Fedora 13 Update: selinux-policy-3.7.19-51.fc13

updates at fedoraproject.org updates at fedoraproject.org
Tue Aug 31 06:39:54 UTC 2010 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-13536
2010-08-26 00:25:59
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 51.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Fixes for boinc policy  - Fixes for shorewall policy  - Allow seunshare fowner
capability  - Allow dovecot to manage postfix privet socket
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-51
- Allow seunshare fowner capability
- Allow dovecot to manage postfix privet socket
* Tue Aug 24 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-50
- Fixes for boinc policy
- Fixes for shorewall policy
* Fri Aug 20 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-49
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest
- Fix amavis_read_spool_files interface
* Wed Aug 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-48
- Fixes for shorewall policy
- Allow sssd chown capability
- Fix label for /usr/bin/mutter
- Label dead.letter as mail_home_t
- Allow pcscd to read  hardware state information 
- Fixes for ulogd policy
* Fri Aug 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-47
- Fixes for boinc-project policy
- Allow swat to read nmbd pid file
- Allow fail2ban to read BIND log files
- Fix cert handling from Dan 
- Remove transition from unconfined to ncftool domain
* Wed Aug 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-46
- Allow ipsec-mgmt to dbus chat with unconfined
- Fixes for boinc policy
* Tue Aug 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-45
- Fixes for cgroup policy
- Fixes for ncftool policy
- Add ncftool_read_user_content boolean
- Fix label for boinc init script
- Fix label for fence_tool
- Allow vhostmd to write virt content
- Allow ricci domtrans ot shutdown
* Thu Aug  5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date
* Wed Aug  4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-43
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
* Mon Aug  2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy
* Tue Jul 27 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-41
- Allow logwatch_mail to read read the networking state information.
- Add label for /usr/bin/dosbox
- Allow systat sys_admin capability
* Fri Jul 23 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-40
- Fixes for puppetmaster
- Fix label for kadmin init script
- Fixes for logwatch-mail policy
- Allow arpwatch to request the kernel to load modules
- Allow cron jobs to run with context of user that started them
* Wed Jul 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-39
- Allow munin_system_plugin to read files in /usr
- Do not audit insmod attempts to write virt daemon unnamed pipes
- Allow corosync to read ricci lib files
* Mon Jul 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-38
- Allow xdm_t to manage gnome homedir content
- Allow s-c-firewall to read and write virtual memory sysctls
- Fixes for logwatch policy
* Wed Jul 14 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599 
- Add label for /sbin/sushell
- Fixes for munin plugin policy
* Tue Jul 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean
* Fri Jul  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy
* Thu Jul  1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-34
- Fix ipsec-mgmt inteface
* Wed Jun 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
* Mon Jun 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-31
- Remove daemons dontaudit to search all dirs 
- Add support for epylog
- All all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to appen abrt_var_cache files
- Fixed label for abrt.socket
* Wed Jun 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
* Mon Jun 14 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy
* Wed Jun  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy
* Wed Jun  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label
* Tue Jun  8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
* Thu Jun  3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy
* Tue Jun  1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability
* Tue May 25 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptabels to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow pyranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Thu May  6 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-14
- Fixes for sandbox_x_net_t  to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May  6 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-13
- Allow boinc to send mail
* Wed May  5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May  3 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #626111 - SELinux is preventing minirosetta_2.1 "signal" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=626111
  [ 2 ] Bug #625963 - SELinux is preventing /var/lib/boinc/projects/www.gpugrid.net/acemd2_6.04_x86_64-pc-linux-gnu__cuda "read" access      on /var/lib/boinc.
        https://bugzilla.redhat.com/show_bug.cgi?id=625963
  [ 3 ] Bug #625957 - SELinux is preventing /var/lib/boinc/projects/www.rnaworld.de_rnaworld/cmswrapper_0.10_x86_64-pc-linux-gnu "sigkill" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=625957
  [ 4 ] Bug #625961 - SELinux is preventing /var/lib/boinc/projects/www.gpugrid.net/acemd2_6.04_x86_64-pc-linux-gnu__cuda "getattr" access      on /etc/nsswitch.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=625961
  [ 5 ] Bug #626167 - SELinux is preventing /usr/sbin/ssmtp "getattr" access      on /etc/aliases.
        https://bugzilla.redhat.com/show_bug.cgi?id=626167
  [ 6 ] Bug #624546 - Spam reporting through Horde application framework to Spamassassin ends up in AVC denial
        https://bugzilla.redhat.com/show_bug.cgi?id=624546
  [ 7 ] Bug #625917 - Selinux prevents httpd from using gnupg
        https://bugzilla.redhat.com/show_bug.cgi?id=625917
  [ 8 ] Bug #625780 - O SELinux está a impedir o acesso /usr/lib/cyrus-imapd/cyrus-master "fsetid"
        https://bugzilla.redhat.com/show_bug.cgi?id=625780
  [ 9 ] Bug #625781 - O SELinux está a impedir o acesso /usr/lib/cyrus-imapd/deliver "open"      on /usr/lib/cyrus-imapd/deliver
        https://bugzilla.redhat.com/show_bug.cgi?id=625781
  [ 10 ] Bug #591854 - SELinux empêche /usr/bin/vlc de charger /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du texte.
        https://bugzilla.redhat.com/show_bug.cgi?id=591854
  [ 11 ] Bug #626047 - SELinux is preventing /usr/sbin/ulogd "read" access      on hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=626047
  [ 12 ] Bug #626082 - SELinux is preventing /usr/sbin/ulogd "connect" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=626082
  [ 13 ] Bug #626114 - SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=626114
  [ 14 ] Bug #624303 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin "unlink" access      on catalog.cache.
        https://bugzilla.redhat.com/show_bug.cgi?id=624303
  [ 15 ] Bug #627208 - postfix_local_t cannot read usr_t files
        https://bugzilla.redhat.com/show_bug.cgi?id=627208
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list