--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-9612
2013-05-30 02:05:59
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 97.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 28 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-97
- Fix ipsec_manage_key_file()
- Fix ipsec_filetrans_key_file()
- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
- Fix labeling for ipsec.secrets
- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid
- Allow l2tpd to create ipsec key files with correct labeling and manage them
- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files
- Add labeling for /usr/sbin/unbound-checkconf
- Allow l2tpd to read ipsec-mgmt pid files
- more fixes for l2tpd, NM and pppd from #967072
- Allow NM to send signals to l2tpd
- Allow devicekit_disk_t to sys_config_tty
- Make printing from vmware working
- Allow mozilla-plugin to connect to jboss port
- Add chronyd support for #965457
- Fix labeling for HOMEDIR/.icedtea

* Mon May 20 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-96
- Allow also sealert to read the policy from the kernel
- Dontaudit listing of users homedir by sendmail. Seems like a leak
- Allow postfix domains to manage postfix_var_run_t
- Allow mount to append to the ssh_home_t when using sshfs

* Fri May 17 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-95
- Fix pegasus_openlmi_domain_template()
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files
- Change cupsd_t to be allowed to manage own log files
- Allow sge_execd_t to also connect to sge ports
- Make gnome-abrt working with staff_t
- Allow sge_execd to bind sge ports.
- Allow kill capability and reads cgroup files
- Add web browser plugins to connect to aol ports
- Update antivirus_can_scan_system boolean
- Allow mozilla_plugin_t to create pulseaudio_home_t directories
- mdadm runs ps command which seems to getattr on random log files
- Allow cobblerd to read network state
- Add port definition for sge ports
- Allow useradd_t to r/w var_lib_t

* Tue May 7 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-94
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd
- Allow keystone_t to execute rpm
- Allow tcpd to execute leafnode
- Allow glance-api to connect to http port to make glance image-create working
- Allow NUT to use serial ports
- Allow postfix-showq to read/write unix.showq in /var/spool/postfix/pid
- Allow virsh to read xen lock file
- Allow qemu-ga to create files in /run with proper labeling
- Allow glusterd to connect to own socket in /tmp
- Allow unbound net_admin capability because of setsockopt syscall
- Allow mount to stream connect to rpcbind

* Thu May 2 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-93
- Allow pki apache domain to create own tmp files and execute httpd_suexec
- Allow NM and openvpn to access files on encrypted /home
- Allow procmail to manage user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Backport tuned policy from F19
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd
- Add support for nginx
- Allow tcpd to execute leafnode
- Allow mount to stream connect to rpcbind
- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki

* Fri Apr 26 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-92
- Eliminate dontaudit rules so setroubleshoot and audit2allow can tell user what to do if apache attempts to use the terminal
- Add transition from cupsd_config_t to cupsd_t
- Fix chrome_role_notrans() to allow also append to stream socket
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Label aliases db files with correct label
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Dontaudit attempts to sys_ptrace, which I believe gpsd does not need
- Allow mpd getattr on file system directories
- Add rsync_etc_filetrans_config()
- Label /var/lib/sepolgen as selinux_config_t so that setroubleshoot can read it
- Add filetrans rules for tw devices
- Allow systemd-tty-ask to write kmsg
- label shared libraries in /opt/google/chrome as textrel_shlib_t

* Thu Apr 18 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-91
- Allow domains to use kerberos to read file_context file
- Allow mozilla_plugin to connect to port 8081
- Tighten security on virtual machines
- block_suspend is caps2
- Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherited terminals
- Allow pcscd to use devices labeled svirt_image_t in order to use cat cards.
- Add label for new alsa pid
- Alsa now uses a pid file and needs to setsched
- Allow nova domains to connect to mysql port
- Allow quantum to connect to keystone port
- Allow nova-console to talk with mysql over unix stream socket
- Allow dirsrv to stream connect to uuidd
- Fix transition for cobbler lib files
- Label all nagios plugin as unconfined by default
- Add httpd_serve_cobbler_files()
- Allow mdadm to read /dev/sr0 and create tmp files
- Allow certwatch to send mails
- Allow livecd to transition to rpm_script_t
- Add cache dir support for cobbler
- label shared libraries in /opt/google/chrome as textrel_shlib_t
- Fix labeling for nagios plugins
- Disable support for .xsession-errors-:[digit] file name transition for now until policycoreutils fix

* Mon Apr 15 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-90
- Allow git_system_t to read network state
- Allow pegasus to execute mount command
- Allow nagios check disk plugins to execute bin_t
- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs
- Allow quantum to transition to openvswitch_t
- Allow quantum to use database
- allow quantum to stream connect to openvswitch
- Allow alsa_t signal_perms, we probably should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
- Allow winbind to manage kerberos_rcache_host
- Allow spamd to create spamd_var_lib_t directories
- Dontaudit attempts by httpd_t attempting to read rpm database. Customer triggered this by executing createrepo, needs back port to rhel6
- Add missing nslcd_dontaudit_write_sock_file() interface
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Fix for openvswitch_stream_connect()
- Add rgmanager_search_lib() interface
- Fix pki_read_tomcat_lib_files() interface
- Fix cobbler_manage_lib_files() interface
- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
- Allow daemon to send dgrams to initrc_t
- Update textrel_shlib_t names
- Allow kdm to start the power service to initiate a reboot or poweroff

* Mon Apr 8 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-89
- Add port definition for osapi_compute port
- User accounts need to dbus chat with accountsd daemon
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Lots of access required by lvm_t to created encrypted usb device
- Allow users to dbus chat with systemd_localed
- Fix handling of .xsession-errors in xserver.if, so kde will work
- Make sure we label content under /var/run/lock as <<none>>
- Allow daemon and systemprocesses to search init_var_run_t directory
- Add boolean to allow xdm to write xauth data to the home directory
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack boolean
- Fix apache_read_sys_content_rw_dirs() interface
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to access postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Looks like certmaster sends mail
- Allow logrotate to read /var/log/z-push dir
- Allow fsdaemon to send signull to all domains
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Call mailman_domain
- Fix ircssi_home_t type to irssi_home_t
- Correct file transition rule for qpidd_tmp
- Fix qpidd policy
- Add mailman_domain attribute
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow adcli running as realmd_t to connect to ldap port
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Make openshift_initrc_t an lxc_domain
- Fix labeling for drupal and wp-content in subdirs of /var/www/html
- Allow abrt to read utmp_t file
- Fix openshift policy to transition lnk_file, sock-file and fifo_file when created in a tmpfs_t, needs back port to RHEL6
- Allow gssd to manage user_tmp_t files
- Fix handling of irclogs in users homedir
- firewalld needs to be able to write to network sysctls
- fix labeling for (oo|rhc)-restorer-wrapper.sh
- Allow thumb_t to execute user home content
- cups uses usbtty_device_t devices
- These fixes were all required to build a MLS virtual Machine with single level desktops
- Allow domains to transition using httpd_exec_t
- Allow svirt domains to manage kernel key rings
- Allow setroubleshoot to execute ldconfig
- Allow firewalld to read generate gnome data

* Wed Mar 27 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-88
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow cups_t to read inherited tmpfs_t from the kernel
- Allow openshift_cron_t to look at quota
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow certwatch to execute /usr/bin/httpd
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Allow thumb_t to execute user home content
- Allow s-c-kdump to connect to syslogd
- Allow condor domains block_suspend and dac_override caps
- Allow condor_master to read passwd
- Allow condor_master to read system state
- Allow mount to write keys for the unconfined domain
- Add unconfined_write_keys() interface
- Add labeling for /usr/share/pki
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
- Allow commands that are going to read mount pid files to search mount_var_run_t

* Thu Mar 21 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-87
- Allow commands that are going to read mount pid files to search mount_var_run_t
- Make localectl set-x11-keymap working at all
- Allow localectl to read /etc/X11/xorg.conf.d directory
- Allow mount to transition to systemd_passwd_agent
- Add tcp/9150 as tor_socks_port
- Allow systemd to list all file system directories
- Allow systemd_tmpfiles to create wtmp file
- Allow automount to block suspend
- /var/spool/snmptt is a directory which snmpd needs to write to, needs back port to RHEL6
- Add support for /run/lock/opencryptoki
- Allow pkcsslotd chown capability
- Allow pkcsslotd to read passwd

* Wed Mar 13 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-86
- cups uses usbtty_device_t devices
- These fixes were all required to build a MLS virtual Machine with single level desktops
- Allow domains to transition using httpd_exec_t
- Allow svirt domains to manage kernel key rings
- Allow setroubleshoot to execute ldconfig
- Allow firewalld to read generate gnome data
- Add fixes which were all required to build a MLS virtual Machine with single level desktops
- Need to back port this to RHEL6 for openshift
- Make systemd_localed_t as unconfined for F18

* Tue Mar 12 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-85
- Allow bluetooth to read machine-info
- Allow obex to request a kernel module
- Allow mozilla_plugins to list apache modules, for use with gxine
- Fix labels for Pokemon in the users homedir
- Allow xguest to read mdstat
- Dontaudit virt_domains getattr on /dev/*
- Allow boinc domain to send signal to itself
- Add tcp/8891 as milter port
- Allow nsswitch domains to read sssd_var_lib_t files
- Allow ping to read network state.
- Fix typo
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
- Add labeling for pstorefs_t

* Fri Mar 8 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-84
- Make systemd_hostnamed_t as unconfined domain in F18
- Call rhcs_manage_cluster_pid_files() instead of rgmanger_manage_pid_files() interface
- Allow sshd to stream connect to an lxc domain
- Allow nsswitch_domains to read /etc/hostname
- xdm_t will try to list any directory mounted, we should just dontaudit them
- Fix systemd_filetrans_named_content() interface
- Allow postgresql to manage rgmanager pid files
- Allow postgresql to read ccs data
- Allow systemd_domain to send dbus messages to policykit
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
- All systemd domains that create content are reading the file_context file and setfscreate
- Systemd domains need to search through init_var_run_t
- Allow sshd to communicate with libvirt to set containers labels
- Add labeling for /var/run/hplip
- Allow iscsid to read /dev/urandom
- Allow sshd to log a user directly into a container
- Allow screen domains to configure tty and setup sock_file in ~/.screen directory, dontaudit attempts to read /etc/shadow still need to dont audit dac_override
- Allow setroubleshoot to read default_context_t, needed to backport to F18
- Label /etc/owncloud as being an apache writable directory
- Add interface to manage pid files
- Allow NetworkManager_t to read /etc/hostname
- Allow virtual machines to setrlimit and send itself signals.
- Dontaudit chrome_sandbox_nacl_t using user terminals
- Allow gluster to manage all directories as well as files

* Mon Mar 4 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-83
- Fix iptables labels
- Allow munin CGI scripts to append munin log file
- Allow munin plugin domains to read passwd
- Allow collectd CGI script to create /tmp content
- Add missing gluster boolean
- Allow collectd to create netlink_tcpdiag_socket
- Allow proceman to check the state of the network

* Thu Feb 28 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-82
- Allow logrotate to read /sys
- Allow mandb to setattr on man dirs
- label /usr/bin/yum-builddep as rpm_exec_t
- Remove init_daemon_run_dir from CUPS policy
- Backport cups+hplip merge from rawhide
- Allow munin CGI script to search munin logs
- Allow quantum to connect to amqp port
- Allow jabberd to connect to jabber_interserver_port_t
- Fix authconfig.py labeling
- Fix fcoemon policy
- Allow kdumpgui to manage bootloader_config
- Allow httpd_collectd_script to read /etc/passwd
- Allow milter domains to read /dev/random
- Allow nmbd_t to create samba_var_t directories
- Allow logrotate to getattr on all file systems
- fcoemon wants also net_raw cap. We have net_admin cap.
- Allow gpg-agent to access fips_enabled file
- Allow collectd to read utmp
- Backport munin policy from rawhide
- Allow kadmind to read /etc/passwd
- Dontaudit append .xsession-errors file on ecryptfs for policykit-auth
- Allow chrome_nacl to execute /dev/zero
- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
- Add fs_dontaudit_append_fusefs_files() interface
- Allow systemd domains to talk to kernel_t using unix_dgram_socket
- Add miscfiles_setattr_man_pages()
- Add manage interface to be used by kdumpgui
- Localectl needs to be able to send dbus signals to users
- Hostname needs to send syslog messages
- Add stream support for mpd, accessible from users

* Fri Feb 22 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-81
- Fix systemd_dbus_chat_timedated interface
- Allow userdomains to dbus chat with systemd-hostnamed
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix dbus_system_domain() interface
- Fix thumb_role() interface
- Allow cgred to list inotifyfs filesystem
- New access required for virt-sandbox
- Allow gluster to get attrs on all fs
- Allow dnsmasq to create content in /var/run/NetworkManager

* Tue Feb 19 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-80
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which is for authconfig executed by realmd

* Tue Feb 19 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-79
- Fix condor policy
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow block_suspend cap2 for glusterd
- Allow nmbd to read /dev/random
- Fix glusterd labeling
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to create unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Backport fixes for systemd-hostname policy to F18

* Fri Feb 15 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-78
- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
- Fix userdom_restricted_xwindows_user_template() interface
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
- Add support for /var/lib/systemd/linger
- Allow systemd-timestamp to set SELinux context
- Fix systemd.fc
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
- Allow systemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_
- Allow tuned to created kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
- Allow spamd_update_t to search spamc_home_t
- Avcs discovered by mounting an iscsi device under /mnt
- Avcs discovered by mounting an iscsi device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Add new tuned_tmp_t type

* Mon Feb 11 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-77
- Add basic rules for pegasus_openlmi_domain
- Add pegasus_openlmi_domain_template() interface for openlmi-*
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Fix use_ecryptfs_home_dirs boolean for chrome_sandbox_t
- Add additional fixes for ecryptfs
- Allow keystone getsched and setsched
- Allow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow glance domain to stream connect to databases
- Allow all cups domains to getattr on filesystems
- Fix pacemaker_use_execmem boolean
- Allow gpg to read fips_enabled
- FIXME: Add realmd_tmp_t until we get /var/cache/realmd
- Add support for /var/cache/realmd
- Add labeling for fenced_sanlock and allow sanlock transition to fenced_t
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Add additional interface for ecryptfs

* Tue Feb 5 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-76
- More access required for openshift_cron_t
- Fix init_status calling

* Mon Feb 4 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-75
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add xserver_xdm_ioctl_log() interface
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
- Allow xdm_t to execute gstreamer home content
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Dontaudit attempts by thumb_t to read or list /proc info
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow fsdaemon to use user pty
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Allow mozilla-plugin-config to read power_supply info
- More fixes for rsync to make rsync <backuphost> working
- Allow fsdaemon to read svirt images
- Allow logwatch to domtrans to mdadm

* Wed Jan 30 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-74
- Dontaudit r/w cache_home_t for thumb_t
- Allow rsync to getattr any file in rsync_data_t
- Allow l2tpd_t to read network manager content in /run directory
- Allow named to block_suspend capability
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_access, so that an rsync server can write all over the local machine
- logrotate needs to rotate logs in openshift directories
- comment files_relabel_non_security_files for now, it does not work with boolean
- boinc_client wants also execmem as boinc projects have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to sssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Allow application_domains to send sigchld to login programs
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information

* Mon Jan 21 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-73
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Allow colord_t to read cupsd_t state
- Add interface to colord_t dbus_chat to allow it to read remote process state

* Mon Jan 21 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-72
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
- Allow gpg_t to manage all gnome files
- Add ~/.quakelive as mozilla_home_t content
- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
- Add a couple of dontaudit rules to silence the noise
- Allow zarafa_deliver_t to bind to lmtp port, also consolidate signal_perms and setrlimit and kill to use zarafa_domain attribute
- Add mate-thumbnail-font as thumbnailer
- Add pcscd_read_pid_files() interface
- Lots of probing avc's caused by executing gpg from staff_t
- Looks like qpidd_t needs to read /dev/random
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow
- Added systemd support for ksmtuned
- Added booleans ksmtuned_use_nfs ksmtuned_use_cifs
- Add definition for 2003 as an lmtp port
- Add filename transition for opasswd

* Tue Jan 15 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir

* Thu Jan 10 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- dontaudit access checks on file systems types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- interface to dontaudit access checks on file systems types
- Add interface for postgresql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems

* Wed Jan 2 2013 Miroslav Grepl mgrepl@redhat.com 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtime

* Thu Dec 27 2012 Miroslav Grepl mgrepl@redhat.com 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories

* Fri Dec 21 2012 Miroslav Grepl mgrepl@redhat.com 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be setup to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #957842 - SELinux is preventing cobbler from serving install image
        https://bugzilla.redhat.com/show_bug.cgi?id=957842
  [ 2 ] Bug #966167 - SELinux is preventing /usr/java/jre1.7.0_21/bin/java from name_connect access on the tcp_socket
        https://bugzilla.redhat.com/show_bug.cgi?id=966167
  [ 3 ] Bug #966542 - SELinux is preventing /usr/sbin/unbound-checkconf from 'read' accesses on the file example.com.key.
        https://bugzilla.redhat.com/show_bug.cgi?id=966542
  [ 4 ] Bug #966611 - SELinux is preventing /usr/lib/udisks2/udisksd from using the 'sys_tty_config' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=966611
  [ 5 ] Bug #967298 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19/jre/bin/java from 'create' accesses on the directory .icedtea.
        https://bugzilla.redhat.com/show_bug.cgi?id=967298
  [ 6 ] Bug #965457 - chronyd can't read /dev/urandom and write to /etc/chrony.keys
        https://bugzilla.redhat.com/show_bug.cgi?id=965457
  [ 7 ] Bug #966473 - selinux-policy-targeted 3.11.1-96.fc18 breaks printing from vmware
        https://bugzilla.redhat.com/show_bug.cgi?id=966473
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org