--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-15239
2010-09-26 03:39:27
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 62.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add labeling for /root/.debug
- Remove permissive from cmirrord domain
- Dontaudit cmirrord_t sys_tty_config capability
- Allow virtd to read from processes up to its clearance
- Allow boinc-project to execute java
- Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
- Allow nrpe to send signal and sigkill to the plugins
- Fix up xguest to allow it to read hwdata and gconf_etc_t

--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 24 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-62
- Add vbetool_mmap_zero_ignore boolean

* Fri Sep 24 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-61
- Move c2s to run in jabber_router_t domain
- Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
- Allow nrpe to send signal and sigkill to the plugins
- Fix up xguest to allow it to read hwdata and gconf_etc_t

* Tue Sep 21 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-60
- Allow boinc projects to execute java

* Thu Sep 16 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-59
- Add cluster_var_lib_t type and label for /var/lib/cluster

* Wed Sep 15 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-58
- Add labeling for /root/.debug
- Remove permissive from cmirrord domain
- Dontaudit cmirrord_t sys_tty_config capability
- Allow virtd to read from processes up to its clearance

* Mon Sep 13 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-57
- Allow dovecot-deliver to create tmp files
- Allow tor to send signals to itself
- Handle /var/db/sudo
- Remove allow_corosync_rw_tmpfs boolean

* Thu Sep 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-56
- Add unconfined_mmap_zero_ignore boolean

* Thu Sep 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-55
- Allow virt domains execute qemu_exec_t
- Add support for dkim-milter
- Fixes for freshclam
- Allow iptables to read shorewall tmp files
- Add boolean to allow icecast to connect to any port
- Allow freshclam to execute shell and bin_t

* Thu Sep 2 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-54
- Allow clvmd to create tmpfs files

* Wed Sep 1 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-53
- Fixes for jabberd policy
- Fixes for sandbox policy

* Mon Aug 30 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-52
- Fix label for /bin/mountpoint
- Allow fsadm to read virt blk image files

* Wed Aug 25 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-51
- Allow seunshare fowner capability
- Allow dovecot to manage postfix private socket

* Tue Aug 24 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-50
- Fixes for boinc policy
- Fixes for shorewall policy

* Fri Aug 20 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-49
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest
- Fix amavis_read_spool_files interface

* Wed Aug 18 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-48
- Fixes for shorewall policy
- Allow sssd chown capability
- Fix label for /usr/bin/mutter
- Label dead.letter as mail_home_t
- Allow pcscd to read hardware state information
- Fixes for ulogd policy

* Fri Aug 13 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-47
- Fixes for boinc-project policy
- Allow swat to read nmbd pid file
- Allow fail2ban to read BIND log files
- Fix cert handling from Dan
- Remove transition from unconfined to ncftool domain

* Wed Aug 11 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-46
- Allow ipsec-mgmt to dbus chat with unconfined
- Fixes for boinc policy

* Tue Aug 10 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-45
- Fixes for cgroup policy
- Fixes for ncftool policy
- Add ncftool_read_user_content boolean
- Fix label for boinc init script
- Fix label for fence_tool
- Allow vhostmd to write virt content
- Allow ricci domtrans to shutdown

* Thu Aug 5 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date

* Wed Aug 4 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-43
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack

* Mon Aug 2 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy

* Tue Jul 27 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-41
- Allow logwatch_mail to read the networking state information.
- Add label for /usr/bin/dosbox
- Allow sysstat sys_admin capability

* Fri Jul 23 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-40
- Fixes for puppetmaster
- Fix label for kadmin init script
- Fixes for logwatch-mail policy
- Allow arpwatch to request the kernel to load modules
- Allow cron jobs to run with context of user that started them

* Wed Jul 21 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-39
- Allow munin_system_plugin to read files in /usr
- Do not audit insmod attempts to write virt daemon unnamed pipes
- Allow corosync to read ricci lib files

* Mon Jul 19 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-38
- Allow xdm_t to manage gnome homedir content
- Allow s-c-firewall to read and write virtual memory sysctls
- Fixes for logwatch policy

* Wed Jul 14 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy

* Tue Jul 13 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean

* Fri Jul 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy

* Thu Jul 1 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-34
- Fix ipsec-mgmt interface

* Wed Jun 30 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface

* Mon Jun 28 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces

* Mon Jun 21 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Allow all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to append abrt_var_cache files
- Fixed label for abrt.socket

* Wed Jun 16 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev

* Tue Jun 15 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote

* Mon Jun 14 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy

* Wed Jun 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy

* Wed Jun 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label

* Tue Jun 8 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories

* Thu Jun 3 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow sysstat to use nscd socket
- Fixes for boinc policy

* Tue Jun 1 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability

* Tue May 25 2010 Dan Walsh dwalsh@redhat.com 3.7.19-22
- Allow procmail to execute scripts in the user's home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label

* Mon May 24 2010 Dan Walsh dwalsh@redhat.com 3.7.19-21
- Allow login programs to read krb5_home_t
  Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
  Resolves: #575084

* Thu May 20 2010 Dan Walsh dwalsh@redhat.com 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool

* Wed May 19 2010 Dan Walsh dwalsh@redhat.com 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptables to read usr files
- allow policykit to read all domains state

* Thu May 13 2010 Dan Walsh dwalsh@redhat.com 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport

* Wed May 12 2010 Dan Walsh dwalsh@redhat.com 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow piranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules

* Mon May 10 2010 Dan Walsh dwalsh@redhat.com 3.7.19-15
- Allow gdm to edit ~/.gconf dir
  Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
  Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log

* Thu May 6 2010 Dan Walsh dwalsh@redhat.com 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
  Resolves: #586663

* Thu May 6 2010 Dan Walsh dwalsh@redhat.com 3.7.19-13
- Allow boinc to send mail

* Wed May 5 2010 Dan Walsh dwalsh@redhat.com 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
  Resolves: #589136

* Mon May 3 2010 Dan Walsh dwalsh@redhat.com 3.7.19-11
- Fix location of oddjob_mkhomedir
  Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
  Resolves: #586760

--------------------------------------------------------------------------------
References:
[ 1 ] Bug #632460 - SELinux is preventing /bin/mailx "read" access on /var/log/vsftpd.log-20100810.
      https://bugzilla.redhat.com/show_bug.cgi?id=632460
[ 2 ] Bug #635514 - SELinux is preventing /usr/lib/jvm/java-1.6.0-sun-1.6.0.21/jre/bin/java "add_name" access on 10187
      https://bugzilla.redhat.com/show_bug.cgi?id=635514
[ 3 ] Bug #636812 - SELinux is preventing /usr/libexec/dovecot/deliver access to a leaked /var/log/fail2ban.log file descriptor.
      https://bugzilla.redhat.com/show_bug.cgi?id=636812
[ 4 ] Bug #636305 - SELinux prevents Nagios from killing long-running plugins
      https://bugzilla.redhat.com/show_bug.cgi?id=636305
[ 5 ] Bug #631060 - SELinux is preventing /usr/lib/vlc/vlc-cache-gen from loading /usr/lib/vlc/plugins/codec/librealvideo_plugin.so, which requires text relocation.
      https://bugzilla.redhat.com/show_bug.cgi?id=631060
[ 6 ] Bug #634074 - SELinux is preventing /usr/sbin/NetworkManager "signal" access.
      https://bugzilla.redhat.com/show_bug.cgi?id=634074
[ 7 ] Bug #636232 - plymouth shutdown/reboot splash does not display.
      https://bugzilla.redhat.com/show_bug.cgi?id=636232
[ 8 ] Bug #528022 - setroubleshoot: SELinux is preventing /usr/sbin/vbetool "mmap_zero" access on <Unknown>.
      https://bugzilla.redhat.com/show_bug.cgi?id=528022
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org