Fedora 18 Update: selinux-policy-3.11.1-90.fc18

updates at fedoraproject.org
Thu Apr 18 02:53:58 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-5742
2013-04-15 23:17:07
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 90.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-90
- Allow git_system_t to read network state
- Allow pegasus to execute mount command
- Allow nagios check disk plugins to execute bin_t
- Remove transition to mozilla_tmp_t by mozilla_t, to allow it to manage the users tmp dirs
- Allow quantum to transition to openvswitch_t
- Allow quantum to use database
- Allow quantum to stream connect to openvswitch
- Allow alsa_t signal_perms, we probably should search for any app that can execute something without transition and give it signal_perms...
- Add dontaudit for mozilla_plugin_t looking at the xdm_t sockets
- Allow winbind to manage kerberos_rcache_host
- Allow spamd to create spamd_var_lib_t directories
- Dontaudit attempts by httpd_t attempting to read rpm database.  Customer triggered this by executing createrepo, needs back port to rhel6
- Add missing nslcd_dontaudit_write_sock_file() interface
- Fix pki_read_tomcat_lib_files() interface
- Allow certmonger to read pki-tomcat lib files
- Allow certwatch to execute bin_t
- Allow snmp to manage /var/lib/net-snmp files
- Fix for openvswitch_stream_connect()
- Add rgmanager_search_lib() interface
- Fix pki_read_tomcat_lib_files() interface
- Fix cobbler_manage_lib_files() interface
- Add xserver_dontaudit_xdm_rw_stream_sockets() interface
- Allow daemon to send dgrams to initrc_t
- Update textrel_shlib_t names
- Allow kdm to start the power service to initiate a reboot or poweroff
* Mon Apr  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-89
- Add port definition for osapi_compute port
- User accounts need to dbus chat with accountsd daemon
- fsadm_t sends audit messages and reads kernel_ipc_info when doing livecd-iso-to-disk
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Lots of access required by lvm_t to create encrypted usb device
- Allow users to dbus chat with systemd_localed
- Fix handling of .xsession-errors in xserver.if, so kde will work
- Make sure we label content under /var/run/lock as <<none>>
- Allow daemon and systemprocesses to search init_var_run_t directory
- Add boolean to allow xdm to write xauth data to the home directory
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack boolean
- Fix apache_read_sys_content_rw_dirs() interface
- Fix sys_nice for cups_domain
- Allow postfix_postdrop to access postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Looks like certmaster sends mail
- Allow logrotate to read /var/log/z-push dir
- Allow fsdaemon to send signull to all domains
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Call mailman_domain
- Fix ircssi_home_t type to irssi_home_t
- Correct file transition rule for qpidd_tmp
- Fix qpidd policy
- Add mailman_domain attribute
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow adcli running as realmd_t to connect to ldap port
- Allow NetworkManager to transition to ipsec_t, for running strongswan
- Make openshift_initrc_t an lxc_domain
- Fix labeling for drupal and wp-content in subdirs of /var/www/html
- Allow abrt to read utmp_t file
- Fix openshift policy to transition lnk_file, sock_file and fifo_file when created in a tmpfs_t, needs back port to RHEL6
- Allow gssd to manage user_tmp_t files
- Fix handling of irclogs in users homedir
- firewalld needs to be able to write to network sysctls
- fix labeling for (oo|rhc)-restorer-wrapper.sh
- Allow thumb_t to execute user home content
- cups uses usbtty_device_t devices
- These fixes were all required to build a MLS virtual Machine with single level desktops
- Allow domains to transition using httpd_exec_t
- Allow svirt domains to manage kernel key rings
- Allow setroubleshoot to execute ldconfig
- Allow firewalld to read generate gnome data
* Wed Mar 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-88
- Allow abrt to manage mock build environments to catch build problems.
- Allow virt_domains to setsched for running gdb on itself
- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
- Allow cups_t to read inherited tmpfs_t from the kernel
- Allow openshift_cron_t to look at quota
- Allow cgred to send signal perms to itself, needs back port to RHEL6
- Allow certwatch to execute /usr/bin/httpd
- Allow yppasswdd to use NIS
- Tuned wants sys_rawio capability
- Allow thumb_t to execute user home content
- Allow s-c-kdump to connect to syslogd
- Allow condor domains block_suspend and dac_override caps
- Allow condor_master to read passwd
- Allow condor_master to read system state
- Allow mount to write keys for the unconfined domain
- Add unconfined_write_keys() interface
- Add labeling for /usr/share/pki
- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
- Allow commands that are going to read mount pid files to search mount_var_run_t
* Thu Mar 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-87
- Allow commands that are going to read mount pid files to search mount_var_run_t
- Make localectl set-x11-keymap work at all
- Allow localectl to read /etc/X11/xorg.conf.d directory
- Allow mount to transition to systemd_passwd_agent
- Add tcp/9150 as tor_socks_port
- Allow systemd to list all file system directories
- Allow systemd_tmpfiles to create wtmp file
- Allow automount to block suspend
- /var/spool/snmptt is a directory which snmpd needs to write to, needs back port to RHEL6
- Add support for /run/lock/opencryptoki
- Allow pkcsslotd chown capability
- Allow pkcsslotd to read passwd
* Wed Mar 13 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-86
- cups uses usbtty_device_t devices
- These fixes were all required to build a MLS virtual Machine with single level desktops
- Allow domains to transition using httpd_exec_t
- Allow svirt domains to manage kernel key rings
- Allow setroubleshoot to execute ldconfig
- Allow firewalld to read generate gnome data
- Add fixes which were all required to build a MLS virtual Machine with single level desktops
- Need to back port this to RHEL6 for openshift
- Make systemd_localed_t as unconfined for F18
* Tue Mar 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-85
- Allow bluetooth to read machine-info
- Allow obex to request a kernel module
- Allow mozilla_plugins to list apache modules, for use with gxine
- Fix labels for Pokemon in the users homedir
- Allow xguest to read mdstat
- Dontaudit virt_domains getattr on /dev/*
- Allow boinc domain to send signal to itself
- Add tcp/8891 as milter port
- Allow nsswitch domains to read sssd_var_lib_t files
- Allow ping to read network state.
- Fix typo
- Add labels to /etc/X11/xorg.d and allow systemd-timestampd_t to manage them
- Add labeling for pstorefs_t
* Fri Mar  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-84
- Make systemd_hostnamed_t as unconfined domain in F18
- Call rhcs_manage_cluster_pid_files() instead of rgmanager_manage_pid_files() interface
- Allow sshd to stream connect to an lxc domain
- Allow nsswitch_domains to read /etc/hostname
- xdm_t will try to list any directory mounted, we should just dontaudit them
- Fix systemd_filetrans_named_content() interface
- Allow postgresql to manage rgmanager pid files
- Allow postgresql to read ccs data
- Allow systemd_domain to send dbus messages to policykit
- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
- All systemd domains that create content are reading the file_context file and setfscreate
- Systemd domains need to search through init_var_run_t
- Allow sshd to communicate with libvirt to set containers labels
- Add labeling for /var/run/hplip
- Allow iscsid to read /dev/urandom
- Allow sshd to log a user directly into a container
- Allow screen domains to configure tty and setup sock_file in ~/.screen directory, dontaudit attempts to read /etc/shadow, still need to dontaudit dac_override
- Allow setroubleshoot to read default_context_t, needed to backport to F18
- Label /etc/owncloud as being an apache writable directory
- Add interface to manage pid files
- Allow NetworkManager_t to read /etc/hostname
- Allow virtual machines to setrlimit and send itself signals.
- Dontaudit chrome_sandbox_nacl_t using user terminals
- Allow gluster to manage all directories as well as files
* Mon Mar  4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-83
- Fix iptables labels
- Allow munin CGI scripts to append munin log file
- Allow munin plugin domains to read passwd
- Allow collectd CGI script to create /tmp content
- Add missing gluster boolean
- Allow collectd to create netlink_tcpdiag_socket
- Allow proceman to check the state of the network
* Thu Feb 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-82
- Allow logrotate to read /sys
- Allow mandb to setattr on man dirs
- label /usr/bin/yum-builddep as rpm_exec_t
- Remove init_daemon_run_dir from CUPS policy
- Backport cups+hplip merge from rawhide
- Allow munin CGI script to search munin logs
- Allow quantum to connect to amqp port
- Allow jabberd to connect to jabber_interserver_port_t
- Fix authconfig.py labeling
- Fix fcoemon policy
- Allow kdumpgui to manage bootloader_config
- Allow httpd_collectd_script to read /etc/passwd
- Allow milter domains to read /dev/random
- Allow nmbd_t to create samba_var_t directories
- Allow logrotate to getattr on all file systems
- fcoemon wants also net_raw cap. We have net_admin cap.
- Allow gpg-agent to access fips_enabled file
- Allow collectd to read utmp
- Backport munin policy from rawhide
- Allow kadmind to read /etc/passwd
- Dontaudit append .xsession-errors file on ecryptfs for  policykit-auth
- Allow chrome_nacl to execute /dev/zero
- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
- Add fs_dontaudit_append_fusefs_files() interface
- Allow systemd domains to talk to kernel_t using unix_dgram_socket
- Add miscfiles_setattr_man_pages()
- Add manage interface to be used by kdumpgui
- Localectl needs to be able to send dbus signals to users
- Hostname needs to send syslog messages
- Add stream support for mpd, accessible from users
* Fri Feb 22 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-81
- Fix systemd_dbus_chat_timedated interface
- Allow userdomains to dbus chat with systemd-hostnamed
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix dbus_system_domain() interface
- Fix thumb_role() interface
- Allow cgred to list inotifyfs filesystem
- New access required for virt-sandbox
- Allow gluster to get attrs on all fs
- Allow dnsmasq to create content in /var/run/NetworkManager
* Tue Feb 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-80
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd
* Tue Feb 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-79
- Fix condor policy
- Add labeling for gnashpluginrc
- Allow chrome_nacl to execute /dev/zero
- Allow condor domains to read /proc
- mozilla_plugin_t will getattr on /core if firefox crashes
- Allow block_suspend cap2 for glusterd
- Allow nmbd to read /dev/random
- Fix glusterd labeling
- dmraid creates /var/lock/dmraid
- Allow systemd_localed to create unix_dgram_sockets
- Allow systemd_localed to write kernel messages.
- Also cleanup systemd definition a little.
- Backport fixes for systemd-hostname policy to F18
* Fri Feb 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-78
- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t
- Fix userdom_restricted_xwindows_user_template() interface
- User accounts need to dbus chat with accountsd daemon
- Gnome requires all users to be able to read /proc/1/
- Add support for /var/lib/systemd/linger
- Allow systemd-timestamp to set SELinux context
- Fix systemd.fc
- Switch gnomeclock_dbus_chat to systemd_dbus_chat_timedated since we have switched the name of gnomeclock
- Allow systemd-timedated to get status of init_t
- Add new systemd policies for hostnamed and rename gnomeclock_t to systemd_timedate_
- Allow tuned to create kobject_uevent socket
- Allow guest user to run fusermount
- Allow openshift to read /proc and locale
- Allow realmd to dbus chat with rpm
- virsh now does a setexeccon call
- Additional rules required by openshift domains
- Allow svirt_lxc_domains to use inherited terminals, needed to make virt-sandbox-service execute work
- Allow spamd_update_t to search spamc_home_t
- AVCs discovered by mounting an iscsi device under /mnt
- Allow lspci running as logrotate to read pci.ids
- Additional fix for networkmanager_read_pid_files()
- Fix networkmanager_read_pid_files() interface
- Allow all svirt domains to connect to svirt_socket_t
- Allow virsh to set SELinux context for a process.
- Allow tuned to create netlink_kobject_uevent_socket
- Add new tuned_tmp_t type
* Mon Feb 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-77
- Add basic rules for pegasus_openlmi_domain
- Add pegasus_openlmi_domain_template() interface for openlmi-*
- Allow pppd to send signull
- Allow tuned to execute ldconfig
- Fix use_ecryptfs_home_dirs boolean for chrome_sandbox_t
- Add additional fixes for ecryptfs
- Allow keystone getsched and setsched
- Allow nova-cert to connect to postgresql
- Allow keystone to connect to postgresql
- Allow glance domain to stream connect to databases
- Allow all cups domains to getattr on filesystems
- Fix pacemaker_use_execmem boolean
- Allow gpg to read fips_enabled
- FIXME: Add realmd_tmp_t until we get /var/cache/realmd
- Add support for /var/cache/realmd
- Add labeling for fenced_sanlock and allow sanlock transition to fenced_t
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Add additional interface for ecryptfs
* Tue Feb  5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-76
- More access required for openshift_cron_t
- Fix init_status calling
* Mon Feb  4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-75
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface
- Allow Xusers to ioctl lxdm.log to make lxdm work
- Add xserver_xdm_ioctl_log() interface
- Add MLS fixes to make MLS boot/log-in work
- Add mls_socket_write_all_levels() also for syslogd
- fsck.xfs needs to read passwd
- Allow postgresql to create pg_log dir
- Allow sshd to read rsync_data_t to make rsync <backuphost> work
- Allow useradd to create homedirs in /run.  ircd-ratbox does this and we should just allow it
- Allow xdm_t to execute gstreamer home content
- Fix sssd_dontaudit_stream_connect() interface
- Allow LDA's job to deliver mail to the mailbox
- dontaudit block_suspend for mozilla_plugin_t
- Dontaudit attempts by thumb_t to read or list /proc info
- Allow l2tpd_t to all signal perms
- Allow uuidgen to read /dev/random
- Allow fsdaemon to use user pty
- Add containment of openshift cron jobs
- Allow system cron jobs to create tmp directories
- Make userhelp_conf_t a config file
- Allow mozilla-plugin-config to read power_supply info
- More fixes for rsync to make rsync <backuphost> work
- Allow fsdaemon to read svirt images
- Allow logwatch to domtrans to mdadm
* Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-74
- Dontaudit r/w cache_home_t for thumb_t
- Allow rsync to getattr any file in rsync_data_t
- Allow l2tpd_t to read network manager content in /run directory
- Allow named to block_suspend capability
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_access, so that an rsync server can write all over the local machine
- logrotate needs to rotate logs in openshift directories
- comment files_relabel_non_security_files for now, it does not work with boolean
- boinc_client wants also execmem as boinc projects have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to sssd
- Dontaudit attempts by readahead to read sock_files
- Allow application_domains to send sigchld to login programs
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Allow colord_t to read cupsd_t state
- Add interface to colord_t dbus_chat to allow it to read remote process state
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-72
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
- Allow gpg_t to manage all gnome files
- Add ~/.quakelive as mozilla_home_t content
- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
- Add a couple of dontaudit rules to silence the noise
- Allow zarafa_deliver_t to bind to lmtp port, also consolidate signal_perms and setrlimit and kill to use zarafa_domain attribute
- Add mate-thumbnail-font as thumbnailer
- Add pcscd_read_pid_files() interface
- Lots of probing AVCs caused by executing gpg from staff_t
- Looks like qpidd_t needs to read /dev/random
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm.  Would like to clean this up but for now we will allow
- Added systemd support for ksmtuned
- Added booleans
    ksmtuned_use_nfs
    ksmtuned_use_cifs
- Add definition for 2003 as an lmtp port
- Add filename transition for opasswd
* Tue Jan 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir
* Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- dontaudit access checks on file systems types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- interface to dontaudit access checks on file systems types
- Add interface for postgresql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems
* Wed Jan  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add labeling for /var/named/chroot/etc/localtime
* Thu Dec 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
* Fri Dec 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be set up to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #869896 - SELinux is preventing /usr/bin/abrt-action-save-package-data from 'write' accesses on the directory rpm.
        https://bugzilla.redhat.com/show_bug.cgi?id=869896
  [ 2 ] Bug #914042 - SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directory /var/log/z-push.
        https://bugzilla.redhat.com/show_bug.cgi?id=914042
  [ 3 ] Bug #924586 - SELinux is preventing /usr/lib/cups/backend/mfp from read, write access on the file /SYSVeca86420 (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=924586
  [ 4 ] Bug #926885 - SELinux is preventing /usr/bin/cpupower from using the 'sys_rawio' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=926885
  [ 5 ] Bug #926991 - SELinux policy prevents mongod to bind to ports 27018, 27019, 28017, 28018 and 28019
        https://bugzilla.redhat.com/show_bug.cgi?id=926991
  [ 6 ] Bug #927377 - SELinux is preventing /usr/bin/systemctl from 'search' accesses on the directory log.
        https://bugzilla.redhat.com/show_bug.cgi?id=927377
  [ 7 ] Bug #927463 - SELinux is preventing /usr/libexec/gstreamer-1.0/gst-plugin-scanner from 'execute' accesses on the file /home/ankur/ros_catkin_ws/install_isolated/lib/libopencv_calib3d.so.2.4.4.
        https://bugzilla.redhat.com/show_bug.cgi?id=927463
  [ 8 ] Bug #927525 - SELinux is preventing /usr/bin/pulseaudio from 'getattr' accesses on the file /run/systemd/users/1000.
        https://bugzilla.redhat.com/show_bug.cgi?id=927525
  [ 9 ] Bug #928095 - SELinux is preventing /usr/sbin/mount.ecryptfs_private from 'write' accesses on the key .
        https://bugzilla.redhat.com/show_bug.cgi?id=928095
  [ 10 ] Bug #929001 - Unable to disable unconfined module
        https://bugzilla.redhat.com/show_bug.cgi?id=929001
  [ 11 ] Bug #929103 - GDM login with Kerberos account and NFS4 home directory won't work until console login has been made due to SELinux policy
        https://bugzilla.redhat.com/show_bug.cgi?id=929103
  [ 12 ] Bug #929371 - SELinux is preventing /usr/bin/irssi from 'create' accesses on the directory irclogs.
        https://bugzilla.redhat.com/show_bug.cgi?id=929371
  [ 13 ] Bug #947439 - freeipa-server upgrade issues with pki-ca
        https://bugzilla.redhat.com/show_bug.cgi?id=947439
  [ 14 ] Bug #947933 - AVCs Using Kerberized QPid
        https://bugzilla.redhat.com/show_bug.cgi?id=947933
  [ 15 ] Bug #948261 - When running "tuned-adm recommend", notification "SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/dmidecode."
        https://bugzilla.redhat.com/show_bug.cgi?id=948261
  [ 16 ] Bug #949039 - SELinux is preventing /usr/bin/who from using the 'signull' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=949039
  [ 17 ] Bug #949337 - SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=949337
  [ 18 ] Bug #951079 - SELinux is preventing /usr/bin/ovs-ofctl from 'getattr' accesses on the sock_file /run/openvswitch/br-int.mgmt.
        https://bugzilla.redhat.com/show_bug.cgi?id=951079
  [ 19 ] Bug #951194 - SELinux is preventing /usr/bin/systemctl from 'read' accesses on the file utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=951194
  [ 20 ] Bug #951260 - interface mozilla_role(xguest_r, xguest_t)  fails when loading module containing it.
        https://bugzilla.redhat.com/show_bug.cgi?id=951260
  [ 21 ] Bug #951281 - SELinux is preventing /usr/bin/systemctl from 'lock' accesses on the file /run/utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=951281
  [ 22 ] Bug #951570 - SELinux is preventing /usr/bin/perl from 'create' accesses on the directory .spamassassin.
        https://bugzilla.redhat.com/show_bug.cgi?id=951570
  [ 23 ] Bug #951715 - AVC denials from ovs-vsctl
        https://bugzilla.redhat.com/show_bug.cgi?id=951715
  [ 24 ] Bug #951995 - SELinux is preventing /usr/bin/systemctl from 'open' accesses on the file /run/utmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=951995
  [ 25 ] Bug #950300 - bugzilla-4.2.5-1.fc18.noarch throws AVC when trying to load
        https://bugzilla.redhat.com/show_bug.cgi?id=950300
  [ 26 ] Bug #951659 - selinux-policy-targeted-3.11.1-87.fc18 blocks winbindd from unlink/write to /var/tmp/host_0
        https://bugzilla.redhat.com/show_bug.cgi?id=951659
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

