--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-2993
2013-02-24 07:42:35
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 81.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Feb 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-81
- Fix systemd_dbus_chat_timedated interface
- Allow userdomains to dbus chat with systemd-hostnamed
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix dbus_system_domain() interface
- Fix thumb_role() interface
- Allow cgred to list inotifyfs filesystem
- New access required for virt-sandbox
- Allow gluster to get attrs on all fs
- Allow dnsmasq to create content in /var/run/NetworkManager

* Tue Feb 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-80
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which is for authconfig executed by realmd

* Tue Feb 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-79
- Fix condor policy
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow block_suspend cap2 for glusterd
- Allow nmbd to read /dev/random
- Fix glusterd labeling
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to create unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Backport fixes for systemd-hostname policy to F18

* Fri Feb 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-78
- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
- Fix userdom_restricted_xwindows_user_template() interface
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
- Add support for /var/lib/systemd/linger
- Allow systemd-timestamp to set SELinux context
- Fix systemd.fc
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
- Allow systemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_
- Allow tuned to create kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
- Allow spamd_update_t to search spamc_home_t
- AVCs discovered by mounting an iscsi device under /mnt
- AVCs discovered by mounting an iscsi device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Add new tuned_tmp_t type

* Mon Feb 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-77
- Add basic rules for pegasus_openlmi_domain
- Add pegasus_openlmi_domain_template() interface for openlmi-*
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Fix use_ecryptfs_home_dirs boolean for chrome_sandbox_t
- Add additional fixes for ecryptfs
- Allow keystone getsched and setsched
- Allow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow glance domain to stream connect to databases
- Allow all cups domains to getattr on filesystems
- Fix pacemaker_use_execmem boolean
- Allow gpg to read fips_enabled
- FIXME: Add realmd_tmp_t until we get /var/cache/realmd
- Add support for /var/cache/realmd
- Add labeling for fenced_sanlock and allow sanlock transition to fenced_t
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Add additional interface for ecryptfs

* Tue Feb 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-76
- More access required for openshift_cron_t
- Fix init_status calling

* Mon Feb 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-75
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface
- Allow Xusers to ioctl lxdm.log to make lxdm working
- Add xserver_xdm_ioctl_log() interface
- Add MLS fixes to make MLS boot/log-in working
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> working
- Allow useradd to create homedirs in /run. ircd-ratbox does this and we should just allow it
- Allow xdm_t to execute gstreamer home content
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Dontaudit attempts by thumb_t to read or list /proc info
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow fsdaemon to use user pty
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Allow mozilla-plugin-config to read power_supply info
- More fixes for rsync to make rsync <backuphost> working
- Allow fsdaemon to read svirt images
- Allow logwatch to domtrans to mdadm

* Wed Jan 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-74
- Dontaudit r/w cache_home_t for thumb_t
- Allow rsync to getattr any file in rsync_data_t
- Allow l2tpd_t to read network manager content in /run directory
- Allow named to block_suspend capability
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_access, so that an rsync server can write all over the local machine
- logrotate needs to rotate logs in openshift directories
- comment files_relabel_non_security_files for now, it does not work with boolean
- boinc client wants also execmem as boinc projects have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Dontaudit attempts by readahead to read sock_files
- Allow application_domains to send sigchld to login programs
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information

* Mon Jan 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-73
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Allow colord_t to read cupsd_t state
- Add interface to colord_t dbus_chat to allow it to read remote process state

* Mon Jan 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-72
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
- Allow gpg_t to manage all gnome files
- Add ~/.quakelive as mozilla_home_t content
- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
- Add a couple of dontaudit rules to silence the noise
- Allow zarafa_deliver_t to bind to lmtp port, also consolidate signal_perms and setrlimit and kill to use zarafa_domain attribute
- Add mate-thumbnail-font as thumbnailer
- Add pcscd_read_pid_files() interface
- Lots of probing avc's caused by executing gpg from staff_t
- Looks like qpidd_t needs to read /dev/random
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. Would like to clean this up but for now we will allow
- Added systemd support for ksmtuned
- Added booleans ksmtuned_use_nfs ksmtuned_use_cifs
- Add definition for 2003 as an lmtp port
- Add filename transition for opasswd

* Tue Jan 15 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir

* Thu Jan 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- dontaudit access checks on file systems types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- interface to dontaudit access checks on file systems types
- Add interface for postgresql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems

* Wed Jan 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtime

* Thu Dec 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories

* Fri Dec 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be setup to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #911145 - ipa.service fails to start after upgrade from fedora 17 to 18 due to selinux
        https://bugzilla.redhat.com/show_bug.cgi?id=911145
  [ 2 ] Bug #911490 - SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'getattr' accesses on the file /core.2129.
        https://bugzilla.redhat.com/show_bug.cgi?id=911490
  [ 3 ] Bug #911491 - SELinux is preventing /usr/sbin/dnsmasq from 'write' accesses on the directory /var/run/NetworkManager/dnsmasq.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=911491
  [ 4 ] Bug #912435 - SELinux is preventing /usr/sbin/condor_master from 'getattr' accesses on the file /proc/cpuinfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=912435
  [ 5 ] Bug #912440 - SELinux is preventing /usr/sbin/condor_master from 'getattr' accesses on the file /etc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=912440
  [ 6 ] Bug #912909 - SELinux is preventing /usr/sbin/glusterfsd (deleted) from getattr access on the filesystem /
        https://bugzilla.redhat.com/show_bug.cgi?id=912909
  [ 7 ] Bug #913212 - selinux-policy blocking munin-node
        https://bugzilla.redhat.com/show_bug.cgi?id=913212
  [ 8 ] Bug #913368 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the file cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=913368
  [ 9 ] Bug #913589 - SELinux is preventing /usr/lib/systemd/systemd-localed from 'search' accesses on the directory journal.
        https://bugzilla.redhat.com/show_bug.cgi?id=913589
  [ 10 ] Bug #913591 - SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'getattr' accesses on the file /proc/<pid>/stat.
        https://bugzilla.redhat.com/show_bug.cgi?id=913591
  [ 11 ] Bug #857709 - Cannot run xvfb-run in mock with SELinux set to enforcing, targeted
        https://bugzilla.redhat.com/show_bug.cgi?id=857709
--------------------------------------------------------------------------------
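Nearly every bug above is an AVC denial ("SELinux is preventing X from 'perm' accesses on Y"), and nearly every changelog line is the allow rule that answered one. The raw material for such a fix is the audit record, and the usual first step is to turn a batch of records into candidate allow rules (what audit2allow does) and then decide which of them are safe to grant. The following is an added example written for this page, not code from Fedora or from the selinux-policy project: a minimal parser for AVC records that merges permissions per (source type, target type, class) and flags rules that ask for permissions a policy author should not hand out just because a program requested them. The audit lines are constructed for the example (they are shaped after the denials reported above, with made-up pids, inodes and timestamps), and the RISKY_PERMS list is this example's own selection, not a list taken from the policy.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not copied from the bug reports above).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1361434140.123:456): avc:  denied  { write } for  pid=1234 comm="dnsmasq" name="NetworkManager" dev="tmpfs" ino=12345 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1361434140.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq" exe="/usr/sbin/dnsmasq"
type=AVC msg=audit(1361434141.456:457): avc:  denied  { getattr } for  pid=2345 comm="systemd-hostnam" path="/proc/1/stat" dev="proc" ino=4567 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1361434142.789:458): avc:  denied  { read } for  pid=3456 comm="nmbd" name="random" dev="devtmpfs" ino=1029 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1361434142.789:458): avc:  denied  { open } for  pid=3456 comm="nmbd" path="/dev/random" dev="devtmpfs" ino=1029 scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1361434143.000:459): avc:  denied  { execmem } for  pid=4567 comm="blueman-mechani" scontext=system_u:system_r:blueman_t:s0 tcontext=system_u:system_r:blueman_t:s0 tclass=process
"""

# Matches the permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that each weaken confinement badly enough that an AVC asking for
# them is a reason to look at the program, not to write an allow rule.
# This selection is the example's own assumption, not a list from the policy.
RISKY_PERMS = {"execmem", "execstack", "execheap", "ptrace", "sys_admin",
               "sys_module", "sys_ptrace", "dac_override", "setenforce"}


def _type_of(context):
    # A context is user:role:type[:level]; the type is what allow rules use.
    return context.split(":")[2]


def parse_avc(line):
    """Return the rule-relevant fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(audit_text):
    """Merge all denials in audit_text into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # A domain acting on its own process object is written as "self".
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def needs_review(rule):
    """True when the rule grants any permission from RISKY_PERMS."""
    body = rule[rule.index("{") + 1:rule.rindex("}")]
    return bool(set(body.split()) & RISKY_PERMS)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(("REVIEW  " if needs_review(rule) else "        ") + rule)
```

Run against the sample, the four merged rules come out with the blueman_t execmem rule marked for review; the two nmbd_t records for /dev/random collapse into one rule with both permissions, which is why merging by (source, target, class) rather than emitting one rule per record matters. The changelog's own handling of the execmem case for Blueman ("Blueman uses ctypes which ends up triggering execmem priv.") is the kind of decision the flag is meant to force rather than make.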
This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
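Whether a host already carries this fix is decided by comparing the installed selinux-policy version and release against 3.11.1-81.fc18, and a plain string comparison gets that wrong (release "9.fc18" sorts after "81.fc18" as text but is older). The following is an added example written for this page, not Fedora tooling: a simplified port of librpm's rpmvercmp() segment comparison (numeric segments compare as integers, a numeric segment beats an alphabetic one, and whichever string has segments left over is newer), with a small wrapper that queries the local rpm database when rpm is present. Assumptions: the comparison ignores epochs and the "~" and "^" separators, and the advisory version and release are copied from the header above.

```python
import re
import shutil
import subprocess

# Version and release shipped by this advisory (from the header above).
ADVISORY_NAME = "selinux-policy"
ADVISORY_VERSION = "3.11.1"
ADVISORY_RELEASE = "81.fc18"

# rpmvercmp splits on everything that is not a run of digits or letters.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way librpm does.
    Simplified: no epoch handling, no '~' or '^' separators. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        # Whichever string still has segments left over is newer.
        return 1 if len(sa) > len(sb) else -1
    return 0


def split_nvr(nvr):
    """'selinux-policy-3.11.1-81.fc18' -> ('selinux-policy', '3.11.1', '81.fc18')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def has_fix(installed_nvr, version=ADVISORY_VERSION, release=ADVISORY_RELEASE):
    """True when installed_nvr is at or above the advisory's version-release."""
    name, v, r = split_nvr(installed_nvr)
    if name != ADVISORY_NAME:
        raise ValueError(f"not a {ADVISORY_NAME} package: {installed_nvr}")
    # Release only matters when the versions are equal.
    c = rpmvercmp(v, version) or rpmvercmp(r, release)
    return c >= 0


def installed_nvr(name=ADVISORY_NAME):
    """Ask the local rpm database; returns None when rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", name],
        capture_output=True, text=True,
    )
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    nvr = installed_nvr()
    if nvr is None:
        print("rpm not available or selinux-policy not installed")
    else:
        print(nvr, "has fix" if has_fix(nvr) else "older than 3.11.1-81.fc18")
```

The comparison also answers the version-bump cases a fleet actually shows: "3.11.1-81.1.fc18" (a later rebuild) and "3.12.1-1.fc19" (the next Fedora) both count as carrying the fix, while "3.11.1-9.fc18" does not.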
package-announce@lists.fedoraproject.org