Fedora 17 Update: selinux-policy-3.10.0-128.fc17

updates at fedoraproject.org
Sun Jun 3 23:32:45 UTC 2012


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8720
2012-06-01 16:18:57
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 128.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL needs xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux work if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs work correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access required to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May  9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #809832 - avc on tuned-adm profile powersave
        https://bugzilla.redhat.com/show_bug.cgi?id=809832
  [ 2 ] Bug #819082 - Gnome-disk-utility (palimpsest) crashes when trying to attach disk image
        https://bugzilla.redhat.com/show_bug.cgi?id=819082
  [ 3 ] Bug #821189 - SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=821189
  [ 4 ] Bug #821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=821268
  [ 5 ] Bug #821420 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /var/lib/sss/mc/group. This file (which is actually the on-disk representation of a mmap() cache) needs to be readable by any process. It should only be writable by SSSD processes.
        https://bugzilla.redhat.com/show_bug.cgi?id=821420
  [ 6 ] Bug #822789 - avc denial on systemd-journald prevents startup when /etc/machine-id doesn't exist
        https://bugzilla.redhat.com/show_bug.cgi?id=822789
  [ 7 ] Bug #822854 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'read' accesses on the file pulse-shm-233641167.
        https://bugzilla.redhat.com/show_bug.cgi?id=822854
  [ 8 ] Bug #823000 - SELinux is preventing /usr/bin/dbus-daemon from read, write access on the file /home/elad/f17arm-latest-arm-rpi+x-mmcblk0.img.
        https://bugzilla.redhat.com/show_bug.cgi?id=823000
  [ 9 ] Bug #823035 - SELinux is preventing plugin-containe from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=823035
  [ 10 ] Bug #823211 - SELinux is preventing /usr/bin/totem from 'create' accesses on the file .grl-metadata-store.
        https://bugzilla.redhat.com/show_bug.cgi?id=823211
  [ 11 ] Bug #823251 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the directory .orc.
        https://bugzilla.redhat.com/show_bug.cgi?id=823251
  [ 12 ] Bug #823294 - SELinux is preventing /usr/sbin/gpsd from 'module_request' accesses on the system .
        https://bugzilla.redhat.com/show_bug.cgi?id=823294
  [ 13 ] Bug #823306 - SELinux is preventing /usr/bin/gnome-mplayer from 'execute' accesses on the file /usr/bin/mencoder.
        https://bugzilla.redhat.com/show_bug.cgi?id=823306
  [ 14 ] Bug #823398 - SELinux is preventing /usr/bin/mongod from 'read' accesses on the file meminfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=823398
  [ 15 ] Bug #824097 - SELinux is preventing /usr/bin/lpstat.cups from 'write' accesses on the file /tmp/npicaitl35F.
        https://bugzilla.redhat.com/show_bug.cgi?id=824097
  [ 16 ] Bug #824099 - SELinux is preventing /opt/Citrix/ICAClient/wfica from 'write' accesses on the file /home/mikhail/.ICAClient/CtxFlashCache/CacheFile.cache.
        https://bugzilla.redhat.com/show_bug.cgi?id=824099
  [ 17 ] Bug #824438 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'add_name' accesses on the directory socket-9666-1526706912.
        https://bugzilla.redhat.com/show_bug.cgi?id=824438
  [ 18 ] Bug #824999 - logins directory is not created or owned by package
        https://bugzilla.redhat.com/show_bug.cgi?id=824999
  [ 19 ] Bug #825276 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=825276
  [ 20 ] Bug #825530 - SELinux is preventing /usr/bin/systemd-tmpfiles from read access on the lnk_file sda.
        https://bugzilla.redhat.com/show_bug.cgi?id=825530
  [ 21 ] Bug #825718 - SELinux is preventing /usr/bin/ls from getattr access on the blk_file /dev/sdb
        https://bugzilla.redhat.com/show_bug.cgi?id=825718
  [ 22 ] Bug #826064 - SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=826064
  [ 23 ] Bug #826444 - krb5 tickets not accessible for user_t/staff_t
        https://bugzilla.redhat.com/show_bug.cgi?id=826444
  [ 24 ] Bug #826448 - SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from read, write access on the chr_file nvidiactl.
        https://bugzilla.redhat.com/show_bug.cgi?id=826448
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------