Fedora 17 Update: selinux-policy-3.10.0-161.fc17

updates at fedoraproject.org
Fri Nov 23 03:06:05 UTC 2012


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-18787
2012-11-22 03:32:02
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 17
Version     : 3.10.0
Release     : 161.fc17
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-161
- Add commands needed to get mock to build from staff_t in enforcing mode
- Allow dbus-daemon to read/write inherited removable devices
- Add storage_rw_inherited_removable_device() interface
- fetchmail reads /etc/passwd
- Allow rhnsd to execute bin_t in the caller rhnsd_t domain
- Allow all daemons and system processes to use inherited initrc_tmp_t files
- Allow enabling Network Access Point service using blueman
- Make vmware_host_t as unconfined domain
- Allow authenticate users in webaccess via squid, using mysql as backend
- Allow firewalld to read /etc/hosts
- Backport openshift.te from F18
- Dontaudit xdm_t to getattr on BOINC lib files
- Allow chrome and mozilla plugin to connect to msnp ports
* Tue Nov 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-160
- Allow BOINC client to use an HTTP proxy for all connections
- Add labeling for /var/lib/zarafa-webapp
- Allow mozilla plugins to read /dev/hpet
- Allow MPD to read /dev/random
- Allow dnsmasq to read /etc/NetworkManager
- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file
- httpd needs to send signull to openshift init script
- Fix tftp_read_content() interface
* Mon Nov  5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-159
- More fixes for passwd/group labeling
- New ypbind pkg wants to search /var/run which is caused by sd_notify
- dbus needs to be able to read/write inherited fixed disk device_t passed through it
- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans
- Add interface to make sure rpcbind.sock is created with the correct label
- Add support for OpenShift sbin labeling
* Tue Oct 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-158
- Fix labeling for passwd*
* Tue Oct 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-157
- logwatch wants sys_nice/setsched
- Add labeling for mcollectived
- Allow openshift domains to read localization
- Allow smokeping to execute fping in the neutils_t domain
- Allow support for notifyclamd option in /etc/freshclam.conf
- Allow mozilla-plugin-config to getattr on all fs
- Add tftp_homedir boolean
- Allow nslcd to connect to ldap port without boolean
- policykit-auth wants sys_nice
- openshift user domains wants to r/w ssh tcp sockets
* Wed Oct 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-156
- Allow nfsd to write to mount_var_run_t
- Allow smokeping to execute bin_t
- Allow sshd_t to execute login program
- Allow prelink to read power_supply
- Allow alsa to r/w alsa config files
- Allow tuned to setsched kernel
- Add labeling for /usr/sbin/mkhomedir_helper
- Allow initrc_t to read all systemd unit files
- Allow mozilla_plugin_t to create .mplayer in users homedir
- Allow sshd to send syslog msgs
- Allow varnish execmem
- Allow mongodb_t to getattr on all file systems
- Allow pyzor running as spamc to manage amavis spool
- Allow rhnsd to read /usr/lib/locale
* Tue Oct 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-155
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
- Update httpd_run_stickshift boolean
- Allow hplip to execute bin_t
* Tue Oct  9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-154
- fix openshift labeling
- Allow groupadd to read SELinux file context
* Sun Oct  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-153
- Add openshift policy
- Add changes needed by openshift policy
- Allow vmnet-natd to request the kernel to load a module
- Allow winbind to read /usr/share/samba/codepages/lowcase.dat
- Access needed to allow hplip to send faxes
- abrt_dump_oops needs to read debugfs
- Add support for HTTPProxy* in /etc/freshclam.conf
* Fri Oct  5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-152
- Add file transition for mongodb lib dirs
- Add labeling for /var/lib/mongo, /var/run/mongo
- Allow gpg to write to /etc/mail/spamassassin directories
- Add support for hplip logs stored in /var/log/hp/tmp
- Allow winbind to read usr_t
- Add rhnsd policy
- Add labeling for /etc/owncloud/config.php
* Thu Sep 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-151
- Allow winbind to connect to ldap without a boolean
- Allow mozilla-plugin to connect to commplex port
- Fix tomcat template interface
- Allow thumb to use user fonts
* Mon Sep 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-150
- Backport tomcat fixes from F18
- Add filename transition for mongod.log
- Dontaudit jockey to search /root/.local
- Fix passenger labeling
- fix corenetwork interfaces which needs to require ephemeral_port_t
- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, IE No Open
* Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18
- Allow rhnsd to send syslog msgs
- ABRT wants to read Xorg.0.log if it detects problem with Xorg
- Allow chrome_sandbox to leak unix_dgram_socket into chrome_sandbox_nacl_t
- Allow postalias to read postfix config files
- Allow tmpreaper to cleanup all files in /tmp
- Allow chown capability for zarafa domains
- Allow xauth to read /dev/urandom
- Allow tmpreaper to list admin_home dir
- Allow clamd to write/delete own pid file with clamd_var_run_t label
- Add support for gitolite3
- Allow virsh_t to getattr on virtd_exec_t
- Allow virsh can_exec on virsh_exec_t
- Look up group name by spamass-milter-postfix
- Add mozilla_plugin_can_network_connect boolean
- Fix /var/lib/sqlgrey labeling
- Add support for a new path for passenger
* Tue Aug 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-148
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt
- Allow groupadd_t to search default_context
- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
- Allow ksysguardproces to read/write config_usr_t
- Backport passenger policy from F18
- Allow wdmd to create wdmd_tmpfs_t
* Thu Aug 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-147
- Fix passenger labeling
- Add thumb_tmpfs_t files type
- Add file name transitions for ttyACM0
- Allow virtd to send dbus messages to firewalld
* Mon Aug 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-146
- Allow tmpreaper to delete unlabeled files
- Backport selinux_login_config fixes from F18 for sssd
- Allow thumb drives to create shared memory and semaphores
- Make "snmpwalk -mREDHAT-CLUSTER-MIB ...." working
- Allow dlm_controld to execute dlm_stonith labeled as bin_t
- Allow GFS2 working on F17
- Allow thumb to getattr on all fs
- Allow condor domains to read kernel sysctls
- Allow condor_master to connect to amqp
- Allow abrt to read mozilla_plugin config files
- Backport squid policy with support for lightsquid
- Allow useradd to modify /etc/default/useradd
- dovecot_auth_t uses ldap for user auth
- Dontaudit mozilla_plugin attempts to ipc_lock
- Allow tmpreaper to search unlabeled /tmp/kdecache-root
- Allow jockey to list the contents of modprobe.d
- Allow web plugins to connect to the asterisk ports
* Wed Aug  8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-145
- Allow Chrome_ChildIO to read dosfs_t
- Fix svirt to be allowed to use fusefs file system
- Sanlock needs to send Kill Signals to non root process
- Allow sendmail to read/write postfix_delivery_t
* Mon Aug  6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVC's
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes
* Thu Aug  2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgre
- Allow postfix to connect to spampd
- Add support for spampd and treat it as spamd_t policy
- Allow munin mail plugin to read exim.log
- Fix mta_mailserver_delivery() interface
- Allow logrotate to getattr on systemd unit files
- Allow tor to read kernel sysctls
- Add new man pages
- Fix labeling for pingus
* Fri Jul 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-142
- Regenerate man pages
- Dontaudit mysqld_safe sending signull to random domains
- Add interface for mysqld to dontaudit signull to all processes
- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group
- Allow smbd to read cluster config
- Add additional labeling for passenger
- Add labeling for /var/motion
- Add amavis_use_jit boolean
- Allow mongod to connect to postgresql port
* Tue Jul 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-141
- Allow samba_net to read /proc/net
- Allow hplip_t to send notification dbus messages to users
- Allow mailserver_deliver to read/write own pip
- Allow munin-plugin domains to read /etc/passwd
- Allow postfix_cleanup to use sockets created for smtpd
- Dovecot seems to be searching directories of every mountpoint, lets just dontaudit this
- Allow mozilla-plugin to read all kernel sysctls
- Allow jockey to read random/urandom
- Dontaudit dovecot to search all dirs
- Add additional params to allow cachedfiles to manage its content
- gpg agent needs to read /dev/random
- Add labelling and allow rules based on avc's from RHEL6 for amavis
* Wed Jul 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port
* Sun Jul 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-139
- Add support for ecryptfs
	* ecryptfs does not support xattr
- Allow lpstat.cups to read fips_enabled file
- Allow pyzor running as spamc_t to create /root/.pyzor directory
- Add labeling for amavisd-snmp init script
- Add support for amavisd-snmp
- Allow fprintd sigkill self
- Allow xend (w/o libvirt) to start virtual machines
- Allow aiccu to read /etc/passwd
- accountsd needs to fchown some files/directories
- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content
- Allow xend_t to read the /etc/passwd file
- Allow freshclam to update databases thru HTTP proxy
- Add init_access_check() interface
- Allow s-m-config to access check on systemd
- Allow abrt to read public files by default
- Fix amavis_create_pid_files() interface
- Allow tuned sys_nice, sys_admin caps
- Allow amavisd to execute fsav
- Allow system_dbusd_t to stream connect to bluetooth, and use its socket
* Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
* Tue Jul  3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and execute binaries with bin_t
- Allow thumb to use user terminals
- Allow systemd_logind_t to read/write /dev/input0
* Fri Jun 29 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-136
- Fixes to make minimal policy to be installed
* Wed Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
* Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t
- Add tomcat policy from F18
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Add kdumpctl policy
- Move thin policy out from cloudform.pp and add a new thin policy files
- pacemaker needs to communicate with corosync streams
- abrt is now started on demand by dbus
- Allow certmonger to talk directly to Dogtag servers
- Change labeling for /var/lib/cobbler/webui_sessions to httpd_cobbler_rw_content_t
- Allow mozilla_plugin to execute gstreamer home files
- Allow useradd to delete all file types stored in the users homedir
- rhsmcertd reads the rpm database
- Add support for lightdm
* Fri Jun 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-133
- Dontaudit thumb to setattr on xdm_tmp dirs
- Allow wicd to execute ldconfig
- Add /var/run/cherokee\.pid labeling
- Allow snort to create netlink_socket
- Allow setpcap for rpcd_t
- Firstboot should be just creating tmp_t dirs
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Allow firstboot to create tmp_t files/directories
- Label tuned scripts located in /etc as bin_t
- Add port definition for mxi port
- Fix labeling for /var/log/lxdm.log.old
- Allow ddclient to read /etc/passwd
- change dovecot_deliver to manage mail_home_rw_t
- Remove razor/pyzor policy
- Allow local_login_t to execute tmux
- Allow mozilla_plugin_t to execute the dynamic link/loader
* Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132
- apcupsd needs to read /etc/passwd
- Sanlock also sends sigkill
- Allow glance_registry to connect to the mysqld port
- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
- Allow firefox plugins/flash to connect to port 1234
- Allow mozilla plugins to delete user_tmp_t files
- Add transition name rule for printers.conf.O
- Allow virt_lxc_t to read urand
- Allow systemd_logind to list gstreamer_home_dirs
- Fix labeling for /usr/bin
- Fixes for cloudform services
  * support FIPS
- Allow polipo to work as web caching
- Allow chfn to execute tmux
* Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct
- When staff_t runs libvirt it reads dnsmasq_var_run_t
- Mount command now lists user_tmp looking for gvfs
- /etc/blkid is moving to /run/blkid
- Allow rw_cgroup_files to also read a symlink
- Make sure gdm directory in ~/.cache/gdm gets created with the correct label
- Add labeling for .cache/gdm in the homedir
- Allow mount to mount on user_tmp_t for /run/user/dwalsh/gvfs
- xdm now needs to execute xsession_exec_t
- Need labels for /var/lib/gdm
* Mon Jun 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-130
- Dontaudit logwatch to getattr on /dev/dm-2
- Allow policykit-auth to manage kerberos files
- Allow systemd_logind_t to signal, signull, sigkill all processes
- Add filetrans rules for etc_runtime files
- Allow systemd_login to send signals to devicekit power
- Allow systemd_logind to signal initrc scripts to handle third party packages running as initrc_t
- Allow virsh to read /etc/passwd
- Allow policykit to manage kerberos rcache files
- Allow systemd-logind to send a signal to init_t
- /usr/sbin/xl2tpd wants to read /etc/group
- Allow ncftool to list of content /etc/modprobe.d
- Allow dkim-milter to listen own tcp_socke
* Fri Jun  8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-129
- Allow collectd to read virt config
- Allow collectd setsched
- Add support for /usr/sbin/mdm*
- Fix java binaries labels when installed under /usr/lib/jvm/java
- Add labeling for /var/run/mdm
- Allow apps that can read net_conf_t files read symlinks
- Allow all domains that can search or read tmp_t, able to read a tmp_t link
- Dontaudit mozilla_plugin looking at xdm_tmp_t
- Looks like collectd needs to change its scheduling priority
- Allow uux_t to access nsswitch data
- New labeling for samba, pid dirs moved to subdirs of samba
- Allow nova_api to use nsswitch
- Allow mozilla_plugin to execute files labeled as lib_t
- Label content under HOME_DIR/zimbrauserdata as mozilla_home date
- abrt is fooled into reading mozilla_plugin content, we want to dontaudit
- Allow mozilla_plugin to connect to ircd ports since a plugin might be a irc chat window
- Allow winbind to create content in smbd_var_run_t directories
- Allow setroubleshoot_fixit to read the selinux policy store.  No reason to deny it
- Support libvirt plugin for collectd
* Wed May 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstantiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits so that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabber_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id 
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to create user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May  9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file systems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- Add label for /var/run/nologin
* Mon May  7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #869211 - SELinux is preventing /usr/bin/python2.7 from 'getattr' accesses on the file /proc/meminfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=869211
  [ 2 ] Bug #872367 - SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'read' accesses on the file /etc/passwd.
        https://bugzilla.redhat.com/show_bug.cgi?id=872367
  [ 3 ] Bug #873925 - ipset create in /etc/shorewall/init does not create the ipset when initiated by systemd
        https://bugzilla.redhat.com/show_bug.cgi?id=873925
  [ 4 ] Bug #874059 - SELinux policy prevents tuned daemon from communicating over DBus
        https://bugzilla.redhat.com/show_bug.cgi?id=874059
  [ 5 ] Bug #874296 - SELinux is preventing /usr/bin/cp from 'relabelfrom' accesses on the file /var/lib/prelink/quick.
        https://bugzilla.redhat.com/show_bug.cgi?id=874296
  [ 6 ] Bug #874394 - SELinux is preventing svnserve from 'accept' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=874394
  [ 7 ] Bug #874419 - SELinux is preventing /usr/sbin/ifconfig from 'write' accesses on the fifo_file /var/agns/fifo/agnLogd.
        https://bugzilla.redhat.com/show_bug.cgi?id=874419
  [ 8 ] Bug #874875 - SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'read' accesses on the chr_file hpet.
        https://bugzilla.redhat.com/show_bug.cgi?id=874875
  [ 9 ] Bug #874960 - SELinux is preventing /usr/bin/boinc_client from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=874960
  [ 10 ] Bug #875123 - SELinux is preventing /usr/sbin/sshd from 'search' accesses on the directory /var/ftp.
        https://bugzilla.redhat.com/show_bug.cgi?id=875123
  [ 11 ] Bug #875193 - SELinux is preventing /usr/sbin/dnsmasq from 'search' accesses on the directory /etc/NetworkManager.
        https://bugzilla.redhat.com/show_bug.cgi?id=875193
  [ 12 ] Bug #875198 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=875198
  [ 13 ] Bug #875454 - SELinux is preventing /usr/sbin/dnsmasq from read access on the directory /tftpboot
        https://bugzilla.redhat.com/show_bug.cgi?id=875454
  [ 14 ] Bug #875572 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/sbin/dmidecode.
        https://bugzilla.redhat.com/show_bug.cgi?id=875572
  [ 15 ] Bug #875853 - SELinux is preventing /usr/sbin/xenconsoled (deleted) from 'read' accesses on the file /etc/group.
        https://bugzilla.redhat.com/show_bug.cgi?id=875853
  [ 16 ] Bug #875854 - SELinux is preventing /usr/sbin/xenconsoled (deleted) from 'setattr' accesses on the chr_file 3.
        https://bugzilla.redhat.com/show_bug.cgi?id=875854
  [ 17 ] Bug #875855 - SELinux is preventing /usr/libexec/pt_chown from 'read' accesses on the file /etc/group.
        https://bugzilla.redhat.com/show_bug.cgi?id=875855
  [ 18 ] Bug #876657 - SELinux is preventing /usr/sbin/killall5 from 'getattr' accesses on the file /var/lib/boinc/projects/lhcathomeclassic.cern.ch_sixtrack/sixtrack_linux_sse3.
        https://bugzilla.redhat.com/show_bug.cgi?id=876657
  [ 19 ] Bug #877139 - SELinux is preventing firewalld from 'getattr' accesses on the file /etc/hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=877139
  [ 20 ] Bug #877680 - SELinux is preventing /usr/bin/vmnet-natd from using the 'net_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=877680
  [ 21 ] Bug #877751 - SELinux denials with blueman when enabling NAP
        https://bugzilla.redhat.com/show_bug.cgi?id=877751
  [ 22 ] Bug #878076 - AVC denial rhnsd_t executing /usr/bin/python2.7
        https://bugzilla.redhat.com/show_bug.cgi?id=878076
  [ 23 ] Bug #878390 - SELinux is preventing /usr/bin/fetchmail from read access on the file /etc/passwd
        https://bugzilla.redhat.com/show_bug.cgi?id=878390
  [ 24 ] Bug #878486 - SELinux is preventing dbus-daemon from 'write' accesses on the blk_file /dev/mmcblk0.
        https://bugzilla.redhat.com/show_bug.cgi?id=878486
  [ 25 ] Bug #875648 - Allow dnsmasq to access /etc/NetworkManager/dnsmasq.d
        https://bugzilla.redhat.com/show_bug.cgi?id=875648
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

