-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2018-46564d0139 2018-08-16 08:05:04.601782 --------------------------------------------------------------------------------
Name : selinux-policy Product : Fedora 28 Version : 3.14.1 Release : 40.fc28 URL : %{git0-base} Summary : SELinux policy configuration Description : SELinux Base package for SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117
-------------------------------------------------------------------------------- Update Information:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1135126 ---- Adding support for bolt SELinux policy. -------------------------------------------------------------------------------- ChangeLog:
* Fri Aug 10 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-40 - Fix issue with aliases in apache interface file - Add same context for symlink as binary - Allow boltd_t to send logs to journal - Allow colord_use_nfs to allow colord also mmap nfs_t files - Allow mysqld_safe_t do execute itself - Allow smbd_t domain to chat via dbus with avahi daemon - cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t - Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain - Add alias httpd__script_t to _script_t to make sepolicy generate working - Allow gpg_t domain to mmap gpg_agent_tmp_t files - label /var/lib/pgsql/data/log as postgresql_log_t - Allow sysadm_t domain to accept socket - Allow systemd to manage passwd_file_t - Allow sshd_t domain to mmap user_tmp_t files * Tue Aug 7 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-39 - Rebuild with support for boltd * Tue Aug 7 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-38 - Allow kprop_t domain to read network state - Add support boltd policy - Allow kpropd domain to exec itself - Allow pdns_t to bind on tcp transproxy port - Add support for opafm service - Allow hsqldb_t domain to read cgroup files - Allow rngd_t domain to read generic certs - Allow innd_t domain to mmap own var_lib_t files - Update screen_role_temaplate interface - Allow chronyd_t domain to mmap own tmpfs files - Allow chronyd_t domain to mmap own tmpfs files - Fix typo bug in oracleasm policy module - Allow systemd to mounont boltd lib dirs - Allow sysadm_t domain to create rawip sockets - Allow sysadm_t domain to listen on socket - Update sudo_role_template() to allow caller domain also setattr generic ptys * Sun Jul 29 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-37 - Allow sblim_sfcbd_t domain to mmap own tmpfs files - Allow nfsd_t domain to read krb5 keytab files - Allow nfsd_t domain to manage fadm pid files - Allow virt_domain to create icmp sockets BZ(1609142) - Dontaudit oracleasm_t domain to request sys_admin capability - Allow iscsid_t domain to load kernel module - Allow aide to mmap all files - Revert "Allow firewalld_t do read iptables_var_run_t files" - Revert "Allow firewalld to create rawip sockets" - Allow svirt_tcg_t domain to read system state of virtd_t domains - Update rhcs contexts to reflects the latest fenced changes - Allow httpd_t domain to rw user_tmp_t files - Update logging_manage_all_logs() interface to allow caller domain map all logfiles - Fixed typo in logging_audisp_domain interface - Add interface files_mmap_all_files() * Wed Jul 25 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-36 - Allow aide to mmap all files - Revert "Allow firewalld_t do read iptables_var_run_t files" - Revert "Allow firewalld to create rawip sockets" - Allow svirt_tcg_t domain to read system state of virtd_t domains - Update rhcs contexts to reflects the latest fenced changes - Allow httpd_t domain to rw user_tmp_t files - Fix typo in openct policy - Allow winbind_t domian to connect to all ephemeral ports - Allow firewalld_t do read iptables_var_run_t files - Allow abrt_t domain to mmap data_home files - Allow glusterd_t domain to mmap user_tmp_t files - Allow mongodb_t domain to mmap own var_lib_t files - Allow firewalld to read kernel usermodehelper state - Allow modemmanager_t to read sssd public files - Allow openct_t domain to mmap own var_run_t files - Allow nnp transition for devicekit daemons - Allow firewalld to create rawip sockets - Allow firewalld to getattr proc filesystem - Dontaudit sys_admin capability for pcscd_t domain - Revert "Allow pcsd_t domain sys_admin capability" - Allow fetchmail_t domain to stream connect to sssd - Allow pcsd_t domain sys_admin capability - Allow cupsd_t to create cupsd_etc_t dirs - Allow varnishlog_t domain to list varnishd_var_lib_t dirs - Allow mongodb_t domain to read system network state BZ(1599230) - Allow zoneminder_t to getattr of fs_t - Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377) - Allow iscsid_t domain to mmap sysfs_t files - Allow httpd_t domain to mmap own cache files - Add sys_resource capability to nslcd_t domain - Fixed typo in logging_audisp_domain interface - Add interface files_mmap_all_files() - Add interface iptables_read_var_run() - Allow systemd to mounton init_var_run_t files - Update policy rules for auditd_t based on changes in audit version 3 - Allow systemd_tmpfiles_t do mmap system db files - Don't setup unlabeled_t as an entry_type - Allow unconfined_service_t to transition to container_runtime_t - Improve domain_transition_pattern to allow mmap entrypoint bin file. * Wed Jul 18 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-35 - Allow cupsd_t domain to mmap cupsd_etc_t files - Allow kadmind_t domain to mmap krb5kdc_principal_t - Allow virtlogd_t domain to read virt_etc_t link files - Allow dirsrv_t domain to read crack db - Dontaudit pegasus_t to require sys_admin capability - Allow mysqld_t domain to exec mysqld_exec_t binary files - Allow abrt_t odmain to read rhsmcertd lib files - Allow winbind_t domain to request kernel module loads - Allow tomcat_domain to read cgroup_t files - Allow varnishlog_t domain to mmap varnishd_var_lib_t files - Allow innd_t domain to mmap news_spool_t files - Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t - Allow fenced_t domain to reboot - Allow amanda_t domain to read network system state - Allow abrt_t domain to read rhsmcertd logs - Dontaudit syslogd to watching top llevel dirs when imfile module is enabled - Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)" - Allow userdomain sudo domains to use generic ptys - Allow systemd labeled as init_t to get sysvipc info BZ(1600877) - Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690) * Tue Jul 3 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-34 - Add dac_read_search capability to thumb_t domain - Add dac_override capability to cups_pdf_t domain BZ(1594271) - Add net_admin capability to connntrackd_t domain BZ(1594221) - Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234) - Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476) - Allow motion_t to mmap video devices BZ(1590446) - Add dac_override capability to mpd_t domain BZ(1585358) - Allow fsdaemon_t domain to write to mta home files BZ(1588212) - Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337) - Allow sssd_t domain to write to general cert files BZ(1589339) - Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483) - Allow cockpit_session_t to read kernel network state BZ(1596941) - Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817) - Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files - Allow chronyc_t domain to use nscd shm - Label /var/lib/tomcats dir as tomcat_var_lib_t - Allow lsmd_t domain to mmap lsmd_plugin_exec_t files - Add ibacm policy - Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t - Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t - Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services - Allow crond_t domain to create netlink selinux sockets and dac_override cap. - Allow radiusd_t domain to have dac_override capability - Allow amanda_t domain to have setgid capability - Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label - Allow abrt_t domain to write to rhsmcertd pid files - Allow pegasus_t domain to eexec lvm binaries and allow read/write access to lvm control - Add vhostmd_t domain to read/write to svirt images - Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files - Allow sssd_t and slpad_t domains to mmap generic certs - Allow chronyc_t domain use inherited user ttys - Allow stapserver_t domain to mmap own tmp files - Allow systemd to mounton core kernel interface - Add dac_override capability to ipsec_t domain BZ(1589534) - Allow systemd domain to mmap lvm config files BZ(1594584) - Allow systemd to write systemd_logind_inhibit_var_run_t fifo files - Allows systemd to get attribues of core kernel interface BZ(1596928) - Allow systemd_modules_load_t to access unabeled infiniband pkeys - Allow init_t domain to create netlink rdma sockets for ibacm policy - Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files - Allow lvm_t domain to write files to all mls levels - Add to su_role_template allow rule for creating netlink_selinux sockets - Allow sysadm_t domain to mmap hwdb db - Allow udev_t domain to mmap kernel modules - Allow sysadm_screen_t to have capability dac_override and chown - Allow sysadm_t domain to mmap journal - Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide - Label /etc/systemd/system.control/ dir as systemd_unit_file_t - Merge pull request #215 from bachradsusi/merge-conf-from-fedora - Allow sysadm_t and staff_t domains to use sudo io logging - Allow sysadm_t domain create sctp sockets - Add snapperd_contexts to the policy - Use system_u:system_r:unconfined_t:s0 in userhelper_context - Remove unneeded system_u seusers mapping. - Fedora targeted default user is unconfined_u, root is unconfined_u as well - Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users. - Change failsafe_context to unconfined_r:unconfined_t:s0 - Update lxc_contexts from Fedora config.tgz - Add lxc_contexts config file * Thu Jun 14 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-33 - Merge pull request #60 from vmojzis/rawhide - Allow tangd_t domain stream connect to sssd - Allow oddjob_t domain to chat with systemd via dbus - Allow freeipmi domains to mmap sysfs files - Fix typo in logwatch interface file - Allow spamd_t to manage logwatch_cache_t files/dirs - Allow dnsmasw_t domain to create own tmp files and manage mnt files - Allow fail2ban_client_t to inherit rlimit information from parent process - Allow nscd_t to read kernel sysctls - Label /var/log/conman.d as conman_log_t - Add dac_override capability to tor_t domain - Allow certmonger_t to readwrite to user_tmp_t dirs - Allow abrt_upload_watch_t domain to read general certs - Allow chornyd_t read phc2sys_t shared memory - Add several allow rules for pesign policy: - Add setgid and setuid capabilities to mysqlfd_safe_t domain - Add tomcat_can_network_connect_db boolean - Update virt_use_sanlock() boolean to read sanlock state - Add sanlock_read_state() interface - Allow zoneminder_t to getattr of fs_t - Allow rhsmcertd_t domain to send signull to postgresql_t domain - Add log file type to collectd and allow corresponding access - Allow policykit_t domain to dbus chat with dhcpc_t - Adding new boolean keepalived_connect_any() - Allow amanda to create own amanda_tmpfs_t files - Allow gdomap_t domain to connect to qdomap_port_t - Merge pull request #56 from lslebodn/selinux_child - Merge pull request #58 from milosmalik/fb-dictd-dbus - Merge pull request #59 from milosmalik/fb-ntop-service - /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type - Allow ntop_t domain to create/map various sockets/files. - Enable the dictd to communicate via D-bus. - Allow inetd_child process to chat via dbus with abrt - Allow zabbix_agent_t domain to connect to redis_port_t - Allow rhsmcertd_t domain to read xenfs_t files - Allow zabbix_agent_t to run zabbix scripts - Fix openvswith SELinux module - Fix wrong path in tlp context file BZ(1586329) - Update brltty SELinux module - Allow rabbitmq_t domain to create own tmp files/dirs - Allow policykit_t mmap policykit_auth_exec_t files - Allow ipmievd_t domain to read general certs - Add sys_ptrace capability to pcp_pmie_t domain - Allow squid domain to exec ldconfig - Update gpg SELinux policy module - Allow mailman_domain to read system network state - Allow openvswitch_t domain to read neutron state and read/write fixed disk devices - Allow antivirus_domain to read all domain system state - Allow targetd_t domain to red gconf_home_t files/dirs - Label /usr/libexec/bluetooth/obexd as obexd_exec_t - Add interface nagios_unconfined_signull() - Fix typos in zabbix.te file - Add missing requires - Allow tomcat domain sends email - Fix typo in sge policy - Allow certmonger to sends emails - Allow tomcat_t do mmap tomcat_tmp_t files - Improve sge_rw_tcp_sockets interface - Adding new interface: sge_rw_tcp_sockets() - Update sge_execd_t domain with few rules - Add new zabbix_run_sudo boolean - Allow traceroute_t domain to exec bin_t binaries - Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override - Add new interface dev_map_sysfs() - Allow sshd_keygen_t to execute plymouthd - Allow systemd_networkd_t create and relabel tun sockets - Add new interface postgresql_signull() - Merge pull request #214 from wrabcak/fb-dhcpc - Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971) - Allow confined users get AFS tokens - Allow sysadm_t domain to chat via dbus - Associate sysctl_kernel_t type with filesystem attribute - Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t - Fix typo in netutils.te file - Update traceroute_t domain to allow create dccp sockets - Update ssh_keysign policy - Allow sshd_t domain to read/write sge tcp sockets * Wed Jun 6 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-32 - Add dac_override capability to sendmail_t domain * Wed Jun 6 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-31 - Fix typo in authconfig policy - Update ctdb domain to support gNFS setup - Allow authconfig_t dbus chat with policykit - Allow lircd_t domain to read system state - Revert "Allow fsdaemon_t do send emails BZ(1582701)" - Typo in uuidd policy - Allow tangd_t domain read certs - Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107) - Allow vpnc_t domain to read generic certs BZ(1583100) - Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811) - Allow NetworkManager_ssh_t domain to be system dbud client - Allow virt_qemu_ga_t read utmp - Add capability dac_override to system_mail_t domain - Update uuidd policy to reflect last changes from base branch - Add cap dac_override to procmail_t domain - Allow sendmail to mmap etc_aliases_t files BZ(1578569) - Add new interface dbus_read_pid_sock_files() - Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled - Allow fsdaemon_t do send emails BZ(1582701) - Allow firewalld_t domain to request kernel module BZ(1573501) - Allow chronyd_t domain to send send msg via dgram socket BZ(1584757) - Add sys_admin capability to fprint_t SELinux domain - Allow cyrus_t domain to create own files under /var/run BZ(1582885) - Allow cachefiles_kernel_t domain to have capability dac_override - Update policy for ypserv_t domain - Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t - Allow cyrus to have dac_override capability - Dontaudit action when abrt-hook-ccpp is writing to nscd sockets - Fix homedir polyinstantion under mls - Fixed typo in init.if file - Allow systemd to remove generic tmpt files BZ(1583144) - Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation - Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075) - Fix typo in authlogin SELinux security module - Allod nsswitch_domain attribute to be system dbusd client BZ(1584632) - Allow audisp_t domain to mmap audisp_exec_t binary - Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file - Label tcp/udp ports 2612 as qpasa_agetn_port_t * Sat May 26 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-30 - Add dac_override to exim policy BZ(1574303) - Fix typo in conntrackd.fc file - Allow sssd_t to kill sssd_selinux_manager_t - Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on - Allow chronyc_t to redirect ourput to /var/lib /var/log and /tmp - Allow policykit_auth_t to read udev db files BZ(1574419) - Allow varnishd_t do be dbus client BZ(1582251) - Allow cyrus_t domain to mmap own pid files BZ(1582183) - Allow user_mail_t domain to mmap etc_aliases_t files - Allow gkeyringd domains to run ssh agents - Allow gpg_pinentry_t domain read ssh state - Allow gpg_agent_t to send msgs to syslog/journal - Add dac_override capability to dovecot_t domain - Allow nscd_t domain to mmap system_db_t files - Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files - Allow sysadm_u use xdm - Allow xdm_t domain to listen ofor unix dgram sockets BZ(1581495) - Add interface ssh_read_state() - Fix typo in sysnetwork.if file - Update dev_map_xserver_misc interface to allo mmaping char devices instead of files - Allow noatsecure permission for all domain transitions from systemd. - Allow systemd to read tangd db files - Fix typo in ssh.if file - Allow xdm_t domain to mmap xserver_misc_device_t files * Thu May 24 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-29 - Fixed typos in devices.if file * Thu May 24 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-28 - Allow mailman_mail_t domain to search for apache configs - Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets. - Improve procmail_domtrans() to allow mmaping procmail_exec_t - Allow ptrace arbitrary processes - Allow jabberd_router_t domain read kerberos keytabs BZ(1573945) - Allow certmonger to geattr of filesystems BZ(1578755) - Allow hypervvssd_t domain to read fixed disk devices - Allow several domains to manage ecryptfs_t filesystem - Allow userdom_use_user_ttys for loadkeys_t domain - Add dac_override capability to cachefiles_kernel_t domain - Allow blueman to execute ldconfig BZ(1577581) - Allow gpg_pinentry_t domain to read state of gpg_t processes - Allow xdm_t domain to mmap xserver_misc_device_t files - Allow xdm_t domain to execute systemd-coredump binary - Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set - Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries - Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary - Improve auth_domtrans_login_programinterface to allow also mmap login_exec_t binaries - Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries. - Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface - Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used - Associate sysctl_vm_overcommit_t with fs_t - Allow systemd creating bluetooth sockets - Allow ssh client to read network sysctl BZ(1574170) - Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files * Tue May 22 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-27 - Increase dependency versions of policycoreutils and checkpolicy packages * Mon May 21 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-26 - Disable secure mode environment cleansing for dirsrv_t - Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label. * Mon May 21 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-25 - Add dac_override capability to remote_login_t domain - Allow chrome_sandbox_t to mmap tmp files - Update ulogd SELinux security policy - Allow rhsmcertd_t domain send signull to apache processes - Allow systemd socket activation for modemmanager - Allow geoclue to dbus chat with systemd - Fix file contexts on conntrackd policy - Temporary fix for varnish and apache adding capability for DAC_OVERRIDE - Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets - Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t - Allow nscd_t domain to be system dbusd client - Allow abrt_t domain to read sysctl - Add dac_read_search capability for tangd - Allow systemd socket activation for rshd domain - Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t - Allow kdump_t domain to map /boot files - Allow conntrackd_t domain to send msgs to syslog - Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t - Allow swnserve_t domain to stream connect to sasl domain - Allow smbcontrol_t to create dirs with samba_var_t label - Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760) - Allow tangd to read public sssd files BZ(1509054) - Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212) - Allow ctdb_t domain modify ctdb_exec_t files - Allow firewalld_t domain to create netlink_netfilter sockets - Allow radiusd_t domain to read network sysctls - Allow pegasus_t domain to mount tracefs_t filesystem - Allow psad_t domain to read all domains state - Allow tomcat_t domain to connect to mongod_t tcp port - Allow dovecot and postfix to connect to systemd stream sockets - Make nmbd_t domain dbus system client BZ(1569856) - Merge pull request #55 from SISheogorath/fix/tlp-policy - Merge pull request #54 from tmzullinger/rawhide - Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168) - Allow gssproxy_t domain to read gssd_t state BZ(1572945) - Allow create systemd to mount pid files - Add files_map_boot_files() interface - Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760) - Fix typo xserver SELinux module - Allow systemd to mmap files with var_log_t label - Allow x_userdomains read/write to xserver session - Allow users staff and sysadm to run wireshark on own domain - Fix typos s/xserver/xdm/ for allow creating xserver misc devices - Allow systemd-bootchart to create own tmpfs files - Merge pull request #213 from tmzullinger/rawhide - Allow xdm_t domain to install Nouveau drivers BZ(1570996) - Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) * Sat Apr 28 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-24 - Allow unconfined_domain_type to create libs filetrans named content BZ(1513806) * Fri Apr 27 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-23 - Allow dnssec_trigger_t domain to read system network state BZ(1570205) - Add dac_override capability to mailman_mail_t domain - Add dac_override capability to radvd_t domain - Update openvswitch policy - Add dac_override capability to oddjob_homedir_t domain - Allow slapd_t domain to mmap slapd_var_run_t files - Rename tang policy to tangd - Allow virtd_t domain to relabel virt_var_lib_t files - Allow logrotate_t domain to stop services via systemd - Add tang policy - Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t - Allow snapperd_t daemon to create unlabeled dirs. - Make httpd_var_run_t mountpoint - Allow hsqldb_t domain to mmap own temp files - We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliasses to make it consistence - Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP - Add new Boolean tomcat_use_execmem - Allow nfsd_t domain to read/write sysctl fs files - Allow conman to read system state - Allow brltty_t domain to be dbusd system client - Allow zebra_t domain to bind on babel udp port - Allow freeipmi domain to read sysfs_t files - Allow targetd_t domain mmap lvm config files - Allow abrt_t domain to manage kdump crash files - gnome_data_filetrans macro should be in optional block - Allow netutils_t domain to create bluetooth sockets - Allow traceroute to bind on generic sctp node - Allow traceroute to search network sysctls - Allow systemd to use virtio console - Label /dev/op_panel and /dev/opal-prd as opal_device_t - Label /run/ebtables.lock as iptables_var_run_t - Allow udev_t domain to manage udev_rules_t char files. - Assign babel_port_t label to udp port 6696 - Add new interface lvm_map_config - Merge pull request #212 from stlaz/patch-1 - Allow local_login_t reads of udev_var_run_t context * Wed Apr 18 2018 Lukas Vrabec lvrabec@redhat.com - 3.14.1-22 - Allow networkmanager domain to write to ecryptfs_t files BZ(1566706) - Allow l2tpd domain to stream connect to sssd BZ(1568160) - Dontaudit abrt_t to write to lib_t dirs BZ(1566784) - Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1614333 - SELinux is preventing boltd from 'write' accesses on the sock_file socket. https://bugzilla.redhat.com/show_bug.cgi?id=1614333 [ 2 ] Bug #1613969 - SELinux is preventing colord from 'map' accesses on the file /home/myuser/.local/share/icc/edid-e6a5375115240064bcc0d7209d55eed8.icc. https://bugzilla.redhat.com/show_bug.cgi?id=1613969 [ 3 ] Bug #1614763 - please fix /var/lib/pgsql/data/log label to postgresql_log_t https://bugzilla.redhat.com/show_bug.cgi?id=1614763 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-46564d0139' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------