Fedora 28 Update: trinity-1.9-1.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-bfbcb9d06b
2019-02-04 11:13:12.362432
--------------------------------------------------------------------------------
Name : trinity
Product : Fedora 28
Version : 1.9
Release : 1.fc28
URL : http://codemonkey.org.uk/projects/trinity/
Summary : System call fuzz tester
Description :
Trinity makes syscalls at random, with random arguments. Where Trinity
differs from other fuzz testers is that the arguments it passes are not
purely random.
We found some bugs in the past by just passing random values, but once
the really dumb bugs were found, these dumb fuzzers would just run and
run. The problem was if a syscall took for example a file descriptor as
an argument, one of the first things it would try to do was validate
that fd. Being garbage, the kernel would just reject it as -EINVAL of
course. So on startup, Trinity creates a list of file descriptors, by
opening pipes, scanning sysfs, procfs, /dev, and creates a bunch of
sockets using random network protocols. Then when a syscall needs an
fd, it gets passed one of these at random.
File descriptors aren't the only thing Trinity knows about. Every
syscall has its arguments annotated, and where possible it tries to
provide something at least semi-sensible. "Length" arguments for example
get passed one of a whole bunch of potentially interesting values.
(Powers of 2 +/-1 are a good choice for triggering off-by-one bugs it
seems).
Trinity also shares those file descriptors between multiple threads,
which causes havoc sometimes.
If a child process successfully creates an mmap, the pointer is stored,
and fed to subsequent syscalls, sometimes with hilarious results.
--------------------------------------------------------------------------------
Update Information:
See https://github.com/kernelslacker/trinity/commits/master between the "1.8
release" and "1.9 release" commits for changes in this version.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 24 2019 Jerry James <loganjerry(a)gmail.com> - 1.9-1
- New upstream version
- Drop upstreamed -autofs, -irda, and -memfd patches
* Sat Jul 21 2018 Jerry James <loganjerry(a)gmail.com> - 1.8-3
- Add -irda patch to fix bz 1606570
* Sat Jul 14 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-bfbcb9d06b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: switchboard-plug-bluetooth-2.2.0-1.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-eae534e422
2019-02-04 11:13:12.362421
--------------------------------------------------------------------------------
Name : switchboard-plug-bluetooth
Product : Fedora 28
Version : 2.2.0
Release : 1.fc28
URL : https://github.com/elementary/switchboard-plug-bluetooth
Summary : Switchboard Bluetooth plug
Description :
The Bluetooth plug is a section in the Switchboard (System Settings)
that allows the user to manage bluetooth settings and connected
devices.
--------------------------------------------------------------------------------
Update Information:
Update to version 2.2.0. Release notes:
https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.2.0
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 24 2019 Fabio Valentini <decathorpe(a)gmail.com> - 2.2.0-1
- Update to version 2.2.0.
* Fri Oct 19 2018 Fabio Valentini <decathorpe(a)gmail.com> - 2.1.2-1
- Update to version 2.1.2.
* Fri Jun 8 2018 Fabio Valentini <decathorpe(a)gmail.com> - 0.1.1-1
- Update to version 0.1.1.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1669170 - switchboard-plug-bluetooth-2.2.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1669170
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-eae534e422' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: matrix-synapse-0.34.0.1-3.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-d38643cfa9
2019-02-04 11:13:12.362411
--------------------------------------------------------------------------------
Name : matrix-synapse
Product : Fedora 28
Version : 0.34.0.1
Release : 3.fc28
URL : https://github.com/matrix-org/synapse
Summary : A Matrix reference homeserver written in Python using Twisted
Description :
Matrix is an ambitious new ecosystem for open federated Instant Messaging and
VoIP. Synapse is a reference "homeserver" implementation of Matrix from the
core development team at matrix.org, written in Python/Twisted. It is intended
to showcase the concept of Matrix and let folks see the spec in the context of
a coded base and let you run your own homeserver and generally help bootstrap
the ecosystem.
--------------------------------------------------------------------------------
Update Information:
Change the owner of the /etc/synapse directory to the synapse user
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 24 2019 Jeremy Cline <jeremy(a)jcline.org> - 0.34.0.1-3
- synapse user should own its configuration directory (rhbz 1662672)
* Fri Jan 11 2019 Jeremy Cline <jeremy(a)jcline.org> - 0.34.0.1-1
- Update to v0.34.0.1, fixes CVE-2019-5885
* Thu Sep 6 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.33.3.1-1
- Update to v0.33.3.1
- Use the Python dependency generator.
* Thu Jun 14 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.31.2-1
- Update to v0.31.2
- https://github.com/matrix-org/synapse/releases/tag/v0.31.2
* Wed Jun 13 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.31.1-3
- Bring back the pin for pynacl
* Wed Jun 13 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.31.1-2
- Stop using Python dependency generator
* Wed Jun 13 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.31.1-1
- Update to v0.31.1
- Fix CVE-2018-12291
* Thu May 24 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.29.1-1
- Update to the latest upstream release.
- Use the Python dependency generator.
* Tue May 1 2018 Jeremy Cline <jeremy(a)jcline.org> - 0.28.1-1
- Update to the latest upstream release.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1662672 - Why synapse folder became owned by root after release upgrade ?
https://bugzilla.redhat.com/show_bug.cgi?id=1662672
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-d38643cfa9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: nmstate-0.0.4-1.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-8cff5f3955
2019-02-04 11:13:12.362400
--------------------------------------------------------------------------------
Name : nmstate
Product : Fedora 28
Version : 0.0.4
Release : 1.fc28
URL : https://github.com/nmstate/nmstate
Summary : Declarative network manager API
Description :
NMState is a library with an accompanying command line tool that manages host
networking settings in a declarative manner and aimed to satisfy enterprise
needs to manage host networking through a northbound declarative API and multi
provider support on the southbound.
--------------------------------------------------------------------------------
Update Information:
Upgrade to release 0.0.4. Changes since 0.0.3:
* Bug fixes:
* nm, device: Retry if activation fails in specific cases
* nm, nmclient: Allow mainloop to run the last action again
* netapplier: Fix OVS proxy port handling in the edit step
* nm, connection: Enable autoconnect by default
* nm, device: Skip activation of an already activating device
* nm, device: Fix ActiveConnection.is_activating
* nm, device: Activate based on the device or connection object
* nmstatectl: Output yaml by default
* README: Add contact information (email, IRC and Jira)
* RPMs: Require python-setuptools
* nmstatectl: Remove extra newline from yaml output
* CentOS CI docker: Remove duplicate code
* CentOS CI docker: Use PIP to fetch pytest
* Add Fedora CI test docker image.
* Integration test: Wait NetworkManager service
* tests integ: Drop assert_rc assert helper
* netinfo.show() : Sort interface state.
* Integration test: Fix bond rollback test
* Integration test: Fix vlan rollback test
* Integration test: Fix python 3 split() TypeError
* Integration test: Fix python3 float TypeError
* tests: Add an nmstatectl integration test for 'set'
* RPM: Suggest NetworkManager-ovs package
* README: Add package version status
* integ tests: Test rollback for bond
* tox: Pin and update pytest* versions
* rpm: Include examples
* README: Add Copr GIT build status
* nm.bridge: Set only specified port options
* Packaging: Remove python dependency to get version
* Packaging: Store version in VERSION file
* RPM packaging: Sync back changes from Fedora packaging
* packaging: Prepare automated COPR packaging
* MANIFEST: Add missing pattern to recursive-include
----
Add missing runtime dependency for nmstatectl.
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-8cff5f3955' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: udica-0.1.3-1.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-56e17751e2
2019-02-04 11:13:12.362390
--------------------------------------------------------------------------------
Name : udica
Product : Fedora 28
Version : 0.1.3
Release : 1.fc28
URL : https://github.com/containers/udica
Summary : A tool for generating SELinux security policies for containers
Description :
Tool for generating SELinux security profiles for containers based on
inspection of container JSON file.
--------------------------------------------------------------------------------
Update Information:
- Fix capability allow rules when capabilities are specified in JSON file.
- Add additional SELinux allow rules to base container template to allow
  container to read proc_type types.
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-56e17751e2' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: CImg-2.4.5-1.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-3798e5a648
2019-02-04 11:13:12.362377
--------------------------------------------------------------------------------
Name : CImg
Product : Fedora 28
Version : 2.4.5
Release : 1.fc28
URL : https://github.com/dtschump/CImg
Summary : C++ Template Image Processing Toolkit
Description :
The CImg Library is an open-source C++ toolkit for image processing.
It consists in a single header file 'CImg.h' providing a minimal set of C++
classes and methods that can be used in your own sources, to load/save,
process and display images. Very portable, efficient and easy to use,
it's a pleasant library for developing image processing algorithms in C++.
--------------------------------------------------------------------------------
Update Information:
bump version
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 22 2019 josef radinger <cheese(a)nosuchhost.net> - 1:2.4.5-1
- bump version
* Tue Oct 16 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 1:2.4.0-1
- Update to 2.4.0 release
* Tue Sep 4 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 1:2.3.6-1
- Update to 2.3.6 release
* Wed Aug 1 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 1:2.3.3-1
- Update to 2.3.3 release
* Thu Jul 12 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 202-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-3798e5a648' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: gmic-2.4.5-2.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-3798e5a648
2019-02-04 11:13:12.362377
--------------------------------------------------------------------------------
Name : gmic
Product : Fedora 28
Version : 2.4.5
Release : 2.fc28
URL : http://gmic.eu/
Summary : GREYC's Magic for Image Computing
Description :
G'MIC is an open and full-featured framework for image processing, providing
several different user interfaces to convert/manipulate/filter/visualize
generic image datasets, from 1d scalar signals to 3d+t sequences of
multi-spectral volumetric images.
--------------------------------------------------------------------------------
Update Information:
bump version
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jan 25 2019 josef radinger <cheese(a)nosuchhost.net> - 2.4.5-2
- frsh rebuild
* Mon Jan 21 2019 josef radinger <cheese(a)nosuchhost.net> - 2.4.5-1
- bump version
- create %{_sysconfdir}/bash_completion.d and move the file
* Tue Oct 16 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 2.4.0-1
- Update to 2.4.0 release
* Tue Sep 4 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 2.3.6-1
- Update to 2.3.6 release
- Drop BuildRoot and Group tags
- Use system CImg
- Update URL tag
* Mon Jul 23 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 2.3.3-1
- Updated to latest release / snapshots
- Add BR on gcc-c++
* Fri Jul 13 2018 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-3798e5a648' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 28 Update: selinux-policy-3.14.1-51.fc28
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-e8a902b473
2019-02-04 11:13:12.362256
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 28
Version : 3.14.1
Release : 51.fc28
URL : %{git0-base}
Summary : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
More info: https://koji.fedoraproject.org/koji/buildinfo?buildID=1178909
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jan 11 2019 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-51
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
- Dontaudit certwatch_t domain to write to all mountpoints BZ(1655357)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Allow pcp_pmlogger_t domain to send signals to rpm_script_t BZ(1651030)
- Add new interface: rpm_script_signal()
- Label for /home/$USER/.config/chromium should be chrome_sandbox_home_t instead of mozilla_home_t. BZ(1650053)
- Allow pcp_pmie_t domain to dbus chat with systemd_resolved_t domain BZ(1650997)
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Revert "Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)"
- Make workin: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Allow staff_t to rw binfmt_misc_fs_t files BZ(1658975)
* Fri Dec 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-50
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() unterfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
* Wed Nov 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-49
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
* Sun Nov 4 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-48
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
* Tue Oct 16 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-47
- Allow boltd_t domain to dbus chat with fwupd_t domain BZ(1633786)
* Mon Oct 15 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-46
- Allow caller domains using cron_*_role to have entrypoint permission on system_cron_spool_t files BZ(1625645)
- Add interface cron_system_spool_entrypoint()
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes BZ(1637676)
- Add interfaces for boltd SELinux module
- Add dac_override capability to modemmanager_t domain BZ(1636608)
- Allow systemd to mount boltd_var_run_t dirs BZ(1636823)
- Label correctly /var/named/chroot*/dev/unrandom in bind chroot.
* Sat Oct 13 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-45
- Update rpm macros for selinux policy from sources repository: https://github.com/fedora-selinux/selinux-policy-macros
* Thu Oct 4 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-44
- Allow dictd_t domain to mmap dictd_var_lib_t files BZ(1634650)
- Fix typo in boltd.te policy
- Allow fail2ban_t domain to mmap journal
- Add kill capability to named_t domain
- Allow neutron domain to read/write /var/run/utmp
- Create boltd_var_run_t type for boltd pid files
- Allow tomcat_domain to read /dev/random
- Allow neutron_t domain to use pam
- Add the port used by nsca (Nagios Service Check Acceptor)
- Allow getty_t domain to read cockpit_var_run_t link files
* Thu Sep 20 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-43
- Allow certmonger to manage cockpit_var_run_t pid files
- Allow cockpit_ws_t domain to manage cockpit services
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
- Add interface apache_read_tmp_dirs()
- Fix typo in cockpit interfaces we have cockpit_var_run_t files not cockpit_var_pid_t
- Add interface apcupsd_read_power_files()
- Allow systemd labeled as init_t to execute logrotate in logrotate_t domain
- Allow dac_override capability to amanda_t domain
- Allow geoclue_t domain to get attributes of fs_t filesystems
- Update selinux policy for rhnsd_t domain based on changes in spacewalk-2.8-client
- Allow cockpit_t domain to read systemd state
- Allow abrt_t domain to write to usr_t files
- Allow cockpit to create motd file in /var/run/cockpit
- Label /usr/sbin/pcsd as cluster_exec_t
- Allow pesign_t domain to getattr all fs
- Allow tomcat servers to manage usr_t files
- Dontaudit tomcat serves to append to /dev/random device
- Allow dirsrvadmin_script_t domain to read httpd tmp files
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
- Revert "Allow firewalld_t domain to read random device"
- Allow postfix domains to mmap system db files
- Allow geoclue_t domain to execute own tmp files
- Allow virt_qemu_ga_t domain to read network state BZ(1592145)
- Update ibacm_read_pid_files interface to allow also reading link files
- Allow zebra_t domain to create packet_sockets
- Allow opafm_t domain to list sysfs
- Label /usr/libexec/cyrus-imapd/cyrus-master as cyris_exec_t
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Revert "Allow polydomain to create /tmp-inst labeled as tmp_t"
- Allow systemd to read apcupsd power files
- Allow polydomain to create /tmp-inst labeled as tmp_t
- Allow systemd_resolved_t domain to bind on udp howl port
- Add new boolean use_virtualbox Resolves: rhbz#1510478
- Allow sshd_t domain to read cockpit pid files
- Allow syslogd_t domain to manage cert_t files
- Allow getattr as part of files_mounton_kernel_symbol_table.
- Fix typo "aduit" -> "audit"
- Revert "Add new interface dev_map_userio()"
- Add new interface dev_map_userio()
- Allow systemd to read ibacm pid files
* Thu Sep 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-42
- Allow tomcat services create link file in /tmp
- Label /etc/shorewall6 as shorewall_etc_t
- Allow winbind_t domain kill in user namespaces
- Allow firewalld_t domain to read random device
- Allow abrt_t domain to do execmem
- Allow geoclue_t domain to execute own var_lib_t files
- Allow openfortivpn_t domain to read system network state
- Allow dnsmasq_t domain to read networkmanager lib files
- sssd: Allow to limit capabilities using libcap
- sssd: Remove unnecessary capability
- sssd: Do not audit usage of lib nss_systemd.so
- Fix bug in nsd.fc, /var/run/nsd.ctl is socket file not file
- Add correct namespace_init_exec_t context to /etc/security/namespace.d/*
- Update nscd_socket_use to allow caller domain to mmap nscd_var_run_t files
- Allow exim_t domain to mmap bin files
- Allow mysqld_t domain to executed with nnp transition
- Allow svirt_t domain to mmap svirt_image_t block files
- Add caps dac_read_search and dav_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
- Add read interfaces for mysqld_log_t that was added in commit df832bf
- Allow boltd_t to dbus chat with xdm_t
- Conntrackd need to load kernel module to work
- Allow mysqld sys_nice capability
- Update boltd policy based on SELinux denials from rhbz#1607974
- Allow readhead_t domain to mmap own pid files
- Allow systemd to create symlinks in for /var/lib
- Add comment to show that template call also allows changing shells
- Document userdom_change_password_template() behaviour
- update files_mounton_kernel_symbol_table() interface to allow caller domain also mounton system_map_t file
- Fix typo in logging SELinux module
- Allow usertype to mmap user_tmp_type files
- In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue
- Revert "Add execute_no_trans permission to mmap_exec_file_perms pattern"
- Allow ipsec_t domian to mmap own tmp files
- Add .gitignore file
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow audisp_remote_t domain to read auditd_etc_t
- netlabel: Remove unnecessary sssd nsswitch related macros
- Allow to use sss module in auth_use_nsswitch
- Limit communication with init_t over dbus
- Add actual modules.conf to the git repo
- Add few interfaces to optional block
- Allow sysadm_t and staff_t domain to manage systemd unit files
- Add interface dev_map_userio_dev()
- Allow ssh servers to have dac_override capability
- Allow dhcpc_t domain to read /dev/random
* Tue Aug 28 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-41
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Add interface devicekit_mounton_var_lib()
- Allow httpd_t domain to mmap tmp files
- Allow tcsd_t domain to have dac_override capability
- Allow cupsd_t to rename cupsd_etc_t files
- Allow iptables_t domain to create rawip sockets
- Allow amanda_t domain to mmap own tmpfs files
- Allow fcoemon_t domain to write to sysfs_t dirs
- Allow dovecot_auth_t domain to have dac_override capability
- Allow geoclue_t domain to mmap own tmp files
- Allow chronyc_t domain to read network state
- Allow apcupsd_t domain to execute itself
- Allow modemmanager_t domain to stream connect to sssd
- Allow chonyc_t domain to rw userdomain pipes
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Allow nagios_script_t domain to mmap nagios_spool_t files
- Allow geoclue_t domain to mmap geoclue_var_lib_t files
- Allow geoclue_t domain to map generic certs
- Update munin_manage_var_lib_files to allow manage also dirs
- Allow nsd_t domain to create new socket file in /var/run/nsd.ctl
- Fix typo in virt SELinux policy module
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow nagios_script_t domain to mmap nagios_etc_t files
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
- Allow kdumpctl_t domain to getattr fixed disk device in mls
- Fix typo in stapserver policy
- Dontaudit abrt_t domain to write to usr_t dirs
- Revert "Allow rpcbind to bind on all unreserved udp ports"
- Allow rpcbind to bind on all unreserved udp ports
- Allow virtlogd to execute itself
- Allow stapserver several actions: - execute own tmp files - mmap stapserver_var_lib_t files - create stapserver_tmpfs_t files
- Allow ypxfr_t domain to stream connect to rpcbind and allow search sssd libs
- Allow systemd to socket activate ibacm service
- Allow dirsrv_t domain to mmap user_t files
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
- Allow kdumpctl to write to files on all levels
- Allow httpd_t domain to mmap httpd_config_t files
- Allow sanlock_t domain to connectto to unix_stream_socket
- Revert "Add same context for symlink as binary"
- Allow mysql execute rsync
- Update nfsd_t policy because of ganesha features
- Allow conman to getattr devpts_t
- Allow tomcat_domain to connect to smtp ports
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
- Allow nagios_t domain to mmap nagios_log_t files
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
- Allow kdumpctl_t domain to read fixed disk storage
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow dhcpc_t domain to read /dev/random
- Allow systemd to mounton device_var_lib_t dirs
- Allow systemd to mounton kernel system table
- Label also chr_file /dev/mtd.* devices as fixed_disk_device_t
- Allow syslogd_t domain to create netlink generic sockets
- Label /dev/tpmrm[0-9]* as tpm_device_t
- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
- Allow insmod_t domain to read iptables pid files
- Allow systemd to mounton /etc
- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
- Allow xserver_t domain to start using systemd socket activation
- Tweak SELinux policy for systemd to allow DynamicUsers systemd feature
- Associate several proc labels to fs_t
- Update init_named_socket_activation() interface to allow systemd also create link files in /var/run
- Fix typo in syslogd policy
- Update syslogd policy to make working elasticsearch
- Label tcp and udp ports 9200 as wap_wsp_port
- Allow few domains to rw inherited kdumpctl tmp pipes
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
* Fri Aug 10 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-40
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs to allow colord also mmap nfs_t files
- Allow mysqld_safe_t do execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint do new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
* Tue Aug 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-39
- Rebuild with support for boltd
* Tue Aug 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-38
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_temaplate interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow chronyd_t domain to mmap own tmpfs files
- Fix typo bug in oracleasm policy module
- Allow systemd to mounton boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
* Sun Jul 29 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-37
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Allow iscsid_t domain to load kernel module
- Allow aide to mmap all files
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
* Wed Jul 25 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-36
- Allow aide to mmap all files
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domain to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow zoneminder_t to getattr of fs_t
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t do mmap system db files
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
* Wed Jul 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-35
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t domain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Dontaudit syslogd to watching top level dirs when imfile module is enabled
- Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)"
- Allow userdomain sudo domains to use generic ptys
- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)
* Tue Jul 3 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-34
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to connntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to sends signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
- Add ibacm policy
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
- Allow kdumpgui_t domain to allow execute and mmap all binaries labeled as kdumpgui_tmp_t
- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
- Allow crond_t domain to create netlink selinux sockets and dac_override cap.
- Allow radiusd_t domain to have dac_override capability
- Allow amanda_t domain to have setgid capability
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slpad_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Allow systemd to mounton core kernel interface
- Add dac_override capability to ipsec_t domain BZ(1589534)
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
- Allows systemd to get attributes of core kernel interface BZ(1596928)
- Allow systemd_modules_load_t to access unlabeled infiniband pkeys
- Allow init_t domain to create netlink rdma sockets for ibacm policy
- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
- Allow lvm_t domain to write files to all mls levels
- Add to su_role_template allow rule for creating netlink_selinux sockets
- Allow sysadm_t domain to mmap hwdb db
- Allow udev_t domain to mmap kernel modules
- Allow sysadm_screen_t to have capability dac_override and chown
- Allow sysadm_t domain to mmap journal
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Label /etc/systemd/system.control/ dir as systemd_unit_file_t
- Merge pull request #215 from bachradsusi/merge-conf-from-fedora
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Add snapperd_contexts to the policy
- Use system_u:system_r:unconfined_t:s0 in userhelper_context
- Remove unneeded system_u seusers mapping.
- Fedora targeted default user is unconfined_u, root is unconfined_u as well
- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Change failsafe_context to unconfined_r:unconfined_t:s0
- Update lxc_contexts from Fedora config.tgz
- Add lxc_contexts config file
* Thu Jun 14 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-33
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chornyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy:
- Add setgid and setuid capabilities to mysqlfd_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Adding new boolean keepalived_connect_any()
- Allow amanda to create own amanda_tmpfs_t files
- Allow gdomap_t domain to connect to qdomap_port_t
- Merge pull request #56 from lslebodn/selinux_child
- Merge pull request #58 from milosmalik/fb-dictd-dbus
- Merge pull request #59 from milosmalik/fb-ntop-service
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswitch SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to read gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain sends email
- Fix typo in sge policy
- Allow certmonger to sends emails
- Allow tomcat_t do mmap tomcat_tmp_t files
- Improve sge_rw_tcp_sockets interface
- Adding new interface: sge_rw_tcp_sockets()
- Update sge_execd_t domain with few rules
- Add new zabbix_run_sudo boolean
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/ Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
- Update traceroute_t domain to allow create dccp sockets
- Update ssh_keysign policy
- Allow sshd_t domain to read/write sge tcp sockets
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-32
- Add dac_override capability to sendmail_t domain
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-31
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbusd client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantiation under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allow nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agetn_port_t
* Sat May 26 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-30
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t do be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow gpg_agent_t to send msgs to syslog/journal
- Add dac_override capability to dovecot_t domain
- Allow nscd_t domain to mmap system_db_t files
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen for unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
- Update dev_map_xserver_misc interface to allow mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-29
- Fixed typos in devices.if file
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-28
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to getattr of filesystems BZ(1578755)
- Allow hypervvssd_t domain to read fixed disk devices
- Allow several domains to manage ecryptfs_t filesystem
- Allow userdom_use_user_ttys for loadkeys_t domain
- Add dac_override capability to cachefiles_kernel_t domain
- Allow blueman to execute ldconfig BZ(1577581)
- Allow gpg_pinentry_t domain to read state of gpg_t processes
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_program interface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
- Associate sysctl_vm_overcommit_t with fs_t
- Allow systemd creating bluetooth sockets
- Allow ssh client to read network sysctl BZ(1574170)
- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files
* Tue May 22 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-27
- Increase dependency versions of policycoreutils and checkpolicy packages
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-26
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-25
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack,execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow psad_t domain to read all domains state
- Allow tomcat_t domain to connect to mongod_t tcp port
- Allow dovecot and postfix to connect to systemd stream sockets
- Make nmbd_t domain dbus system client BZ(1569856)
- Merge pull request #55 from SISheogorath/fix/tlp-policy
- Merge pull request #54 from tmzullinger/rawhide
- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168)
- Allow gssproxy_t domain to read gssd_t state BZ(1572945)
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack,execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
- Allow users staff and sysadm to run wireshark on own domain
- Fix typos s/xserver/xdm/ for allow creating xserver misc devices
- Allow systemd-bootchart to create own tmpfs files
- Merge pull request #213 from tmzullinger/rawhide
- Allow xdm_t domain to install Nouveau drivers BZ(1570996)
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Sat Apr 28 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-24
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Fri Apr 27 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-23
- Allow dnssec_trigger_t domain to read system network state BZ(1570205)
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- gnome_data_filetrans macro should be in optional block
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- Label /run/ebtables.lock as iptables_var_run_t
- Allow udev_t domain to manage udev_rules_t char files.
- Assign babel_port_t label to udp port 6696
- Add new interface lvm_map_config
- Merge pull request #212 from stlaz/patch-1
- Allow local_login_t reads of udev_var_run_t context
* Wed Apr 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-22
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1645667 - mimedefang doesn't start after upgrading to f28
https://bugzilla.redhat.com/show_bug.cgi?id=1645667
[ 2 ] Bug #1575223 - SELinux is preventing bluetoothd from 'read' accesses on the file settings.
https://bugzilla.redhat.com/show_bug.cgi?id=1575223
[ 3 ] Bug #1653671 - SELinux is preventing ps from 'getattr' accesses on the Verzeichnis /proc/<pid>.
https://bugzilla.redhat.com/show_bug.cgi?id=1653671
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-e8a902b473' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 29 Update: flatpak-1.2.0-3.fc29
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-809743b754
2019-02-02 03:34:29.460607
--------------------------------------------------------------------------------
Name : flatpak
Product : Fedora 29
Version : 1.2.0
Release : 3.fc29
URL : http://flatpak.org/
Summary : Application deployment framework for desktop apps
Description :
flatpak is a system for building, distributing and running sandboxed desktop
applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for
more information.
--------------------------------------------------------------------------------
Update Information:
This update fixes the build of applications that use SVG icons on headless
machines.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 31 2019 Bastien Nocera <bnocera(a)redhat.com> - 1.2.0-3
- Require librsvg2 so SVG icons can be exported
* Tue Jan 29 2019 Kalev Lember <klember(a)redhat.com> - 1.2.0-2
- Enable libsystemd support
* Mon Jan 28 2019 David King <amigadave(a)amigadave.com> - 1.2.0-1
- Update to 1.2.0
- Enable installed tests and add to tests subpackage
* Fri Dec 14 2018 David King <amigadave(a)amigadave.com> - 1.0.6-4
- Fix OCI download progress reporting
* Fri Nov 30 2018 fedora-toolbox <otaylor(a)redhat.com> - 1.0.6-3
- Add a patch to fix OCI system remotes
- Add patch fixing permissions on icons downloaded from an OCI registry
* Fri Nov 16 2018 Kalev Lember <klember(a)redhat.com> - 1.0.6-1
- Update to 1.0.6
* Mon Nov 12 2018 Kalev Lember <klember(a)redhat.com> - 1.0.5-2
- Recommend p11-kit-server instead of just p11-kit (#1649049)
* Mon Nov 12 2018 Kalev Lember <klember(a)redhat.com> - 1.0.5-1
- Update to 1.0.5
* Fri Oct 12 2018 Kalev Lember <klember(a)redhat.com> - 1.0.4-1
- Update to 1.0.4
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-809743b754' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora 29 Update: vim-8.1.847-2.fc29
by updates@fedoraproject.org
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-7e79b5cebe
2019-02-02 03:34:29.460595
--------------------------------------------------------------------------------
Name : vim
Product : Fedora 29
Version : 8.1.847
Release : 2.fc29
URL : http://www.vim.org/
Summary : The VIM editor
Description :
VIM (VIsual editor iMproved) is an updated and improved version of the
vi editor. Vi was the first real screen-based editor for UNIX, and is
still very popular. VIM improves on vi by adding new features:
multiple windows, multi-level undo, block highlighting and more.
--------------------------------------------------------------------------------
Update Information:
The newest upstream commit.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 30 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.847-2
- fix patch for new ruby-2.6
* Wed Jan 30 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.847-1
- patchlevel 847
* Tue Jan 29 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.837-2
- FTBFS with new ruby-2.6
* Mon Jan 28 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.837-1
- patchlevel 837
* Fri Jan 25 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.818-1
- patchlevel 818
* Tue Jan 22 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.789-1
- patchlevel 789
* Fri Jan 11 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.714-1
- patchlevel 714
* Tue Jan 8 2019 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.702-1
- patchlevel 702
* Mon Dec 10 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.575-1
- patchlevel 575
* Wed Dec 5 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.549-2
- do not strip binaries before build system strips it
* Tue Nov 27 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.549-1
- patchlevel 549
* Tue Nov 27 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.527-2
- update vim-update.sh - F27 EOL
* Fri Nov 16 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.527-1
- patchlevel 527
* Thu Nov 8 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.513-2
- #1646183 - do not forget the epoch
* Thu Nov 8 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.513-1
- patchlevel 513
* Thu Nov 8 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.511-2
- fix #1646183 properly - we need to conflict with vim-enhanced, not vim-common
* Mon Nov 5 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.511-1
- patchlevel 511
* Mon Nov 5 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.497-2
- 1646183 - Man file conflict for vim-minimal and vim-enhanced
* Fri Oct 26 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.497-1
- patchlevel 497
* Fri Oct 19 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.483-1
- patchlevel 483
* Fri Oct 19 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.451-2
- 1640972 - vimrc/virc should reflect correct augroup
* Fri Oct 5 2018 Zdenek Dohnal <zdohnal(a)redhat.com> - 2:8.1.451-1
- patchlevel 451
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-7e79b5cebe' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------