Fedora 16 Update: selinux-policy-3.10.0-56.fc16

updates at fedoraproject.org
Mon Nov 21 00:01:27 UTC 2011


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-16003
2011-11-17 22:45:47
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 56.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to stream connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
* Mon Nov  7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov  4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov  1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYS
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-52
- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-51
- Begin removing qemu_t domain, we really no longer need this domain.
- systemd_passwd needs dac_override to communicate with users TTY's
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #751613 - acpid fails to run pm-suspend in enforcing mode
        https://bugzilla.redhat.com/show_bug.cgi?id=751613
  [ 2 ] Bug #753307 - ldconfig mislabels /etc/ld.so.cache
        https://bugzilla.redhat.com/show_bug.cgi?id=753307
  [ 3 ] Bug #741925 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket port 54085.
        https://bugzilla.redhat.com/show_bug.cgi?id=741925
  [ 4 ] Bug #752213 - SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd.
        https://bugzilla.redhat.com/show_bug.cgi?id=752213
  [ 5 ] Bug #752366 - chrony AVCs at DHCP renewal time
        https://bugzilla.redhat.com/show_bug.cgi?id=752366
  [ 6 ] Bug #752556 - AVC denials with icecast in F16
        https://bugzilla.redhat.com/show_bug.cgi?id=752556
  [ 7 ] Bug #752987 - SELinux is preventing /usr/sbin/sendmail.sendmail from 'getattr' accesses on the unix_stream_socket unix_stream_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=752987
  [ 8 ] Bug #753187 - SELinux is preventing /usr/bin/gnome-shell from 'execute' accesses on the file /usr/share/tucan-0.3.10/tucan.py.
        https://bugzilla.redhat.com/show_bug.cgi?id=753187
  [ 9 ] Bug #753190 - SELinux is preventing /bin/bash from 'read' accesses on the file /etc/chrony.keys.
        https://bugzilla.redhat.com/show_bug.cgi?id=753190
  [ 10 ] Bug #753395 - virsh iface-start and iface-destroy commands lead to a "very long wait" before finally succeeding
        https://bugzilla.redhat.com/show_bug.cgi?id=753395
  [ 11 ] Bug #753460 - SELinux is preventing /usr/libexec/accounts-daemon from 'read' accesses on the fichier cpuinfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=753460
  [ 12 ] Bug #753521 - restorecon puts the wrong context on nm-dns-dnsmasq.conf
        https://bugzilla.redhat.com/show_bug.cgi?id=753521
  [ 13 ] Bug #753587 - SELinux is preventing /bin/bash from 'read' accesses on the archivo /bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=753587
  [ 14 ] Bug #753588 - SELinux is preventing /usr/sbin/ifdhandler from 'search' accesses on the directorio pcscd.
        https://bugzilla.redhat.com/show_bug.cgi?id=753588
  [ 15 ] Bug #753816 - SELinux is preventing mysqld from reading /bin/bash
        https://bugzilla.redhat.com/show_bug.cgi?id=753816
  [ 16 ] Bug #754292 - SELinux is preventing /usr/libexec/polkit-1/polkitd from 'read' accesses on the file online.
        https://bugzilla.redhat.com/show_bug.cgi?id=754292
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------