--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-0fec072de2
2019-08-06 01:18:14.745006
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 30
Version     : 3.14.3
Release     : 43.fc30
URL         : https://github.com/fedora-selinux/selinux-policy
Summary     : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

More info: https://koji.fedoraproject.org/koji/buildinfo?buildID=1344221
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jul 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-43
- Allow dhcpd_t domain to read network sysctls.
- Allow nut services to communicate with unconfined domains
- Allow virt_domain to support ecryptfs home dirs.
- Allow domain transition lsmd_t to sensord_t
- Allow httpd_t to signull mailman_cgi_t process
- Allow machinectl to run pull-tar BZ(1724247)

* Fri Jul 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-42
- Allow spamd_update_t domain to read network state of system BZ(1733172)
- Allow dlm_controld_t domain to transition to the lvm_t
- Allow sandbox_web_client_t domain to do sys_chroot in user namespace
- Allow virtlockd process to read virtlockd.conf file
- Add more permissions for session dbus types to make dbus broker work with systemd user sessions
- Allow sssd_t domain to read gnome config and named cache files
- Allow brltty to request to load kernel module
- Add svnserve_tmp_t label for svnserve temp files to system private tmp
- Allow sssd_t domain to read kernel net sysctls BZ(1732185)
- Allow mysqld_t domain to domtrans to ifconfig_t domain when executing ifconfig tool
- Allow cyrus to work with PrivateTmp
- Make cgdcbxd_t domain work with SELinux enforcing.
- Make wireshark work when executed by confined users staff_t and sysadm_t
- Dontaudit virt_domain to manage ~/.cache dirs BZ(1730963)
- Allow svnserve_t domain to read system state
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Add interface collectd_manage_rw_content()
- Allow logrotate_t domain to manage collect_rw_content files and dirs
- Allow ifconfig_t domain to manage vmware logs
- Remove system_r role from staff_u user.
- Add systemd_private_tmp_type attribute
- Allow systemd to load kernel modules during boot process.
- Allow sysadm_t and staff_t domains to read wireshark shared memory
- Label /usr/libexec/utempter/utempter as utempter_exec_t
- Allow ipsec_t domain to read/write l2tpd pipe BZ(1731197)
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources

* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-41
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
- Add interface collectd_manage_rw_content()
- Allow logrotate_t domain to manage collect_rw_content files and dirs
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update tomcat_can_network_connect_db boolean to allow tomcat domains to also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassassin policy to make the /usr/share/spamassassin/sa-update.cron script work BZ(1711799)
- Update svnserve_t policy to make svnserve hooks work
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make firefox work inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface so that containers are not allowed to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t to read systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make the microcode service work
- Allow domain transition from logwatch_t to postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case the sysadmin is redirecting output to a file, e.g. 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make tshark labeled as wireshark_t work
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files.
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop.
- Dontaudit traceroute_t domain requiring sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t

* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-40
- Update dbusd policy and networkmanager to allow confined users to connect to vpn over NetworkManager
- Allow glusterd_t domain to setpgid
- Allow lsmd_t domain to execute /usr/bin/debuginfo-install
- Allow sbd_t domain to manage cgroup dirs
- Allow opafm_t domain to modify scheduling information of another process.
- Allow wireshark_t domain to create netlink netfilter sockets
- Allow gpg_agent_t domain to use nsswitch
- Allow httpd script types to mmap httpd rw content
- Allow dkim_milter_t domain to execute shell BZ(1716937)
- Allow sbd_t domain to use nsswitch
- Allow rhsmcertd_t domain to send signull to all domains
- Allow snort_t domain to create netlink netfilter sockets BZ(1723184)
- Dontaudit blueman to read state of all domains on system BZ(1722696)
- Allow boltd_t domain to use ps and get state of all domains on system. BZ(1723217)
- Allow rtkit_daemon_t to use sys_ptrace usernamespace capability BZ(1723308)
- Replace "-" by "_" in type names
- Change condor_domain declaration in condor_systemctl
- Allow firewalld_t domain to read iptables_var_run_t files BZ(1722405)
- Allow spamd_update_t domain to read state of other domains and to execute itself
- Fix all interfaces which cannot be compiled because of typos
- Allow X userdomains to mmap user_fonts_cache_t dirs
- Allow auditd_t domain to send signals to audisp_remote_t domain
- Allow systemd labeled as init_t domain to read/write faillog_t. BZ(1723132)
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files
- Add interface kernel_relabelfrom_usermodehelper()
- Dontaudit unpriv_userdomain to manage boot_t files
- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)
- Allow systemd to execute bootloader grub2-set-bootflag BZ(1722531)
- Allow associate efivarfs_t on sysfs_t

* Tue Jun 18 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-39
- Add vnstatd_var_lib_t to mountpoint attribute BZ(1648864)
- cockpit: Support split-out TLS proxy
- Allow dkim_milter_t to use shell BZ(1716937)
- Create explicit fc rule for mailman executable BZ(1666004)
- Update interface networkmanager_manage_pid_files() to also allow managing dirs
- Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)
- Add new interface bind_map_dnssec_keys()
- Update virt_use_nfs() boolean to allow virt_t to mmap nfs_t files
- Allow redis_t domain to read public sssd files
- Allow fetchmail_t to connect to dovecot stream sockets BZ(1715569)
- Allow confined users to login via cockpit
- Allow nfsd_t domain to do chroot because of new version of nfsd
- Add gpg_agent_roles to system_r roles
- Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
- Allow rhsmcertd_t domain to manage rpm cache
- Allow sbd_t domain to read tmpfs_t symlinks
- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
- Allow kadmind_t domain to read home config data
- Allow sbd_t domain to readwrite cgroups
- Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
- Label /var/log/pacemaker/pacemaker as cluster_var_log_t
- Allow certmonger_t domain to manage named cache files/dirs
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow crack_t domain to read /etc/passwd files
- Label fontconfig cache and config files and directories BZ(1659905)
- Allow dhcpc_t domain to manage network manager pid files
- Label /usr/sbin/nft as iptables_exec_t
- Allow userdomain attribute to manage cockpit_ws_t stream sockets
- Allow ssh_agent_type to read/write cockpit_session_t unnamed pipes
- Add interface ssh_agent_signal()

* Thu May 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-38
- Allow pcp_pmcd_t domain to domtrans to mdadm_t domain BZ(1714800)
- Allow spamd_update_t to exec itself
- Fix broken logwatch SELinux module
- Allow logwatch_mail_t to manage logwatch cache files/dirs
- Update wireshark_t domain to use several sockets
- Dontaudit net_admin capability for confined users dbusd type
- Allow kadmind_t domain to read pkcs11 module configs
- Allow kadmind_t domain to read named_cache_t files
- Fix bind_read_cache() interface to allow only read perms to caller domains
- Grant varnishlog_t access to varnishd_etc_t
- Allow nrpe_t domain to read process state of systemd_logind_t
- Allow mongod_t domain to connect on https port BZ(1711922)
- Allow chronyc_t domain to create own tmpfiles and allow it to send data over unix dgram sockets
- Dontaudit spamd_update_t domain to read all domains states BZ(1711799)
- Allow pcp_pmie_t domain to use sys_ptrace usernamespace cap BZ(1705871)
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Revert "Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)"
- Make boinc_var_lib_t mountpoint BZ(1711682)
- Allow wireshark_t domain to create fifo temp files
- All NetworkManager_ssh_t rules have to be in same optional block with ssh_basic_client_template(), fixing this bug in NetworkManager policy
- Allow dbus chat between NetworkManager_t and NetworkManager_ssh_t domains. BZ(1677484)
- Allow sysctl_rpc_t and sysctl_irq_t to be stored on fs_t
- Add interface systemd_logind_read_state()
- Fix find commands in Makefiles
- Allow systemd-timesyncd to read network state BZ(1694272)

* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-37
- Fix typo in gpg SELinux module
- Update gpg policy to make it work with confined users
- Add domain transition so that systemd labeled as init_t can execute spamd_update_exec_t binary to run newly created process as spamd_update_t
- Remove allow rule for virt_qemu_ga_t to write/append user_tmp_t files
- Label /var/run/user/*/dbus-1 as session_dbusd_tmp_t
- Add dac_override capability to namespace_init_t domain
- Label /usr/sbin/corosync-qdevice as cluster_exec_t
- Allow NetworkManager_ssh_t domain to open communication channel with system dbus. BZ(1677484)
- Label /usr/libexec/dnf-utils as debuginfo_exec_t
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Update userdomains to allow confined users to create gpg keys
- Allow associate all filesystem_types with fs_t
- Dontaudit syslogd_t using kill in user namespaces BZ(1711122)
- Allow init_t to manage session_dbusd_tmp_t dirs
- Allow systemd_gpt_generator_t to read/write to clearance
- Allow su_domain_type to getattr to /dev/gpmctl
- Update userdom_login_user_template() template to make systemd user session work for guest and xguest SELinux users

* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-36
- Allow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
- Allow nrpe_t domain to be dbus client
- Add interface sssd_signull()
- Label /usr/bin/tshark as wireshark_exec_t
- Fix typo in dbus_role_template()
- Allow userdomains to send data over dgram sockets to userdomains dbus services BZ(1710119)
- Allow userdomains dbus domain to execute dbus broker. BZ(1710113)
- Allow dovecot_deliver_t setuid/setgid capabilities BZ(1709572)
- Allow virt domains to access xserver devices BZ(1705685)
- Allow aide to be executed by systemd with correct (aide_t) domain BZ(1648512)
- Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
- Allow pcp_pmie_t domain to use fsetid capability BZ(1708082)
- Allow pcp_pmlogger_t to use setrlimit BZ(1708951)
- Allow gpsd_t domain to read udev db BZ(1709025)
- Add sys_ptrace capability for namespace_init_t domain
- Allow systemd to execute sa-update in spamd_update_t domain BZ(1705331)
- Allow rhsmcertd_t domain to read rpm cache files
- Label /efi same as /boot/efi boot_t BZ(1571962)
- Allow transition from udev_t to tlp_t BZ(1705246)
- Remove initrc_exec_t for /usr/sbin/apachectl file

* Fri May 3 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-35
- Add fcontext for apachectl util to fix missing output when "httpd -t" is executed from this script.

* Thu May 2 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-34
- Allow iscsid_t domain to mmap modules_dep_t files
- Allow nagios to use chown capability
- Dontaudit gpg_domain to create netlink_audit sockets
- Remove role transition in rpm_run() interface to allow sysadm_r to jump to rpm_t type. BZ(1704251)
- Allow dirsrv_t domain to execute own tmp files BZ(1703111)
- Update fs_rw_cephfs_files() interface to also allow the caller domain to read/write cephfs_t lnk files
- Update domain_can_mmap_files() boolean to also allow mmap of lnk files
- Improve userdom interfaces to drop guest_u SELinux user to use nsswitch

* Fri Apr 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-33
- Allow transition from cockpit_session to unpriv user domains

* Thu Apr 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-32
- Introduce deny_bluetooth boolean
- Allow greylist_milter_t to read network system state BZ(1702672)
- Allow freeipmi domains to mmap freeipmi_var_cache_t files
- Allow rhsmcertd_t and rpm_t domains to chat over dbus
- Allow thumb_t domain to delete cache_home_t files BZ(1701643)
- Update gnome_role_template() to allow _gkeyringd_t domains to chat with systemd_logind over dbus
- Add new interface boltd_dbus_chat()
- Allow fwupd_t and modemmanager_t domains to communicate over dbus BZ(1701791)
- Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
- Allow cockpit_ws_t domain to set limits BZ(1701703)
- Update Nagios policy when sudo is used
- Daemon rhsmcertd is able to install certs for docker again
- Introduce deny_bluetooth boolean
- Don't allow a container to connect to random services
- Remove file context /usr/share/spamassassin/sa-update.cron -> bin_t to label sa-update.cron as spamd_update_exec_t.
- Allow systemd_logind_t and systemd_resolved_t domains to chat over dbus
- Allow unconfined_t to use bpf tools
- Allow x_userdomains to communicate with boltd daemon over dbus

* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.3-31
- Fix typo in cups SELinux policy
- Allow iscsid_t to read modules deps BZ(1700245)
- Allow cups_pdf_t domain to create cupsd_log_t dirs in /var/log BZ(1700442)
- Allow httpd_rotatelogs_t to execute generic binaries
- Update system_dbus policy because of dbus-broker-20-2
- Allow httpd_t domain to read/write /dev/zero device BZ(1700758)
- Allow tlp_t domain to read module deps files BZ(1699459)
- Add file context for /usr/lib/dotnet/dotnet
- Update dev_rw_zero() interface by adding map permission
- Allow bounded transition for executing init scripts
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
  su -c 'dnf upgrade --advisory FEDORA-2019-0fec072de2'
at the command line. For more information, refer to the dnf documentation
available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org