--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-1050fb248b
2018-07-29 03:19:11.836712
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 28
Version : 3.14.1
Release : 36.fc28
URL : %{git0-base}
Summary : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
More info:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1130751
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 25 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-36
- Allow aide to mmap all files
- Revert "Allow firewalld_t do read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflect the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domain to connect to all ephemeral ports
- Allow firewalld_t do read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow zoneminder_t to getattr of fs_t
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t to mmap system db files
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
* Wed Jul 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-35
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t domain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Dontaudit syslogd watching top level dirs when imfile module is enabled
- Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)"
- Allow userdomain sudo domains to use generic ptys
- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t BZ(1600690)
* Tue Jul 3 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-34
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to conntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t start with nnp systemd security feature with proper SELinux Domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
- Add ibacm policy
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
- Allow kdumpgui_t domain to execute and mmap all binaries labeled as kdumpgui_tmp_t
- Allow rpm to check if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
- Allow crond_t domain to create netlink selinux sockets and dac_override cap.
- Allow radiusd_t domain to have dac_override capability
- Allow amanda_t domain to have setgid capability
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain to create ppd directory with cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
- Allow sssd_t and slapd_t domains to mmap generic certs
- Allow chronyc_t domain to use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Allow systemd to mounton core kernel interface
- Add dac_override capability to ipsec_t domain BZ(1589534)
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
- Allow systemd to get attributes of core kernel interface BZ(1596928)
- Allow systemd_modules_load_t to access unlabeled infiniband pkeys
- Allow init_t domain to create netlink rdma sockets for ibacm policy
- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
- Allow lvm_t domain to write files to all mls levels
- Add to su_role_template allow rule for creating netlink_selinux sockets
- Allow sysadm_t domain to mmap hwdb db
- Allow udev_t domain to mmap kernel modules
- Allow sysadm_screen_t to have capability dac_override and chown
- Allow sysadm_t domain to mmap journal
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Label /etc/systemd/system.control/ dir as systemd_unit_file_t
- Merge pull request #215 from bachradsusi/merge-conf-from-fedora
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Add snapperd_contexts to the policy
- Use system_u:system_r:unconfined_t:s0 in userhelper_context
- Remove unneeded system_u seusers mapping.
- Fedora targeted default user is unconfined_u, root is unconfined_u as well
- Update config to reflect changes in default context for SELinux users related to pam_selinux.so which is now used in systemd-users.
- Change failsafe_context to unconfined_r:unconfined_t:s0
- Update lxc_contexts from Fedora config.tgz
- Add lxc_contexts config file
* Thu Jun 14 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-33
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasq_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chronyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy
- Add setgid and setuid capabilities to mysqld_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Adding new boolean keepalived_connect_any()
- Allow amanda to create own amanda_tmpfs_t files
- Allow gdomap_t domain to connect to gdomap_port_t
- Merge pull request #56 from lslebodn/selinux_child
- Merge pull request #58 from milosmalik/fb-dictd-dbus
- Merge pull request #59 from milosmalik/fb-ntop-service
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswitch SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to read gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain to send email
- Fix typo in sge policy
- Allow certmonger to send emails
- Allow tomcat_t to mmap tomcat_tmp_t files
- Improve sge_rw_tcp_sockets interface
- Adding new interface: sge_rw_tcp_sockets()
- Update sge_execd_t domain with few rules
- Add new zabbix_run_sudo boolean
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs. Allow systemd_passwd_agent_t domain to dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/. Allow dhcpc_t creating netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users to get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
- Update traceroute_t domain to allow create dccp sockets
- Update ssh_keysign policy
- Allow sshd_t domain to read/write sge tcp sockets
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-32
- Add dac_override capability to sendmail_t domain
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-31
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t do send emails BZ(1582701)"
- Typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbus client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean will be enabled
- Allow fsdaemon_t do send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmpt files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in /var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allow nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agent_port_t
* Sat May 26 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-30
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t to be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow gpg_agent_t to send msgs to syslog/journal
- Add dac_override capability to dovecot_t domain
- Allow nscd_t domain to mmap system_db_t files
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow sysadm_u to use xdm
- Allow xdm_t domain to listen for unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
- Update dev_map_xserver_misc interface to allow mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-29
- Fixed typos in devices.if file
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-28
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with a unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to getattr of filesystems BZ(1578755)
- Allow hypervvssd_t domain to read fixed disk devices
- Allow several domains to manage ecryptfs_t filesystem
- Allow userdom_use_user_ttys for loadkeys_t domain
- Add dac_override capability to cachefiles_kernel_t domain
- Allow blueman to execute ldconfig BZ(1577581)
- Allow gpg_pinentry_t domain to read state of gpg_t processes
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_program() interface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature NoNewPrivileges is used
- Associate sysctl_vm_overcommit_t with fs_t
- Allow systemd creating bluetooth sockets
- Allow ssh client to read network sysctl BZ(1574170)
- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files
* Tue May 22 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-27
- Increase dependency versions of policycoreutils and checkpolicy packages
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-26
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev execute /usr/libexec/gdm-disable-wayland in xdm_t domain which allows create /run/gdm/custom.conf with proper xdm_var_run_t label.
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-25
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow swnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack, execmem and execheap from domains setroubleshootd_t, locate_t and podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue start with nnp systemd security feature with proper SELinux Domain transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow psad_t domain to read all domains state
- Allow tomcat_t domain to connect to mongod_t tcp port
- Allow dovecot and postfix to connect to systemd stream sockets
- Make nmbd_t domain dbus system client BZ(1569856)
- Merge pull request #55 from SISheogorath/fix/tlp-policy
- Merge pull request #54 from tmzullinger/rawhide
- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro BZ(1566168)
- Allow gssproxy_t domain to read gssd_t state BZ(1572945)
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack, execmem and execheap from domain fsadm_t to increase security. BZ(1579760)
- Fix typo xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
- Allow users staff and sysadm to run wireshark on own domain
- Fix typos s/xserver/xdm/ for allow creating xserver misc devices
- Allow systemd-bootchart to create own tmpfs files
- Merge pull request #213 from tmzullinger/rawhide
- Allow xdm_t domain to install Nouveau drivers BZ(1570996)
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Sat Apr 28 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-24
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Fri Apr 27 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-23
- Allow dnssec_trigger_t domain to read system network state BZ(1570205)
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- gnome_data_filetrans macro should be in optional block
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- Label /run/ebtables.lock as iptables_var_run_t
- Allow udev_t domain to manage udev_rules_t char files.
- Assign babel_port_t label to udp port 6696
- Add new interface lvm_map_config
- Merge pull request #212 from stlaz/patch-1
- Allow local_login_t reads of udev_var_run_t context
* Wed Apr 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-22
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1594271 - SELinux is preventing cups-pdf from using the 'dac_override' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1594271
[ 2 ] Bug #1594584 - SELinux is preventing lvm2-activation from 'map' accesses on the file /etc/lvm/lvm.conf.
https://bugzilla.redhat.com/show_bug.cgi?id=1594584
[ 3 ] Bug #1582812 - SELinux is preventing load_policy from 'append' accesses on the unix_stream_socket unix_stream_socket.
https://bugzilla.redhat.com/show_bug.cgi?id=1582812
[ 4 ] Bug #1562818 - SELinux is preventing colord from 'getattr' accesses on the file /home/joselopez/.local/share/icc/edid-2c9488b2554b3ed4515286be48e867af.icc.
https://bugzilla.redhat.com/show_bug.cgi?id=1562818
[ 5 ] Bug #1584167 - SELinux prevents sshd from reading the file /run/cockpit/active.motd
https://bugzilla.redhat.com/show_bug.cgi?id=1584167
[ 6 ] Bug #1594018 - SELinux is preventing upowerd from 'add_name' accesses on the directory history-rate-DELL_7P3X953I-43-06BF.dat.JNBWKZ.
https://bugzilla.redhat.com/show_bug.cgi?id=1594018
[ 7 ] Bug #1596443 - SELinux is preventing multiqueue0:src from 'read' accesses on the file mmap_min_addr.
https://bugzilla.redhat.com/show_bug.cgi?id=1596443
[ 8 ] Bug #1589534 - SELinux is preventing charon-nm from using the 'dac_override' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1589534
[ 9 ] Bug #1594541 - SELinux is preventing dotlockfile from 'link' accesses on the file .lk012504ANTRO-XPRMNT.
https://bugzilla.redhat.com/show_bug.cgi?id=1594541
[ 10 ] Bug #1553761 - SELinux is preventing gsd-smartcard from 'map' accesses on the file /etc/pki/ca-trust/source/README.
https://bugzilla.redhat.com/show_bug.cgi?id=1553761
[ 11 ] Bug #1592223 - SELinux is preventing bluetoothd from 'listen' accesses on the bluetooth_socket Unknown.
https://bugzilla.redhat.com/show_bug.cgi?id=1592223
[ 12 ] Bug #1594590 - SELinux is preventing rm from 'unlink' accesses on the file .deliver_lock.
https://bugzilla.redhat.com/show_bug.cgi?id=1594590
[ 13 ] Bug #1593496 - SELinux is preventing upowerd from 'write' accesses on the directory /var/lib/upower.
https://bugzilla.redhat.com/show_bug.cgi?id=1593496
[ 14 ] Bug #1585971 - SELinux is preventing dhcpcd from 'create' accesses on the netlink_generic_socket Unknown.
https://bugzilla.redhat.com/show_bug.cgi?id=1585971
[ 15 ] Bug #1590830 - collectd write_prometheus plugin fails to start due to SELinux restrictions
https://bugzilla.redhat.com/show_bug.cgi?id=1590830
[ 16 ] Bug #1592083 - SELinux is preventing touch from 'create' accesses on the file mail.
https://bugzilla.redhat.com/show_bug.cgi?id=1592083
[ 17 ] Bug #1585358 - SELinux is preventing mpd from using the 'dac_override' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1585358
[ 18 ] Bug #1586329 - SELinux is preventing iw from 'write' accesses on the file /run/tlp/lock_tlp.
https://bugzilla.redhat.com/show_bug.cgi?id=1586329
[ 19 ] Bug #1590686 - SELinux is preventing fprintd from 'read' accesses on the directory tmp.
https://bugzilla.redhat.com/show_bug.cgi?id=1590686
[ 20 ] Bug #1592108 - SELinux is preventing (fprintd) from 'read' accesses on the directory /var/lib/fprint.
https://bugzilla.redhat.com/show_bug.cgi?id=1592108
[ 21 ] Bug #1592640 - SELinux is preventing colord from 'map' accesses on the file /home/robinson/.local/share/icc/edid-250f1a28fe7af6f8910c63034b4f9bb3.icc.
https://bugzilla.redhat.com/show_bug.cgi?id=1592640
[ 22 ] Bug #1596941 - SELinux is preventing cockpit-ssh from 'read' accesses on the file unix.
https://bugzilla.redhat.com/show_bug.cgi?id=1596941
[ 23 ] Bug #1594221 - conntrackd can't start due to selinux
https://bugzilla.redhat.com/show_bug.cgi?id=1594221
[ 24 ] Bug #1589339 - SELinux prevents p11_child from write permissions
https://bugzilla.redhat.com/show_bug.cgi?id=1589339
[ 25 ] Bug #1594585 - SELinux is preventing (upowerd) from 'mounton' accesses on the directory /var/lib/upower.
https://bugzilla.redhat.com/show_bug.cgi?id=1594585
[ 26 ] Bug #1578872 - SELinux is preventing dovecot from using the 'dac_override' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1578872
[ 27 ] Bug #1593808 - SELinux is preventing statusjson.cgi from 'map' accesses on the file /etc/nagios/cgi.cfg.
https://bugzilla.redhat.com/show_bug.cgi?id=1593808
[ 28 ] Bug #1584185 - nfs mount with krb5 fails when selinux is enforcing
https://bugzilla.redhat.com/show_bug.cgi?id=1584185
[ 29 ] Bug #1588206 - SELinux is preventing abrt-action-gen from 'map' accesses on the file /home/fedora/.dropbox-dist/dropbox-lnx.x86_64-50.3.69/_functools.so.
https://bugzilla.redhat.com/show_bug.cgi?id=1588206
[ 30 ] Bug #1575234 - SELinux is preventing gssproxy from 'getattr' accesses on the file /usr/sbin/rpc.gssd.
https://bugzilla.redhat.com/show_bug.cgi?id=1575234
[ 31 ] Bug #1585443 - SELinux is preventing 6F75747075743A4D792050756C7365 from 'map' accesses on the file 2F6D656D66643A70756C7365617564696F202864656C6574656429.
https://bugzilla.redhat.com/show_bug.cgi?id=1585443
[ 32 ] Bug #1596482 - SELinux is preventing pmdaproc from 'sys_ptrace' accesses on the cap_userns Unknown.
https://bugzilla.redhat.com/show_bug.cgi?id=1596482
[ 33 ] Bug #1595889 - SELinux is preventing upowerd from 'read' accesses on the file /var/lib/upower/history-time-empty-DELL_GR5D371-71-47253.dat.
https://bugzilla.redhat.com/show_bug.cgi?id=1595889
[ 34 ] Bug #1589483 - SELinux is preventing nm-l2tp-service from using the 'signull' accesses on a process.
https://bugzilla.redhat.com/show_bug.cgi?id=1589483
[ 35 ] Bug #1594012 - SELinux is preventing sendmail from 'getattr' accesses on the file /root/.esmtp_queue/livIOS8d/mail.
https://bugzilla.redhat.com/show_bug.cgi?id=1594012
[ 36 ] Bug #1595458 - Lots of SELinux denials for sssd_selinux_manager_t
https://bugzilla.redhat.com/show_bug.cgi?id=1595458
[ 37 ] Bug #1575369 - Conntrackd does not start up due to selinux policy
https://bugzilla.redhat.com/show_bug.cgi?id=1575369
[ 38 ] Bug #1590476 - SELinux is preventing init_t from sending dbus command to oddjob
https://bugzilla.redhat.com/show_bug.cgi?id=1590476
[ 39 ] Bug #1590446 - selinux-policy blocks motion access to v4l camera
https://bugzilla.redhat.com/show_bug.cgi?id=1590446
[ 40 ] Bug #1592555 - Zoneminder policy in SELinux still prevents Zoneminder from working
https://bugzilla.redhat.com/show_bug.cgi?id=1592555
[ 41 ] Bug #1594554 - SELinux is preventing upowerd from 'open' accesses on the chr_file /dev/input/event0.
https://bugzilla.redhat.com/show_bug.cgi?id=1594554
[ 42 ] Bug #1418463 - selinux policy will not allow tigervnc-server to start
https://bugzilla.redhat.com/show_bug.cgi?id=1418463
[ 43 ] Bug #1590627 - SELinux is preventing xplayer-video-t from using the 'dac_read_search' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1590627
[ 44 ] Bug #1591729 - cgit not able to access gitolite3 repositories (selinux)
https://bugzilla.redhat.com/show_bug.cgi?id=1591729
[ 45 ] Bug #1596362 - SELinux is preventing sendmail from 'read' accesses on the folder .esmtp_queue.
https://bugzilla.redhat.com/show_bug.cgi?id=1596362
[ 46 ] Bug #1588726 - SELinux is preventing systemd-machine from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.
https://bugzilla.redhat.com/show_bug.cgi?id=1588726
[ 47 ] Bug #1589337 - SELinux denial - dbus / libvirt
https://bugzilla.redhat.com/show_bug.cgi?id=1589337
[ 48 ] Bug #1592084 - SELinux is preventing gdk-pixbuf-thum from using the 'dac_override' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1592084
[ 49 ] Bug #1592085 - SELinux is preventing gdk-pixbuf-thum from using the 'dac_read_search' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=1592085
[ 50 ] Bug #1592145 - SELinux is preventing qemu-ga from 'read' accesses on the file dev.
https://bugzilla.redhat.com/show_bug.cgi?id=1592145
[ 51 ] Bug #1562382 - SELinux is preventing tlp from 'write' accesses on the file lock_tlp.
https://bugzilla.redhat.com/show_bug.cgi?id=1562382
[ 52 ] Bug #1594395 - SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/lib/expressvpn/resolv.conf.
https://bugzilla.redhat.com/show_bug.cgi?id=1594395
[ 53 ] Bug #1605058 - SELinux is preventing openct-control from 'map' accesses on the file /run/openct/status.
https://bugzilla.redhat.com/show_bug.cgi?id=1605058
[ 54 ] Bug #1599001 - SELinux is preventing df from 'getattr' accesses on the filesystem /.
https://bugzilla.redhat.com/show_bug.cgi?id=1599001
[ 55 ] Bug #1594598 - SELinux is preventing qemu-system-aar from 'search' accesses on the directory 1178.
https://bugzilla.redhat.com/show_bug.cgi?id=1594598
[ 56 ] Bug #1608282 - SELinux is preventing java from search access on the directory /sys/fs/cgroup
https://bugzilla.redhat.com/show_bug.cgi?id=1608282
[ 57 ] Bug #1584892 - SELinux is preventing abrt-action-gen from 'map' accesses on the file /home/mastaiza/.local/share/torbrowser/tbb/x86_64/tor-browser_ru/Browser/libplds4.so.
https://bugzilla.redhat.com/show_bug.cgi?id=1584892
[ 58 ] Bug #1607048 - SELinux is preventing mktemp from 'write' accesses on the directory .esmtp_queue.
https://bugzilla.redhat.com/show_bug.cgi?id=1607048
[ 59 ] Bug #1598958 - Mailman AVCs on F28
https://bugzilla.redhat.com/show_bug.cgi?id=1598958
[ 60 ] Bug #1607460 - SELinux is preventing ldconfig from 'map' accesses on the file /usr/lib64/liblvm2cmd.so.2.02.
https://bugzilla.redhat.com/show_bug.cgi?id=1607460
[ 61 ] Bug #1600552 - SELinux is preventing winbindd from 'name_connect' accesses on the tcp_socket port 49261.
https://bugzilla.redhat.com/show_bug.cgi?id=1600552
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-1050fb248b' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------