--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-22197
2013-11-27 03:57:13
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 74.14.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 26 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.14
- Allow apmd to request the kernel load module
- Allow sssd to request the kernel loads modules
- label mate-keyring-daemon with gkeyringd_exec_t
- Allow procmail_t to connect to dovecot stream sockets
- Allow smoltclient to execute ldconfig
- Allow condor domains to read/write condor_master udp_socket
- sendmail can attempt to block suspend, but will complete successfully
- Add support for texlive2013
- Allow passwd_t to connect to gnome keyring to change password
- Should allow domains to lock the terminal device

* Mon Nov 11 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-74.13
- Update xserver.te to make GDM working

* Fri Nov 8 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.12
- Fixed userdom_dontaudit_delete_user_tmp_files
- Add auth_exec_chkpwd interface
- Add interface to dontaudit attempts to delete user_tmp_t files on thumbnails
- Add tcp/8893 as milter port
- Dontaudit leaked write descriptor to dmesg
- Add rpc_kill_rpcd interface
- Dontaudit attempts to write/delete user_tmp_t files
- Dontaudit attempts by system_mail to modify network config
- Allow ipc_lock for abrt to run journalctl.
- Update zoneminder policy
- Add policy for motion service
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmount all filesystems
- Allow xenstored to read virt config

* Tue Oct 22 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.11
- Back port piranha tmpfs fixes from RHEL6
- Fix piranha_domain_template()
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Allow svirt_domains to read sysctl_net_t
- Update ppp_manage_pid_files interface
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow dovecot-auth to read nologin
- Allow mailserver_domains to manage and transition to mailman data
- Allow thin_t to block suspend
- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
- wicd.pid should be labeled as networkmanager_var_run_t
- Label /sbin/xfs_growfs as fsadm_exec_t
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
- Fix labeling for /etc/strongswan/ipsec.d
- Add labeling for /var/run/charon.ctl socket
- Allow syslogd_t to connect to the syslog_tls port

* Tue Oct 15 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.10
- Add kill capability in glusterfs policy
- Add postfix_rw_spool_maildrop_files interface
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow init_t to read gnome home data
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within
- Allow httpd_t to read also git sys content symlinks
- Remove httpd_cobbler_content * from cobbler_admin interface
- allow openshift_cgroup_t to read/write inherited openshift file types
- fix gnome_read_generic_data_home_files interface
- Make sure if systemd_logind creates nologin file with the correct label
- Allow syslog to bind to tls ports
- Clean up ipsec.te
- Allow init_t to read gnome home data
- Allow to su_domain to read init states
- Update labeling for /dev/cdc-wdm

* Tue Oct 8 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.9
- Allow systemd domains to read /dev/urand
- Remove duplicated interfaces
- Fix port definition for ctdb ports
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Match upstream labeling
- Fix labeling for mgetty.* logs
- glusterd binds to random unreserved ports
- add type definition for ctdbd_var_t
- Fix ctdb.te
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- apcupsd needs to send a message to all users on the system so needs to look them up
- Allow polipo_daemon to connect to flash ports
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Fix the label on ~/.juniper_networks
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
- Allow condor domains to list etc rw dirs
- Allow cobblerd to connect to mysql
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow dirsrv_t to create tmpfs_t directories
- Allow openvpn_t to manage openvpn_var_log_t files.

* Thu Sep 26 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.8
- Get labeling right on ipsec.secrets
- Allow systemd to read dhcpc_state
- Allow amanda to write to /etc/amanda/DailySet1 directory
- Fix English on gssd_read_tmp boolean descriptions
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Fix typo in abrt.te

* Wed Sep 25 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-74.7
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow mozilla_plugin to transition to itself
- Allow mdadm_t to read images labeled svirt_image_t
- Allow NetworkManager to set the kernel scheduler
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- More handling of the kernel keyring required by kerberos

* Fri Sep 20 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-74.6
- Keep initrc_domain if init_t executes bin_t

* Fri Sep 20 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.5
- Fix label on pam_krb5 helper apps
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Fix label on pam_krb5 helper apps
- Allow init_t to run crash utility
- Call neutron interfaces instead of quantum
- Allow users to communicate with journald using tmpfs files
- Allow nslcd to send signull to itself
- Fix virtd_lxc_t to be able to communicate with hal, need backport to rhel6 ASAP, for docker stuff
- Fix missing types in virt_admin interface
- Dontaudit attempts by sosreport to read shadow_t
- Allow cobbler to exec rsync and communicate with sssd, using nsswitch
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Allow irc_t to use tcp sockets
- Add labels for apache logs under miq package
- Allow fetchmail to send mails
- allow neutron to connect to amqp ports
- Fix to use quantum port
- Rename quantum to neutron
- Allow virt_qemu_ga_t to read meminfo
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow ldconfig to write to kdumpctl fifo files
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys

* Mon Sep 16 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.4
- fix bad labels in puppet.if
- Allow tcsd to read utmp file
- Define svirt_socket_t as a domain_type
- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file
- Allow passenger to execute ifconfig

* Wed Sep 11 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.3
- Treat usr_t just like bin_t for transitions and executions
- Allow memcache to read sysfs data
- openct needs to be able to create netlink_object_uevent_sockets
- Allow nslcd to read /sys/devices/system/cpu
- Allow mdadm to read /dev/mei
- amanda_exec_t needs to be executable file
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- Allow setpgid and r/w cluster tmpfs for fenced_t
- Allow block_suspend cap for samba-net
- Allow mpd setcap which is needed by pulseaudio
- Add antivirus_home_t type for antivirus date in HOMEDIRS
- Allow glance-api to connect to amqp port
- Fix wrong capabilities in rhcs policy

* Fri Sep 6 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.2
- Fix lsm.fc for pid files
- Allow init_t to transition to all inetd domains
- Allow tgtd_t to connect to isns ports
- Lots of new access required for sosreport
- svirt domains need to create kobject_uevint_sockets
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- Cleanup related to init_domain()+inetd_domain fixes
- Allow cvs to bind to the cvs_port
- Allow ktalkd to bind to the ktalkd_port
- Allow telnetd to bind to the telnetd_port
- Allow rlogind to bind to the rlogin_port
- Allow apache domain to connect to gssproxy socket
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow cupsd_lpd_t to bind to the printer port
- Allow a confined domain to execute mozilla_exec_t via dbus
- Allow mdadm to getattr any file system
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow all domains that can read gnome_config to read kde config
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Fix mozilla_plugin_rw_tmpfs_files()
- Allow systemd running as git_systemd to bind git port
- Allow firewalld to read NM state
- Add interface couchdb_search_pid_dirs
- Add support for couchdb in rabbitmq policy
- Add boolean boinc_execmem
- Add interface netowrkmanager_initrc_domtrans
- Dontaudit leaks into ldconfig_t
- Dontaudit inherited lock files in ifconfig o dhcpc_t
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Add interface to read authorization data in the users homedir
- Allow ipsec_t to read .google authenticator data
- Allow staff_t to read login config
- Treat files labeled as usr_t like bin_t when it comes to transitions
- Split out rlogin ports from inetd
- Add interface seutil_dbus_chat_semanage
- Fix selinuxutil.if

* Tue Sep 3 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74.1
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Fix polipo.te
- Add trans rules for lsm pid files/dirs
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Allow sosreport to getattr everything in /dev and send rawip packets
- Allow sosreport to transition to brctl
- Add missing alias for amavis_etc_t
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Fix cupsd.te
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Fix to define ktalkd_unit_file_t correctly
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add support for tmp directories to openvswitch
- Add logwatch_can_sendmail boolean
- Allow telpathy_domains to search user homedirs and tmp dirs
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb

* Thu Aug 29 2013 Lukas Vrabec lvrabec@redhat.com 3.12.1-74
- Rename svirt_lxc_file_t to svirt_sandbox_file_t
- Allow virt_domain with USB devices to look at dos file systems
- Dontaudit thumb_t trying to look in /proc
- Change svirt_lxc_domain to svirt_sandbox_domain, and add svirt_qemu_net_t type
- Rename interface virt_transition_svirt_lxc to virt_transition_svirt_sanbox
- Allow ipsec_t to domtrans to iptables_t
- dontaudit users running nautilus on /proc
- Dontaudit hostname inheriting any terminal
- Label polgengui as a bin_t
- Allow semanage to create /.autorelabel file
- Label systemd unit files under dracut correctly
- Allow systemd domain to read /proc
- Allow sssd to write to user keyrings for managing kerberos
- Allow rhsmcertd to read init state
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch

* Fri Aug 23 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-73
- Update rules for condor domains

* Fri Aug 23 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-72
- Fix collectd_t can read /etc/passwd file
- Fix lsm.if summary
- Add policy for lsmd
- Cleanup raid.te
- Add support for abrt-upload-watch
- Dontaudit access check on cert_t for httpd_t
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Allow glusterd to read domains state
- Allow swift to create cache dirs with correct labeling
- Add support for pam_mount to mount user's encrypted home when a user logs in and logs out using ssh
- Add support for .Xauthority-n

* Tue Aug 20 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984
- Allow named to manage own log files
- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t
- Add virt_transition_userdomain boolean decl
- Allow httpd_t to sendto unix_dgram sockets on its children
- Allow nova domains to execute ifconfig
- bluetooth wants to create fifo_files in /tmp
- exim needs to be able to manage mailman data
- Allow sysstat to getattr on all file systems
- Looks like bluetoothd has moved
- Allow collectd to send ping packets
- Allow svirt_lxc domains to getpgid
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
- Allow frpintd_t to read /dev/urandom
- Allow asterisk_t to create sock_file in /var/run
- Allow usbmuxd to use netlink_kobject
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
- More cleanup of svirt_lxc policy
- virtd_lxc_t now talks to dbus
- Dontaudit leaked ptmx_t
- Allow processes to use inherited fifo files
- Allow openvpn_t to connect to squid ports
- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert()
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
- Allow user roles to connect to the journal socket
- xauth_t should be allowed to create xauth_home_t
- selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config

* Thu Aug 8 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-70
- Add label for /var/crash
- Allow fenced to domtrans to sanclok_t
- Allow nagios to manage nagios spool files
- Make tfptd as home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Add fixes for rabbit to fix ##992920,#99293
- Make NFS home, NIS authentication and dbus-daemon working
- Fix thumb_run()
- winbind wants block_suspend
- Fix typo in smokeping.te
- Fix rabbit.te
- Remove dup rule for dovecot.te
- Fix abrt.te
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config
- Fix rules for creating pluto pid files
- Fix userdom_relabel_user_tmp_files()
- Label 10933 as a pop port, for dovecot

* Fri Aug 2 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-69
- Add fix for pand service
- Fix pegasus.te
- shorewall touches own log
- Allow nrpe to list /var
- Add additional fixes for pegasus_openlmi_storage_t. Domtrans to demicode. A type for openlmi_storage lib files.
- Dontaudit attempts by thumb_t to check access on files/dirs in user homedir

* Tue Jul 30 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-68
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec

* Fri Jul 26 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user domains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info

* Wed Jul 24 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilities and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool

* Tue Jul 16 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files

* Fri Jul 12 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcuspd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to use gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files

* Wed Jul 10 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-63
- Add systemd support for mdadm

* Tue Jul 9 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled

* Mon Jul 8 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-61
- Allow mdadm to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content

* Mon Jul 8 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connect to its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow a domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and it eliminates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
- Fix bootloader.fc
- Additional fix
- Fix with xserver_stream_connect_xdm() calling

* Wed Jul 3 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean

* Fri Jun 28 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut down the system
- Devicekit_disk_t needs to manage /etc/fstab

* Wed Jun 26 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t

* Mon Jun 24 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition

* Fri Jun 21 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1016747 - SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the sock_file /home/jspeidel/.cache/keyring-9NSFQe/control.
        https://bugzilla.redhat.com/show_bug.cgi?id=1016747
  [ 2 ] Bug #1028696 - SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog.
        https://bugzilla.redhat.com/show_bug.cgi?id=1028696
  [ 3 ] Bug #1028772 - SELinux is preventing /usr/bin/mv from 'write' accesses on the directory /home/patachou/.texlive2013/texmf-var/fonts/pk/modeless/adobe.
        https://bugzilla.redhat.com/show_bug.cgi?id=1028772
  [ 4 ] Bug #1029251 - SELinux is preventing /usr/sbin/sendmail.sendmail from 'block_suspend' accesses on the capability2 .
        https://bugzilla.redhat.com/show_bug.cgi?id=1029251
  [ 5 ] Bug #1031253 - SELinux is preventing /usr/bin/mate-keyring-daemon from using the 'ipc_lock' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1031253
  [ 6 ] Bug #1032721 - Condor doesn't start with selinux enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=1032721
  [ 7 ] Bug #1033486 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/sbin/ldconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=1033486
  [ 8 ] Bug #1028718 - GDM fails to start
        https://bugzilla.redhat.com/show_bug.cgi?id=1028718
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

package-announce@lists.fedoraproject.org