--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-2f43f173b0
2020-06-11 18:57:11.130977
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 31
Version : 3.14.4
Release : 53.fc31
URL : https://github.com/fedora-selinux/selinux-policy
Summary : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
New F31 selinux-policy build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=45448013
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 4 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-53
- Support multiple ways of tlp invocation
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow initrc_t tlp_filetrans_named_content()
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files
* Tue May 19 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-52
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow nagios_plugin_domain execute programs in bin directories
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow spamc_t domain to read network state
- Allow pdns_t domain to map files in /usr.
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow strongswan use tun/tap devices and keys
* Fri Apr 3 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-51
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Allow NetworkManager manage dhcpd unit files
- Allow openfortivpn exec shell
- Add ibacm_t ipc_lock capability
- Remove container interface calling by named_filetrans_domain.
- Modify path for arping in netutils.fc to match both bin and sbin
- Add file context entry and file transition for /var/run/pam_timestamp
- Allow ipsec_t connectto ipsec_mgmt_t
* Thu Mar 19 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-50
- Allow zabbix_t manage and filetrans temporary socket files
- Allow NetworkManager read its unit files and manage services
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow postfix stream connect to cyrus through runtime socket
- Allow auditd poweroff or switch to single mode
* Sat Feb 22 2020 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-49
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipa_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Update virt_read_qemu_pid_files interface
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount
* Sat Feb 15 2020 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-48
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability
* Fri Feb 7 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-47
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
- Create files_create_non_security_dirs() interface
* Fri Jan 31 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-46
- Added apache create log dirs macro
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Update xserver_rw_session macro
* Fri Jan 24 2020 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-45
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Add dac_override capability to stratisd_t domain
- Added macro for stratisd to chat over dbus
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.
* Mon Jan 13 2020 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-44
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
- Allow rdisc_t domain transition from systemd into confined domain with NoNewPrivileges systemd security feature.
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow systemd_domain to map files in /usr.
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)
* Thu Nov 28 2019 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-43
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow zebra_t domain to execute zebra binaries
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)
* Fri Nov 22 2019 Zdenek Pytela <zpytela(a)redhat.com> - 3.14.4-42
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Label tcp ports 24816,24817 as pulp_port_t
* Wed Nov 13 2019 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-41
- Fix typo bugs in rtas_errd_read_lock() interface
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read krb5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.
* Sun Nov 3 2019 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-40
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
- Allow systemd_logind to read dosfs files & dirs: allow systemd-logind, a system service that manages user logins, to read files and list dirs on a DOS filesystem
* Fri Oct 25 2019 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-39
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Dontaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes
* Tue Oct 22 2019 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.4-38
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Update allow rules set for pads_t domain
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ldconfig_t domain to manage initrc_tmp_t link files; allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1808530 - strongswan 5.8.x fails without certain rules
https://bugzilla.redhat.com/show_bug.cgi?id=1808530
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-2f43f173b0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------