--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-12373
2013-07-05 00:35:47
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 59.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul  3 2013 Miroslav Grepl <[email protected]> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
  then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean

* Fri Jun 28 2013 Miroslav Grepl <[email protected]> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut down the system
- Devicekit_disk_t needs to manage /etc/fstab

* Wed Jun 26 2013 Miroslav Grepl <[email protected]> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t

* Mon Jun 24 2013 Miroslav Grepl <[email protected]> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition

* Fri Jun 21 2013 Miroslav Grepl <[email protected]> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #975649 - Intel firmware RAID-1 set shows as read-only on live boot (RAID-0 set does not)
        https://bugzilla.redhat.com/show_bug.cgi?id=975649
  [ 2 ] Bug #978903 - SELinux is preventing /usr/bin/loginctl from 'search' accesses on the directory /sys/fs/cgroup.
        https://bugzilla.redhat.com/show_bug.cgi?id=978903
  [ 3 ] Bug #979526 - SELinux is preventing /usr/sbin/mcelog from 'search' accesses on the directory /var/lib/sss.
        https://bugzilla.redhat.com/show_bug.cgi?id=979526
  [ 4 ] Bug #979662 - SELinux is preventing /usr/bin/systemctl from 'read' accesses on the file utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=979662
  [ 5 ] Bug #979708 - SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.
        https://bugzilla.redhat.com/show_bug.cgi?id=979708
  [ 6 ] Bug #979745 - SELinux is preventing /usr/bin/perl from 'create' accesses on the directory .razor.
        https://bugzilla.redhat.com/show_bug.cgi?id=979745
  [ 7 ] Bug #979795 - SELinux is preventing /usr/lib64/nagios/plugins/check_mysql from 'read' accesses on the directory cpu.
        https://bugzilla.redhat.com/show_bug.cgi?id=979795
  [ 8 ] Bug #980236 - SELinux is preventing /usr/bin/lockfile-create from 'write' accesses on the directory logcheck.
        https://bugzilla.redhat.com/show_bug.cgi?id=980236
  [ 9 ] Bug #980243 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file meminfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=980243
  [ 10 ] Bug #980608 - SELinux is preventing /usr/bin/screen from using the 'sigchld' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=980608
  [ 11 ] Bug #974581 - SELinux, gssproxy, rpc.gssd
        https://bugzilla.redhat.com/show_bug.cgi?id=974581
  [ 12 ] Bug #978615 - Quake Live falls back to software rendering on HD 4000 graphics with setenforce 1
        https://bugzilla.redhat.com/show_bug.cgi?id=978615
  [ 13 ] Bug #979624 - [RFE] Allow fail2ban to use firewall-cmd in actions scripts
        https://bugzilla.redhat.com/show_bug.cgi?id=979624
  [ 14 ] Bug #979697 - IBM expenses selinux denial on ~/.IBMERS for mozilla_plugin_t
        https://bugzilla.redhat.com/show_bug.cgi?id=979697
  [ 15 ] Bug #979717 - missing nsd policy, despite being in refpolicy
        https://bugzilla.redhat.com/show_bug.cgi?id=979717
  [ 16 ] Bug #980087 - AVCs prevent mailman starting in enforcing mode
        https://bugzilla.redhat.com/show_bug.cgi?id=980087
  [ 17 ] Bug #980629 - telepathy-rakia doesn't run in the proper domain when running as a confined user
        https://bugzilla.redhat.com/show_bug.cgi?id=980629
  [ 18 ] Bug #980631 - add redis port to the policy
        https://bugzilla.redhat.com/show_bug.cgi?id=980631
  [ 19 ] Bug #980633 - Tmpwatch not allowed to open cups' tmp directory
        https://bugzilla.redhat.com/show_bug.cgi?id=980633
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
