Fedora 17 Update: selinux-policy-3.10.0-132.fc17
updates at fedoraproject.org
Thu Jul 19 09:18:29 UTC 2012
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-9672
2012-06-19 23:59:39
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 17
Version : 3.10.0
Release : 132.fc17
URL : http://oss.tresys.com/repos/refpolicy/
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
* support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
* Mon Jun 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list the content of /etc/modprobe.d
- Allow dkim-milter to listen on its own tcp_socket
* Fri Jun 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home data
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be an irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store. No reason to deny it
- Support libvirt plugin for collectd
* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to make getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux work if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs work correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #827128 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'execute' accesses on the file /home/thomas/.orc/orcexec.yryRah (deleted).
https://bugzilla.redhat.com/show_bug.cgi?id=827128
[ 2 ] Bug #827592 - SELinux is preventing /usr/bin/chsh from 'execute' accesses on the file tmux.
https://bugzilla.redhat.com/show_bug.cgi?id=827592
[ 3 ] Bug #828062 - SELinux is preventing /usr/sbin/sysctl from 'write' accesses on the file nmi_watchdog.
https://bugzilla.redhat.com/show_bug.cgi?id=828062
[ 4 ] Bug #830611 - selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
https://bugzilla.redhat.com/show_bug.cgi?id=830611
[ 5 ] Bug #831076 - SELinux is preventing /usr/sbin/snort-plain from 'getattr' accesses on the file /etc/passwd.
https://bugzilla.redhat.com/show_bug.cgi?id=831076
[ 6 ] Bug #831281 - SELinux is preventing /usr/sbin/rpc.svcgssd from read, write access on the file nfs_0.
https://bugzilla.redhat.com/show_bug.cgi?id=831281
[ 7 ] Bug #831390 - SELinux is preventing /usr/libexec/totem-plugin-viewer from 'execute' accesses on the file /home/rk00253/.orc/orcexec.amtOjn (deleted).
https://bugzilla.redhat.com/show_bug.cgi?id=831390
[ 8 ] Bug #831474 - SELinux is preventing totem-plugin-vi from 'setattr' accesses on the directory at-spi2.
https://bugzilla.redhat.com/show_bug.cgi?id=831474
[ 9 ] Bug #831850 - SELinux prevents remote-viewer connection to Virtual machine provisioned by Ovirt Management
https://bugzilla.redhat.com/show_bug.cgi?id=831850
[ 10 ] Bug #831977 - acpid is unable to launch systemd-loginctl list-sessions
https://bugzilla.redhat.com/show_bug.cgi?id=831977
[ 11 ] Bug #832501 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
https://bugzilla.redhat.com/show_bug.cgi?id=832501
[ 12 ] Bug #832639 - SELinux is preventing /usr/sbin/rpc.statd from using the 'setpcap' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=832639
[ 13 ] Bug #832674 - SELinux is preventing libvirt_lxc from 'read' accesses on the chr_file urandom.
https://bugzilla.redhat.com/show_bug.cgi?id=832674
[ 14 ] Bug #832715 - SELinux is preventing plugin-containe from 'name_connect' accesses on the tcp_socket.
https://bugzilla.redhat.com/show_bug.cgi?id=832715
[ 15 ] Bug #832786 - cupsd rename access to /etc/cpus/printers.conf triggers an error
https://bugzilla.redhat.com/show_bug.cgi?id=832786
[ 16 ] Bug #832851 - SELinux is preventing GoogleTalkPlugi from 'unlink' accesses on the file .google-talk-plugin-edu.lock.
https://bugzilla.redhat.com/show_bug.cgi?id=832851
[ 17 ] Bug #833016 - SELinux is preventing systemd-logind from 'read' accesses on the directory .orc.
https://bugzilla.redhat.com/show_bug.cgi?id=833016
[ 18 ] Bug #830764 - httpd can no longer connect to dirsrv socket
https://bugzilla.redhat.com/show_bug.cgi?id=830764
[ 19 ] Bug #832414 - openstack-glance-2012.1-4.fc17
https://bugzilla.redhat.com/show_bug.cgi?id=832414
[ 20 ] Bug #832840 - /usr/bin/kdm is mislabeled
https://bugzilla.redhat.com/show_bug.cgi?id=832840
[ 21 ] Bug #833030 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the filesystem /.
https://bugzilla.redhat.com/show_bug.cgi?id=833030
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------