Fedora 17 Update: selinux-policy-3.10.0-125.fc17

updates at fedoraproject.org
Mon May 28 01:21:11 UTC 2012


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-7953
2012-05-16 19:26:34
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 125.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Make systemd unit files less specific
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin

--------------------------------------------------------------------------------
ChangeLog:

* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courier
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May  9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748449 - unable to access kerberos tmp file
        https://bugzilla.redhat.com/show_bug.cgi?id=748449
  [ 2 ] Bug #819172 - SELinux is preventing /usr/bin/totem from 'name_bind' accesses on the udp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=819172
  [ 3 ] Bug #819173 - SELinux is preventing /usr/bin/totem from 'write' accesses on the file /home/spider/.grl-metadata-store.
        https://bugzilla.redhat.com/show_bug.cgi?id=819173
  [ 4 ] Bug #819347 - SELinux is preventing /usr/libexec/gdm-session-worker from 'read' accesses on the file nologin.
        https://bugzilla.redhat.com/show_bug.cgi?id=819347
  [ 5 ] Bug #819927 - SELinux is preventing restorecond from 'getattr' accesses on the filesystem /run.
        https://bugzilla.redhat.com/show_bug.cgi?id=819927
  [ 6 ] Bug #820316 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the directory .orc.
        https://bugzilla.redhat.com/show_bug.cgi?id=820316
  [ 7 ] Bug #820322 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'sendto' accesses on the unix_dgram_socket @google-nacl-o3d12032-12.
        https://bugzilla.redhat.com/show_bug.cgi?id=820322
  [ 8 ] Bug #820484 - SELinux is preventing /usr/bin/spicec from 'write' accesses on the file /home/wdh/.spicec/cegui.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=820484
  [ 9 ] Bug #821182 - SELinux is preventing /usr/bin/numad from 'read' accesses on the directory cpu.
        https://bugzilla.redhat.com/show_bug.cgi?id=821182
  [ 10 ] Bug #821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=821268
  [ 11 ] Bug #822035 - SELinux is preventing totem-video-thu from 'create' accesses on the directory .gstreamer-0.10.
        https://bugzilla.redhat.com/show_bug.cgi?id=822035
  [ 12 ] Bug #801330 - AVC denials starting OpenStack glance services
        https://bugzilla.redhat.com/show_bug.cgi?id=801330
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

