Fedora 19 Update: selinux-policy-3.12.1-66.fc19

updates at fedoraproject.org updates at fedoraproject.org
Fri Jul 26 23:07:23 UTC 2013 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-13543
2013-07-24 22:36:05
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 66.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool
* Tue Jul 16 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files
* Fri Jul 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcuspd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to user gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files
* Wed Jul 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-63
- Add systemd support for mdadm
* Tue Jul  9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-61
- Allow mdamd to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connecto its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nup_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition,  I can see no case where this is  a bad thing, and elminiates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
- Fix bootloader.fc
- Additional fix
- Fix with xserver_stream_connect_xdm() calling
* Wed Jul  3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call th proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut downthe system
- Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #984613 - aide generates AVC denials writing to /var/log/aide/aide.log when executed from a cron job
        https://bugzilla.redhat.com/show_bug.cgi?id=984613
  [ 2 ] Bug #985755 - SELinux is preventing /usr/bin/pulseaudio from 'write' accesses on the file /var/lib/mpd/.config/pulse/e5aebeb05b1349daba80dab0d130828c-default-sink.
        https://bugzilla.redhat.com/show_bug.cgi?id=985755
  [ 3 ] Bug #986023 - SELinux prevents glusterfs mount at boot
        https://bugzilla.redhat.com/show_bug.cgi?id=986023
  [ 4 ] Bug #986110 - SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory tmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=986110
  [ 5 ] Bug #986122 - SELinux is preventing /usr/sbin/useradd from using the 'sys_chroot' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=986122
  [ 6 ] Bug #986174 - SELinux is preventing /usr/sbin/glusterfsd from module_request access on the system
        https://bugzilla.redhat.com/show_bug.cgi?id=986174
  [ 7 ] Bug #986330 - SELinux is preventing /usr/bin/systemd-tmpfiles from setattr access on the directory tmp
        https://bugzilla.redhat.com/show_bug.cgi?id=986330
  [ 8 ] Bug #986440 - SELinux is preventing /usr/libexec/kde4/lnusertemp from 'create' accesses on the lnk_file cache-asus-0.guldbrand.net.
        https://bugzilla.redhat.com/show_bug.cgi?id=986440
  [ 9 ] Bug #986569 - add portcon for salt master
        https://bugzilla.redhat.com/show_bug.cgi?id=986569
  [ 10 ] Bug #986624 - SELinux is preventing /usr/sbin/glusterfsd from 'read' accesses on the file ip_local_reserved_ports.
        https://bugzilla.redhat.com/show_bug.cgi?id=986624
  [ 11 ] Bug #986626 - SELinux is preventing /usr/sbin/glusterfsd from 'block_suspend' accesses on the capability2 .
        https://bugzilla.redhat.com/show_bug.cgi?id=986626
  [ 12 ] Bug #986627 - SELinux is preventing /usr/sbin/glusterfsd from 'read' accesses on the file unix.
        https://bugzilla.redhat.com/show_bug.cgi?id=986627
  [ 13 ] Bug #986628 - SELinux is preventing /usr/sbin/glusterfsd from using the 'sigkill' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=986628
  [ 14 ] Bug #986685 - NetworkManager-openvpn cannot view list of ciphers
        https://bugzilla.redhat.com/show_bug.cgi?id=986685
  [ 15 ] Bug #986729 - SELinux is preventing /usr/sbin/mdadm from 'read' accesses on the chr_file fw0.
        https://bugzilla.redhat.com/show_bug.cgi?id=986729
  [ 16 ] Bug #986804 - selinux stops collectds ping plug-in from working
        https://bugzilla.redhat.com/show_bug.cgi?id=986804
  [ 17 ] Bug #987052 - SELinux is preventing /usr/sbin/zebra from 'read' accesses on the chr_file random.
        https://bugzilla.redhat.com/show_bug.cgi?id=987052
  [ 18 ] Bug #987175 - SELinux is preventing /usr/libexec/postfix/flush from 'setattr' accesses on the file /var/spool/postfix/deferred/7/7E0645E00AE.
        https://bugzilla.redhat.com/show_bug.cgi?id=987175
  [ 19 ] Bug #979379 - FreeIPA's PKI cannot write to CRL publishing directory
        https://bugzilla.redhat.com/show_bug.cgi?id=979379
  [ 20 ] Bug #986893 - AVC seen when gabble try to communicate with gnome-keyring
        https://bugzilla.redhat.com/show_bug.cgi?id=986893
  [ 21 ] Bug #987629 - SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the lnk_file .#Red Hat openvpn.
        https://bugzilla.redhat.com/show_bug.cgi?id=987629
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list