Fedora 17 Update: selinux-policy-3.10.0-128.fc17
updates at fedoraproject.org
Sun Jun 3 23:32:45 UTC 2012
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8720
2012-06-01 16:18:57
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 17
Version : 3.10.0
Release : 128.fc17
URL : http://oss.tresys.com/repos/refpolicy/
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tuning /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non-security file on the system that it inherits, so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_t files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux work if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs work correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #809832 - avc on tuned-adm profile powersave
https://bugzilla.redhat.com/show_bug.cgi?id=809832
[ 2 ] Bug #819082 - Gnome-disk-utility (palimpsest) crashes when trying to attach disk image
https://bugzilla.redhat.com/show_bug.cgi?id=819082
[ 3 ] Bug #821189 - SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.
https://bugzilla.redhat.com/show_bug.cgi?id=821189
[ 4 ] Bug #821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
https://bugzilla.redhat.com/show_bug.cgi?id=821268
[ 5 ] Bug #821420 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /var/lib/sss/mc/group. This file (which is actually the on-disk representation of a mmap() cache) needs to be readable by any process. It should only be writable by SSSD processes.
https://bugzilla.redhat.com/show_bug.cgi?id=821420
[ 6 ] Bug #822789 - avc denial on systemd-journald prevents startup when /etc/machine-id doesn't exist
https://bugzilla.redhat.com/show_bug.cgi?id=822789
[ 7 ] Bug #822854 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'read' accesses on the file pulse-shm-233641167.
https://bugzilla.redhat.com/show_bug.cgi?id=822854
[ 8 ] Bug #823000 - SELinux is preventing /usr/bin/dbus-daemon from read, write access on the file /home/elad/f17arm-latest-arm-rpi+x-mmcblk0.img.
https://bugzilla.redhat.com/show_bug.cgi?id=823000
[ 9 ] Bug #823035 - SELinux is preventing plugin-containe from 'name_connect' accesses on the tcp_socket .
https://bugzilla.redhat.com/show_bug.cgi?id=823035
[ 10 ] Bug #823211 - SELinux is preventing /usr/bin/totem from 'create' accesses on the file .grl-metadata-store.
https://bugzilla.redhat.com/show_bug.cgi?id=823211
[ 11 ] Bug #823251 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the directory .orc.
https://bugzilla.redhat.com/show_bug.cgi?id=823251
[ 12 ] Bug #823294 - SELinux is preventing /usr/sbin/gpsd from 'module_request' accesses on the system .
https://bugzilla.redhat.com/show_bug.cgi?id=823294
[ 13 ] Bug #823306 - SELinux is preventing /usr/bin/gnome-mplayer from 'execute' accesses on the file /usr/bin/mencoder.
https://bugzilla.redhat.com/show_bug.cgi?id=823306
[ 14 ] Bug #823398 - SELinux is preventing /usr/bin/mongod from 'read' accesses on the file meminfo.
https://bugzilla.redhat.com/show_bug.cgi?id=823398
[ 15 ] Bug #824097 - SELinux is preventing /usr/bin/lpstat.cups from 'write' accesses on the file /tmp/npicaitl35F.
https://bugzilla.redhat.com/show_bug.cgi?id=824097
[ 16 ] Bug #824099 - SELinux is preventing /opt/Citrix/ICAClient/wfica from 'write' accesses on the file /home/mikhail/.ICAClient/CtxFlashCache/CacheFile.cache.
https://bugzilla.redhat.com/show_bug.cgi?id=824099
[ 17 ] Bug #824438 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'add_name' accesses on the directory socket-9666-1526706912.
https://bugzilla.redhat.com/show_bug.cgi?id=824438
[ 18 ] Bug #824999 - logins directory is not created or owned by package
https://bugzilla.redhat.com/show_bug.cgi?id=824999
[ 19 ] Bug #825276 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
https://bugzilla.redhat.com/show_bug.cgi?id=825276
[ 20 ] Bug #825530 - SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.
https://bugzilla.redhat.com/show_bug.cgi?id=825530
[ 21 ] Bug #825718 - SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sdb
https://bugzilla.redhat.com/show_bug.cgi?id=825718
[ 22 ] Bug #826064 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket .
https://bugzilla.redhat.com/show_bug.cgi?id=826064
[ 23 ] Bug #826444 - krb5 tickets not accessible for user_t/staff_t
https://bugzilla.redhat.com/show_bug.cgi?id=826444
[ 24 ] Bug #826448 - SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from read, write access on the chr_file nvidiactl.
https://bugzilla.redhat.com/show_bug.cgi?id=826448
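Most of the bugs above are setroubleshoot summaries ("SELinux is preventing X from 'read' accesses on ..."); the record that actually decides whether a policy change is warranted is the raw type=AVC line in audit.log (ausearch -m avc -ts recent). The following is an added example, not code from this notice or from the selinux-policy project: a small Python parser for raw AVC records that collapses repeated denials into (source type, target type, class, permission) counts, prints audit2allow-style rule text for them, and flags denials whose target type should prompt an investigation rather than a new allow rule. The sample records, the process and type names in them, and the SENSITIVE_TARGET_TYPES list are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records in raw audit.log format (not from the notice and
# not from a real host): two AVC records for one repeated denial, one SYSCALL
# record the parser must skip, and one denial against shadow_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338503471.123:4021): avc:  denied  { read } for  pid=2371 comm="mongod" name="meminfo" dev="proc" ino=4026532020 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1338503471.123:4021): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=2371 comm="mongod" exe="/usr/bin/mongod" subj=system_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1338503490.555:4022): avc:  denied  { read } for  pid=2390 comm="bash" name="passwd" dev="sda1" ino=131183 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338503490.556:4023): avc:  denied  { read } for  pid=2390 comm="bash" name="passwd" dev="sda1" ino=131183 scontext=system_u:system_r:nagios_system_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338503512.001:4024): avc:  denied  { read open } for  pid=2402 comm="httpd" name="shadow" dev="sda1" ino=131190 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Illustrative list (an assumption, not a project-maintained list): target types
# for which a denial is a finding to investigate, never a rule to add.
SENSITIVE_TARGET_TYPES = {"shadow_t", "security_t", "selinux_config_t"}

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Key = Tuple[str, str, str, str]  # (source type, target type, tclass, permission)


def _type_of(context: str) -> str:
    # user:role:type[:range] -> type
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one raw AVC record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text: str) -> Counter:
    """Count denials per (stype, ttype, tclass, perm); repeats collapse into one key."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def suggest_rules(counts: Counter) -> List[str]:
    """audit2allow-style text: one line per (stype, ttype, tclass), permissions merged."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for (stype, ttype, tclass, perm) in counts:
        merged.setdefault((stype, ttype, tclass), set()).add(perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(merged.items())
    ]


def flag_sensitive(counts: Counter, sensitive=SENSITIVE_TARGET_TYPES) -> List[Key]:
    """Keys whose target type is in the sensitive list; these get a ticket, not a rule."""
    return sorted(k for k in counts if k[1] in sensitive)


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT_LOG)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("\n".join(suggest_rules(counts)))
    for key in flag_sensitive(counts):
        print("INVESTIGATE, do not allow:", *key)
```

The grouping step is what makes the output reviewable: the two nagios records become a single candidate rule with a count of 2, while the httpd_t read of shadow_t is reported separately so that nobody pastes it into a local module. That distinction (mislabeled file or misbehaving program versus a genuinely missing permission) is the judgement behind every entry in the changelog above.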
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
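Confirming the update landed on a host (or across a fleet of collected rpm -q outputs) means comparing the installed VERSION-RELEASE against 3.10.0-128.fc17 with rpm's own segment-wise ordering, not a string compare (a string compare would rank 3.9.7 above 3.10.0). The following is an added example, not code from this notice or from the selinux-policy project: a simplified rpmvercmp in Python and a check over the output of rpm -q selinux-policy. It assumes no epoch (selinux-policy carries none) and omits rpm's '~' and '^' handling; the sample rpm -q lines are constructed.

```python
import re
from typing import List, Tuple, Union

# Fixed release from this notice: Version 3.10.0, Release 128.fc17.
FIXED_VR = "3.10.0-128.fc17"

# Constructed sample outputs of `rpm -q selinux-policy` (not from the notice).
SAMPLE_RPM_Q = [
    "selinux-policy-3.10.0-127.fc17.noarch",  # one release behind the fix
    "selinux-policy-3.10.0-128.fc17.noarch",  # exactly the fixed release
    "selinux-policy-3.9.7-45.fc17.noarch",    # older upstream version
]

_SEG_RE = re.compile(r"\d+|[A-Za-z]+")
Segment = Union[int, str]


def _segments(s: str) -> List[Segment]:
    """'128.fc17' -> [128, 'fc', 17]; separators are ignored, as rpmvercmp does."""
    return [int(tok) if tok.isdigit() else tok for tok in _SEG_RE.findall(s)]


def compare_segments(a: str, b: str) -> int:
    """-1, 0 or 1 for one version or release string, following rpmvercmp:
    numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, and leftover segments win.
    Simplified: no '~' (pre-release) or '^' (post-release) handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(vr: str) -> Tuple[str, str]:
    """'3.10.0-128.fc17' -> ('3.10.0', '128.fc17'); split on the last '-'."""
    version, sep, release = vr.rpartition("-")
    if not sep:
        raise ValueError(f"expected VERSION-RELEASE, got {vr!r}")
    return version, release


def compare_vr(a: str, b: str) -> int:
    """Compare two VERSION-RELEASE strings: version decides, release breaks ties.
    Assumes no epoch (selinux-policy has none)."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return compare_segments(va, vb) or compare_segments(ra, rb)


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    return compare_vr(installed_vr, fixed_vr) >= 0


def check_rpm_q(line: str, fixed_vr: str = FIXED_VR) -> bool:
    """Evaluate one line of `rpm -q selinux-policy`, e.g.
    'selinux-policy-3.10.0-128.fc17.noarch' -> True."""
    prefix = "selinux-policy-"
    if not line.startswith(prefix):
        raise ValueError(f"not a selinux-policy NVRA: {line!r}")
    vr, _, _arch = line[len(prefix):].rpartition(".")  # drop the architecture suffix
    return is_fixed(vr, fixed_vr)


if __name__ == "__main__":
    for line in SAMPLE_RPM_Q:
        print(line, "->", "fixed" if check_rpm_q(line) else "needs update")
```

A passing check only proves the package is installed; the new policy is loaded by the package scriptlets, so after the update also confirm with sestatus that the system is still in the expected mode and that any denials you were chasing no longer appear in ausearch -m avc.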
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------