--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-17739
2013-09-26 23:14:09
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 74.8.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 26 2013 Lukas Vrabec <[email protected]> 3.12.1-74.8
- Get labeling right on ipsec.secrets
- Allow systemd to read dhcpc_state
- Allow amanda to write to /etc/amanda/DailySet1 directory
- Fix English on gssd_read_tmp boolean descriptions
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Fix typo in abrt.te

* Wed Sep 25 2013 Miroslav Grepl <[email protected]> 3.12.1-74.7
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow mozilla_plugin to transition to itself
- Allow mdadm_t to read images labeled svirt_image_t
- Allow NetworkManager to set the kernel scheduler
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- More handling of the kernel keyring required by kerberos

* Fri Sep 20 2013 Miroslav Grepl <[email protected]> 3.12.1-74.6
- Keep initrc_domain if init_t executes bin_t

* Fri Sep 20 2013 Lukas Vrabec <[email protected]> 3.12.1-74.5
- Fix label on pam_krb5 helper apps
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Fix label on pam_krb5 helper apps
- Allow init_t to run crash utility
- Call neutron interfaces instead of quantum
- Allow users to communicate with journald using tmpfs files
- Allow nslcd to send signull to itself
- Fix virtd_lxc_t to be able to communicate with hal, need backport to rhel6 ASAP, for docker stuff
- Fix missing types in virt_admin interface
- Dontaudit attempts by sosreport to read shadow_t
- Allow cobbler to exec rsync and communicate with sssd, using nsswitch
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Allow irc_t to use tcp sockets
- Add labels for apache logs under miq package
- Allow fetchmail to send mails
- allow neutron to connect to amqp ports
- Fix to use quantum port
- Rename quantum to neutron
- Allow virt_qemu_ga_t to read meminfo
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow ldconfig to write to kdumpctl fifo files
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys

* Mon Sep 16 2013 Lukas Vrabec <[email protected]> 3.12.1-74.4
- fix bad labels in puppet.if
- Allow tcsd to read utmp file
- Define svirt_socket_t as a domain_type
- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file
- Allow passenger to execute ifconfig

* Wed Sep 11 2013 Lukas Vrabec <[email protected]> 3.12.1-74.3
- Treat usr_t just like bin_t for transitions and executions
- Allow memcache to read sysfs data
- openct needs to be able to create netlink_object_uevent_sockets
- Allow nslcd to read /sys/devices/system/cpu
- Allow mdadm to read /dev/mei
- amanda_exec_t needs to be executable file
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- Allow setpgid and r/w cluster tmpfs for fenced_t
- Allow block_suspend cap for samba-net
- Allow mpd setcap which is needed by pulseaudio
- Add antivirus_home_t type for antivirus date in HOMEDIRS
- Allow glance-api to connect to amqp port
- Fix wrong capabilities in rhcs policy

* Fri Sep 6 2013 Lukas Vrabec <[email protected]> 3.12.1-74.2
- Fix lsm.fc for pid files
- Allow init_t to transition to all inetd domains
- Allow tgtd_t to connect to isns ports
- Lots of new access required for sosreport
- svirt domains need to create kobject_uevint_sockets
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- Cleanup related to init_domain()+inetd_domain fixes
- Allow cvs to bind to the cvs_port
- Allow ktalkd to bind to the ktalkd_port
- Allow telnetd to bind to the telnetd_port
- Allow rlogind to bind to the rlogin_port
- Allow apache domain to connect to gssproxy socket
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow cupsd_lpd_t to bind to the printer port
- Allow a confined domain to execute mozilla_exec_t via dbus
- Allow mdadm to getattr any file system
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow all domains that can read gnome_config to read kde config
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Fix mozilla_plugin_rw_tmpfs_files()
- Allow systemd running as git_systemd to bind git port
- Allow firewalld to read NM state
- Add interface couchdb_search_pid_dirs
- Add support for couchdb in rabbitmq policy
- Add boolean boinc_execmem
- Add interface netowrkmanager_initrc_domtrans
- Dontaudit leaks into ldconfig_t
- Dontaudit inherited lock files in ifconfig o dhcpc_t
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Add interface to read authorization data in the users homedir
- Allow ipsec_t to read .google authenticator data
- Allow staff_t to read login config
- Treat files labeled as usr_t like bin_t when it comes to transitions
- Split out rlogin ports from inetd
- Add interface seutil_dbus_chat_semanage
- Fix selinuxutil.if

* Tue Sep 3 2013 Lukas Vrabec <[email protected]> 3.12.1-74.1
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Fix polipo.te
- Add trans rules for lsm pid files/dirs
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Allow sosreport to getattr everything in /dev and send rawip packets
- Allow sosreport to transition to brctl
- Add missing alias for amavis_etc_t
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Fix cupsd.te
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Fix to define ktalkd_unit_file_t correctly
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add support for tmp directories to openvswitch
- Add logwatch_can_sendmail boolean
- Allow telpathy_domains to search user homedirs and tmp dirs
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb

* Thu Aug 29 2013 Lukas Vrabec <[email protected]> 3.12.1-74
- Rename svirt_lxc_file_t to svirt_sandbox_file_t
- Allow virt_domain with USB devices to look at dos file systems
- Dontaudit thumb_t trying to look in /proc
- Change svirt_lxc_domain to svirt_sandbox_domain, and add svirt_qemu_net_t type
- Rename interface virt_transition_svirt_lxc to virt_transition_svirt_sanbox
- Allow ipsec_t to domtrans to iptables_t
- dontaudit users running nautilus on /proc
- Dontaudit hostname inheriting any terminal
- Label polgengui as a bin_t
- Allow semanage to create /.autorelabel file
- Label systemd unit files under dracut correctly
- Allow systemd domain to read /proc
- Allow sssd to write to user keyrings for managing kerberos
- Allow rhsmcertd to read init state
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch

* Fri Aug 23 2013 Miroslav Grepl <[email protected]> 3.12.1-73
- Update rules for condor domains

* Fri Aug 23 2013 Miroslav Grepl <[email protected]> 3.12.1-72
- Fix collectd_t can read /etc/passwd file
- Fix lsm.if summary
- Add policy for lsmd
- Cleanup raid.te
- Add support for abrt-upload-watch
- Dontaudit access check on cert_t for httpd_t
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Allow glusterd to read domains state
- Allow swift to create cache dirs with correct labeling
- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh
- Add support for .Xauthority-n

* Tue Aug 20 2013 Miroslav Grepl <[email protected]> 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984
- Allow named to manage own log files
- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
- Add virt_transition_userdomain boolean decl
- Allow httpd_t to sendto unix_dgram sockets on its children
- Allow nova domains to execute ifconfig
- bluetooth wants to create fifo_files in /tmp
- exim needs to be able to manage mailman data
- Allow sysstat to getattr on all file systems
- Looks like bluetoothd has moved
- Allow collectd to send ping packets
- Allow svirt_lxc domains to getpgid
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
- Allow frpintd_t to read /dev/urandom
- Allow asterisk_t to create sock_file in /var/run
- Allow usbmuxd to use netlink_kobject
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
- More cleanup of svirt_lxc policy
- virtd_lxc_t now talks to dbus
- Dontaudit leaked ptmx_t
- Allow processes to use inherited fifo files
- Allow openvpn_t to connect to squid ports
- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
- Allow user roles to connect to the journal socket
- xauth_t should be allowed to create xauth_home_t
- selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config

* Thu Aug 8 2013 Miroslav Grepl <[email protected]> 3.12.1-70
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Add fixes for rabbit to fix ##992920,#99293
- Make NFS home, NIS authentication and dbus-daemon working
- Fix thumb_run()
- winbind wants block_suspend
- Fix typo in smokeping.te
- Fix rabbit.te
- Remove dup rule for dovecot.te
- Fix abrt.te
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config
- Fix rules for creating pluto pid files
- Fix userdom_relabel_user_tmp_files()
- Label 10933 as a pop port, for dovecot

* Fri Aug 2 2013 Miroslav Grepl <[email protected]> 3.12.1-69
- Add fix for pand service
- Fix pegasus.te
- shorewall touches own log
- Allow nrpe to list /var
- Add additional fixes for pegasus_openlmi_storage_t. Domtrans to demicode. A type for openlmi_storage lib files.
- Dontaudit attempts by thumb_t to check access on files/dirs in user homedir

* Tue Jul 30 2013 Miroslav Grepl <[email protected]> 3.12.1-68
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec

* Fri Jul 26 2013 Miroslav Grepl <[email protected]> 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user domains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info

* Wed Jul 24 2013 Miroslav Grepl <[email protected]> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilities and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool

* Tue Jul 16 2013 Miroslav Grepl <[email protected]> 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files

* Fri Jul 12 2013 Miroslav Grepl <[email protected]> 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcuspd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to user gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files

* Wed Jul 10 2013 Miroslav Grepl <[email protected]> 3.12.1-63
- Add systemd support for mdadm

* Tue Jul 9 2013 Miroslav Grepl <[email protected]> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled

* Mon Jul 8 2013 Miroslav Grepl <[email protected]> 3.12.1-61
- Allow mdamd to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content

* Mon Jul 8 2013 Miroslav Grepl <[email protected]> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connect to its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and eliminates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
- Fix bootloader.fc
- Additional fix
- Fix with xserver_stream_connect_xdm() calling

* Wed Jul 3 2013 Miroslav Grepl <[email protected]> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean

* Fri Jun 28 2013 Miroslav Grepl <[email protected]> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut down the system
- Devicekit_disk_t needs to manage /etc/fstab

* Wed Jun 26 2013 Miroslav Grepl <[email protected]> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t

* Mon Jun 24 2013 Miroslav Grepl <[email protected]> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition

* Fri Jun 21 2013 Miroslav Grepl <[email protected]> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #990910 - Cloud-init executes user-data scripts with PATH unset
        https://bugzilla.redhat.com/show_bug.cgi?id=990910
  [ 2 ] Bug #1003177 - SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket
        https://bugzilla.redhat.com/show_bug.cgi?id=1003177
  [ 3 ] Bug #1007558 - irssi can't listen on high ports, even with relevant booleans set
        https://bugzilla.redhat.com/show_bug.cgi?id=1007558
  [ 4 ] Bug #1007568 - SELinux is preventing /usr/libexec/gdm-session-worker from 'entrypoint' accesses on the file /usr/lib64/security/pam_krb5/pam_krb5_cchelper.
        https://bugzilla.redhat.com/show_bug.cgi?id=1007568
  [ 5 ] Bug #1009096 - selinux and fetchmail
        https://bugzilla.redhat.com/show_bug.cgi?id=1009096
  [ 6 ] Bug #1009808 - SELinux is preventing systemd-journal from read, write access on the file /dev/shm/journal.wsCiPG (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=1009808
  [ 7 ] Bug #1010537 - SELinux is preventing /usr/sbin/NetworkManager from using the 'setsched' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1010537
  [ 8 ] Bug #1011122 - SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the blk_file dm-12.
        https://bugzilla.redhat.com/show_bug.cgi?id=1011122
  [ 9 ] Bug #1011240 - SELinux is preventing /usr/bin/gtk-gnash from using the transition access on a process
        https://bugzilla.redhat.com/show_bug.cgi?id=1011240
  [ 10 ] Bug #1011808 - SELinux is preventing /usr/libexec/nm-l2tp-service from 'rename' accesses on the file /etc/ipsec.secrets.
        https://bugzilla.redhat.com/show_bug.cgi?id=1011808
  [ 11 ] Bug #998763 - sosreport avcs
        https://bugzilla.redhat.com/show_bug.cgi?id=998763
  [ 12 ] Bug #1006761 - SELinux prevent cobbler import
        https://bugzilla.redhat.com/show_bug.cgi?id=1006761
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
