Fedora 13 Update: selinux-policy-3.7.19-33.fc13

updates at fedoraproject.org updates at fedoraproject.org
Tue Jul 6 17:09:56 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10641
2010-07-01 18:08:32
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 33.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

* Wed Jun 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-33   - Fix label for
/var/lib/git   - Fix labels for conflicted files   - Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-32   - Allow sectool
to connect to users over unix stream socket   - Add label for /var/spool/abrt-
upload   - Add audio_home_t type for homedir/Music files   - Allow aiccu to read
network config files   - Allow qpidd to setsched   - Allow virt domains to
manage svirt_image_t fifo files   - Fixes for NM-openswan - Fixes for admin
interfaces     * Mon Jun 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-31
- Remove daemons dontaudit to search all dirs   - Add support for epylog   - All
all domains to read lib files   - Allow denyhosts to send syslog messages   -
Allow mysql-safe setrlimit   - Allow rpm to execute rpm_tmp_t   - Allow dmesg to
appen abrt_var_cache files   - Fixed label for abrt.socket     * Wed Jun 16 2010
Miroslav Grepl <mgrepl at redhat.com> 3.7.19-30   - Allow sysadm to run ncftool   -
Fixes for cobbler policy   - Allow Network Manager to transition to ipsec_mgmt
domain   - Add label for /usr/libexec/nm-openswan-service   - Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-29   - Allow abrt
sigkill   - Add ncftool policy - Add cluster fixes   - Fixes for audisp-remote
* Thu May 6 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-13  - Allow boinc to send
mail  - Fixes for MLS Xserver  - Dontaudit leaked apache tmp file to sendmail
* Wed May 5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-12  - Allow initrc_t to
remove dhcpc_state_t  - Fix label on sa-update.cron  - Allow dhcpc to restart
chrony initrc  - Fix transition from unconfined_t -> unconfined_mount_t ->
rpcd_t  Resolves: #589136    * Mon May 3 2010 Dan Walsh <dwalsh at redhat.com>
3.7.19-11  - Fix location of oddjob_mkhomedir  Resolves: #587385  - fix labeling
on /root/.shosts and ~/.shosts  - Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
* Mon Jun 21 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-31
- Remove daemons dontaudit to search all dirs 
- Add support for epylog
- All all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to appen abrt_var_cache files
- Fixed label for abrt.socket
* Wed Jun 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
* Mon Jun 14 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy
* Wed Jun  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy
* Wed Jun  9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label
* Tue Jun  8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
* Thu Jun  3 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy
* Tue Jun  1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability
* Tue May 25 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
* Thu May 20 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptabels to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow pyranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-15
- Allow gdm to edit ~/.gconf dir
Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Thu May  6 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-14
- Fixes for sandbox_x_net_t  to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
Resolves: #586663
* Thu May  6 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-13
- Allow boinc to send mail
* Wed May  5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
Resolves: #589136
* Mon May  3 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #603449 - SELinux is preventing /bin/bash "ioctl" access      on /var/run/pm-utils/network/dhclient.suspend.
        https://bugzilla.redhat.com/show_bug.cgi?id=603449
  [ 2 ] Bug #590298 - SELinux is preventing /sbin/dhclient "read" access      on /var/run/pm-utils/network/dhclient.suspend.
        https://bugzilla.redhat.com/show_bug.cgi?id=590298
  [ 3 ] Bug #603450 - SELinux is preventing /sbin/consoletype "read" access      on /var/run/pm-utils/network/dhclient.suspend.
        https://bugzilla.redhat.com/show_bug.cgi?id=603450
  [ 4 ] Bug #603499 - nrpe check_mailq AVC's
        https://bugzilla.redhat.com/show_bug.cgi?id=603499
  [ 5 ] Bug #604247 - SELinux is preventing /usr/bin/perl access to a leaked /tmp/.NSPR-AFM-3516-247da78.0 (deleted) file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=604247
  [ 6 ] Bug #596444 - SELinux empêche /usr/sbin/prelink d'"read" au périphérique /etc/pki/tls/certs/Makefile.
        https://bugzilla.redhat.com/show_bug.cgi?id=596444
  [ 7 ] Bug #603993 - SELinux is preventing /usr/libexec/gvfs-fuse-daemon "read write" access      on fuse.
        https://bugzilla.redhat.com/show_bug.cgi?id=603993
  [ 8 ] Bug #603387 - SELinux is preventing /sbin/iptables-multi access to a leaked /var/log/psad/psad.iptout file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=603387
  [ 9 ] Bug #603198 - SELinux AVC denials with lirc irman
        https://bugzilla.redhat.com/show_bug.cgi?id=603198
  [ 10 ] Bug #604495 - SELinux preventing autofs mount of home directory over NFSv4 from Solaris Server
        https://bugzilla.redhat.com/show_bug.cgi?id=604495
  [ 11 ] Bug #604885 - SELinux is preventing /usr/sbin/sendmail.sendmail access to a leaked /var/spool/fcron/fcr-yw0ZTm (deleted) file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=604885
  [ 12 ] Bug #604902 - SELinux is preventing sendmail "write" access      on /var/spool/fcron/fcr-8yxZH1 (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=604902
  [ 13 ] Bug #606581 - SELinux is preventing /usr/bin/python "sendto" access      on /tmp/sectool/519a5c5417977630c8b5c4004b8d1b34630a1576.
        https://bugzilla.redhat.com/show_bug.cgi?id=606581
  [ 14 ] Bug #606529 - SELinux is preventing /usr/bin/perl "read" access      on /root.
        https://bugzilla.redhat.com/show_bug.cgi?id=606529
  [ 15 ] Bug #558402 - SELinux is preventing /usr/sbin/openvpn "[open|lock|read]" access on /var/run/utmp
        https://bugzilla.redhat.com/show_bug.cgi?id=558402
  [ 16 ] Bug #607983 - SELinux is preventing /usr/bin/mpd "read" access      on /home/wlan/Music.
        https://bugzilla.redhat.com/show_bug.cgi?id=607983
  [ 17 ] Bug #607514 - SELinux is preventing /usr/bin/nautilus "getattr" access      on /proc/mdstat.
        https://bugzilla.redhat.com/show_bug.cgi?id=607514
  [ 18 ] Bug #605890 - SELinux is preventing /usr/sbin/aiccu "write" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=605890
  [ 19 ] Bug #605235 - SELinux is preventing /usr/sbin/qpidd "setsched" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=605235
  [ 20 ] Bug #607897 - ClamAV freshclam leaked fd
        https://bugzilla.redhat.com/show_bug.cgi?id=607897
  [ 21 ] Bug #608504 - SELinux is preventing /var/lib/boinc/projects/wuprop.boinc-af.org/data_collect_1.33_x86_64-pc-linux-gnu__nci "name_connect" access to <Unknown>.
        https://bugzilla.redhat.com/show_bug.cgi?id=608504
  [ 22 ] Bug #608483 - SELinux is preventing /usr/libexec/git-core/git-daemon "getattr" access      on /var/lib/git.
        https://bugzilla.redhat.com/show_bug.cgi?id=608483
  [ 23 ] Bug #587473 - SELinux is preventing /sbin/shutdown "signull" access     .
        https://bugzilla.redhat.com/show_bug.cgi?id=587473
  [ 24 ] Bug #588715 - O SELinux está impedindo que o /sbin/ip acesse um descritor de arquivo vazado do /var/log/pm-suspend.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=588715
  [ 25 ] Bug #589336 - SELinux is preventing /usr/bin/file "getattr" access      on /usr/sbin/sendmail.sendmail.
        https://bugzilla.redhat.com/show_bug.cgi?id=589336
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list