--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-1337
2015-01-30 00:49:30
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 21
Version     : 3.13.1
Release     : 105.fc21
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:

More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=604115
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 15 2015 Lukas Vrabec lvrabec@redhat.com 3.13.1-105
- Fix labels on /etc/kde/kdm
- Allow texlive managers to relabelfrom
- Add iptables_var_lib_t for /var/lib/ebtables
- Allow mount_ecryptfs_t to read/write pam_console data
- Allow mozilla plugins to connect to bluetooth devices
- Allow system_mail_t to create content in /var/lib/munin
- Allow prosody_t to execmem, since it is using luajit.
- Allow NetworkManager to noatsecure openvpn
- Allow canna to call getpw*
- Allow telepathy_mission_control to create tmp files
- Remove boolean gpg_agent_env_file
- Allow shorewall to transition to the netutils domain
- Allow bumblebee to read proc_net_t. BZ (1176329)
- Dontaudit attempts by thumb_t to setfscreate; this is caused by executing the mv command under the thumb_t domain

* Thu Jan 15 2015 Lukas Vrabec lvrabec@redhat.com 3.13.1-104
- Fix unconfined_server_dbus_chat() interface
- Add type for tcp/18700 port and have it as lsm_plugin_port_t.
- Fix mount_entry_type() interface.
- Update xserver_rw_xdm_keys() interface to have 'setattr'.
- Fix storage_tmp_filetrans_fixed_disk() interface.
- Allow sulogin to read /dev/urandom and /dev/random.
- Update radius port definition to have also tcp/18121.
- Add 18120/tcp as radius port.
- Label prandom as random_device_t.
- Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.
- Dontaudit svirt_domains attempting to setattr on /proc
- Allow systemd_passwd_agent to look at processes in /proc
- Fix label on /var/lib/sddm
- Allow systemd_logind_t to delete tmpfs files
- Allow systemd to manage all lock files
- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
- Allow init_t to create gnome content in homedirs
- systemd_sysctl needs to have sys_rawio
- userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs
- Allow userdomains to use mount commands as entrypoints
- Bug #1178562 shows systemd_hostnamed_t reads /proc/xen
- Label /usr/libexec/Xorg.bin as xserver_exec_t.
- Allow sssd to send dbus to all user domains.
- Allow lsm plugin to read certificates.
- Make snapperd an unconfined domain.
- Fix labeling for keystone CGI scripts
- Fix bugs in interfaces discovered by sepolicy.
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
- Allow lsm plugins to connect to tcp/18700 by default.
- Allow brltty mknod capability to allow creating /var/run/brltty/vcsa.
- Fix pcp_domain_template() interface.
- Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc.
- Allow glance-scrubber to connect to tcp/9191.
- Add conman_can_network.
- Allow conman to create files/dirs in /tmp.
- Allow rabbitmq_t to run hostname
- Allow named to manage files in the dnssec_trigger_var_run_t directory
- Allow rabbitmq_t to deal with link files created with its content
- Allow pcp_domains to connect to ephemeral ports, allow webd domain to dbus with avahi
- Dontaudit svirt_domains attempting to setattr on /proc
- Allow mdadm_t to getattr on init status files
- Allow rpcd_t to write to /proc
- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
- Add lmt-req.lock as an apmd_lock file
- Allow rpm running under the sblim domain to send signull to setroubleshootd.

* Mon Dec 15 2014 Lukas Vrabec lvrabec@redhat.com 3.13.1-103
- Docker has a new config/key file it writes to /etc/docker
- Add support for /usr/share/vdsm/daemonAdapter
- Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.
- Allow virt_qemu_ga_t to execute kmod
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)

* Thu Dec 11 2014 Lukas Vrabec lvrabec@redhat.com 3.13.1-102
- Allow pegasus_openlmi_storage_t to use nsswitch. BZ(1172258)
- Allow docker daemon to start transient units
- Add support for /var/run/gluster.
- Allow openvpn to manage systemd_passwd_var_run_t files. BZ(1170085)
- Fix /usr/libexec/sssd/selinux_child labeling.
- Label /usr/libexec/tomcat/server as tomcat_exec_t.

* Tue Dec 2 2014 Lukas Vrabec lvrabec@redhat.com 3.13.1-101
- Add files_dontaudit_list_security_dirs() interface
- Allow rlogind to use also rlogin ports
- Dontaudit couchdb listing /var
- couchdb: allow disksup to monitor the local disks
- Dontaudit listing security dirs for the samba domain.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)

* Tue Nov 25 2014 Lukas Vrabec lvrabec@redhat.com 3.13.1-100
- Add seutil_dontaudit_access_check_semanage_module_store() interface
- Update to have all _systemctl() interfaces also init_reload_services()
- Allow named_filetrans_domain to create ibus directory with correct labeling
- Add labeling for /sbin/iw.
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver run as unconfined_service_t.
- getty_t should be ranged in MLS. Then also local_login_t runs as a ranged domain
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
- I guess there can be content under /var/lib/lockdown #1167502
- Dontaudit access check on SELinux module store for sssd
- Update to have all _systemctl() interfaces also init_reload_services()
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI work
- Allow keystone to send a generic signal to its own process.
- Dontaudit listing user_tmp files for system_mail_t
- Label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Allow .snapshots to be created in other directories, on all mountpoints
- Add missing alias for _content_rw_t
- Allow spamd to access razor-agent.log
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1156557 - [nagios_system_plugin_t] SELinux is preventing check_procs from getattr access on the file /usr/sbin/nrpe.
        https://bugzilla.redhat.com/show_bug.cgi?id=1156557
  [ 2 ] Bug #1158258 - SELinux is preventing /usr/bin/python2.7 from 'ioctl' accesses on the unix_stream_socket unix_stream_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=1158258
  [ 3 ] Bug #1167109 - /usr/bin/newaliases: No such file or directory
        https://bugzilla.redhat.com/show_bug.cgi?id=1167109
  [ 4 ] Bug #1168112 - SELinux is preventing /usr/bin/python2.7 (deleted) from 'setattr' accesses on the directory /proc.
        https://bugzilla.redhat.com/show_bug.cgi?id=1168112
  [ 5 ] Bug #1169836 - SELinux drops AVC related to certmonger during ipa-server-install
        https://bugzilla.redhat.com/show_bug.cgi?id=1169836
  [ 6 ] Bug #1170083 - SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from 'getattr' accesses on the file /proc/<pid>/stat.
        https://bugzilla.redhat.com/show_bug.cgi?id=1170083
  [ 7 ] Bug #1170084 - SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from 'search' accesses on the directory 3631.
        https://bugzilla.redhat.com/show_bug.cgi?id=1170084
  [ 8 ] Bug #1172413 - SELinux is preventing /usr/bin/touch from 'create' accesses on the file libvirt-guests.
        https://bugzilla.redhat.com/show_bug.cgi?id=1172413
  [ 9 ] Bug #1172774 - SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.
        https://bugzilla.redhat.com/show_bug.cgi?id=1172774
  [ 10 ] Bug #1174278 - ecryptfs doesn't automount Private at login since upgrade to FC21 beta
        https://bugzilla.redhat.com/show_bug.cgi?id=1174278
  [ 11 ] Bug #1174915 - OPENSSL_ENABLE_MD5_VERIFY can not be used with NetworkManager & OpenVPN to re-enable MD5 certificate verification
        https://bugzilla.redhat.com/show_bug.cgi?id=1174915
  [ 12 ] Bug #1175054 - SELinux is preventing /usr/bin/kdm (deleted) from 'entrypoint' accesses on the file /etc/kde/kdm/Xsetup.
        https://bugzilla.redhat.com/show_bug.cgi?id=1175054
  [ 13 ] Bug #1175068 - SELinux is preventing /usr/sbin/hddtemp from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1175068
  [ 14 ] Bug #1175258 - SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file /var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0.
        https://bugzilla.redhat.com/show_bug.cgi?id=1175258
  [ 15 ] Bug #1175927 - SELinux is preventing umount.ecryptfs from read, write access on the file /run/console/brandoni.
        https://bugzilla.redhat.com/show_bug.cgi?id=1175927
  [ 16 ] Bug #1175928 - SELinux is preventing login from 'entrypoint' accesses on the file /usr/sbin/mount.ecryptfs_private.
        https://bugzilla.redhat.com/show_bug.cgi?id=1175928
  [ 17 ] Bug #1176226 - SELinux is preventing mv from using the 'setfscreate' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176226
  [ 18 ] Bug #1176289 - SELinux is preventing /usr/bin/mv from 'relabelfrom' accesses on the file .
        https://bugzilla.redhat.com/show_bug.cgi?id=1176289
  [ 19 ] Bug #1176327 - SELinux is preventing /usr/libexec/Xorg.bin from 'write' accesses on the directory /tmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176327
  [ 20 ] Bug #1176329 - SELinux is preventing bumblebeed from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176329
  [ 21 ] Bug #1176625 - SELinux denials for shorewall
        https://bugzilla.redhat.com/show_bug.cgi?id=1176625
  [ 22 ] Bug #1176711 - SELinux is preventing gpg-agent from 'create' accesses on the file .gpg-agent-info.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176711
  [ 23 ] Bug #1176712 - SELinux is preventing mission-control from 'write' accesses on the directory /run/user/1002.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176712
  [ 24 ] Bug #1176845 - SELinux is preventing cannaserver from 'search' accesses on the directory /var/lib/sss.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176845
  [ 25 ] Bug #1176848 - SELinux is preventing cannaserver from 'read' accesses on the file /etc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=1176848
  [ 26 ] Bug #1177040 - [abrt] dnssec-trigger: subprocess.py:540:check_call:CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1
        https://bugzilla.redhat.com/show_bug.cgi?id=1177040
  [ 27 ] Bug #1177296 - SELinux is preventing /usr/libexec/bluetooth/bluetoothd from 'write' accesses on the file brightness.
        https://bugzilla.redhat.com/show_bug.cgi?id=1177296
  [ 28 ] Bug #1177632 - SELinux is preventing revalidator5 from search access on the directory net.
        https://bugzilla.redhat.com/show_bug.cgi?id=1177632
  [ 29 ] Bug #1178562 - SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'getattr' accesses on the file /proc/xen/capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1178562
  [ 30 ] Bug #1178730 - SELinux is preventing Xorg.bin from 'getattr' accesses on the file /proc/<pid>/cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=1178730
  [ 31 ] Bug #1179488 - SELinux is preventing docker from using the 'setsched' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1179488
  [ 32 ] Bug #1159672 - SELinux is preventing /usr/lib/systemd/systemd-logind from 'getattr' accesses on the file /dev/shm/spice.2372.
        https://bugzilla.redhat.com/show_bug.cgi?id=1159672
  [ 33 ] Bug #1162546 - missing SELinux policy for Xorg.bin
        https://bugzilla.redhat.com/show_bug.cgi?id=1162546
  [ 34 ] Bug #1162712 - SELinux AVCs with pcp-webapi
        https://bugzilla.redhat.com/show_bug.cgi?id=1162712
  [ 35 ] Bug #1167759 - selinux denies pam_mount to mount home on Fedora 21
        https://bugzilla.redhat.com/show_bug.cgi?id=1167759
  [ 36 ] Bug #1173486 - RPM verification reports vbetool.pp as missing
        https://bugzilla.redhat.com/show_bug.cgi?id=1173486
  [ 37 ] Bug #1177051 - bacula-fd generates SELinux alerts when it tries to back up a FIFO.
        https://bugzilla.redhat.com/show_bug.cgi?id=1177051
  [ 38 ] Bug #1177716 - [PATCH] couchdb_t must be allowed to sendto kernel unix dgram sockets
        https://bugzilla.redhat.com/show_bug.cgi?id=1177716
  [ 39 ] Bug #1177717 - couchdb selinux: gconf_home_t AVC
        https://bugzilla.redhat.com/show_bug.cgi?id=1177717
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use

  su -c 'yum update selinux-policy'

at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. Afterwards, `rpm -q selinux-policy` should report 3.13.1-105.fc21; note that the policy is reloaded on package upgrade but existing files are not relabeled, so a labeling fix in the changelog (for example the new /usr/libexec/Xorg.bin or /var/lib/sddm labels) may still need `restorecon -Rv` on the affected path.

All packages are signed with the Fedora Project GPG key. yum checks that signature only for repositories configured with gpgcheck=1, which is the Fedora default; a package fetched by hand can be checked with `rpm -K`. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
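Almost every entry in the changelog above exists to answer a specific AVC denial, and the bug list is the set of reports that carried them. To decide whether a denial on your own host is one this build addresses, reduce the raw audit record to the form the changelog entries use: source type, target type, object class and permission set (for example "Allow bumblebee to read proc_net_t"). The script below is an added example for this announcement, not code from the Fedora project or from the selinux-policy package. The audit lines it parses are constructed to resemble the denials behind bugs 1176329, 1176226 and 1175927; the SELinux type names in those constructed contexts are assumptions made for the example, not copied from the bug reports.

```python
import re
import sys

# Constructed sample audit records (not from the announcement or any real host).
# They imitate /var/log/audit/audit.log lines for bugs 1176329 (bumblebeed reading
# /proc/net/unix), 1176226 (mv under thumb_t using setfscreate) and 1175927
# (umount.ecryptfs touching /run/console/<user>). The SELinux types in the
# contexts are assumptions for this example, not copied from the bug reports.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1421328001.123:456): avc:  denied  { read } for  pid=1234 comm="bumblebeed" name="unix" dev="proc" ino=4026531968 scontext=system_u:system_r:bumblebee_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1421328001.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="bumblebeed"
type=AVC msg=audit(1421328002.456:457): avc:  denied  { setfscreate } for  pid=2345 comm="mv" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1421328003.789:458): avc:  denied  { read write } for  pid=3456 comm="umount.ecryptfs" name="brandoni" dev="tmpfs" ino=12345 scontext=system_u:system_r:mount_ecryptfs_t:s0 tcontext=system_u:object_r:pam_var_console_t:s0 tclass=file permissive=0
"""

# One AVC record: the result, the permission set in braces, and the two security
# contexts plus object class that identify the rule the kernel looked up.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": type_of(m.group("scontext")),
        "target_type": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def summarize(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def format_rules(rules):
    """Render the summary as allow rules, writing 'self' when source == target."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def main(argv):
    # With a path argument, read a real audit.log; otherwise use the sample above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in format_rules(summarize(lines)):
        print(rule)


if __name__ == "__main__":
    main(sys.argv)
```

`audit2allow -a` produces the same kind of summary from the live audit log, and `ausearch -m AVC -ts recent` shows what is still being denied after the update is installed. Treat the output as a list of what was denied, not as a module to load: the changelog above shows the maintainers answering the thumb_t setfscreate denial with a dontaudit rule rather than an allow, and whether a domain should gain setfscreate on itself or read access to proc_net_t is a policy decision that the denial alone does not settle.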
package-announce@lists.fedoraproject.org