Fedora 16 Update: selinux-policy-3.10.0-55.fc16

updates at fedoraproject.org
Thu Nov 10 17:31:05 UTC 2011


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15593
2011-11-10 16:42:48
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 55.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov  7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov  4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov  1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYS
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-52
- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-51
-  Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_override to communicate with users TTY's
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #750892 - unable to uninstall old kernels due to scriptlet errors
        https://bugzilla.redhat.com/show_bug.cgi?id=750892
  [ 2 ] Bug #747401 - spamassassin - error: GPG validation faile
        https://bugzilla.redhat.com/show_bug.cgi?id=747401
  [ 3 ] Bug #748069 - selinux and nvidia means gdm fails to start
        https://bugzilla.redhat.com/show_bug.cgi?id=748069
  [ 4 ] Bug #748921 - SELinux is preventing /bin/systemctl from 'read' accesses on the file cgroup.procs.
        https://bugzilla.redhat.com/show_bug.cgi?id=748921
  [ 5 ] Bug #749682 - matahari generates avcs and doesn't work properly
        https://bugzilla.redhat.com/show_bug.cgi?id=749682
  [ 6 ] Bug #749886 - SELinux is preventing /bin/systemctl from 'getattr' accesses on the file /sys/fs/cgroup/systemd/system/chronyd.service/cgroup.procs.
        https://bugzilla.redhat.com/show_bug.cgi?id=749886
  [ 7 ] Bug #750074 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser from read, append access on the file /dev/shm/.org.chromium.Chromium.cymVpB (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=750074
  [ 8 ] Bug #750161 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'read' accesses on the file online.
        https://bugzilla.redhat.com/show_bug.cgi?id=750161
  [ 9 ] Bug #750570 - SELinux is preventing /bin/systemd-tmpfiles from 'rmdir' accesses on the directory dconf.
        https://bugzilla.redhat.com/show_bug.cgi?id=750570
  [ 10 ] Bug #751194 - SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from ioctl access on the chr_file /dev/nvidiactl
        https://bugzilla.redhat.com/show_bug.cgi?id=751194
  [ 11 ] Bug #751379 - SELinux is preventing /sbin/ldconfig from 'read' accesses on the directory /home/dzamirski/.local/share/evolution.
        https://bugzilla.redhat.com/show_bug.cgi?id=751379
  [ 12 ] Bug #751585 - SELinux is preventing /opt/google/chrome/nacl_helper_bootstrap from 'read' accesses on the file cpuinfo_max_freq.
        https://bugzilla.redhat.com/show_bug.cgi?id=751585
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

