--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-46564d0139
2018-08-16 08:05:04.601782
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 28
Version : 3.14.1
Release : 40.fc28
URL : %{git0-base}
Summary : SELinux policy configuration
Description :
SELinux Base package for SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1135126
Adding support for bolt SELinux policy.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Aug 10 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-40
- Fix issue with aliases in apache interface file
- Add same context for symlink as binary
- Allow boltd_t to send logs to journal
- Allow colord_use_nfs boolean to also allow colord to mmap nfs_t files
- Allow mysqld_safe_t to execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint to new domain
- Add alias httpd__script_t to _script_t to make sepolicy generate working
- Allow gpg_t domain to mmap gpg_agent_tmp_t files
- Label /var/lib/pgsql/data/log as postgresql_log_t
- Allow sysadm_t domain to accept socket
- Allow systemd to manage passwd_file_t
- Allow sshd_t domain to mmap user_tmp_t files
* Tue Aug 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-39
- Rebuild with support for boltd
* Tue Aug 7 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-38
- Allow kprop_t domain to read network state
- Add support boltd policy
- Allow kpropd domain to exec itself
- Allow pdns_t to bind on tcp transproxy port
- Add support for opafm service
- Allow hsqldb_t domain to read cgroup files
- Allow rngd_t domain to read generic certs
- Allow innd_t domain to mmap own var_lib_t files
- Update screen_role_template interface
- Allow chronyd_t domain to mmap own tmpfs files
- Allow chronyd_t domain to mmap own tmpfs files
- Fix typo bug in oracleasm policy module
- Allow systemd to mounton boltd lib dirs
- Allow sysadm_t domain to create rawip sockets
- Allow sysadm_t domain to listen on socket
- Update sudo_role_template() to allow caller domain also setattr generic ptys
* Sun Jul 29 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-37
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
- Allow nfsd_t domain to read krb5 keytab files
- Allow nfsd_t domain to manage fadm pid files
- Allow virt_domain to create icmp sockets BZ(1609142)
- Dontaudit oracleasm_t domain to request sys_admin capability
- Allow iscsid_t domain to load kernel module
- Allow aide to mmap all files
- Revert "Allow firewalld_t to read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflect the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Update logging_manage_all_logs() interface to allow caller domain to map all logfiles
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
* Wed Jul 25 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-36
- Allow aide to mmap all files
- Revert "Allow firewalld_t to read iptables_var_run_t files"
- Revert "Allow firewalld to create rawip sockets"
- Allow svirt_tcg_t domain to read system state of virtd_t domains
- Update rhcs contexts to reflect the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
- Fix typo in openct policy
- Allow winbind_t domain to connect to all ephemeral ports
- Allow firewalld_t to read iptables_var_run_t files
- Allow abrt_t domain to mmap data_home files
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
- Allow firewalld to read kernel usermodehelper state
- Allow modemmanager_t to read sssd public files
- Allow openct_t domain to mmap own var_run_t files
- Allow nnp transition for devicekit daemons
- Allow firewalld to create rawip sockets
- Allow firewalld to getattr proc filesystem
- Dontaudit sys_admin capability for pcscd_t domain
- Revert "Allow pcsd_t domain sys_admin capability"
- Allow fetchmail_t domain to stream connect to sssd
- Allow pcsd_t domain sys_admin capability
- Allow cupsd_t to create cupsd_etc_t dirs
- Allow varnishlog_t domain to list varnishd_var_lib_t dirs
- Allow mongodb_t domain to read system network state BZ(1599230)
- Allow zoneminder_t to getattr of fs_t
- Allow tgtd_t domain to create dirs in /var/run labeled as tgtd_var_run_t BZ(1492377)
- Allow iscsid_t domain to mmap sysfs_t files
- Allow httpd_t domain to mmap own cache files
- Add sys_resource capability to nslcd_t domain
- Fixed typo in logging_audisp_domain interface
- Add interface files_mmap_all_files()
- Add interface iptables_read_var_run()
- Allow systemd to mounton init_var_run_t files
- Update policy rules for auditd_t based on changes in audit version 3
- Allow systemd_tmpfiles_t to mmap system db files
- Don't setup unlabeled_t as an entry_type
- Allow unconfined_service_t to transition to container_runtime_t
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
* Wed Jul 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-35
- Allow cupsd_t domain to mmap cupsd_etc_t files
- Allow kadmind_t domain to mmap krb5kdc_principal_t
- Allow virtlogd_t domain to read virt_etc_t link files
- Allow dirsrv_t domain to read crack db
- Dontaudit pegasus_t to require sys_admin capability
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t domain to read rhsmcertd lib files
- Allow winbind_t domain to request kernel module loads
- Allow tomcat_domain to read cgroup_t files
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
- Allow innd_t domain to mmap news_spool_t files
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
- Allow fenced_t domain to reboot
- Allow amanda_t domain to read network system state
- Allow abrt_t domain to read rhsmcertd logs
- Dontaudit syslogd watching top-level dirs when imfile module is enabled
- Revert "Allow unconfined and sysadm users to use bpftool BZ(1591440)"
- Allow userdomain sudo domains to use generic ptys
- Allow systemd labeled as init_t to get sysvipc info BZ(1600877)
- Label /sbin/xtables-legacy-multi and /sbin/xtables-nft-multi as iptables_exec_t
BZ(1600690)
* Tue Jul 3 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-34
- Add dac_read_search capability to thumb_t domain
- Add dac_override capability to cups_pdf_t domain BZ(1594271)
- Add net_admin capability to conntrackd_t domain BZ(1594221)
- Allow gssproxy_t domain to domtrans into gssd_t domain BZ(1575234)
- Fix interface init_dbus_chat in oddjob SELinux policy BZ(1590476)
- Allow motion_t to mmap video devices BZ(1590446)
- Add dac_override capability to mpd_t domain BZ(1585358)
- Allow fsdaemon_t domain to write to mta home files BZ(1588212)
- Allow virtlogd_t domain to chat via dbus with systemd_logind BZ(1589337)
- Allow sssd_t domain to write to general cert files BZ(1589339)
- Allow l2tpd_t domain to send signull to ipsec domains BZ(1589483)
- Allow cockpit_session_t to read kernel network state BZ(1596941)
- Allow devicekit_power_t to start with the nnp systemd security feature with a proper SELinux
domain transition BZ(1593817)
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t
files
- Allow chronyc_t domain to use nscd shm
- Label /var/lib/tomcats dir as tomcat_var_lib_t
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
- Add ibacm policy
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
- Allow kdumpgui_t domain to execute and mmap all binaries labeled as kdumpgui_tmp_t
- Allow rpm to check if SELinux will check original protection mode or modified protection
mode (read-implies-exec) for mmap/mprotect. Allow rpm to reload systemd services
- Allow crond_t domain to create netlink selinux sockets and dac_override cap.
- Allow radiusd_t domain to have dac_override capability
- Allow amanda_t domain to have setgid capability
- Allow psad domain to setrlimit. Allow psad domain to stream connect to dbus. Allow psad
domain to exec journalctl_exec_t binary
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with
cupsd_etc_rw_t label
- Allow abrt_t domain to write to rhsmcertd pid files
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
- Add vhostmd_t domain to read/write to svirt images
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap
kdumpctl_tmp_t files
- Allow sssd_t and slapd_t domains to mmap generic certs
- Allow chronyc_t domain use inherited user ttys
- Allow stapserver_t domain to mmap own tmp files
- Allow systemd to mounton core kernel interface
- Add dac_override capability to ipsec_t domain BZ(1589534)
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Allow systemd to write systemd_logind_inhibit_var_run_t fifo files
- Allow systemd to get attributes of core kernel interface BZ(1596928)
- Allow systemd_modules_load_t to access unlabeled infiniband pkeys
- Allow init_t domain to create netlink rdma sockets for ibacm policy
- Update corecmd_exec_shell() interface to allow caller domain to mmap shell_exec_t files
- Allow lvm_t domain to write files to all mls levels
- Add to su_role_template allow rule for creating netlink_selinux sockets
- Allow sysadm_t domain to mmap hwdb db
- Allow udev_t domain to mmap kernel modules
- Allow sysadm_screen_t to have capability dac_override and chown
- Allow sysadm_t domain to mmap journal
- Merge branch 'rawhide' of github.com:fedora-selinux/selinux-policy into rawhide
- Label /etc/systemd/system.control/ dir as systemd_unit_file_t
- Merge pull request #215 from bachradsusi/merge-conf-from-fedora
- Allow sysadm_t and staff_t domains to use sudo io logging
- Allow sysadm_t domain create sctp sockets
- Add snapperd_contexts to the policy
- Use system_u:system_r:unconfined_t:s0 in userhelper_context
- Remove unneeded system_u seusers mapping.
- Fedora targeted default user is unconfined_u, root is unconfined_u as well
- Update config to reflect changes in default context for SELinux users related to
pam_selinux.so which is now used in systemd-users.
- Change failsafe_context to unconfined_r:unconfined_t:s0
- Update lxc_contexts from Fedora config.tgz
- Add lxc_contexts config file
* Thu Jun 14 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-33
- Merge pull request #60 from vmojzis/rawhide
- Allow tangd_t domain stream connect to sssd
- Allow oddjob_t domain to chat with systemd via dbus
- Allow freeipmi domains to mmap sysfs files
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasq_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
- Allow nscd_t to read kernel sysctls
- Label /var/log/conman.d as conman_log_t
- Add dac_override capability to tor_t domain
- Allow certmonger_t to readwrite to user_tmp_t dirs
- Allow abrt_upload_watch_t domain to read general certs
- Allow chronyd_t read phc2sys_t shared memory
- Add several allow rules for pesign policy
- Add setgid and setuid capabilities to mysqld_safe_t domain
- Add tomcat_can_network_connect_db boolean
- Update virt_use_sanlock() boolean to read sanlock state
- Add sanlock_read_state() interface
- Allow zoneminder_t to getattr of fs_t
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
- Add log file type to collectd and allow corresponding access
- Allow policykit_t domain to dbus chat with dhcpc_t
- Adding new boolean keepalived_connect_any()
- Allow amanda to create own amanda_tmpfs_t files
- Allow gdomap_t domain to connect to qdomap_port_t
- Merge pull request #56 from lslebodn/selinux_child
- Merge pull request #58 from milosmalik/fb-dictd-dbus
- Merge pull request #59 from milosmalik/fb-ntop-service
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t
type
- Allow ntop_t domain to create/map various sockets/files.
- Enable the dictd to communicate via D-bus.
- Allow inetd_child process to chat via dbus with abrt
- Allow zabbix_agent_t domain to connect to redis_port_t
- Allow rhsmcertd_t domain to read xenfs_t files
- Allow zabbix_agent_t to run zabbix scripts
- Fix openvswitch SELinux module
- Fix wrong path in tlp context file BZ(1586329)
- Update brltty SELinux module
- Allow rabbitmq_t domain to create own tmp files/dirs
- Allow policykit_t mmap policykit_auth_exec_t files
- Allow ipmievd_t domain to read general certs
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
- Update gpg SELinux policy module
- Allow mailman_domain to read system network state
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
- Allow antivirus_domain to read all domain system state
- Allow targetd_t domain to read gconf_home_t files/dirs
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
- Add interface nagios_unconfined_signull()
- Fix typos in zabbix.te file
- Add missing requires
- Allow tomcat domain to send email
- Fix typo in sge policy
- Allow certmonger to send emails
- Allow tomcat_t to mmap tomcat_tmp_t files
- Improve sge_rw_tcp_sockets interface
- Adding new interface: sge_rw_tcp_sockets()
- Update sge_execd_t domain with few rules
- Add new zabbix_run_sudo boolean
- Allow traceroute_t domain to exec bin_t binaries
- Allow systemd_passwd_agent_t domain to list sysfs. Allow systemd_passwd_agent_t domain to
dac_override
- Add new interface dev_map_sysfs()
- Allow sshd_keygen_t to execute plymouthd
- Allow systemd_networkd_t create and relabel tun sockets
- Add new interface postgresql_signull()
- Merge pull request #214 from wrabcak/fb-dhcpc
- Allow dhcpc_t creating own socket files inside /var/run/. Allow dhcpc_t creating
netlink_kobject_uevent_socket, netlink_generic_socket, rawip_socket BZ(1585971)
- Allow confined users get AFS tokens
- Allow sysadm_t domain to chat via dbus
- Associate sysctl_kernel_t type with filesystem attribute
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
- Fix typo in netutils.te file
- Update traceroute_t domain to allow create dccp sockets
- Update ssh_keysign policy
- Allow sshd_t domain to read/write sge tcp sockets
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-32
- Add dac_override capability to sendmail_t domain
* Wed Jun 6 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-31
- Fix typo in authconfig policy
- Update ctdb domain to support gNFS setup
- Allow authconfig_t dbus chat with policykit
- Allow lircd_t domain to read system state
- Revert "Allow fsdaemon_t to send emails BZ(1582701)"
- Fix typo in uuidd policy
- Allow tangd_t domain read certs
- Allow vpnc_t domain to read configfs_t files/dirs BZ(1583107)
- Allow vpnc_t domain to read generic certs BZ(1583100)
- Label /var/lib/phpMyAdmin directory as httpd_sys_rw_content_t BZ(1584811)
- Allow NetworkManager_ssh_t domain to be system dbusd client
- Allow virt_qemu_ga_t read utmp
- Add capability dac_override to system_mail_t domain
- Update uuidd policy to reflect last changes from base branch
- Add cap dac_override to procmail_t domain
- Allow sendmail to mmap etc_aliases_t files BZ(1578569)
- Add new interface dbus_read_pid_sock_files()
- Allow mpd_t domain read config_home files if mpd_enable_homedirs boolean is enabled
- Allow fsdaemon_t to send emails BZ(1582701)
- Allow firewalld_t domain to request kernel module BZ(1573501)
- Allow chronyd_t domain to send msg via dgram socket BZ(1584757)
- Add sys_admin capability to fprint_t SELinux domain
- Allow cyrus_t domain to create own files under /var/run BZ(1582885)
- Allow cachefiles_kernel_t domain to have capability dac_override
- Update policy for ypserv_t domain
- Allow zebra_t domain to bind on tcp/udp ports labeled as qpasa_agent_port_t
- Allow cyrus to have dac_override capability
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
- Fix homedir polyinstantion under mls
- Fixed typo in init.if file
- Allow systemd to remove generic tmp files BZ(1583144)
- Update init_named_socket_activation() interface to also allow systemd create objects in
/var/run with proper label during socket activation
- Allow systemd-networkd and systemd-resolved services read system-dbusd socket
BZ(1579075)
- Fix typo in authlogin SELinux security module
- Allow nsswitch_domain attribute to be system dbusd client BZ(1584632)
- Allow audisp_t domain to mmap audisp_exec_t binary
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
- Label tcp/udp ports 2612 as qpasa_agent_port_t
* Sat May 26 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-30
- Add dac_override to exim policy BZ(1574303)
- Fix typo in conntrackd.fc file
- Allow sssd_t to kill sssd_selinux_manager_t
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean
httpd_can_network_connect_db is turned on
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
- Allow policykit_auth_t to read udev db files BZ(1574419)
- Allow varnishd_t to be dbus client BZ(1582251)
- Allow cyrus_t domain to mmap own pid files BZ(1582183)
- Allow user_mail_t domain to mmap etc_aliases_t files
- Allow gkeyringd domains to run ssh agents
- Allow gpg_pinentry_t domain read ssh state
- Allow gpg_agent_t to send msgs to syslog/journal
- Add dac_override capability to dovecot_t domain
- Allow nscd_t domain to mmap system_db_t files
- Allow tangd_t domain to create tcp sockets and add new interface tangd_read_db_files
- Allow sysadm_u use xdm
- Allow xdm_t domain to listen for unix dgram sockets BZ(1581495)
- Add interface ssh_read_state()
- Fix typo in sysnetwork.if file
- Update dev_map_xserver_misc interface to allow mmaping char devices instead of files
- Allow noatsecure permission for all domain transitions from systemd.
- Allow systemd to read tangd db files
- Fix typo in ssh.if file
- Allow xdm_t domain to mmap xserver_misc_device_t files
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-29
- Fixed typos in devices.if file
* Thu May 24 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-28
- Allow mailman_mail_t domain to search for apache configs
- Allow mailman_cgi_t domain to ioctl an httpd with unix domain stream sockets.
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow ptrace arbitrary processes
- Allow jabberd_router_t domain read kerberos keytabs BZ(1573945)
- Allow certmonger to getattr of filesystems BZ(1578755)
- Allow hypervvssd_t domain to read fixed disk devices
- Allow several domains to manage ecryptfs_t filesystem
- Allow userdom_use_user_ttys for loadkeys_t domain
- Add dac_override capability to cachefiles_kernel_t domain
- Allow blueman to execute ldconfig BZ(1577581)
- Allow gpg_pinentry_t domain to read state of gpg_t processes
- Allow xdm_t domain to mmap xserver_misc_device_t files
- Allow xdm_t domain to execute systemd-coredump binary
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
- Improve auth_domtrans_login_program() interface to allow also mmap login_exec_t binaries
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t
binaries.
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
- Improve running xorg with proper SELinux domain even if systemd security feature
NoNewPrivileges is used
- Associate sysctl_vm_overcommit_t with fs_t
- Allow systemd creating bluetooth sockets
- Allow ssh client to read network sysctl BZ(1574170)
- Allow systemd_resolved_t and systemd_networkd_t to read dbus pid files
* Tue May 22 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-27
- Increase dependency versions of policycoreutils and checkpolicy packages
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-26
- Disable secure mode environment cleansing for dirsrv_t
- Allow udev to execute /usr/libexec/gdm-disable-wayland in xdm_t domain, which allows creating
/run/gdm/custom.conf with proper xdm_var_run_t label.
* Mon May 21 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-25
- Add dac_override capability to remote_login_t domain
- Allow chrome_sandbox_t to mmap tmp files
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
- Allow systemd socket activation for modemmanager
- Allow geoclue to dbus chat with systemd
- Fix file contexts on conntrackd policy
- Temporary fix for varnish and apache adding capability for DAC_OVERRIDE
- Allow lsmd_plugin_t domain to getattr lsm_t unix stream sockets
- Add label for /usr/sbin/pacemaker-remoted to have cluster_exec_t
- Allow nscd_t domain to be system dbusd client
- Allow abrt_t domain to read sysctl
- Add dac_read_search capability for tangd
- Allow systemd socket activation for rshd domain
- Add label for /usr/libexec/cyrus-imapd/master as cyrus_exec_t to have proper SELinux
domain transition from init_t to cyrus_t
- Allow kdump_t domain to map /boot files
- Allow conntrackd_t domain to send msgs to syslog
- Label /usr/sbin/nhrpd and /usr/sbin/pimd binaries as zebra_exec_t
- Allow svnserve_t domain to stream connect to sasl domain
- Allow smbcontrol_t to create dirs with samba_var_t label
- Remove execstack, execmem and execheap from domains setroubleshootd_t, locate_t and
podsleuth_t to increase security. BZ(1579760)
- Allow tangd to read public sssd files BZ(1509054)
- Allow geoclue to start with the nnp systemd security feature with a proper SELinux domain
transition BZ(1575212)
- Allow ctdb_t domain modify ctdb_exec_t files
- Allow firewalld_t domain to create netlink_netfilter sockets
- Allow radiusd_t domain to read network sysctls
- Allow pegasus_t domain to mount tracefs_t filesystem
- Allow psad_t domain to read all domains state
- Allow tomcat_t domain to connect to mongod_t tcp port
- Allow dovecot and postfix to connect to systemd stream sockets
- Make nmbd_t domain dbus system client BZ(1569856)
- Merge pull request #55 from SISheogorath/fix/tlp-policy
- Merge pull request #54 from tmzullinger/rawhide
- Allow also listing system_dbusd_var_run_t dirs in dbusd_read_pid_files macro
BZ(1566168)
- Allow gssproxy_t domain to read gssd_t state BZ(1572945)
- Allow create systemd to mount pid files
- Add files_map_boot_files() interface
- Remove execstack, execmem and execheap from domain fsadm_t to increase security.
BZ(1579760)
- Fix typo in xserver SELinux module
- Allow systemd to mmap files with var_log_t label
- Allow x_userdomains read/write to xserver session
- Allow users staff and sysadm to run wireshark on own domain
- Fix typos s/xserver/xdm/ for allow creating xserver misc devices
- Allow systemd-bootchart to create own tmpfs files
- Merge pull request #213 from tmzullinger/rawhide
- Allow xdm_t domain to install Nouveau drivers BZ(1570996)
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Sat Apr 28 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-24
- Allow unconfined_domain_type to create libs filetrans named content BZ(1513806)
* Fri Apr 27 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-23
- Allow dnssec_trigger_t domain to read system network state BZ(1570205)
- Add dac_override capability to mailman_mail_t domain
- Add dac_override capability to radvd_t domain
- Update openvswitch policy
- Add dac_override capability to oddjob_homedir_t domain
- Allow slapd_t domain to mmap slapd_var_run_t files
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
- Allow logrotate_t domain to stop services via systemd
- Add tang policy
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label
mozilla_home_t
- Allow snapperd_t daemon to create unlabeled dirs.
- Make httpd_var_run_t mountpoint
- Allow hsqldb_t domain to mmap own temp files
- We have inconsistency in cgi templates with upstream: we use _content_t, but refpolicy
uses httpd__content_t. Created aliases to make it consistent
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
- Add new Boolean tomcat_use_execmem
- Allow nfsd_t domain to read/write sysctl fs files
- Allow conman to read system state
- Allow brltty_t domain to be dbusd system client
- Allow zebra_t domain to bind on babel udp port
- Allow freeipmi domain to read sysfs_t files
- Allow targetd_t domain mmap lvm config files
- Allow abrt_t domain to manage kdump crash files
- gnome_data_filetrans macro should be in optional block
- Allow netutils_t domain to create bluetooth sockets
- Allow traceroute to bind on generic sctp node
- Allow traceroute to search network sysctls
- Allow systemd to use virtio console
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
- Label /run/ebtables.lock as iptables_var_run_t
- Allow udev_t domain to manage udev_rules_t char files.
- Assign babel_port_t label to udp port 6696
- Add new interface lvm_map_config
- Merge pull request #212 from stlaz/patch-1
- Allow local_login_t reads of udev_var_run_t context
* Wed Apr 18 2018 Lukas Vrabec <lvrabec(a)redhat.com> - 3.14.1-22
- Allow networkmanager domain to write to ecryptfs_t files BZ(1566706)
- Allow l2tpd domain to stream connect to sssd BZ(1568160)
- Dontaudit abrt_t to write to lib_t dirs BZ(1566784)
- Allow NetworkManager_ssh_t domain transition to insmod_t BZ(1567630)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1614333 - SELinux is preventing boltd from 'write' accesses on the
sock_file socket.
https://bugzilla.redhat.com/show_bug.cgi?id=1614333
[ 2 ] Bug #1613969 - SELinux is preventing colord from 'map' accesses on the
file /home/myuser/.local/share/icc/edid-e6a5375115240064bcc0d7209d55eed8.icc.
https://bugzilla.redhat.com/show_bug.cgi?id=1613969
[ 3 ] Bug #1614763 - please fix /var/lib/pgsql/data/log label to postgresql_log_t
https://bugzilla.redhat.com/show_bug.cgi?id=1614763
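The three reports above are the setroubleshoot rendering of raw AVC denials. The script below is an added example for this notification, not code from Fedora or the selinux-policy project: it parses audit(8) AVC records, reproduces the one-line summary quoted in the References, checks each denial against the 3.14.1-40 changelog entries that address it, and decides whether an installed selinux-policy version (in rpm's [epoch:]version-release form) is already at or past this build. The FIXED_IN_UPDATE table, the sample records and the installed version string are assumptions; the records are constructed to resemble the referenced bugs, not copied from Bugzilla.

```python
"""AVC denial triage against FEDORA-2018-46564d0139 (selinux-policy 3.14.1-40.fc28).

Added example for this notification, not code from Fedora or the selinux-policy
project. Assumes the standard audit(8) AVC record layout; the sample records are
constructed to resemble the referenced reports, not copied from Bugzilla.
"""
import re

FIXED_EVR = "3.14.1-40.fc28"

# (source type, permission, target class, target type or None) -> changelog note.
# Assumption: filled in by hand from the 3.14.1-40 changelog and the References above.
FIXED_IN_UPDATE = {
    ("boltd_t", "write", "sock_file", None):
        "Allow boltd_t to send logs to journal (bug 1614333)",
    ("colord_t", "map", "file", "nfs_t"):
        "colord_use_nfs now also allows mmap of nfs_t files (bug 1613969; boolean must be on)",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of user:role:type[:level]; anything unparsable is returned as-is."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Dict for one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "name": fields.get("path") or fields.get("name") or "",
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "enforced": fields.get("permissive") != "1",
    }


def summarize(rec):
    """The one-liner setroubleshoot shows, in the wording used in the References."""
    return "SELinux is preventing %s from '%s' accesses on the %s %s." % (
        rec["comm"], "/".join(rec["perms"]), rec["tclass"], rec["name"])


def match_fix(rec):
    """Changelog note if this update addresses the denial, else None."""
    for perm in rec["perms"]:
        for ttype in (rec["ttype"], None):  # type-specific entry first, then generic
            note = FIXED_IN_UPDATE.get((rec["stype"], perm, rec["tclass"], ttype))
            if note:
                return note
    return None


def rpm_key(s):
    """Sort key approximating rpmvercmp(3): alnum segments, numeric beats alpha,
    a longer string with the same prefix is newer. Assumption: no '~' tags."""
    return [(1, int(seg)) if seg.isdigit() else (0, seg)
            for seg in re.findall(r"\d+|[A-Za-z]+", s)]


def evr_key(evr):
    """[epoch:]version-release -> comparable (epoch, version key, release key)."""
    epoch, _, rest = evr.rpartition(":")
    ver, _, rel = rest.partition("-")
    return (int(epoch or 0), rpm_key(ver), rpm_key(rel))


def policy_has_fix(installed_evr):
    """True once the installed selinux-policy is at or past this advisory's build."""
    return evr_key(installed_evr) >= evr_key(FIXED_EVR)


# Constructed records resembling the referenced reports; the third is a classic
# boolean-gated denial (httpd_can_network_connect_db) that this update does not touch.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1534406400.101:321): avc:  denied  { write } for  pid=812 comm="boltd" '
    'name="socket" dev="tmpfs" ino=1234 scontext=system_u:system_r:boltd_t:s0 '
    'tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1534406401.202:322): avc:  denied  { map } for  pid=1415 comm="colord" '
    'path="/home/myuser/.local/share/icc/edid-e6a5375115240064bcc0d7209d55eed8.icc" dev="0:45" '
    'ino=5678 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:nfs_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1534406402.303:323): avc:  denied  { name_connect } for  pid=3000 '
    'comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
]


def triage(lines):
    """(summary, changelog note or None) for every AVC denial in the input."""
    return [(summarize(r), match_fix(r)) for r in map(parse_avc, lines) if r]


if __name__ == "__main__":
    installed = "3.14.1-39.fc28"  # assumption; real value: rpm -q --qf '%{V}-%{R}\n' selinux-policy
    for summary, note in triage(SAMPLE_AVCS):
        print(summary)
        print("    ->", note or "not addressed by FEDORA-2018-46564d0139")
    print("installed policy already carries the fixes:", policy_has_fix(installed))
```

On a real host, feed it the lines from `ausearch -m AVC -ts recent` instead of SAMPLE_AVCS. Two caveats follow from the changelog: the colord rule is gated by the colord_use_nfs boolean, so a matching denial persists until `setsebool -P colord_use_nfs on`; and the postgresql entry (bug 1614763) is a file-context change rather than an allow rule, so compare `matchpathcon /var/lib/pgsql/data/log` (what the policy says) with `ls -Zd /var/lib/pgsql/data/log` (what is on disk) and run `restorecon -Rv` on the directory if they differ.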
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-46564d0139' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------