Fedora 12 Update: selinux-policy-3.6.32-120.fc12

updates at fedoraproject.org
Fri Aug 20 01:48:14 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-12052
2010-08-05 23:01:38
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 120.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20090730

--------------------------------------------------------------------------------
Update Information:

- Fixes for cobbler policy
- Don't audit varnishd sys_tty_config capability
- Allow varnishd kill capability
- Fixes for munin policy
- Change label for /var/tmp
- Add clamd_use_jit boolean

* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connectto unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files

* Wed Nov 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.

* Tue Nov 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug  5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-120
- Fixes for cobbler policy
- Dont audit varnishd sys_tty_config capability
- Allow varnishd kill capability
- Fixes for munin policy
- Change label for /var/tmp
- Add clamd_use_jit boolean
* Wed Jun 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-119
- Allow rpm to execute rpm tmp files
- Allow denyhosts to send syslog messages
* Fri Jun  4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-118
- Fixes for abrt
* Mon May 31 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-117
- Fixes for nagios
* Fri May 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-116
- Allow denyhosts to connect to tcp port 9911
- Fixes for munin
* Tue May 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-115
- Allow avahi-autoipd to chat with NetworkManager over dbus
- Allow tgtd to read files on anon_inodefs file systems
- Add label for /var/lib/mpd directory
* Wed May  5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-114
- Allow denyhosts sys_tty_config capability
- Fixes for chrony policy
- Allow ksmtuned to use terminals
- Allow lircd to write to generic usb devices
* Thu Apr 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-113
- Allow pulseaudio to read udev process state.
- Dontaudit hal leaks
* Fri Apr 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-112
- Fix label for /usr/share/system-config-services/gui.py
- Allow snort to read network state information
- Fix reserved port destination from Dan Walsh
* Tue Apr 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-111
- Allow shorewall to execute hostname
- Allow gpg-agent to read symbolic links in bin directories
- Allow vmware-host to  read and write generic character device files
- Add munin plugin policy from F13
- Add denyhosts policy from F13
* Thu Apr  8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-110
- Add label for /opt/google/chrome/chrome-sandbox
- Allow asterisk to bind and connect to sip tcp ports
* Fri Apr  2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-109
- Allow hald to manage block device files
* Tue Mar 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-108
- Add label for libgpac library
- Fixes for openvpn
* Fri Mar 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-107
- Allow pppd to read and write to modem devices
* Tue Mar 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-106
- Allow mysqld_safe setsched, getsched
- Allow logrotate to transition to sssd
- Allow snort to read and write generic USB devices
- Add label for piranha log files
- Add qpidd policy from rawhide
* Fri Mar 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-105
- Fixes for nagios
* Thu Mar 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-104
- Allow logrotate to transition to asterisk
- Allow xdm to transition to shutdown
- Allow shutdown dac_override
- Allow samba sys_chroot
* Mon Mar 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-103
- Add sosreport policy
* Mon Mar 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-102
- Allow bluetooth sys_admin capability
- Fix label for libADM libraries
- Allow libvirt to set svrit_image_t label on sysfs
- Add shutdown policy from Dan Walsh
* Wed Mar 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-101
- Allow nsplugin to manage pulseaudio homedir content
* Tue Mar  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-100
- Allow pulseaudio sys_tty_config capability
- Add label for cman_tool
- Fixes for corosync policy
- Allow abrt to get the attributes of all domains 
- Allow abrt to read symbolic links on a NFS filesystem
* Fri Mar  5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-99
- Add back etcfile attribute
* Fri Mar  5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-98
- Allow modcluster to call getpwnam
- Allow useradd sys_ptrace capability
- Fixes for pulseaudio from Dan Walsh
- Allow swat to signal winbind
- Add label for mssql and allow apache to connect to this database port if boolean set
* Wed Mar  3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-97
- Fixes for xserver from Dan Walsh
* Mon Mar  1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-96
- Add cachefilesfd policy
- Update cobbler policy from F13
- Allow hald connect to usbmuxd over a unix domain
- Allow staff_t to read semanage module store
* Fri Feb 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-95
- Add fixes from Dan Walsh
* Fri Feb 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-94
- Fixes for MLS booting from Dan Walsh
* Thu Feb 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-93
- Fix wine dontaudit mmap_zero
- Add vbetool_mmap_zero_ignore boolean
- dontaudit acct using console
* Tue Feb 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-92
- Fixes for cluster policy
- Fixes for rgmanager
- Add label for /etc/pki dir in bind-chroot
- Allow system-config-firewall to send system log messages
- Remove label for Directory Server
* Wed Feb 17 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-91
- Add label for /opt/zimbra/log directory
- Add label for /usr/local/centreon/log directory
- Add label for /var/spool/bacula/log directory
- Add nagios_mail_plugin type for nagios mail plugins
- Do not audit attempts to search the network state directory for locate
- Allow ping read and write the console, all ttys and all ptys
- Allow pppd to send audit messages
- Allow modemmanager net_admin capability
- Fixes for cluster policy
* Fri Feb 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-90
- Allow dnsmasq to create log file
* Thu Feb 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-89
- Allow rpcd to read files with default file type
* Thu Feb 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-88
- Fixes for sandbox
- Allow quota to set priority of kernel threads
- Fixes for svirt
* Wed Feb 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-87
- Fixes for ipsec policy
- Allow pppd to get attributes of the modem devices
- Add label for /usr/share/e16/misc directory
* Tue Feb  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-86
- Allow mysql ipc_lock capability
- Allow passwd sys_nice capability
- Allow plymouth to read network config files
- Fixes for git 
- Add label for /usr/sbin/ns-slapd
- Allow munin to list mail queue
- Add label for shorewall compiler
- Fixes for nagios plugin policy
- Allow auditctl to set priority of kernel threads
* Fri Feb  5 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-85
- Cleanup  spec file
* Thu Feb  4 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-84
- Fix /var/lib labeling in post install
* Thu Feb  4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-83
- Fixes for cluster policy
* Wed Feb  3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-82
- Add label for /root/.Xdefaults 
- Allow xauth to read symbolic links on a NFS filesystem
- Add label for /var/run/slim.lock
- Add mcelog policy
* Tue Feb  2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-81
- Allow policykit-auth to set attributes on fonts cache directory
- Add label for RealPlayer plugins
- Add label for /usr/sbin/xrdp
- Allow chrome-sandbox to read gnome homedir content
- Allow rsyslogd to connect to MySQL using a unix domain stream socket
- Allow apache to list inotifyfs filesystem
- Add label for /dev/pps device
- Fixes for chronyd policy
* Mon Feb  1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-80
- Allow xdm to execute octave
- Add label for var/run/lxdm.auth
- Allow pppd sys_admin capability
- Allow cups-pdf fowner capability
- Fix path for cluster binaries
- Fixes for pulseaudio
- Add label for /var/webmin directory
- Allow prelink execmod on files in home directory
- Allow cups-config to read process state of all user domains.
- Fixes for vmware policy
- Fixes for lirc policy
- Allow amavis to read utmp
* Fri Jan 29 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-79
- Fix rpm_dontaudit_leaks
- Fix typo in rgmanager.if
- Fixes for nis policy
* Wed Jan 27 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-78
- Allow openvpn to read utmp
- Allow xdm to read the video4linux devices
- Add label for /etc/openldap/slapd.d directory
- Allow tgtd to manage fixed disk device nodes
- Allow chsh to execute nxserver
- Allow abrt_helper to send system log messages
- Add label for /etc/zabbix/web directory
- Add label for /sbin/mke4fs
* Mon Jan 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-77
- Allow xenstored to manage files on a XENFS filesystem
- Allow cupsd to setattr on a fonts cache directory
- Allow smolt-client to send system log messages
* Fri Jan 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-76
- Add labeling for gitweb
- Allow plymouth to read and write the /dev/ptmx
- Fixes for sandbox
- Allow nagios_services_plugin_t to read snmpd libraries
* Thu Jan 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-75
- Allow sulogin to talk to console and tty_device_t
* Wed Jan 20 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-74
- Fixes for afs
- Remove transition from system_cronjob to gpg domain
* Tue Jan 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-73
- Add labeling for /var/lib/avahi-autoipd directory
* Tue Jan 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-72
- Fixes for memcached from Dan Walsh
- Allow podsleuth to read user tmpfs files
- Allow tftpd to read system state information in proc
- Fixes for sssd from Dan Walsh
- Allow snmpd chown capability
* Fri Jan 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-71
- Allow hotplug to transition to brctl domain
- Fixes for sftpd
* Tue Jan 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-70
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
* Mon Jan 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-69
- Fixes for iscsid
- Allow openvpn to bind to http port
- Add wine_mmap_zero_ignore boolean
* Fri Jan  8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-68
- Fixes for xenconsoled
- Allow xauth to connectto xserver_t unix_stream_socket
- Add textrel_shlib_t fixes
- Add labeling for LXDM
- Allow cupsd_lpd_t to setattr fontconfig directory
- Allow abrt to getattr on all character file device nodes.
- Add labeling for the rest nagios plugins
* Wed Jan  6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-67
- Allow snmbd to send itself signal
- Allow virt_domain to read /dev/random
- Allow apcupsd to send itself signull
- Allow swat to transition to nmbd
- Add textrel_shlib_t label for /usr/local/lib/codecs/
* Mon Jan  4 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-66
- Allow lircd to use tcp_socket and connect/bind to port 8675
* Wed Dec 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-65
- Allow traceroute to use all terms
- Fix mgetty use for faxes
- Dontaudit xdm listing fusefs
- Allow xguest to resolve host names
- Allow abrt to read noxattr filesystems (cdrom)
- Allow abrt_helper to send itself signals
- Allow amavis to read certs
- Allow apache to bind to port 3000 (Ruby on rails)
- Asterisk uses mysql and snmp
- Allow consolekit to write wtmp file for shutdown
- Allow cups ipc_lock
- Allow hal to transition to ppp
- Fix mailman labels for 64 bit systems
- dontaudit system_mail access to leaked terminals
- Allow mysqld_safe_t to unlink mysqld pid files
- nrpe_t uses getpw calls
- Allow NetworkManager to delete ppp pid files
- Allow pptp_t to send userdomain signals
- Allow prelude to connect to mysql
- Allow swat to start winbind server
- Fixes for snort
- Allow telnetd to setattr user terminals
- Allow qemu to read fusefs
- Allow domains that have telinit to connectto upstart unix_stream_socket
- Dontaudit ipsec_mgmt sys_tty_config
- Fix labels for postgrestgres test suite
- Other textrel_shlib_t fixes
* Wed Dec 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-64
- Update to Rawhide filesystem.if file
- Allow abrt to read nfs
- Allow cups to search fusefs
- Allow dovecot_auth to search var_log
- Fix label on ksmtuned.pid
- Dontaudit policykit looking at mount points
- Allow xdm to manage /var/cache/fontconfig
- Allow xenstored to search xenfs
* Tue Dec 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-63
- Allow sendmail setpgid
- Allow dovecot to read nfs homedirs
* Mon Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-62
- Add label for /var/ekpd
- Allow portreserve to look at bin files
- Allow gssd to ask the kernel to load modules
- If you can run mount you can run fusermount
* Mon Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-61
- Fixes for sandbox_x_server
- Fix ntop policy
- Sandbox fixes
* Fri Dec 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-60
- Fixes for cluster policy
- mysql_safe fixes
- Fixes for sssd
- Cgroup access for virtd
- Dontaudit fail2ban leaks
* Tue Dec 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add label for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- file contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrastructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec  9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes for vhostmd
* Mon Dec  7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms
* Thu Dec  3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec  3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec  1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec  1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connectto unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.
* Tue Nov 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx 
- Allow rtkit_daemon to read locale file
- Allow snort to create socket 
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs 
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-43
- Fix transition so unconfined_exemem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov  9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface 
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on  asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos library problem.
- Eliminate transition from unconifned_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #542420 - selinux sticks ":etc_t:" into symlinks labels in /etc/cron.xxxx directories
        https://bugzilla.redhat.com/show_bug.cgi?id=542420
  [ 2 ] Bug #542422 - SELinux is preventing /usr/bin/passwd "execute" access on /usr/bin/gnome-keyring-daemon.
        https://bugzilla.redhat.com/show_bug.cgi?id=542422
  [ 3 ] Bug #542466 - SELinux is preventing /usr/libexec/cups-pk-helper-mechanism "connectto" access on /var/run/cups/cups.sock.
        https://bugzilla.redhat.com/show_bug.cgi?id=542466
  [ 4 ] Bug #542493 - SELinux is preventing /usr/sbin/modem-manager "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=542493
  [ 5 ] Bug #542494 - SELinux is preventing /usr/sbin/modem-manager "write" access on /dev/pts/0.
        https://bugzilla.redhat.com/show_bug.cgi?id=542494
  [ 6 ] Bug #542507 - SELinux is preventing /usr/bin/python from loading /usr/lib/cedega/gddb_parser32_1013.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=542507
  [ 7 ] Bug #542630 - SELinux is preventing Xorg from loading /usr/lib/xorg/modules/extensions/libglx.so.195.22 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=542630
  [ 8 ] Bug #542654 - ntop triggers several AVC denials when starting
        https://bugzilla.redhat.com/show_bug.cgi?id=542654
  [ 9 ] Bug #542722 - SELinux is preventing /usr/sbin/clamav-milter "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=542722
  [ 10 ] Bug #542770 - SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked /var/cache/yum/x86_64/12/updates-testing/packages/rhythmbox-0.12.6-1.fc12.x86_64.rpm file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=542770
  [ 11 ] Bug #542773 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "getattr" access on /proc/<pid>.
        https://bugzilla.redhat.com/show_bug.cgi?id=542773
  [ 12 ] Bug #542880 - SELinux is preventing /usr/bin/tor "read" access on /usr/share/tor/geoip.
        https://bugzilla.redhat.com/show_bug.cgi?id=542880
  [ 13 ] Bug #542920 - SELinux prevented perl from reading files stored on a NFS filesystem.
        https://bugzilla.redhat.com/show_bug.cgi?id=542920
  [ 14 ] Bug #542935 - SELinux is preventing /usr/bin/kismet_server "read" access on psched.
        https://bugzilla.redhat.com/show_bug.cgi?id=542935
  [ 15 ] Bug #542936 - SELinux is preventing /usr/bin/kismet_server "create" access on kisfdsock_2427.
        https://bugzilla.redhat.com/show_bug.cgi?id=542936
  [ 16 ] Bug #543025 - SELinux is preventing /usr/bin/aklog "read" access on /usr/vice/etc/ThisCell.
        https://bugzilla.redhat.com/show_bug.cgi?id=543025
  [ 17 ] Bug #621095 - Multiple cobblerd_t denials on Fedora-13 running standard Spacewalk installation
        https://bugzilla.redhat.com/show_bug.cgi?id=621095
  [ 18 ] Bug #619983 - SELinux is preventing ps "getattr" access on /dev/tty4.
        https://bugzilla.redhat.com/show_bug.cgi?id=619983
  [ 19 ] Bug #619642 - SELinux is preventing /bin/bash "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=619642
  [ 20 ] Bug #618221 - SELinux is preventing /usr/sbin/swat "read" access on /var/run/winbindd.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=618221
  [ 21 ] Bug #618030 - SELinux is preventing /usr/sbin/varnishd "kill" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=618030
  [ 22 ] Bug #616109 - SELinux is preventing abrtd "getattr" access on /var/run/winbindd/pipe.
        https://bugzilla.redhat.com/show_bug.cgi?id=616109
  [ 23 ] Bug #614082 - SELinux is preventing /usr/bin/perl "signal" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=614082
  [ 24 ] Bug #614079 - SELinux is preventing /usr/bin/who "getattr" access on /dev/tty1.
        https://bugzilla.redhat.com/show_bug.cgi?id=614079
  [ 25 ] Bug #614078 - SELinux is preventing /sbin/hdparm "ioctl" access on /dev/sda.
        https://bugzilla.redhat.com/show_bug.cgi?id=614078
  [ 26 ] Bug #612105 - Summary:  SELinux is preventing /usr/libexec/gnome-settings-daemon "setattr" access to /var/cache/fontconfig.  Detailed Description:  SELinux denied access requested by gnome-settings-. /var/cache/fontconfig may be a mislabeled. /var/cache/fontconfig def
        https://bugzilla.redhat.com/show_bug.cgi?id=612105
  [ 27 ] Bug #610918 - SELinux is preventing /bin/bash "search" access to /.
        https://bugzilla.redhat.com/show_bug.cgi?id=610918
  [ 28 ] Bug #609657 - SELinux is preventing /usr/sbin/NetworkManager "read" access on /var/tmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=609657
  [ 29 ] Bug #609655 - libvirt qemu:///session can't create socket on NFS homedir
        https://bugzilla.redhat.com/show_bug.cgi?id=609655
  [ 30 ] Bug #609410 - SELinux is preventing /usr/bin/python "read" access on /root/axelget/axelget.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=609410
  [ 31 ] Bug #608690 - SELinux is preventing /usr/libexec/hal-dccm "name_connect" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=608690
  [ 32 ] Bug #607030 - SELinux is preventing /usr/bin/freshclam "execmem" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=607030
  [ 33 ] Bug #559218 - SELinux is preventing /bin/bash "execute" access on /sbin/iptables-multi.
        https://bugzilla.redhat.com/show_bug.cgi?id=559218
  [ 34 ] Bug #538565 - New 'nrpe' policy prevents most NRPE checks from working
        https://bugzilla.redhat.com/show_bug.cgi?id=538565
  [ 35 ] Bug #539754 - SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "getattr" access on /proc/<pid>.
        https://bugzilla.redhat.com/show_bug.cgi?id=539754
  [ 36 ] Bug #539998 - SELinux is preventing /usr/sbin/sshd "read" access on /usr/NX/home/nx/.ssh/authorized_keys2
        https://bugzilla.redhat.com/show_bug.cgi?id=539998
  [ 37 ] Bug #540225 - SELinux is preventing /usr/sbin/upsd "dac_override" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540225
  [ 38 ] Bug #540530 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "sys_ptrace" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540530
  [ 39 ] Bug #540782 - SELinux is preventing /usr/sbin/modem-manager "sys_admin" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540782
  [ 40 ] Bug #540814 - SELinux is preventing /sbin/consoletype access to a leaked /var/lib/rpm/__db.000 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=540814
  [ 41 ] Bug #540822 - SELinux is preventing /usr/bin/qemu-kvm "transition" access on /usr/bin/qemu-kvm.
        https://bugzilla.redhat.com/show_bug.cgi?id=540822
  [ 42 ] Bug #540909 - SELinux is preventing /bin/mount access to a leaked /tmp/.webmin/788313_1_start.cgi file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=540909
  [ 43 ] Bug #540926 - SELinux is preventing /usr/sbin/hald "getattr" access to device /dev/etherd/e1.0.
        https://bugzilla.redhat.com/show_bug.cgi?id=540926
  [ 44 ] Bug #540952 - SELinux is preventing /usr/bin/python "read" access on L.
        https://bugzilla.redhat.com/show_bug.cgi?id=540952
  [ 45 ] Bug #541065 - SELinux is preventing /usr/bin/perl from binding to port 23796.
        https://bugzilla.redhat.com/show_bug.cgi?id=541065
  [ 46 ] Bug #541113 - SELinux is preventing /opt/google/picasa/3.0/wine/bin/wine-preloader from loading /opt/google/picasa/3.0/wine/lib/wine/explorer.exe.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=541113
  [ 47 ] Bug #541148 - SELinux prevented mount.ntfs from mounting on the file or directory "/media/8CCEB61DCEB5FF8E" (type "fusefs_t").
        https://bugzilla.redhat.com/show_bug.cgi?id=541148
  [ 48 ] Bug #541217 - SELinux is preventing /usr/sbin/modem-manager "sys_admin" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541217
  [ 49 ] Bug #541244 - SELinux is preventing /usr/bin/gok "getattr" access on /var/mail.
        https://bugzilla.redhat.com/show_bug.cgi?id=541244
  [ 50 ] Bug #541331 - SELinux is preventing /usr/local/bin/lgmonip4700 "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541331
  [ 51 ] Bug #541340 - SELinux is preventing /usr/libexec/ipsec/pluto "setpcap" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541340
  [ 52 ] Bug #541400 - SELinux is preventing /opt/Adobe AIR/Versions/1.0/Adobe AIR Application Installer from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=541400
  [ 53 ] Bug #541609 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "read" access on /proc.
        https://bugzilla.redhat.com/show_bug.cgi?id=541609
  [ 54 ] Bug #541658 - SELinux is preventing /usr/sbin/asterisk "setcap" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541658
  [ 55 ] Bug #541669 - SELinux is preventing /usr/bin/abrt-pyhook-helper "write" access on /var/run/nscd/socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=541669
  [ 56 ] Bug #541692 - SELinux is preventing /bin/rm "write" access on /var/lib/misc.
        https://bugzilla.redhat.com/show_bug.cgi?id=541692
  [ 57 ] Bug #541702 - SELinux is preventing /usr/bin/freshclam "write" access on log.
        https://bugzilla.redhat.com/show_bug.cgi?id=541702
  [ 58 ] Bug #541785 - SELinux is preventing /home/thanhbv/Downloads/firefox-3.6b3/firefox-bin from loading /home/thanhbv/.mozilla/firefox/insc7pg8.default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text re
        https://bugzilla.redhat.com/show_bug.cgi?id=541785
  [ 59 ] Bug #541821 - SELinux is preventing /sbin/consoletype access to a leaked /root/savap-install.log file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=541821
  [ 60 ] Bug #541867 - SELinux is preventing /usr/bin/qemu-kvm "read" access on images.
        https://bugzilla.redhat.com/show_bug.cgi?id=541867
  [ 61 ] Bug #541886 - SELinux is preventing /usr/sbin/openvpn "ipc_lock" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541886
  [ 62 ] Bug #541903 - SELinux is preventing /usr/bin/abrt-pyhook-helper "chown" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=541903
  [ 63 ] Bug #541958 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /var/cache.
        https://bugzilla.redhat.com/show_bug.cgi?id=541958
  [ 64 ] Bug #541988 - SELinux is preventing the /usr/lib64/chromium-browser/chromium-browser from using potentially mislabeled files (/home/kka/.config/chromium/Dictionaries/en-US-1-2.bdic).
        https://bugzilla.redhat.com/show_bug.cgi?id=541988
  [ 65 ] Bug #542046 - SELinux is preventing /bin/bash "execute" access on /bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=542046
  [ 66 ] Bug #542060 - SELinux is preventing /usr/bin/perl "write" access on /var/log.
        https://bugzilla.redhat.com/show_bug.cgi?id=542060
  [ 67 ] Bug #542186 - SELinux is preventing /usr/bin/pulseaudio "signull" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=542186
  [ 68 ] Bug #542414 - SELinux is preventing /usr/libexec/rtkit-daemon "setsched" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=542414
  [ 69 ] Bug #542418 - SELinux is preventing /opt/google/picasa/3.0/wine/bin/wine-preloader from loading /opt/google/picasa/3.0/wine/lib/wine/cryptdlg.dll.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=542418
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------