--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-12990
2009-12-10 03:29:22
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 56.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20090730

--------------------------------------------------------------------------------
Update Information:

- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms

--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 7 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms

* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs

* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd

* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy

* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connect to unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files

* Wed Nov 25 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.

* Tue Nov 24 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-50
- Allow modemmanager sys_admin

* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-49
- Allow sssd to read all processes domain

* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx
- Allow rtkit_daemon to read locale file
- Allow snort to create socket
- Additional perms for xauth
- lots of textrel_lib_t file context

* Tue Nov 17 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so

* Mon Nov 16 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools

* Fri Nov 13 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses

* Thu Nov 12 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so

* Tue Nov 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-43
- Fix transition so unconfined_exemem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd

* Mon Nov 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos library problem.
- Eliminate transition from unconfined_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #543872 - SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=543872
  [ 2 ] Bug #544117 - SELinux is preventing /sbin/setfiles access to a leaked /tmp/xerr-root-:0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544117
  [ 3 ] Bug #544242 - SELinux is preventing /sbin/unix_chkpwd access to a leaked 0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544242
  [ 4 ] Bug #544439 - SELinux is preventing /usr/bin/xauth "read" access on /usr/share/fonts/abyssinica/Abyssinica_SIL.ttf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544439
  [ 5 ] Bug #544496 - SELinux is preventing /usr/sbin/lircd "read" access on mouse0.
        https://bugzilla.redhat.com/show_bug.cgi?id=544496
  [ 6 ] Bug #544556 - SELinux is preventing /usr/sbin/logrotate "getattr" access on /var/lib/zope/etc/logrotate.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544556
  [ 7 ] Bug #544672 - SELinux is preventing /sbin/rpc.statd access to a leaked fifo_file file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544672
  [ 8 ] Bug #544678 - SELinux is preventing gdm-smartcard-w "write" access on /var/run/pcscd.events.
        https://bugzilla.redhat.com/show_bug.cgi?id=544678
  [ 9 ] Bug #544697 - SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked inotify file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544697
  [ 10 ] Bug #544704 - SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=544704
  [ 11 ] Bug #544765 - SELinux is preventing /usr/sbin/logrotate "getattr" access on /var/lib/zope/etc/logrotate.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544765
  [ 12 ] Bug #544787 - 'system-config-firewall' : firewallgui_t unconfined_t:dbus send_msg;
        https://bugzilla.redhat.com/show_bug.cgi?id=544787
  [ 13 ] Bug #544811 - SELinux is preventing /usr/sbin/asterisk "execute_no_trans" access on /usr/sbin/asterisk.
        https://bugzilla.redhat.com/show_bug.cgi?id=544811
  [ 14 ] Bug #544813 - SELinux is preventing /bin/bash "execute" access on /usr/sbin/asterisk.
        https://bugzilla.redhat.com/show_bug.cgi?id=544813
  [ 15 ] Bug #544853 - SELinux is preventing /usr/bin/Xorg from loading /opt/VBoxGuestAdditions-3.1.0/lib/VBoxOGL.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=544853
  [ 16 ] Bug #544994 - SELinux is preventing /usr/sbin/httpd "signal" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=544994
  [ 17 ] Bug #545083 - SELinux is preventing /usr/sbin/sendmail.postfix "execute" access on /usr/sbin/sendmail.postfix.
        https://bugzilla.redhat.com/show_bug.cgi?id=545083
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce