Fedora 18 Update: selinux-policy-3.11.1-74.fc18

updates at fedoraproject.org updates at fedoraproject.org
Fri Feb 8 02:26:34 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-1693
2013-02-01 15:47:26
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 74.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-74
- Dontaudit r/w cache_home_t for thumb_t
- Allow rsync to getattr any file in rsync_data_t
- Allow l2tpd_t to read network manager content in /run directory
- Allow named to block_suspend capability
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
- Allow blueman_t to rwx zero_device_t, for some kind of jre
- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
- Ftp full access should be allowed to create directories as well as files
- Add boolean to allow rsync_full_access, so that an rsync server can write all over the local machine
- logrotate needs to rotate logs in openshift directories
- comment files_relabel_non_security_files for now, it does not work with boolean
- boinc_client also wants execmem, as boinc projects have
- Allow sa-update to search admin home for /root/.spamassassin
- Allow antivirus domain to read net sysctl
- Dontaudit attempts from thumb_t to connect to ssd
- Dontaudit attempts by readahead to read sock_files
- Allow application_domains to send sigchld to login programs
- Change ssh_use_pts to use macro and only inherited sshd_devpts_t
- Allow confined users to read systemd_logind seat information
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-73
- Allow gnome keyring to create keyrings dir in ~/.local/share
- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
- Allow colord_t to read cupsd_t state
- Add interface to colord_t dbus_chat to allow it to read remote process state
* Mon Jan 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-72
- Dontaudit net_admin capability for sendmail
- Logwatch does access check on mdadm binary
- Add raid_access_check_mdadm() interface
- Allow gpg_t to manage all gnome files
- Add ~/.quakelive as mozilla_home_t content
- Dontaudit mdadm_t running ps command which is causing sys_ptrace avcs
- Allow virtd_t to create stream socket perms for svirt_socket_t, so that it can use guestmount.
- Need to allow virtd_t to write to /proc in order to open namespace sockets for write.
- Add a couple of dontaudit rules to silence the noise
- Allow zarafa_deliver_t to bind to lmtp port, also consolidate signal_perms and setrlimit and kill to use zarafa_domain attribute
- Add mate-thumbnail-font as thumbnailer
- Add pcscd_read_pid_files() interface
- Lots of probing avc's caused by executing gpg from staff_t
- Looks like qpidd_t needs to read /dev/random
- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm.  Would like to clean this up but for now we will allow
- Added systemd support for ksmtuned
- Added booleans
 	ksmtuned_use_nfs
 	ksmtuned_use_cifs
- Add definition for 2003 as an lmtp port
- Add filename transition for opasswd
* Tue Jan 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir
* Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allow NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounting a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- dontaudit access checks on file systems types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- interface to dontaudit access checks on file systems types
- Add interface for postgresql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the attributes of proc_kcore_t
- Unbound uses port 8953
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems
* Wed Jan  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add labeling for /var/named/chroot/etc/localtime
* Thu Dec 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
* Fri Dec 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a different port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Allow confined users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be set up to listen to snmp traffic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #892805 - SELinux is preventing /usr/bin/evince-thumbnailer from 'write' accesses on the sock_file socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=892805
  [ 2 ] Bug #902338 - SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the file /proc/<pid>/cgroup.
        https://bugzilla.redhat.com/show_bug.cgi?id=902338
  [ 3 ] Bug #902878 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file ./yum.update.
        https://bugzilla.redhat.com/show_bug.cgi?id=902878
  [ 4 ] Bug #902914 - SELinux is preventing /usr/lib/xulrunner/plugin-container from 'execute' accesses on the chr_file /dev/zero.
        https://bugzilla.redhat.com/show_bug.cgi?id=902914
  [ 5 ] Bug #902959 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'write' accesses on the directory /root.
        https://bugzilla.redhat.com/show_bug.cgi?id=902959
  [ 6 ] Bug #902996 - SELinux is preventing /usr/libexec/colord from 'read' accesses on the file cgroup.
        https://bugzilla.redhat.com/show_bug.cgi?id=902996
  [ 7 ] Bug #903047 - SELinux is preventing /usr/bin/python2.7 from 'search' accesses on the directory 9627.
        https://bugzilla.redhat.com/show_bug.cgi?id=903047
  [ 8 ] Bug #903062 - SELinux is preventing /usr/bin/evince-thumbnailer from 'getattr' accesses on the file /proc/<pid>/cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=903062
  [ 9 ] Bug #903173 - SELinux is preventing /usr/libexec/colord from 'read' accesses on the file 2.
        https://bugzilla.redhat.com/show_bug.cgi?id=903173
  [ 10 ] Bug #903256 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'execute' accesses on the chr_file /dev/zero.
        https://bugzilla.redhat.com/show_bug.cgi?id=903256
  [ 11 ] Bug #903392 - SELinux is preventing /usr/sbin/NetworkManager from 'create' accesses on the rawip_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=903392
  [ 12 ] Bug #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random.
        https://bugzilla.redhat.com/show_bug.cgi?id=903638
  [ 13 ] Bug #903816 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file glusterfsd.
        https://bugzilla.redhat.com/show_bug.cgi?id=903816
  [ 14 ] Bug #903828 - SELinux is preventing /usr/sbin/lightdm from using the 'sigchld' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=903828
  [ 15 ] Bug #903883 - gpg-agent wants read/open access to /proc/sys/crypto/fips_enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=903883
  [ 16 ] Bug #903886 - SELinux is preventing /usr/bin/obex-data-server from 'module_request' accesses on the system .
        https://bugzilla.redhat.com/show_bug.cgi?id=903886
  [ 17 ] Bug #903888 - gpg-agent wants to create ~/.cache/gpg-agent-info
        https://bugzilla.redhat.com/show_bug.cgi?id=903888
  [ 18 ] Bug #904199 - SELinux is preventing /usr/bin/bash from read, open access on the file /usr/sbin/mdadm.
        https://bugzilla.redhat.com/show_bug.cgi?id=904199
  [ 19 ] Bug #904320 - SELinux is preventing /usr/bin/gnome-shell from 'read' accesses on the file seat0.
        https://bugzilla.redhat.com/show_bug.cgi?id=904320
  [ 20 ] Bug #904375 - SELinux is preventing /usr/sbin/xl2tpd from 'read' accesses on the file nm-xl2tpd.conf.1882.
        https://bugzilla.redhat.com/show_bug.cgi?id=904375
  [ 21 ] Bug #904642 - SELinux is preventing /usr/sbin/unbound-anchor from 'block_suspend' accesses on the capability2 .
        https://bugzilla.redhat.com/show_bug.cgi?id=904642
  [ 22 ] Bug #904801 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'add_name' accesses on the directory qt_temp.hX1998.
        https://bugzilla.redhat.com/show_bug.cgi?id=904801
  [ 23 ] Bug #904854 - SELinux is preventing gst-plugin-scan from 'execmod' accesses on the file /usr/lib/libmpg123.so.0.36.4.
        https://bugzilla.redhat.com/show_bug.cgi?id=904854
  [ 24 ] Bug #905155 - SELinux is preventing /usr/libexec/gstreamer-1.0/gst-plugin-scanner from 'write' accesses on the file /home/livio/.nv/GLCache/0cb06c7aec977f9b313d8c987ce93ff2/48f40e2d9a44c7fa/64ed917cfedad23a.toc.
        https://bugzilla.redhat.com/show_bug.cgi?id=905155
  [ 25 ] Bug #905167 - SELinux is preventing /usr/bin/boinc_client from using the execmem access on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=905167
  [ 26 ] Bug #905198 - SELinux is preventing /usr/lib64/xulrunner/plugin-container from 'open' accesses on the file /dev/shm/pulse-shm-2263025957.
        https://bugzilla.redhat.com/show_bug.cgi?id=905198
  [ 27 ] Bug #905220 - SELinux is preventing systemd-readahe from 'read' accesses on the sock_file klauncherMT1361.slave-socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=905220
  [ 28 ] Bug #905696 - SELinux is preventing /usr/bin/perl from 'search' accesses on the directory net.
        https://bugzilla.redhat.com/show_bug.cgi?id=905696
  [ 29 ] Bug #902719 - selinux-policy-targeted upgradation scriptlet failure
        https://bugzilla.redhat.com/show_bug.cgi?id=902719
  [ 30 ] Bug #904343 - AVC message during the expiring job of inn
        https://bugzilla.redhat.com/show_bug.cgi?id=904343
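The bug titles above are setroubleshoot summaries of AVC denials, and almost every ChangeLog entry is the policy answer to one such denial. Before reporting a denial or writing a local module, an administrator usually wants the raw records from /var/log/audit/audit.log folded into (source type, target type, class, permissions) tuples, which is what audit2allow prints. The script below is an added example, not Fedora or setroubleshoot code; the audit lines it parses are constructed to mirror three of the fixes in this update (the seat0 read, the NetworkManager rawip_socket, and the plugin-container access to /dev/zero), and their pids, timestamps, inodes and exact context strings are illustrative rather than captured.

```python
import re
from collections import defaultdict

# Constructed sample in the format auditd writes to /var/log/audit/audit.log.
# Timestamps, pids, inodes, comm names and the exact context strings are
# illustrative; they are not captured records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359600000.123:456): avc:  denied  { read } for  pid=1234 comm="gnome-shell" name="seat0" dev="tmpfs" ino=99 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1359600000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="gnome-shell"
type=AVC msg=audit(1359600001.200:457): avc:  denied  { create } for  pid=700 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=rawip_socket
type=AVC msg=audit(1359600002.300:458): avc:  denied  { execute } for  pid=2222 comm="plugin-containe" path="/dev/zero" dev="devtmpfs" ino=1032 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
type=AVC msg=audit(1359600002.300:458): avc:  denied  { read write } for  pid=2222 comm="plugin-containe" path="/dev/zero" dev="devtmpfs" ino=1032 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for": values are double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': float(m['ts']), 'serial': int(m['serial']),
           'result': m['result'], 'perms': m['perms'].split()}
    for key, quoted, bare in FIELD_RE.findall(m['rest']):
        rec[key] = quoted if bare == '' else bare
    # The type is the third colon-separated field of a context (user:role:type[:range]).
    rec['stype'] = rec.get('scontext', '::').split(':')[2]
    rec['ttype'] = rec.get('tcontext', '::').split(':')[2]
    return rec


def parse_audit_log(text):
    """All AVC records in an audit.log excerpt, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Fold denials into audit2allow-style allow rules, one per
    (source type, target type, object class), merging the permissions.
    'self' is used when source and target types match, as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        if r['result'] != 'denied':
            continue
        target = 'self' if r['ttype'] == r['stype'] else r['ttype']
        merged[(r['stype'], target, r['tclass'])].update(r['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in merged.items())


def denials_by_domain(records):
    """Count denied AVCs per source domain; a first cut at deciding whether a
    denial is noise to dontaudit or access the domain genuinely needs."""
    counts = defaultdict(int)
    for r in records:
        if r['result'] == 'denied':
            counts[r['stype']] += 1
    return dict(counts)


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(recs):
        print(rule)
    print(denials_by_domain(recs))
```

The generated rules are a starting point for a bug report or a local module, not a policy decision: the ChangeLog above answers some denials with "Allow" and others with "Dontaudit", and a rule such as execute on zero_device_t grants a JIT-style mapping that a maintainer may prefer to scope with a boolean rather than allow unconditionally.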
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
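After running the update it is worth confirming that the installed version-release is at or past the 3.11.1-74.fc18 named in the header, for every subpackage (selinux-policy-targeted is the one actually loaded on a default install). The following is an added example, not Fedora tooling: it reimplements librpm's rpmvercmp ordering in Python so the comparison can be checked without librpm, and applies it to NVR strings of the form rpm -q prints. The NVR strings in the block are constructed; in practice feed it the output of rpm -q selinux-policy selinux-policy-targeted. Epochs are not handled (rpm -q does not print them by default), and the '^' rule of later rpm releases is not implemented.

```python
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)
# Name, version and release from the notification header.
ADVISORY = ('selinux-policy', '3.11.1', '74.fc18')


def rpmvercmp(a, b):
    """Order two version (or release) strings the way librpm's rpmvercmp does:
    runs of digits compare numerically, runs of letters compare as strings, a
    numeric segment is newer than an alphabetic one, '~' sorts before anything
    (so 1.0~rc1 < 1.0) and extra trailing segments make a string newer.
    Returns -1, 0 or 1.  The '^' rule of later rpm releases is not implemented
    and non-ASCII characters are treated as separators (assumption)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _ALNUM and a[i] != '~':
            i += 1
        while j < len(b) and b[j] not in _ALNUM and b[j] != '~':
            j += 1
        ta = i < len(a) and a[i] == '~'
        tb = j < len(b) and b[j] == '~'
        if ta or tb:
            if not ta:
                return 1       # b carries a pre-release tilde, a does not: a is newer
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i] in string.digits
        seg = re.compile(r'[0-9]+' if isnum else r'[A-Za-z]+')
        sa = seg.match(a, i).group(0)
        mb = seg.match(b, j)
        if mb is None:
            return 1 if isnum else -1   # mismatched segment kinds: numeric wins
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr):
    """'selinux-policy-targeted-3.11.1-74.fc18' -> ('selinux-policy-targeted', '3.11.1', '74.fc18')."""
    name, version, release = nvr.rsplit('-', 2)
    return name, version, release


def evr_cmp(ver1, rel1, ver2, rel2):
    """Compare version first, then release, as rpm does without an epoch."""
    c = rpmvercmp(ver1, ver2)
    return c if c else rpmvercmp(rel1, rel2)


def update_applied(installed_nvr, advisory=ADVISORY):
    """True if the installed package (any subpackage built from the same source,
    e.g. selinux-policy-targeted) is at or past the advisory's version-release."""
    name, ver, rel = split_nvr(installed_nvr)
    if not name.startswith(advisory[0]):
        raise ValueError('not a %s package: %s' % (advisory[0], installed_nvr))
    return evr_cmp(ver, rel, advisory[1], advisory[2]) >= 0


if __name__ == '__main__':
    # Constructed sample; replace with the lines printed by:
    #   rpm -q selinux-policy selinux-policy-targeted
    for nvr in ('selinux-policy-3.11.1-73.fc18', 'selinux-policy-targeted-3.11.1-74.fc18'):
        print(nvr, 'fixed' if update_applied(nvr) else 'NOT fixed')
```

A version check only says the package is installed; whether the new policy is the one the kernel enforces depends on the %post scriptlet having loaded it (see Bug #902719 in the references, a scriptlet failure), so pair this with a look at the loaded policy via sestatus or semodule -l on the host.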
--------------------------------------------------------------------------------