--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-16371
2011-11-25 01:32:03
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 16
Version : 3.10.0
Release : 61.fc16
URL : http://oss.tresys.com/repos/refpolicy/
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
- Allow spamd to send mail
- Add ssh_home_t label for /var/lib/nocpulse/.ssh
- Allow puppetmaster to read network state
- Add colord_can_network_connect boolean
- Allow colord to execute shell
- Add bin_t label for "/usr/lib/iscan/network"
- Allow chrome-sandbox ptrace
- winbind needs to be able to talk to ldap directly, not through sssd
- saslauthd_t needs to connect to zarafa_port_t
- dnsmasq wants to read proc_net_t
- Add full DNS support for FreeIPA
--------------------------------------------------------------------------------
ChangeLog:
* Fri Nov 25 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-61
- Needs to require new version policycoreutils
* Thu Nov 24 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-60
- Needs to require new version checkpolicy
* Thu Nov 24 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-59
- Allow spamd to send mail
- Add ssh_home_t label for /var/lib/nocpulse/.ssh
- Allow puppetmaster to read network state
- Add colord_can_network_connect boolean
- Allow colord to execute shell
- Add bin_t label for "/usr/lib/iscan/network"
- Allow chrome-sandbox ptrace
- winbind needs to be able to talk to ldap directly, not through sssd
- saslauthd_t needs to connect to zarafa_port_t
- dnsmasq wants to read proc_net_t
- Add full DNS support for FreeIPA
* Mon Nov 21 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-58
- Allow mcelog_t to create dir and file in /var/run and label it correctly
- Allow dbus to manage fusefs
- Mount needs to read process state when mounting gluster file systems
- Allow collectd-web to read collectd lib files
- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in as stdin/stdout/stderr
- Allow colord to get the attributes of tmpfs filesystem
- Add sanlock_use_nfs and sanlock_use_samba booleans
- Add bin_t label for /usr/lib/virtualbox/VBoxManage
* Wed Nov 16 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-57
- We need to treat port_t and unreserved_port_t as generic_port types
* Wed Nov 16 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildrop
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
* Mon Nov 7 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-55
- Add more MCS fixes to make sandbox work
- Make faillog MLS trusted to make sudo_$1_t work
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is needed if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov 4 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov 1 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYS
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-52
- Check in fixes for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_override to communicate with users' TTYs
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters, and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <mgrepl(a)redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #756774 - libraries.if: Syntax error on line 172766 ~ [type=TILDE]
https://bugzilla.redhat.com/show_bug.cgi?id=756774
[ 2 ] Bug #698398 - mimedefang.pl's invocation of send_mail() causes an exception
https://bugzilla.redhat.com/show_bug.cgi?id=698398
[ 3 ] Bug #753307 - ldconfig mislabels /etc/ld.so.cache
https://bugzilla.redhat.com/show_bug.cgi?id=753307
[ 4 ] Bug #756071 - named still cannot access dirsvr
https://bugzilla.redhat.com/show_bug.cgi?id=756071
[ 5 ] Bug #740237 - SELinux is preventing /usr/sbin/dnsmasq from 'read' accesses on the file unix.
https://bugzilla.redhat.com/show_bug.cgi?id=740237
[ 6 ] Bug #749516 - kcm_clock (kcontrol/dateandtime) doesn't set persistent date
https://bugzilla.redhat.com/show_bug.cgi?id=749516
[ 7 ] Bug #752907 - SELinux is preventing /opt/google/chrome/chrome-sandbox from using the 'ptrace' accesses on a process.
https://bugzilla.redhat.com/show_bug.cgi?id=752907
[ 8 ] Bug #753212 - gnome-shell crashes because dbus can't read icc files on glusterfs home dir
https://bugzilla.redhat.com/show_bug.cgi?id=753212
[ 9 ] Bug #753440 - exim has denied access to "online" file in sysfs
https://bugzilla.redhat.com/show_bug.cgi?id=753440
[ 10 ] Bug #753458 - SELinux is preventing /usr/libexec/polkit-1/polkitd from 'read' accesses on the file online.
https://bugzilla.redhat.com/show_bug.cgi?id=753458
[ 11 ] Bug #753806 - SELinux is preventing /usr/libexec/accounts-daemon from 'read' accesses on the file cpuinfo.
https://bugzilla.redhat.com/show_bug.cgi?id=753806
[ 12 ] Bug #754230 - SELinux is preventing /bin/bash from 'execute_no_trans' accesses on the file /usr/lib/virtualbox/VBoxManage.
https://bugzilla.redhat.com/show_bug.cgi?id=754230
[ 13 ] Bug #754862 - system-config-kdump - SELinux is preventing /usr/bin/python from execute access on the file grubby.
https://bugzilla.redhat.com/show_bug.cgi?id=754862
[ 14 ] Bug #754938 - systemd's logging of stdout/stderr is prevented by SELinux
https://bugzilla.redhat.com/show_bug.cgi?id=754938
[ 15 ] Bug #755055 - SELinux is preventing /usr/bin/perl from 'search' accesses on the directory lib.
https://bugzilla.redhat.com/show_bug.cgi?id=755055
[ 16 ] Bug #755297 - SELinux is preventing /usr/bin/python from 'execute' accesses on the file /sbin/grubby.
https://bugzilla.redhat.com/show_bug.cgi?id=755297
[ 17 ] Bug #756088 - SELinux is preventing /usr/sbin/mcelog from 'create' accesses on the file mcelog.pid.
https://bugzilla.redhat.com/show_bug.cgi?id=756088
[ 18 ] Bug #756504 - SELinux denials at puppet-server (puppetmaster) startup
https://bugzilla.redhat.com/show_bug.cgi?id=756504
[ 19 ] Bug #756656 - SELinux is preventing /usr/sbin/sshd from 'read' accesses on the file /var/lib/nocpulse/.ssh/nocpulse-identity.
https://bugzilla.redhat.com/show_bug.cgi?id=756656
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------