--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14734
2011-10-22 07:43:07
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 14
Version     : 3.9.7
Release     : 46.fc14
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Backport puppet fixes from F16
- Add label for /etc/passwd.adjunct.*
- Fixes for vdagent policy
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-46
- Backport puppet fixes from F16
- Add label for /etc/passwd.adjunct.*
- Fixes for vdagent policy

* Mon Aug 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-45
- Backport f15 fixes

* Thu Aug 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-44
- Backport dirsrv-admin changes

* Mon Jun 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-43
- Fixes for fail2ban and iptables
- Fixes for dovecot
- Fixes for piranha policy

* Fri May 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-42
- Make upgrade from F13 work
- Fixes for asterisk policy
- Fixes for vdagent policy

* Tue May 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-41
- Allow aisexec domtrans to corosync domain
- Allow kadmind setsched
- Allow mailman to read/write postfix master pipes
- Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files
- Allow spamd to send mail
- Allow sshd getcap
- Add tgtd_var_run_t type
- Allow vnstatd to read system state

* Tue Apr 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-40
- Add support for AEOLUS project
- Fixes for asterisk and setroubleshoot domains
- Fix label for /usr/sbin/fping
- Fix label for chrome
- Fixes for foghorn policy

* Mon Apr 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-39
- Allow foghorn to read snmp lib files
- Other fixes for foghorn policy
- Make sysadm security admin
- Fix ssh_sysadm_login boolean
- Fix seunshare interface
- Add allow_sysadm_manage_security boolean
- Add label for /dev/dlm.*
- Allow auditadm_screen_t and secadm_screen_t dac_override capability
- SSH_USE_STRONG_RNG is 1 which requires /dev/random
- Fix auth_rw_faillog definition
- Allow procmail and system_mail_t to use fifo_file passed into it from postfix_master
- Fixes for nslcd policy
- Allow rgmanager to send the kill signal to all users

* Fri Mar 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-38
- Add support for a new cluster service - foghorn
- Add /var/spool/audit support for new version of audit
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- Allow syslogd setrlimit, sys_nice
- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed

* Mon Mar 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-37
- Add label for /usr/share/shorewall/getparams

* Sun Mar 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-36
- xdm needs to read KDE config files

* Fri Mar 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-35
- Additional fixes for gnomeclock policy

* Fri Mar 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-34
- Add matahari policy
- Allow shutdown setsched and sys_nice
- Add port definition for dogtag, matahari, movaz ports
- Add label for /etc/securetty
- Fixes for piranha-pulse policy
- Fixes for mock policy
- Add support for KDE ksysguardprocesslist_helper
- Add support for a new cluster service - foghorn
- Add support for xfce4-notifyd
- Add support for kcmdatetimehelper
- Fixes for spice-vdagent policy
- Fixes for ssh-keygen policy

* Fri Mar 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-33
- Backport sandbox and seunshare policy from F15
- Allow svirt to manage sock_file in ~/.libvirt directory
- Allow sysadm to run udev in udev_t domain
- Remove capability from svirt
- Add lvm_exec_t label for kpartx
- Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the users home dir
- Allow lvm setfscreate
- mta search /var/lib/logcheck
- sssd needs to bind to random UDP ports
- certmonger wants to read keytab files

* Fri Feb 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-32
- Allow amavis sigkill
- Allow winbind to read network state information
- Add ajaxterm ssh client session
- mta search /var/lib/logcheck
- sssd needs to bind to random UDP ports

* Thu Feb 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-31
- Allow all sandbox to read selinux policy config files
- Add reading tftpd_rw_t to tftp_read_content
- Add allow_daemons_use_tcp_wrappers boolean
- Allow amavis to talk to nslcd

* Tue Feb 15 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-30
- allow chfn_t to check whether rssh_exec_t is executable
- Make labeled ipsec work in MLS machines
- cgred needs fsetid
- Allow cmirrord to create physical disk devices in /dev
- Make NNTP gateway work with mailman

* Fri Feb 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-29
- Revert
  * Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
- Fix spec file to make this work

* Wed Feb 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-28
- Make sandbox work
- Fix httpd_selinux man page to refer to httpd_sys_rw_content_t
- Allow awstats to read squid logs
- Allow dirsrv to send syslog messages

* Tue Feb 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-27
- ricci_modclusterd_t needs to bind to rpc ports 500-1023
- Fix keyboardd interface

* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-26
- Add execmem_exec_t label for gimp
- Allow nagios plugin to read /proc/meminfo
- Fix label for /usr/lib/debug
- Add label for /usr/lib/bjlib
- Fixes for confined users
- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite

* Thu Jan 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-25
- .forward.* needs to be labeled mail_home_t
- .forward file can cause postfix_local to execute local content

* Wed Jan 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-24
- Add sepgsql fixes from KaiGai Kohei

* Wed Jan 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-23
- Add puppetmaster_uses_db boolean
- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
- sandbox fixes
- Allow shorewall to read iptables conf files

* Fri Jan 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-22
- Add namespace policy
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstantiated homedir
- Allow dirsrv to use kerberos

* Fri Jan 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-21
- Make kernel_t domain MLS trusted for lowering the level of file.
- Add label for /var/lib/tftpboot/grub directory
- Fixes for mpd policy
- Fix amanda_search_lib interface

* Tue Jan 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-20
- Fixes for iscsi policy
- Allow dmesg to read system state
- squid apache script connects to the squid port
- /var/stockmaniac/templates_cache contains log files
- Allow radius to communicate with postgresql
- Add transition from unconfined_java_t to wine_t

* Wed Dec 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-19
- Fixes for passenger policy
- Allow staff user to execute mysql

* Thu Dec 16 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-18
- Other fixes for munin plugins policy

* Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-17
- Fixes for sandbox policy
- Add setuid capability for vpnc
- Allow sandbox to run on nfs partitions
- Allow domains that transition to ping or traceroute to kill them
- Allow user_t to conditionally transition to ping_t and traceroute_t

* Fri Dec 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-16
- Allow boinc-project to read mtab
- Fixes for clamscan

* Mon Dec 6 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-15
- Allow mount fowner capability
- Fix the label for wicd log
- Allow avahi to request the kernel to load a module
- Allow mpd to read alsa config

* Wed Dec 1 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-14
- Allow clear dac overrides
- Fix dirsrv.te to talk to rpcbind
- certmonger needs to manage dirsrv data
- Allow postfix-smtpd to connect to dovecot unix domain stream socket
- Allow ssh_keygen to generate files in /root/.ssh

* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-13
- Allow ddclient to fix file mode bits of ddclient conf file
- Add labels for /etc/lirc directory
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0

* Thu Nov 18 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-12
- Add xdm_exec_bootloader boolean
- Allow cgconfig fsetid capability
- Allow logwatch and cron to mls_read_to_clearance for MLS boxes
- Allow wm to send signull to all applications and receive them from users
- lircd patch from field
- Patch from Stephen Beahm for ulogd policy
- Turn on pyzor policy

* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-11
- Allow mysqld-safe to send system log messages
- Fix label for lxdm.sock
- Fixes for ddclient policy
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Add label for acroread
- Add dirsrv and dirsrv-admin policy
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp

* Wed Nov 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-10
- Turn on ddclient policy
- Allow mount to set the attributes of all mount points
- Allow bitlbee setsched
- Allow groupd transition to fenced domain when it executes fence_node
- Fixes for rchs policy
- Fixes for puppetmaster

* Mon Nov 8 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.7-9
- Fixes for corosync policy
- Add initial drbd policy
- Allow mpd to be able to read samba/nfs files

* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip writes to /usr dirs
- Allow system_mail_t to create /root/dead.letter as mail_home_t
- Add vdagent policy for spice agent daemon

* Thu Oct 28 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-7
- Dontaudit sandbox sending sigkill to all user domains
- Add policy for rssh_chroot_helper
- Add missing flask definitions
- Allow udev to relabelto removable_t
- Fix label on /var/log/wicd.log
- Transition to initrc_t from init when executing bin_t
- Add audit_access permissions to file
- Make removable_t a device_node
- Fix label on /lib/systemd/*

* Fri Oct 22 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-6
- Fixes for systemd to manage /var/run
- Dontaudit leaks by firstboot

* Tue Oct 19 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-5
- Allow chrome to create netlink_route_socket
- Add additional MATLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #595508 - pam_mount 2.x requires cryptsetup privileges
        https://bugzilla.redhat.com/show_bug.cgi?id=595508
  [ 2 ] Bug #699187 - SELinux is preventing /usr/lib/mailman/mail/mailman from read access on the fifo_file fifo_file
        https://bugzilla.redhat.com/show_bug.cgi?id=699187
  [ 3 ] Bug #703900 - description of allow_httpd_sys_script_anon_write references nonexistant file type context.
        https://bugzilla.redhat.com/show_bug.cgi?id=703900
  [ 4 ] Bug #704262 - AVC set to not audit prevent easy policy modifications for roundcube mail and postfix
        https://bugzilla.redhat.com/show_bug.cgi?id=704262
  [ 5 ] Bug #715039 - AVCs when trying to create new 389-ds instance through 389-console
        https://bugzilla.redhat.com/show_bug.cgi?id=715039
  [ 6 ] Bug #637736 - SELinux prevents dnsmasq to work
        https://bugzilla.redhat.com/show_bug.cgi?id=637736
  [ 7 ] Bug #689205 - SELinux is preventing /usr/bin/boinc_client from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.
        https://bugzilla.redhat.com/show_bug.cgi?id=689205
  [ 8 ] Bug #692827 - puppetmasterd needs name_bind and node_bind
        https://bugzilla.redhat.com/show_bug.cgi?id=692827
  [ 9 ] Bug #703813 - RFE: let cobbler run puppetca (puppet cert)
        https://bugzilla.redhat.com/show_bug.cgi?id=703813
  [ 10 ] Bug #727498 - SELinux is preventing /usr/bin/fetchmail from getattr access on the file /etc/krb5.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=727498
  [ 11 ] Bug #729980 - SELinux is preventing /bin/mount from 'remove_name' accesses on the dossier mtab~1948.
        https://bugzilla.redhat.com/show_bug.cgi?id=729980
  [ 12 ] Bug #730843 - SELinux is preventing /usr/sbin/radiusd from read access on the directory /var/tmp
        https://bugzilla.redhat.com/show_bug.cgi?id=730843
  [ 13 ] Bug #733896 - Selinux prevents Postfix from delivering to Dovecot LMTP socket
        https://bugzilla.redhat.com/show_bug.cgi?id=733896
  [ 14 ] Bug #735648 - SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu from 'getattr' accesses on the file /proc/<pid>/stat.
        https://bugzilla.redhat.com/show_bug.cgi?id=735648
  [ 15 ] Bug #735786 - SELinux is preventing /opt/google/chrome/chrome from execmod access on the file /opt/google/chrome/chrome.
        https://bugzilla.redhat.com/show_bug.cgi?id=735786
  [ 16 ] Bug #743545 - SELinux is preventing /usr/sbin/sshd from 'getattr' accesses on the directory /home/piro/.gvfs.
        https://bugzilla.redhat.com/show_bug.cgi?id=743545
  [ 17 ] Bug #743804 - SELinux is preventing /var/lib/boinc/projects/www.worldcommunitygrid.org/wcg_dsfl_6.19_i686-pc-linux-gnu from 'getattr' accesses on the file /proc/<pid>/stat.
        https://bugzilla.redhat.com/show_bug.cgi?id=743804
  [ 18 ] Bug #745569 - selinux prevents chromium from starting
        https://bugzilla.redhat.com/show_bug.cgi?id=745569
  [ 19 ] Bug #746423 - SELinux is preventing /usr/bin/gok from 'read' accesses on the directory /var/ftp.
        https://bugzilla.redhat.com/show_bug.cgi?id=746423
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
 su -c 'yum update selinux-policy'
at the command line.  For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org