_bug.cgi?id=891483
  [ 3 ] Bug #915771 - SELinux is preventing /usr/sbin/collectd from using the net_admin capability.
        https://bugzilla.redhat.com/show_bug.cgi?id=915771
  [ 4 ] Bug #928989 - SELinux is preventing /usr/bin/systemctl from 'lock' accesses on the file /run/utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=928989
  [ 5 ] Bug #951778 - SELinux is preventing /usr/bin/perl from 'getattr' accesses on the file /usr/lib64/nagios/plugins/utils.pm.
        https://bugzilla.redhat.com/show_bug.cgi?id=951778
  [ 6 ] Bug #962260 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=962260
  [ 7 ] Bug #963631 - SELinux is preventing /usr/sbin/openvpn from read, write access on the directory /var/log/openvpn.
        https://bugzilla.redhat.com/show_bug.cgi?id=963631
  [ 8 ] Bug #967161 - SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'write' accesses on the directory NewFiles.
        https://bugzilla.redhat.com/show_bug.cgi?id=967161
  [ 9 ] Bug #967378 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from 'write' accesses on the file /home/frieben/.icedtea/cache/recently_used.
        https://bugzilla.redhat.com/show_bug.cgi?id=967378
  [ 10 ] Bug #967711 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from 'create' accesses on the file jwtwebJ2.jar.info.temp.
        https://bugzilla.redhat.com/show_bug.cgi?id=967711
  [ 11 ] Bug #967771 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from 'rmdir' accesses on the directory menu.
        https://bugzilla.redhat.com/show_bug.cgi?id=967771
  [ 12 ] Bug #967843 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java from 'rename' accesses on the file gui_view5.jar.pack.gz.info.temp.
        https://bugzilla.redhat.com/show_bug.cgi?id=967843
  [ 13 ] Bug #968862 - SELinux is preventing /usr/bin/systemctl from 'open' accesses on the file /run/utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=968862
  [ 14 ] Bug #969639 - SELinux is preventing /usr/sbin/xl2tpd from 'getattr' accesses on the file /run/nm-xl2tpd.conf.7319.
        https://bugzilla.redhat.com/show_bug.cgi?id=969639
  [ 15 ] Bug #967635 - File /usr/bin/razor-lightdm-greeter label as spamc_t but should be xdm_exec_t.
        https://bugzilla.redhat.com/show_bug.cgi?id=967635
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
