Fedora 18 Update: selinux-policy-3.11.1-71.fc18

Wed Jan 23 01:57:12 UTC 2013

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-0945
2013-01-18 19:34:29
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 18
Version     : 3.11.1
Release     : 71.fc18
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 15 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-71
- Allow udev to communicate with the logind daemon
- Add labeling for texlive bash scripts
- Add xserver_filetrans_fonts_cache_home_content() interface
- Allow rpm_script_t to dbus communicate with certmonger_t
- Add support for /var/lock/man-db.lock
- Add support for /var/tmp/abrt(/.*)?
- Add additional labeling for munin cgi scripts
- Allow httpd_t to read munin conf files
- Allow certwatch to read meminfo
- Fix nscd_dontaudit_write_sock_file() interface
- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
- Allow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
- Allow numad access discovered by Dominic
- Allow gnomeclock to talk to puppet over dbus
- Add support for HOME_DIR/.maildir
* Thu Jan 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-70
- Add label for dns lib files
- Allow svirt_t images to compromise_kernel when using pci-passthrough
- Blueman uses ctypes which ends up triggering execmem priv.
- Dontaudit attempts by thumb_t to use nscd
- fsdaemon reads all images, if relabeled to svirt_image_t, it should be able to read it
- Allow abrt to read proc_net_t
- Allw NM to transition to l2tpd
- Dontaudit chrome-nacl to append gnome config files
- Add gnome_dontaudit_append_config_files()
- Allow svirt_tcg_t to create netlink_route_socket
- Label /var/lib/unbound as named_cache_t to allow named to write to this directory
- Allow postfix domains to list /tmp
- Allow dnsmasq to list tftpdir_rw_t content
- Allow lxc domains to read fusefs, since libvirt is mounding a fuse file system at /proc/meminfo
- Allow tmpreaper to delete tmpfs files in tmp
- Dontaudit access check on tmp_t files/directories
- dontaudit access checks on file systems types by firewalld
- Allow mail_munin_plugins domain to run postconf
- Allow spamd_update to manage gnupg directory
- Add missing postfix_run_postqueue() interface
- Add ntp_exec() interface
- Fix setroubleshoot_fixit_t policy
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Add label for Xvnc
- Add interface to dontaudit access checks on tmp_t
- Fix interface for dontaudit access check to include directory
- interface to dontaudit access checks on file systems types
- Add interface for postgesql_filetrans_name_content to make sure log directories get created with the correct label.
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Additional fix for chroot_user_t backported from RHEL6
- Allow chroot_user_t to getattr on filesystems
- Dontaudit vi attempting to relabel to self files
- Sudo domain is attempting to get the additributes of proc_kcore_t
- Unbound uses port 8953
- 
- Creating tmp-inst directory in a tmp_t directory should not transition
- Allow init_t to write to watchdog device
- Add file system definition for other vx file systems
* Wed Jan  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-69
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Add systemd_status_all_unit_files() interface
- Add support for nshadow
- Allow sysadm_t to administrate the postfix domains
- Add interface to setattr on isid directories for use by tmpreaper
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- Allow sshd_t sys_admin for use with afs logins
- Add labeling for /var/named/chroot/etc/localtim
* Thu Dec 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening
- Allow firewalld to execute content created in /run directory
- Allow svirt_t to read generic certs
- Dontaudit leaked ps content to mozilla plugin
- Allow sshd_t sys_admin for use with afs logins
- Allow systemd to read/write all sysctls
- init scripts are creating systemd_unit_file_t directories
* Fri Dec 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-67
- systemd_logind_t is looking at all files under /run/user/apache
- Allow systemd to manage all user tmp files
- Add labeling for /var/named/chroot/etc/localtime
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6
- Keystone is now using a differnt port
- Allow xdm_t to use usbmuxd daemon to control sound
- Allow passwd daemon to execute gnome_exec_keyringd
- Fix chrome_sandbox policy
- Add labeling for /var/run/checkquorum-timer
- More fixes for the dspam domain, needs back port to RHEL6
- More fixes for the dspam domain, needs back port to RHEL6
- sssd needs to connect to kerberos password port if a user changes his password
- Lots of fixes from RHEL testing of dspam web
- Allow chrome and mozilla_plugin to create msgq and semaphores
- Fixes for dspam cgi scripts
- Fixes for dspam cgi scripts
- Allow confine users to ptrace screen
- Backport virt_qemu_ga_t changes from RHEL
- Fix labeling for dspam.cgi needed for RHEL6
- We need to back port this policy to RHEL6, for lxc domains
- Dontaudit attempts to set sys_resource of logrotate
- Allow corosync to read/write wdmd's tmpfs files
- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set
- Allow cron jobs to read bind config for unbound
- libvirt needs to inhibit systemd
- kdumpctl needs to delete boot_t files
- Fix duplicate gnome_config_filetrans
- virtd_lxc_t is using /dev/fuse
- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift
- apcupsd can be setup to listen to snmp trafic
- Allow transition from kdumpgui to kdumpctl
- Add fixes for munin CGI scripts
- Allow deltacloud to connect to openstack at the keystone port
- Allow domains that transition to svirt domains to be able to signal them
- Fix file context of gstreamer in .cache directory
- libvirt is communicating with logind
- NetworkManager writes to the systemd inhibit pipe
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890186 - sa-update can't access pgp data in /etc/mail/spamassassin/sa-update-keys:
        https://bugzilla.redhat.com/show_bug.cgi?id=890186
  [ 2 ] Bug #890699 - SELinux is preventing /usr/bin/bash from 'getattr' accesses on the file /usr/bin/kmod.
        https://bugzilla.redhat.com/show_bug.cgi?id=890699
  [ 3 ] Bug #891000 - SELinux is preventing /usr/sbin/gpsd from setattr access on the chr_file ttyUSB0
        https://bugzilla.redhat.com/show_bug.cgi?id=891000
  [ 4 ] Bug #892199 - SELinux is preventing /usr/sbin/dnsmasq from 'read' accesses on the directory /var/lib/tftpboot.
        https://bugzilla.redhat.com/show_bug.cgi?id=892199
  [ 5 ] Bug #892307 - SELinux is preventing /usr/bin/qemu-system-i386 from 'create' accesses on the netlink_route_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=892307
  [ 6 ] Bug #892469 - SELinux is preventing /opt/google/chrome/nacl_helper_bootstrap from 'append' accesses on the file /home/francisco/.config/mailnag/mailnag.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=892469
  [ 7 ] Bug #894634 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the sock_file socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=894634
  [ 8 ] Bug #894965 - SELinux is preventing /usr/bin/evince-thumbnailer from 'create' accesses on the directory .fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=894965
  [ 9 ] Bug #894966 - SELinux is preventing /usr/bin/evince-thumbnailer from 'create' accesses on the directory fontconfig.
        https://bugzilla.redhat.com/show_bug.cgi?id=894966
  [ 10 ] Bug #891736 - /usr/bin/Xvnc should be xserver_exec_t
        https://bugzilla.redhat.com/show_bug.cgi?id=891736
  [ 11 ] Bug #894353 - puppet is prevented from running /usr/bin/dbus-daemon
        https://bugzilla.redhat.com/show_bug.cgi?id=894353
  [ 12 ] Bug #813870 - SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=813870
  [ 13 ] Bug #889343 - SELinux is preventing /usr/bin/python2.7 from 'search' accesses on the directory /var/lib/sss.
        https://bugzilla.redhat.com/show_bug.cgi?id=889343
  [ 14 ] Bug #890229 - SELinux is preventing /usr/bin/motion from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=890229
  [ 15 ] Bug #890762 - SELinux is preventing /usr/sbin/ovs-vswitchd from 'nlmsg_write' accesses on the netlink_route_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=890762
  [ 16 ] Bug #890788 - SELinux is preventing /usr/sbin/killall5 from using the 'sys_ptrace' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=890788
  [ 17 ] Bug #890815 - RFE: Add SELinux policies for rt4
        https://bugzilla.redhat.com/show_bug.cgi?id=890815
  [ 18 ] Bug #890345 - selinux denied qemu access the tls cert for spice connection
        https://bugzilla.redhat.com/show_bug.cgi?id=890345
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------