--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-2f43f173b0
2020-06-11 18:57:11.130977
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 31
Version     : 3.14.4
Release     : 53.fc31
URL         : https://github.com/fedora-selinux/selinux-policy
Summary     : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

New F31 selinux-policy build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=45448013
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun  4 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-53
- Support multiple ways of tlp invocation
- Split the arping path regexp to 2 lines to prevent from relabeling
- Allow initrc_t tlp_filetrans_named_content()
- Allow named transition for /run/tlp from a user shell
- Allow ipsec_mgmt_t mmap ipsec_conf_file_t files

* Tue May 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-52
- Label dirsrv systemd unit files and add dirsrv_systemctl()
- Allow nagios_plugin_domain execute programs in bin directories
- Update networkmanager_read_pid_files() to allow also list_dir_perms
- Update policy for NetworkManager_ssh_t
- Allow spamc_t domain to read network state
- Allow pdns_t domain to map files in /usr.
- Allow sys_admin capability for domain labeled systemd_bootchart_t
- Revert "Change arping path regexp to work around fixfiles incorrect handling"
- Change arping path regexp to work around fixfiles incorrect handling
- Allow strongswan use tun/tap devices and keys

* Fri Apr  3 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-51
- Allow NetworkManager_ssh_t to execute_no_trans for binary ssh_exec_t
- Allow NetworkManager manage dhcpd unit files
- Allow openfortivpn exec shell
- Add ibacm_t ipc_lock capability
- Remove container interface calling by named_filetrans_domain.
- Modify path for arping in netutils.fc to match both bin and sbin
- Add file context entry and file transition for /var/run/pam_timestamp
- Allow ipsec_t connectto ipsec_mgmt_t

* Thu Mar 19 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-50
- Allow zabbix_t manage and filetrans temporary socket files
- Allow NetworkManager read its unit files and manage services
- Label all NetworkManager fortisslvpn plugins as openfortivpn_exec_t
- Allow sssd read systemd-resolved runtime directory
- Allow sssd read NetworkManager's runtime directory
- Mark nm-cloud-setup systemd units as NetworkManager_unit_file_t
- Allow system_mail_t to signull pcscd_t
- Create interface pcscd_signull
- Allow postfix stream connect to cyrus through runtime socket
- Allow auditd poweroff or switch to single mode

* Sat Feb 22 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-49
- Allow httpd_t domain to mmap own var_lib_t files BZ(1804853)
- Allow ipda_custodia_t to create udp_socket and added permission nlmsg_read for netlink_route_sockets
- Update virt_read_qemu_pid_files interface
- Make file context more variable for /usr/bin/fusermount and /bin/fusermount

* Sat Feb 15 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-48
- Allow vhostmd communication with hosted virtual machines
- Add and update virt interfaces
- Update radiusd policy
- Allow systemd_private_tmp(named_tmp_t)
- Allow bacula dac_override capability

* Fri Feb  7 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-47
- Allow ipa_custodia_t create and use netlink_route_socket sockets.
- Allow networkmanager_t transition to setfiles_t
- Create init_create_dirs boolean to allow init create directories
- Create files_create_non_security_dirs() interface

* Fri Jan 31 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-46
- Added apache create log dirs macro
- Allow thumb_t connect to system_dbusd_t BZ(1795044)
- Allow saslauthd_t filetrans variable files for /tmp directory
- Allow openfortivpn_t to manage net_conf_t files.
- Introduce boolean openfortivpn_can_network_connect.
- Allow init_t to create apache log dirs.
- Add file transition for /dev/nvidia-uvm BZ(1770588)
- Update xserver_rw_session macro

* Fri Jan 24 2020 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-45
- Make stratisd_t domain unconfined for now.
- stratisd_t policy updates.
- Label /var/spool/plymouth/boot.log as plymouthd_var_log_t
- Label /stratis as stratisd_data_t
- Allow opafm_t to create and use netlink rdma sockets.
- Allow stratisd_t domain to read/write fixed disk devices and removable devices.
- Add dac_override capability to stratisd_t domain
- Added macro for stratisd to chat over dbus
- Allow init_t set the nice level of all domains BZ(1778088)
- Allow userdomain to chat with stratisd over dbus.

* Mon Jan 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-44
- Fix typo in anaconda SELinux module
- Allow rtkit_t domain to control scheduling for your install_t processes
- Boolean: rngd_t to use executable memory
- Allow rngd_t domain to use nsswitch BZ(1787661)
- Allow exim to execute bin_t without domain trans
- Allow create udp sockets for abrt_upload_watch_t domains
- Drop label zebra_t for frr binaries
- Allow NetworkManager_t domain to get status of samba services
- Update milter policy to allow use sendmail
- Modify file context for .local directory to match exactly BZ(1637401)
- Add new file context rabbitmq_conf_t.
- Allow journalctl read init state BZ(1731753)
- Add fprintd_read_var_lib_dir and fprintd_setattr_var_lib_dir interfaces
- Allow pulseaudio create .config and dgram sendto to unpriv_userdomain
- Change type in transition for /var/cache/{dnf,yum} directory
- Allow cockpit_ws_t read efivarfs_t BZ(1777085)
- Allow abrt_dump_oops_t domain to create udp sockets BZ(1778030)
- Allow named_t domain to mmap named_zone_t files BZ(1647493)
- Make boinc_var_lib_t label system mountdir attribute
- Allow stratis_t domain to request load modules
- Update fail2ban policy
- Allow spamd_update_t access antivirus_unit_file_t BZ(1774092)
- Allow uuidd_t Domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow rdisc_t Domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
- Allow init_t domain to create own socket files in /tmp
- Allow ipsec_mgmt_t domain to mmap ipsec_conf_file_t files
- Allow userdomain dbus chat with systemd_resolved_t
- Allow init_t read and setattr on /var/lib/fprintd
- Allow systemd_domain to map files in /usr.
- Allow sysadm_t dbus chat with colord_t
- Allow confined users run fwupdmgr
- Allow confined users run machinectl
- Allow systemd labeled as init_t domain to create dirs labeled as var_t
- Allow systemd labeled as init_t do read/write tpm_device_t chr files BZ(1778079)

* Thu Nov 28 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-43
- Fix nonexisting types in rtas_errd_rw_lock interface
- Allow snmpd_t domain to trace processes in user namespace
- Allow zebra_t domain to execute zebra binaries
- Allow ksmtuned_t domain to trace processes in user namespace
- Allow systemd to read symlinks in /var/lib
- Update dev_mounton_all_device_nodes() interface
- Add the miscfiles_map_generic_certs macro to the sysnet_dns_name_resolve macro.
- Allow strongswan start using swanctl method BZ(1773381)
- Dontaudit systemd_tmpfiles_t getattr of all file types BZ(1772976)

* Fri Nov 22 2019 Zdenek Pytela <zpytela@redhat.com> - 3.14.4-42
- Allow NetworkManager_t manage dhcpc_state_t BZ(1770698)
- Label tcp ports 24816,24817 as pulp_port_t

* Wed Nov 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-41
- Fix typo bugs in rtas_errd_read_lock() interface
- Allow timedatex_t domain to systemctl chronyd domains
- Allow ipa_helper_t to read kr5_keytab_t files
- cockpit: Allow cockpit-session to read cockpit-tls state directory
- Allow stratisd_t domain to read nvme and fixed disk devices
- Update lldpad_t policy module
- Dontaudit tmpreaper_t getting attributes from sysctl_type files
- cockpit: Support https instance factory
- Added macro for timedatex to chat over dbus.
- Update files_manage_etc_runtime_files() interface to allow manage also dirs
- Dontaudit sys_admin capability for auditd_t domains
- Allow x_userdomain to read adjtime_t files
- Allow users using template userdom_unpriv_user_template() to run bpf tool
- Allow x_userdomain to dbus_chat with timedatex.

* Sun Nov  3 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-40
- Label /var/cache/nginx as httpd_cache_t
- Allow abrt_upload_watch_t domain to send dgram msgs to kernel processes and stream connect to journald
- Created dnsmasq_use_ipset boolean
- Allow capability dac_override in logwatch_mail_t domain
- Allow automount_t domain to execute ping in own SELinux domain (ping_t)
- Allow tmpreaper_t domain to getattr files labeled as mtrr_device_t
- Allow collectd_t domain to create netlink_generic_socket sockets
- Allow rhsmcertd_t domain to read/write rtas_errd_var_lock_t files
- Allow tmpwatch process labeled as tmpreaper_t domain to execute fuser command.
- Label /etc/postfix/chroot-update as postfix_exec_t
- Update tmpreaper_t policy due to fuser command
- Allow kdump_t domain to create netlink_route and udp sockets
- Allow stratisd to connect to dbus
- Allow fail2ban_t domain to create netlink netfilter sockets.
- Allow dovecot get filesystem quotas
- Allow networkmanager_t domain to execute chronyd binary in chronyd_t domain. BZ(1765689)
- Allow systemd-tmpfiles processes to set rlimit information
- Update files_filetrans_named_content() interface to allow caller domain to create /oldroot /.profile with correct label etc_runtime_t
- Allow systemd_logind to read dosfs files & dirs
  Allow systemd-logind - a system service that manages user logins, to read files and list dirs on a DOS filesystem

* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-39
- Allow confined users to run newaliases
- Add interface mysql_dontaudit_rw_db()
- Label /var/lib/xfsdump/inventory as amanda_var_lib_t
- Allow tmpreaper_t domain to read all domains state
- Make httpd_var_lib_t label system mountdir attribute
- Update cockpit policy
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Dontaudit ifconfig_t domain to read/write mysqld_db_t files
- Dontaudit domains read/write leaked pipes

* Tue Oct 22 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-38
- Allow nagios_script_t domain list files labeled sysfs_t.
- Allow jetty_t domain search and read cgroup_t files.
- Allow Gluster mount client to mount files_type
- Dontaudit and disallow sys_admin capability for keepalived_t domain
- Update numad policy to allow signull, kill, nice and trace processes
- Allow ipmievd_t to RW watchdog devices
- Update allow rules set for pads_t domain
- Allow networkmanager_t domain domain transition to chronyc_t domain BZ(1760226)
- Update apache and pkcs policies to make active opencryptoki rules
- Allow ldconfig_t domain to manage initrc_tmp_t link files
  Allow netutils_t domain to write to initrc_tmp_t fifo files
- Allow user domains to manage user session services
- Allow staff and user users to get status of user systemd session
- Update sudo_role_template() to allow caller domain to read syslog pid files
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1808530 - strongswan 5.8.x fails without certain rules
        https://bugzilla.redhat.com/show_bug.cgi?id=1808530
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-2f43f173b0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org