--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-bf377d92c7
2019-04-08 01:52:31.597658
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 29
Version     : 3.14.2
Release     : 53.fc29
URL         : %{git0-base}
Summary     : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
More info: https://koji.fedoraproject.org/koji/buildinfo?buildID=1241873
--------------------------------------------------------------------------------
ChangeLog:
* Wed Apr 3 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-53
- Add gnome_filetrans_fontconfig_home_content interface
- Add permissions needed by systemd's machinectl shell/login
- Update SELinux policy for xen services
- Fix varnisncsa typo
- Allow init start freenx-server BZ(1678025)
- Allow tcpd bind to services ports BZ(1676940)
- Add tcpd_wrapped_domain for telnetd BZ(1676940)
- Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
- Allow esmtp access .esmtprc BZ(1691149)
- Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t
- Allow tlp_t domain to read nvme block devices BZ(1692154)
- Add permissions needed by systemd's machinectl shell/login
- Allow systemd_machined_t dac_override capability BZ(1670787)
- Allow unconfined_domain_type to use bpf tools BZ(1694115)
- Update dev_filetrans_all_named_dev() interface
- Allow getty_t, local_login_t, chkpwd_t and passwd_t to use usbttys. BZ(1691582)
- Allow xdm_t domain to create own tmp files BZ(1686675)
* Sat Mar 23 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-52
- Allow boltd_t domain to write to sysfs_t dirs BZ(1689287)
- Allow fail2ban execute journalctl BZ(1689034)
- Update xen SELinux module
- Improve labeling for PCP plugins
- Allow varnishd_t domain to read sysfs_t files
- Update sudodomains to make working confined users run sudo/su
- Allow iptables_t domain to read NetworkManager state BZ(1690881)
- Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t Resolves: rhbz#1679293
- Grant permissions for onloadfs files of all classes.
* Tue Mar 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-51
- Update vmtools policy
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
- Allow journalctl_t domain to mmap syslogd_var_run_t files
- Allow smokeping process to mmap own var lib files and allow set process group. Resolves: rhbz#1661046
- Allow sbd_t domain to bypass permission checks for sending signals
- Allow sbd_t domain read/write all sysctls
- Allow boltd_t to stream connect to system dbus
- Allow zabbix_t domain to create sockets labeled as zabbix_var_run_t BZ(1683820)
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
- Label /dev/pkey as crypt_device_t
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
- Allow ifconfig_t domain to read /dev/random BZ(1687516)
- Label /usr/sbin/nodm as xdm_exec_t same as other display managers
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
- Label /usr/sbin/e2mmpstatus as fsadm_exec_t Resolves: rhbz#1684221
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-50
- Allow openvpn_t domain to set capability BZ(1680276)
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
- Allow chronyd_t domain to send data over dgram socket
- Add rolekit_dgram_send() interface
- Allow dovecot_t domain to connect to mysql db
- Add dac_override capability for sbd_t SELinux domain
- Add dac_override capability for spamd_update_t domain
- Fix bug in userdom_restricted_xwindows_user_template() template to disallow all user domains to access admin_home_t
- kernel/files.fc: Label /var/run/motd.d(./*)? and /var/run/motd as pam_var_run_t
- Allow nnp transition for domains fsadm_t, lvm_t and mount_t
* Tue Feb 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-49
- Allow glusterd_t to write to automount unnamed pipe Resolves: rhbz#1674243
- Allow ddclient_t to setcap Resolves: rhbz#1674298
- Add dac_override capability to vpnc_t domain
- Add dac_override capability to spamd_t domain
- Allow ibacm_t domain to read system state and label all ibacm sockets and symlinks as ibacm_var_run_t in /var/run
- Allow ibacm_t domain to send dgram sockets to kernel processes
- Allow dovecot_t to connect to MySQL UNIX socket
- Fix typo bug in sensord policy
- Update ibacm_t policy after testing latest version of this component
- Allow sensord_t domain to mmap own log files
- Update policy with multiple allow rules to make working installing VM in MLS policy
- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the system
- Allow syslogd_t domain to send null signal to all domains on system Resolves: rhbz#1673847
- Allow systemd-logind daemon to remove shared memory during logout Resolves: rhbz#1674172
- Fix typos in userdomain policy
- Update mount_read_pid_files macro to allow also list mount_var_run_t dirs
- Fix typo bug in userdomain SELinux policy
- Allow user domains to stop systemd user sessions during logout process
- Add s_manage_fusefs_named_sockets interface
- Allow systemd-journald to receive messages including a memfd
* Sat Feb 2 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-48
- Allow sensord_t domain to use nsswitch and execute shell
- Allow opafm_t domain to execute lib_t files
- Allow opafm_t domain to manage kdump_crash_t files and dirs
- Allow virt domains to read/write cephfs filesystems
- Allow virtual machine to write to fixed_disk_device_t
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain Resolves: rhbz#1491585
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
- Allow vhostmd_t read libvirt configuration files
- Update dbus_role_template interface to allow userdomains to accept data from userdomain dbus domains
- Allow boltd_t domain to read cache_home_t files BZ(1669911)
- Allow winbind_t domain to check for existence of processes labeled as systemd_hostnamed_t BZ(1669912)
- Allow gpg_agent_t to create own tmpfs dirs and sockets
- Add multiple interfaces for vpnc interface file
- Allow openvpn_t domain to manage vpnc pidfiles BZ(1667572)
- Label /var/run/fcgiwrap dir as httpd_var_run_t BZ(1655702)
- In MongoDB 3.4.16, 3.6.6, 4.0.0 and later, mongod reads netstat info from proc and stores it in its diagnostic system (FTDC). See: https://jira.mongodb.org/browse/SERVER-31400 This means that we need to adjust the policy so that the mongod process is allowed to open and read /proc/net/netstat, which typically has symlinks (e.g. /proc/net/snmp).
- Allow gssd_t domain to manage kernel keyrings of every domain.
- Revert "Allow gssd_t domain to read/write kernel keyrings of every domain."
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
- Allow staff_t user to systemctl iptables units.
- Allow systemd to read selinux logind config
- Allow transition from init_t domain to user_t domain during ssh login with confined user user_u Resolves: rhbz#1664448
- Add interface systemd_hostnamed_signull()
- Allow init_t domain access to USB ttys BZ(1663620)
- Fix userdom_admin_user_template() interface by adding bluetooth,alg,dccp create_stream_socket permissions.
- Allow init_t create a directory in directories with var_log_t label
- Add new interface domain_manage_all_domains_keyrings()
* Tue Jan 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-47
- Allow plymouthd_t search efivarfs directory BZ(1664143)
- Allow arpwatch send e-mail notifications BZ(1657327)
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
- Allow gssd_t domain to read/write kernel keyrings of every domain.
- Allow systemd_timedated_t domain nnp_transition BZ(1666222)
- Add the fs_search_efivarfs_dir interface
- Create tangd_port_t with default label tcp/7406
- Add interface domain_rw_all_domains_keyrings()
- Some of the selinux-policy macros don't work in chroots/initial installs. BZ(1665643)
* Fri Jan 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-46
- Allow sensord_t to execute own binary files
- Allow pcp_pmlogger_t domain to getattr all filesystem BZ(1662432)
- Allow virtd_lxc_t domains use BPF BZ(1662613)
- Allow openvpn_t domain to read systemd state BZ(1661065)
- Dontaudit ptrace all domains for blueman_t BZ(1653671)
- Change label of /usr/libexec/lm_sensors/sensord-service-wrapper from lsmd_exec_t to sensord_exec_t BZ(1662922)
- Allow hddtemp_t domain to read nvme block devices BZ(1663579)
- Add dac_override capability to spamd_t domain BZ(1645667)
- Allow pcp_pmlogger_t to mount tracefs_t filesystem BZ(1662983)
- Allow pcp_pmlogger_t domain to read all sysctls BZ(1662441)
- Allow saslauthd_t domain to mmap own pid files BZ(1653024)
- Add dac_override capability for snapperd_t domain BZ(1619356)
- Allow staff_t domain to read read_binfmt_misc filesystem
- Add interface fs_read_binfmt_misc()
- Allow init_t domain to mmap init_var_lib_t files and dontaudit leaked fd. BZ(1651008)
- Make working: systemd-run --system --pty bash BZ(1647162)
- Allow ipsec_t domain dbus chat with systemd_resolved_t BZ(1662443)
- Label /usr/lib/systemd/user as systemd_unit_file_t BZ(1652814)
- Add rules to allow systemd to mounton systemd_timedated_var_lib_t.
* Sun Dec 16 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-45
- Add macro-expander script to selinux-policy-devel package
* Fri Dec 7 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-44
- Label /usr/share/spamassassin/sa-update.cron as spamd_update_exec_t
- Add dac_override capability to ssad_t domains
- Allow pesign_t domain to read gnome home configs
- Label /usr/libexec/lm_sensors/sensord-service-wrapper as lsmd_exec_t
- Allow rngd_t domains read kernel state
- Allow certmonger_t domains to read bind cache
- Allow ypbind_t domain to stream connect to sssd
- Allow rngd_t domain to setsched
- Allow sanlock_t domain to read/write sysfs_t files
- Add dac_override capability to postfix_local_t domain
- Allow ypbind_t to search sssd_var_lib_t dirs
- Allow virt_qemu_ga_t domain to write to user_tmp_t files
- Allow systemd_logind_t to dbus chat with virt_qemu_ga_t
- Update sssd_manage_lib_files() interface to allow also mmap sssd_var_lib_t files
- Add new interface sssd_signal()
- Update xserver_filetrans_home_content() and xserver_filetrans_admin_home_content() interfaces to allow caller domain to create .vnc dir in users homedir labeled as xdm_home_t
- Update logging_filetrans_named_content() to allow caller domains of this interface to create /var/log/journal/remote directory labeled as var_log_t
- Add sys_resource capability to the systemd_passwd_agent_t domain
- Allow ipsec_t domains to read bind cache
- kernel/files.fc: Label /run/motd as etc_t
- Allow systemd to stream connect to userdomain processes
- Label /var/lib/private/systemd/ as init_var_lib_t
- Allow initrc_t domain to create new socket labeled as init_T
- Allow audisp_remote_t domain remote logging client to read local audit events from relevant socket.
- Add tracefs_t type to mountpoint attribute
- Allow useradd_t and groupadd_t domains to send signals to sssd_t
- Allow systemd_logind_t domain to remove directories labeled as tmpfs_t BZ(1648636)
- Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
* Wed Nov 7 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-43
- Update pesign policy to allow pesign_t domain to read bind cache files/dirs
- Add dac_override capability to mdadm_t domain
- Create ibacm_tmpfs_t type for the ibacm policy
- Dontaudit capability sys_admin for dhcpd_t domain
- Makes rhsmcertd_t domain an exception to the constraint preventing changing the user identity in object contexts.
- Allow abrt_t domain to mmap generic tmp_t files
- Label /usr/sbin/wpa_cli as wpa_cli_exec_t
- Allow sandbox_xserver_t domain write to user_tmp_t files
- Allow certutil running as ipsec_mgmt_t domain to mmap ipsec_mgmt pid files
- Dontaudit ipsec_mgmt_t domain to write to the all mountpoints
- Add interface files_map_generic_tmp_files()
- Add dac_override capability to the syslogd_t domain
- Create systemd_timedated_var_run_t label
- Update systemd_timedated_t domain to allow create own pid files/access init_var_lib_t files and read dbus files BZ(1646202)
- Add init_read_var_lib_lnk_files and init_read_var_lib_sock_files interfaces
* Sun Nov 4 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-41
- Dontaudit thumb_t domain to setattr on lib_t dirs BZ(1643672)
- Dontaudit cupsd_t domain to setattr lib_t dirs BZ(1636766)
- Add dac_override capability to postgrey_t domain BZ(1638954)
- Allow thumb_t domain to execute own tmpfs files BZ(1643698)
- Allow xdm_t domain to manage dosfs_t files BZ(1645770)
- Label systemd-timesyncd binary as systemd_timedated_exec_t to make it run in systemd_timedated_t domain BZ(1640801)
- Improve fs_manage_ecryptfs_files to allow caller domain also mmap ecryptfs_t files BZ(1630675)
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
* Sun Nov 4 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.14.2-41
- Add nnp transition rule for vnstatd_t domain using NoNewPrivileges systemd feature BZ(1643063)
- Allow l2tpd_t domain to mmap /etc/passwd file BZ(1638948)
- Add dac_override capability to ftpd_t domain
- Allow gpg_t to create own tmpfs dirs and sockets
- Allow rhsmcertd_t domain to relabel cert_t files
- Allow nova_t domain to use pam
- sysstat: grant sysstat_t the search_dir_perms set
- Label systemd-user-runtime-dir binary as systemd_logind_exec_t BZ(1644313)
- Allow systemd_logind_t to read fixed disk device BZ(1645631)
- Allow systemd_logind_t domain to read nvme devices BZ(1645567)
- Allow systemd_rfkill_t domain to communicate via dgram sockets with syslogd BZ(1638981)
- kernel/files.fc: Label /run/motd.d(/.*)? as etc_t
- Allow ipsec_mgmt_t process to send signals other than SIGKILL, SIGSTOP, or SIGCHLD to the ipsec_t domains BZ(1638949)
- Allow X display manager to check status and reload services which are part of x_domain attribute
- Add interface miscfiles_relabel_generic_cert()
- Fix userdom_write_user_tmp_dirs() to allow caller domain also read/write user_tmp_t dirs
- Dontaudit sys_admin capability for netutils_t domain
- Label tcp and udp ports 2611 as qpasa_agent_port_t
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1654773 - can't install a ganesha policy due to conflicts with gluster policy
      https://bugzilla.redhat.com/show_bug.cgi?id=1654773
[ 2 ] Bug #1694115 - SELinux is preventing systemd from 'map_create' accesses on the bpf labeled unconfined_service_t.
      https://bugzilla.redhat.com/show_bug.cgi?id=1694115
[ 3 ] Bug #1691582 - SELinux is preventing agetty from access on ttyUSB0.
      https://bugzilla.redhat.com/show_bug.cgi?id=1691582
[ 4 ] Bug #1692154 - SELinux is preventing tlp from 'getattr' accesses on the blk_file /dev/nvme0n1.
      https://bugzilla.redhat.com/show_bug.cgi?id=1692154
[ 5 ] Bug #1679293 - [selinux-policy-targeted] xenconsoled.service: Failed with result 'exit-code'
      https://bugzilla.redhat.com/show_bug.cgi?id=1679293
[ 6 ] Bug #1657005 - SELinux is preventing x86_energy_perf from 'read' accesses on the chr_file msr.
      https://bugzilla.redhat.com/show_bug.cgi?id=1657005
[ 7 ] Bug #1690766 - SELinux is preventing /usr/bin/vmtoolsd from 'entrypoint' accesses on the file /usr/bin/bash.
      https://bugzilla.redhat.com/show_bug.cgi?id=1690766
[ 8 ] Bug #1690444 - Add policy for cockpit-cert-session
      https://bugzilla.redhat.com/show_bug.cgi?id=1690444
[ 9 ] Bug #1689287 - SELinux is preventing boltd from 'write' accesses on the directory domain0.
      https://bugzilla.redhat.com/show_bug.cgi?id=1689287
[ 10 ] Bug #1657780 - SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'dac_override' capabilities.
      https://bugzilla.redhat.com/show_bug.cgi?id=1657780
[ 11 ] Bug #1694968 - xenstored runs as unconfined_service_t even if the program is confined
      https://bugzilla.redhat.com/show_bug.cgi?id=1694968
[ 12 ] Bug #1663620 - SELinux is preventing systemd-getty-g from read, write access on the chr_file ttyUSB0.
      https://bugzilla.redhat.com/show_bug.cgi?id=1663620
[ 13 ] Bug #1691149 - SELinux is preventing esmtp from 'read' accesses on the file .esmtprc.
      https://bugzilla.redhat.com/show_bug.cgi?id=1691149
[ 14 ] Bug #1631033 - Silverblue 29 /etc/libvirt has wrong selinux label
      https://bugzilla.redhat.com/show_bug.cgi?id=1631033
[ 15 ] Bug #1257990 - systemctl shell: failed to get shell pty
      https://bugzilla.redhat.com/show_bug.cgi?id=1257990
[ 16 ] Bug #1645837 - SELinux is preventing systemd-logind from 'open' accesses on the blk_file /dev/sda1.
      https://bugzilla.redhat.com/show_bug.cgi?id=1645837
[ 17 ] Bug #1689034 - Allow fail2ban to call journalctl
      https://bugzilla.redhat.com/show_bug.cgi?id=1689034
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-bf377d92c7' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org