--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-7953
2012-05-16 19:26:34
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 125.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

- Make systemd unit files less specific
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to make getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux work if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs work correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events

* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
- Make systemd unit files less specific

* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin

* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer

--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #748449 - unable to access kerberos tmp file
        https://bugzilla.redhat.com/show_bug.cgi?id=748449
  [ 2 ] Bug #819172 - SELinux is preventing /usr/bin/totem from 'name_bind' accesses on the udp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=819172
  [ 3 ] Bug #819173 - SELinux is preventing /usr/bin/totem from 'write' accesses on the file /home/spider/.grl-metadata-store.
        https://bugzilla.redhat.com/show_bug.cgi?id=819173
  [ 4 ] Bug #819347 - SELinux is preventing /usr/libexec/gdm-session-worker from 'read' accesses on the file nologin.
        https://bugzilla.redhat.com/show_bug.cgi?id=819347
  [ 5 ] Bug #819927 - SELinux is preventing restorecond from 'getattr' accesses on the filesystem /run.
        https://bugzilla.redhat.com/show_bug.cgi?id=819927
  [ 6 ] Bug #820316 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the directory .orc.
        https://bugzilla.redhat.com/show_bug.cgi?id=820316
  [ 7 ] Bug #820322 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'sendto' accesses on the unix_dgram_socket @google-nacl-o3d12032-12.
        https://bugzilla.redhat.com/show_bug.cgi?id=820322
  [ 8 ] Bug #820484 - SELinux is preventing /usr/bin/spicec from 'write' accesses on the file /home/wdh/.spicec/cegui.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=820484
  [ 9 ] Bug #821182 - SELinux is preventing /usr/bin/numad from 'read' accesses on the directory cpu.
        https://bugzilla.redhat.com/show_bug.cgi?id=821182
  [ 10 ] Bug #821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=821268
  [ 11 ] Bug #822035 - SELinux is preventing totem-video-thu from 'create' accesses on the directory .gstreamer-0.10.
        https://bugzilla.redhat.com/show_bug.cgi?id=822035
  [ 12 ] Bug #801330 - AVC denials starting OpenStack glance services
        https://bugzilla.redhat.com/show_bug.cgi?id=801330
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
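The following script is an added example, not part of the Fedora advisory or of the selinux-policy package. It ties together the install step and the signing note above: it compares the installed selinux-policy Version-Release against the 3.10.0-125.fc17 this update ships, prints the yum command when the host is behind, then shows which key signed the installed package, whether the updates repo enforces gpgcheck, and the current value of the user_tcp_server boolean that the ssh_t port change in this update is gated on. Assumptions: GNU "sort -V" is available for the offline version comparison (rpmdev-vercmp is the authoritative tool for RPM ordering), and /etc/yum.repos.d/fedora-updates.repo is the Fedora 17 default repo file; the getsebool call is skipped when the tool is absent.

```sh
#!/bin/sh
# Added example (not from the advisory or the selinux-policy project):
# check whether this host still needs FEDORA-2012-7953 and run the sanity
# checks worth doing around "yum update selinux-policy".

ADVISORY_VR="3.10.0-125.fc17"    # Version-Release from the advisory header

# needs_update INSTALLED REQUIRED
# Returns 0 (true) when INSTALLED sorts strictly older than REQUIRED.
# Assumption: GNU "sort -V" is present, so the comparison runs offline.
needs_update() {
    installed=$1
    required=$2
    [ "$installed" = "$required" ] && return 1
    oldest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
    [ "$oldest" = "$installed" ]
}

# installed_vr PACKAGE
# Prints the installed Version-Release, e.g. "3.10.0-123.fc17".
# Fails (non-zero) when rpm is absent or the package is not installed.
installed_vr() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

main() {
    if ! cur=$(installed_vr selinux-policy); then
        echo "selinux-policy not installed or rpm unavailable; nothing to compare"
        return 0
    fi
    if needs_update "$cur" "$ADVISORY_VR"; then
        echo "selinux-policy $cur is older than $ADVISORY_VR, apply the update:"
        echo "  su -c 'yum update selinux-policy'"
    else
        echo "selinux-policy $cur is at or beyond $ADVISORY_VR"
    fi
    # Which key signed the package in the rpm database ("(none)" means unsigned).
    rpm -q --qf 'signature: %{SIGPGP:pgpsig}\n' selinux-policy
    # Assumed Fedora 17 default repo file; gpgcheck=1 makes yum reject unsigned updates.
    grep -H '^gpgcheck' /etc/yum.repos.d/fedora-updates.repo 2>/dev/null || true
    # The ssh_t unreserved-port binding in this update is gated by this boolean.
    if command -v getsebool >/dev/null 2>&1; then
        getsebool user_tcp_server || true
    fi
}

main
```

On a host where rpm is missing (or the package is absent) the script only reports that there is nothing to compare, so it is safe to run off-box; needs_update is kept separate so the comparison can be reused for other advisories.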