Fedora 19 Update: selinux-policy-3.12.1-59.fc19

updates at fedoraproject.org
Sun Jul 7 01:34:13 UTC 2013

Fedora Update Notification
2013-07-05 00:35:47

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 59.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

Update Information:

Here is where you give an explanation of your update.

* Wed Jul  3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut down the system
- Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Let's label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r

  [ 1 ] Bug #975649 - Intel firmware RAID-1 set shows as read-only on live boot (RAID-0 set does not)
  [ 2 ] Bug #978903 - SELinux is preventing /usr/bin/loginctl from 'search' accesses on the directory /sys/fs/cgroup.
  [ 3 ] Bug #979526 - SELinux is preventing /usr/sbin/mcelog from 'search' accesses on the directory /var/lib/sss.
  [ 4 ] Bug #979662 - SELinux is preventing /usr/bin/systemctl from 'read' accesses on the file utmp.
  [ 5 ] Bug #979708 - SELinux is preventing /usr/sbin/ntpd from remove_name access on the directory /var/log/ntpstats/loopstats.
  [ 6 ] Bug #979745 - SELinux is preventing /usr/bin/perl from 'create' accesses on the directory .razor.
  [ 7 ] Bug #979795 - SELinux is preventing /usr/lib64/nagios/plugins/check_mysql from 'read' accesses on the directory cpu.
  [ 8 ] Bug #980236 - SELinux is preventing /usr/bin/lockfile-create from 'write' accesses on the directory logcheck.
  [ 9 ] Bug #980243 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file meminfo.
  [ 10 ] Bug #980608 - SELinux is preventing /usr/bin/screen from using the 'sigchld' accesses on a process.
  [ 11 ] Bug #974581 - SELinux, gssproxy, rpc.gssd
  [ 12 ] Bug #978615 - Quake Live falls back to software rendering on HD 4000 graphics with setenforce 1
  [ 13 ] Bug #979624 - [RFE] Allow fail2ban to use firewall-cmd in actions scripts
  [ 14 ] Bug #979697 - IBM expenses selinux denial on ~/.IBMERS for mozilla_plugin_t
  [ 15 ] Bug #979717 - missing nsd policy, despites being in refpolicy
  [ 16 ] Bug #980087 - AVCs prevent mailman starting in enforcing mode
  [ 17 ] Bug #980629 - telepathy-rakia doesn't run in the proper domain when running as a confined user
  [ 18 ] Bug #980631 - add redis port to the policy
  [ 19 ] Bug #980633 - Tmpwatch not allowed to open cups' tmp directory

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
