Fedora 16 Update: selinux-policy-3.10.0-80.fc16

updates at fedoraproject.org updates at fedoraproject.org
Sat Mar 24 00:40:26 UTC 2012


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-2733
2012-03-01 08:59:06
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 16
Version     : 3.10.0
Release     : 80.fc16
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Dontaudit sandbox to shudown unconfined_execmem stream 
- Allow smtpd_t to manage spool files/directories and symbolic links
- Allow ksysguardproces to send system log msgs 
- Allow automount to execute consoletype 
- Allow boinc setpgid and signull 
- Add mysqld_home_t for ~/.my.cnf - Add unit file support to mysqld 
- rhev-agent package was rename to ovirt-guest-agent 
- move postfix_domtrans_user_mail_handler() to mta.if 
- Fix virt_search_images() interface 
- Fix iscsi policy 
- Add booleans to allow rsync to share nfs and cifs file sytems 
- Add file name transition for locale.conf.new 
- Allow boinc projects to gconf config files 
- Allow xen to search virt images directories 
- Allow memcache to create sock_file 
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-80
- Add own type for rdate port
- Allow sssd setrlimit
- Allow jaberrd-router to read kernel network state
- Started to backport userdom_home_reader and userdom_home_manager concept from f17
- Allow system_mail to send log msgs
* Wed Mar  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-79
- Allow system_mail to send log msgs
- Add login_userdomain attribute
- Dontaudit logrotate to getattr home content
- Label httpd.event as httpd_exec_t, it is an apache daemon
- Iscsi log file context specification fix
- Allow sssd sys_resource capability
- vsftpd reads network state
- Add labeling for /var/spool/postfix/dev/log
- Allow deltacloud to read kernel sysctl
- Fix virt_use_execmem boolean
- Allow sandbox_server to send signals
* Wed Feb 29 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-78
- Allow memcache to create sock_file
* Mon Feb 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
- Dontaudit sandbox to shudown unconfined_execmem stream
- Allow smtpd_t to manage spool files/directories and symbolic links
- Allow ksysguardproces to send system log msgs
- Allow automount to execute consoletype
- Allow  boinc setpgid and signull
- Add mysqld_home_t for ~/.my.cnf
- Add unit file support to mysqld
- rhev-agent package was rename to ovirt-guest-agent
- move postfix_domtrans_user_mail_handler() to mta.if
- Fix virt_search_images() interface
- Fix iscsi policy
- Add booleans to allow rsync to share nfs and cifs file sytems
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- Allow xen to search virt images directories
* Mon Feb 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76
- Allow denyhosts to read "unix"
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- Allow xen to search virt images directories
- Add label for /dev/megaraid_sas_ioctl_node
- kdump_t needs to read /etc/mtab
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
- Allow boinc project to getattr on fs
- Add filename transition also for "event20"
- Allow collectd to ipc_lock
- Allow systemd_tmpfiles_t to delete all file types
- Add lots of rules to fix AVC's when playing with containers
* Wed Feb  1 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-75
- Add logging_syslogd_use_tty boolea
- Add polipo_connect_all_unreserved bolean
- Allow zabbix to connect to ftp port
- Allow systemd-logind to be able to switch VTs
- Allow apache to communicate with memcached through a sock_file
- Allow denyhosts to use fifo files and exec shell
- Allow sandbox_nacl to setsched on its process
- Allow chrome_sandbox_t to send all signals to sandbox_nacl_t
- Allow cupsd_lpd_t to connect to the printer port
* Thu Jan 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-74
- Add httpd_can_connect_zabbix boolean
- apcupsd_t needs to use seriel ports connected to usb devices
- Allow deltacloudd dac_override, setuid, setgid  caps
- Add zabbix_can_network boolean
- setroubleshoot needs to be able to execute rpm
* Fri Jan 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-73
- Backport colord policy from F17
* Mon Jan 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-72
- Allow deltacloudd dac_override, setuid, setgid  caps
- Allow aisexec to execute shell
- Add use_nfs_home_dirs boolean for ssh-keygen
- Allow xguest execmod on execmem_exec_t
- Dontaudit X domains trying to access dri device in a sandbox
* Wed Jan  4 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-71
- New fix for seunshare, requires seunshare_domains to be able to mounton /
* Tue Jan  3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-70
- Allow systemctl running as logrotate_t to connect to private systemd socket
- Allow tmpwatch to read meminfo
- Allow rpc.svcgssd to read supported_krb5_enctype
- Allow zarafa domains to read /dev/random and /dev/urandom
- Allow snmpd to read dev_snmp6
- Allow procmail to talk with cyrus
- Add fixes for check_disk and check_nagios plugins
* Sun Dec 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-69
- Fix bug in the boinc policy
* Wed Dec 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-68
- sssd needs sys_admin capability
* Thu Dec 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-67
- Add httpd_can_connect_ldap() interface
- NetworkManager needs to write to /sys/class/net/ib*/mode
- Dont audit writes to leaked file descriptors or redirected output for nacl
- Add label for /var/lib/iscan/interpreter
- Add labeling for /sbin/iscsiuio
- Allow all jabberd domain to read system state
- Allow munin services plugins to use NSCD services
- More fixes for boinc
* Wed Dec  7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-66
- Add fixes for xguest package
* Tue Dec  6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-65
- Allow abrt to getattr on blk files
- Add type for rhev-agent log file
- Fix labeling for /dev/dmfm
- Dontaudit wicd leaking
- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
- Label /etc/locale.conf correctly
- Allow user_mail_t to read /dev/random
- Allow postfix-smtpd to read MIMEDefang
- Add label for /var/log/suphp.log
- Allow swat_t to connect and read/write nmbd_t sock_file
- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
- Allow systemd-tmpfiles to change user identity in object contexts
- More fixes for rhev_agentd_t consolehelper policy
* Fri Dec  2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-64
- Use fs_use_xattr for squashf
-  Fix procs_type interface
- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
- Dovecot has a new fifo_file /var/run/stats-mail
- Colord does not need to connect to network
- Allow system_cronjob to dbus chat with NetworkManager
- Puppet manages content, want to make sure it labels everything correctly
* Tue Nov 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-63
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
* Mon Nov 28 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-62
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
- Allow clamd to read spamd pid file
- Allow mount to read /dev/urandom
- Add use_fusefs_home_dirs also for system_dbus_t
* Fri Nov 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-61
- Needs to require new version policycoreutils
* Thu Nov 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-60
- Needs to require new version checkpolicy
* Thu Nov 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-59
- Allow spamd to send mail
- Add ssh_home_t label for /var/lib/nocpulse/.ssh
- Allow puppetmaster to read network state
- Add colord_can_network_connect boolean
- Allow colord to execute shell
- Add bin_t label for "/usr/lib/iscan/network"
- Allow chrome-sandbox ptrace
- winbind needs to be able to talk to ldap directly, not through sssd
- saslauthd_t needs to connect to zarafa_port_t
- dnsmasq wants to read proc_net_t
- Add full DNS support for FreeIPA
* Mon Nov 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-58
- Allow mcelog_t to create dir and file in /var/run and label it correctly
- Allow dbus to manage fusefs
- Mount needs to read process state when mounting gluster file systems
- Allow collectd-web to read collectd lib files
- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr
- Allow colord to get the attributes of tmpfs filesystem
- Add sanlock_use_nfs and sanlock_use_samba booleans
- Add bin_t label for /usr/lib/virtualbox/VBoxManage
* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-57
- We need to treat port_t and unreserved_port_t as generic_port types
* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to steam connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t
* Mon Nov  7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-55
- Add more MCS fixes to make sandbox working
- Make faillog MLS trusted to make sudo_$1_t working
- Allow sandbox_web_client_t to read passwd_file_t
- Add .mailrc file context
- Remove execheap from openoffice domain
- Allow chrome_sandbox_nacl_t to read cpu_info
- Allow virtd to relabel generic usb which is need if USB device
- Fixes for virt.if interfaces to consider chr_file as image file type
* Fri Nov  4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-54
- MCS fixes
- quota fixes
* Tue Nov  1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface
- Make filetrans rules optional so base policy will build
- Dontaudit chkpwd_t access to inherited TTYS
- Make sure postfix content gets created with the correct label
- Allow gnomeclock to read cgroup
- Fixes for cloudform policy
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-52
- Check in fixed for Chrome nacl support
* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-51
-  Begin removing qemu_t domain, we really no longer need this domain.  
- systemd_passwd needs dac_overide to communicate with users TTY's
- Allow svirt_lxc domains to send kill signals within their container
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-50
- Allow policykit to talk to the systemd via dbus
- Move chrome_sandbox_nacl_t to permissive domains
- Additional rules for chrome_sandbox_nacl
* Tue Oct 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-49
- Change bootstrap name to nacl
- Chrome still needs execmem
- Missing role for chrome_sandbox_bootstrap
- Add boolean to remove execmem and execstack from virtual machines
- Dontaudit xdm_t doing an access_check on etc_t directories
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
- Add port 8953 as a dns port used by unbound
- Fix file name transition for alsa and confined users
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #787174 - SELinux is preventing /usr/bin/mongod from 'execmem' accesses on the None .
        https://bugzilla.redhat.com/show_bug.cgi?id=787174
  [ 2 ] Bug #794603 - /dev/megaraid_sas_ioctl_node has the incorrect fcontext for smartd
        https://bugzilla.redhat.com/show_bug.cgi?id=794603
  [ 3 ] Bug #799221 - Allow PostgreSQL to talk to self over dblink -- AVC denial
        https://bugzilla.redhat.com/show_bug.cgi?id=799221
  [ 4 ] Bug #799818 - SELinux policy missing postfix /dev/log fcontext in chroot
        https://bugzilla.redhat.com/show_bug.cgi?id=799818
  [ 5 ] Bug #800458 - let dovecot use fusefs_t files if use_fusefs_home_dirs is on
        https://bugzilla.redhat.com/show_bug.cgi?id=800458
  [ 6 ] Bug #760206 - SELinux is preventing /usr/bin/rdate from 'name_connect' accesses on the tcp_socket port 37.
        https://bugzilla.redhat.com/show_bug.cgi?id=760206
  [ 7 ] Bug #789389 - selinux prevents zabbix from making smtp connections
        https://bugzilla.redhat.com/show_bug.cgi?id=789389
  [ 8 ] Bug #798413 - SELinux is preventing /sbin/killall5 from 'getattr' accesses on the None /usr/sbin/userhelper.
        https://bugzilla.redhat.com/show_bug.cgi?id=798413
  [ 9 ] Bug #798740 - SELinux is preventing /usr/sbin/vsftpd from 'read' accesses on the None unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=798740
  [ 10 ] Bug #798916 - SELinux is preventing /usr/bin/Xephyr from using the signal access on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=798916
  [ 11 ] Bug #799169 - SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execmem' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=799169
  [ 12 ] Bug #799381 - SELinux is preventing /usr/bin/ruby from 'search' accesses on the directory kernel.
        https://bugzilla.redhat.com/show_bug.cgi?id=799381
  [ 13 ] Bug #800394 - SELinux is preventing /usr/bin/router from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=800394
  [ 14 ] Bug #800578 - SELinux is preventing /sbin/killall5 from 'getattr' accesses on the file /home/ahmed/.dropbox-dist/dropbox.
        https://bugzilla.redhat.com/show_bug.cgi?id=800578
  [ 15 ] Bug #800613 - SELinux is preventing /usr/sbin/ssmtp from 'connectto' accesses on the unix_stream_socket /dev/log.
        https://bugzilla.redhat.com/show_bug.cgi?id=800613
  [ 16 ] Bug #801509 - SELinux is preventing /lib/systemd/systemd-logind from 'getattr' accesses on the archivo /proc/<pid>/sessionid.
        https://bugzilla.redhat.com/show_bug.cgi?id=801509
  [ 17 ] Bug #801909 - SELinux is preventing sssd_pam from using the 'sys_resource' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=801909
  [ 18 ] Bug #802079 - SELinux is preventing /usr/bin/python from 'read' accesses on the fichier unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=802079
  [ 19 ] Bug #802468 - SELinux is preventing /lib/systemd/systemd-logind from 'getattr' accesses on the archivo /proc/<pid>/sessionid.
        https://bugzilla.redhat.com/show_bug.cgi?id=802468
  [ 20 ] Bug #795048 - SELinux is preventing /usr/libexec/libvirt_lxc from 'create' accesses on the None selinux.
        https://bugzilla.redhat.com/show_bug.cgi?id=795048
  [ 21 ] Bug #795790 - SELinux is preventing /usr/bin/mysqladmin from 'getattr' accesses on the None /root/.my.cnf.
        https://bugzilla.redhat.com/show_bug.cgi?id=795790
  [ 22 ] Bug #797293 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the None socket-1266-572660336.
        https://bugzilla.redhat.com/show_bug.cgi?id=797293
  [ 23 ] Bug #797377 - SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on the None yum_save_tx-2012-01-30-19-11HM2mED.yumtx.
        https://bugzilla.redhat.com/show_bug.cgi?id=797377
  [ 24 ] Bug #797434 - SELinux is preventing /var/lib/boinc/projects/climateprediction.net/hadrm3p_eu_um_6.09_i686-pc-linux-gnu from using the 'signull' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=797434
  [ 25 ] Bug #797435 - SELinux is preventing /usr/lib64/virtualbox/VBoxManage from using the 'setpgid' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=797435
  [ 26 ] Bug #797452 - SELinux is preventing /bin/bash from 'execute' accesses on the None /sbin/consoletype.
        https://bugzilla.redhat.com/show_bug.cgi?id=797452
  [ 27 ] Bug #797514 - SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'create' accesses on the None .
        https://bugzilla.redhat.com/show_bug.cgi?id=797514
  [ 28 ] Bug #797523 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the None yum_save_tx-2012-01-30-19-11HM2mED.yumtx.
        https://bugzilla.redhat.com/show_bug.cgi?id=797523
  [ 29 ] Bug #797732 - SELinux is preventing /opt/google/chrome/chrome from 'shutdown' accesses on the None .
        https://bugzilla.redhat.com/show_bug.cgi?id=797732
  [ 30 ] Bug #798492 - need SELinux policy for ipa_memcached service
        https://bugzilla.redhat.com/show_bug.cgi?id=798492
  [ 31 ] Bug #785759 - SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
        https://bugzilla.redhat.com/show_bug.cgi?id=785759
  [ 32 ] Bug #787000 - SELinux is preventing /usr/sbin/sendmail.sendmail from 'getattr' accesses on the None /home/devel.
        https://bugzilla.redhat.com/show_bug.cgi?id=787000
  [ 33 ] Bug #787220 - SELinux is preventing systemd-logind from 'open' accesses on the file sessionid.
        https://bugzilla.redhat.com/show_bug.cgi?id=787220
  [ 34 ] Bug #787355 - SELinux is preventing /usr/sbin/cherokee-worker from 'create' accesses on the None flcache.
        https://bugzilla.redhat.com/show_bug.cgi?id=787355
  [ 35 ] Bug #787932 - SELinux is preventing /usr/sbin/httpd from 'write' accesses on the None WebCalendar.
        https://bugzilla.redhat.com/show_bug.cgi?id=787932
  [ 36 ] Bug #788013 - SELinux is geeting in iscsid's way
        https://bugzilla.redhat.com/show_bug.cgi?id=788013
  [ 37 ] Bug #789326 - SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the None .patched.
        https://bugzilla.redhat.com/show_bug.cgi?id=789326
  [ 38 ] Bug #789578 - SELinux is preventing /usr/sbin/acpid from 'read' accesses on the None event20.
        https://bugzilla.redhat.com/show_bug.cgi?id=789578
  [ 39 ] Bug #790949 - SELinux is preventing /bin/bash from 'write' accesses on the None /.
        https://bugzilla.redhat.com/show_bug.cgi?id=790949
  [ 40 ] Bug #791351 - SELinux is preventing /usr/bin/gconftool-2 from 'getattr' accesses on the fichier /etc/gconf/gconf.xml.defaults/%gconf-tree.xml.
        https://bugzilla.redhat.com/show_bug.cgi?id=791351
  [ 41 ] Bug #794909 - SELinux is preventing /usr/bin/python from 'read' accesses on the None unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=794909
  [ 42 ] Bug #795025 - SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3.x86_64/jre/bin/java from 'getattr' accesses on the système de fichiers /.
        https://bugzilla.redhat.com/show_bug.cgi?id=795025
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list