Fedora 20 Update: selinux-policy-3.12.1-116.fc20

updates at fedoraproject.org
Thu Jan 16 07:14:05 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-0806
2014-01-15 04:29:58
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 20
Version     : 3.12.1
Release     : 116.fc20
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Add missing files_create_var_lib_dirs()
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 13 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-116
- Add missing files_create_var_lib_dirs()
- Fix typo in ipsec.te
- Allow passwd to create directory in /var/lib
- Add filename trans also for event21
- Allow iptables command to read /dev/rand
- Add sigkill capability for ipsec_t
- Add filename transitions for bcache devices
- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
- Add give everyone full access to all key rings
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Labeled ~/.nv/GLCache as being gstreamer output
- Allow nagios_system_plugin to read mrtg lib files
- Add mrtg_read_lib_files()
- Call rhcs_rw_cluster_tmpfs for dlm_controld
- Make authconfig a named_filetrans domain
- Allow virsh to connect to user process using stream socket
- Allow rtas_errd to read rand/urand devices and add chown capability
- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
- Add also chown cap for abrt_upload_watch_t. It already has dac_override
- Allow sosreport to manage rhsmcertd pid files
- Add rhsmcertd_manage_pid_files()
- Allow also setgid cap for rpc.gssd
- Dontaudit access check for abrt on cert_t
- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-115
- Fix semanage import handling in spec file
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-114
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Add files_write_root_dirs
- Add new openflow port label for 6653/tcp and 6633/tcp
- Add xserver_manage_xkb_libs()
- Label tcp/8891 as milter port
- Allow gnome_manage_generic_cache_files also create cache_home_t files
- Fix aide.log labeling
- Fix log labeling to have correct default label for them after logrotate
- Allow mysqld-safe write access on /root to make mysqld working
- Allow sosreport domtrans to prelink
- Allow OpenvSwitch to connect to openflow ports
- Allow NM send dgram to lldpad
- Allow hyperv domains to execute shell
- Allow lsmd plugins stream connect to lsmd/init
- Allow sblim domains to create /run/gather with correct labeling
- Allow httpd to read ldap certs
- Allow cupsd to send dbus msgs to process with different MLS level
- Allow bumblebee to stream connect to apmd
- Allow bumblebee to run xkbcomp
- Additional allow rules to get libvirt-lxc containers working with docker
- Additional allow rules to get libvirt-lxc containers working with docker
- Allow docker to getattr on itself
- Additional rules needed for sandbox apps
- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled
- httpd should be able to send signal/signull to httpd_suexec_t
- Add more fixes for neutron. Domtrans to dnsmasq, iptables. Make neutron a filename trans domain.
* Wed Jan  8 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-113
- Add neutron fixes
* Mon Jan  6 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-112
- Allow sshd to write to all process levels in order to change passwd when running at a level
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
- Allow apcupsd_t to status and start the power unit file
- Allow udev to manage kdump unit file
- Added new interface modutils_dontaudit_exec_insmod
- Allow cobbler to search dhcp_etc_t directory
- systemd_systemctl needs sys_admin capability
- Allow systemd_tmpfiles_t to delete all directories
- passwd to create gnome-keyring passwd socket
- Add missing zabbix_var_lib_t type
- Fix filename trans for zabbixsrv in zabbix.te
- Allow fprintd_t to send syslog messages
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow certmonger to manage home cert files
- Add userdom filename trans for user mail domains
- Allow apcupsd_t to status and start the power unit file
- Allow cgroupdrulesengd to create content in cgroups directories
- Allow smbd_t to signull cluster
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to use work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
- Updated rasdaemon policy
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow virt_domains to read cert files, needs backport to RHEL7
- Allow sssd to read systemd_login_var_run_t
- Allow irc_t to execute shell and bin_t files
- Add new access for mythtv
- Allow rsync_t to manage all non auth files
- Allow modemmanager to read /dev/urand
- Allow sandbox apps to attempt to set and get capabilities
* Thu Dec 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-111
- Add labeling for /var/lib/servicelog/servicelog.db-journal
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Make new type to texlive files in homedir
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Additional fixes for docker.te
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Fix typo in docker.te
- Allow amanda to do backups over UDP
- Allow bumblebee to read /etc/group and clean up bumblebee.te
- type transitions with a filename not allowed inside conditionals
- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
- Make new type to texlive files in homedir
* Thu Dec 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-110
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerd
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
* Tue Dec 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-109
- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
- Add labeling for /usr/lib/systemd/system/mariadb.service
- Allow hyperv_domain to read sysfs
- Fix ldap_read_certs() interface to allow access also to link files
- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
- Allow tuned to run modprobe
- Allow portreserve to search /var/lib/sss dir
- Add SELinux support for the teamd package, which contains the team network device control daemon
- Dontaudit access check on /proc for bumblebee
- Bumblebee wants to load nvidia modules
- Fix rpm_named_filetrans_log_files and wine.te
- Add conman policy for rawhide
- DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- Add freeipmi_stream_connect() interface
- Allow logwatch to read mdadm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- Add rpm_named_filetrans_log_files() interface
- Allow dkim-milter to create files/dirs in /tmp
- Update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Added new policy for ninfod
- Added new policy for openwsman
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix kernel_dontaudit_access_check_proc()
- Add support for /dev/uhid
- Allow sulogin to get the attributes of initctl and sys_admin cap
- Add kernel_dontaudit_access_check_proc()
- Fix dev_rw_ipmi_dev()
- Fix new interface in devices.if
- DRM master and input event devices are used by the TakeDevice API
- Add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
* Wed Dec  4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-108
- Allow sosreport to send a signal to ABRT
- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Added support for rdisc unit file
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate connections to system DBUS
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
* Mon Dec  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-107
- Add back setpgid/setsched for sosreport_t
* Mon Dec  2 2013 Dan Walsh <dwalsh at redhat.com> 3.12.1-106
- Added fix for cloud_init to transition to rpm_script_t (dwalsh at redhat.com)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #970163 - SELinux policy for ipa-otpd
        https://bugzilla.redhat.com/show_bug.cgi?id=970163
  [ 2 ] Bug #1034275 - lots of AVC when using gpg-agent as a ssh-agent under staff_t
        https://bugzilla.redhat.com/show_bug.cgi?id=1034275
  [ 3 ] Bug #1044131 - Redirection of USB device causes error
        https://bugzilla.redhat.com/show_bug.cgi?id=1044131
  [ 4 ] Bug #1047073 - SELinux is preventing /usr/sbin/rpc.yppasswdd from write access on the file /etc/.pwd.lock.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047073
  [ 5 ] Bug #1047164 - cobbler should be allowed to restart services
        https://bugzilla.redhat.com/show_bug.cgi?id=1047164
  [ 6 ] Bug #1012335 - SELinux is preventing /usr/libexec/sssd/sssd_be from 'read' accesses on the directory /etc/openldap/certs.
        https://bugzilla.redhat.com/show_bug.cgi?id=1012335
  [ 7 ] Bug #1013466 - SELinux is preventing /usr/bin/wine-preloader from 'mmap_zero' accesses on the memprotect .
        https://bugzilla.redhat.com/show_bug.cgi?id=1013466
  [ 8 ] Bug #1022674 - avc prevents newer rpc.gssd from working
        https://bugzilla.redhat.com/show_bug.cgi?id=1022674
  [ 9 ] Bug #1025070 - SELinux is preventing /usr/bin/perl from 'read' accesses on the directory cpu.
        https://bugzilla.redhat.com/show_bug.cgi?id=1025070
  [ 10 ] Bug #1035421 - SELinux is preventing /usr/bin/journalctl from 'read' accesses on the directory journal.
        https://bugzilla.redhat.com/show_bug.cgi?id=1035421
  [ 11 ] Bug #1036430 - SELinux is preventing /usr/sbin/rpc.mountd from 'read' accesses on the blk_file bcache0.
        https://bugzilla.redhat.com/show_bug.cgi?id=1036430
  [ 12 ] Bug #1036861 - SELinux is preventing /usr/sbin/runuser from 'write' accesses on the sock_file system_bus_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=1036861
  [ 13 ] Bug #1038746 - SELinux is preventing /usr/sbin/rsyslogd from 'open' accesses on the chr_file /dev/pts/0.
        https://bugzilla.redhat.com/show_bug.cgi?id=1038746
  [ 14 ] Bug #1039336 - SELinux is preventing /usr/sbin/bumblebeed from 'write' accesses on the file bbswitch.
        https://bugzilla.redhat.com/show_bug.cgi?id=1039336
  [ 15 ] Bug #1039337 - SELinux is preventing /usr/bin/kmod from 'search' accesses on the directory /usr/lib/modules.
        https://bugzilla.redhat.com/show_bug.cgi?id=1039337
  [ 16 ] Bug #1039338 - SELinux is preventing /usr/bin/kmod from 'getattr' accesses on the file /usr/lib/modules/3.11.10-300.fc20.x86_64/modules.dep.bin.
        https://bugzilla.redhat.com/show_bug.cgi?id=1039338
  [ 17 ] Bug #1040457 - SELinux is preventing /usr/bin/mkdir from 'create' accesses on the directory .texlive2013.
        https://bugzilla.redhat.com/show_bug.cgi?id=1040457
  [ 18 ] Bug #1040939 - SELinux is preventing /usr/bin/kmod from 'execute' accesses on the file /usr/bin/kmod.
        https://bugzilla.redhat.com/show_bug.cgi?id=1040939
  [ 19 ] Bug #1041345 - SELinux is preventing /usr/bin/gnome-keyring-daemon from using the 'setcap' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1041345
  [ 20 ] Bug #1043252 - SELinux is preventing /usr/sbin/bumblebeed from 'getattr' accesses on the file /etc/group.
        https://bugzilla.redhat.com/show_bug.cgi?id=1043252
  [ 21 ] Bug #1043258 - No SELinux alerts, but SELinux interrupt starting MariaDB 10.0.6
        https://bugzilla.redhat.com/show_bug.cgi?id=1043258
  [ 22 ] Bug #1044752 - SELinux is preventing /usr/sbin/postdrop from 'write' accesses on the directory /var/spool/postfix/maildrop.
        https://bugzilla.redhat.com/show_bug.cgi?id=1044752
  [ 23 ] Bug #1045020 - SELinux is preventing /usr/bin/kmod from 'read' accesses on the directory /etc/modprobe.d.
        https://bugzilla.redhat.com/show_bug.cgi?id=1045020
  [ 24 ] Bug #1045331 - policy for openvswitch openflow controller connection is missing
        https://bugzilla.redhat.com/show_bug.cgi?id=1045331
  [ 25 ] Bug #1045801 - SELinux is preventing /usr/bin/Xorg from 'search' accesses on the directory 19108.
        https://bugzilla.redhat.com/show_bug.cgi?id=1045801
  [ 26 ] Bug #1045952 - SELinux is preventing /usr/sbin/bumblebeed from 'getattr' accesses on the file /etc/resolv.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=1045952
  [ 27 ] Bug #1046010 - SELinux is preventing /usr/bin/Xorg from 'getattr' accesses on the file /run/udev/data/+input:input22.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046010
  [ 28 ] Bug #1046118 - SELinux is preventing /usr/bin/xkbcomp from 'getattr' accesses on the file /var/lib/xkb/server-8.xkm.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046118
  [ 29 ] Bug #1046437 - SELinux is preventing /usr/bin/gnome-keyring-daemon from 'create' accesses on the sock_file control.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046437
  [ 30 ] Bug #1046480 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046480
  [ 31 ] Bug #1046614 - SELinux is preventing /usr/bin/systemd-tmpfiles from 'rmdir' accesses on the directory backup.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046614
  [ 32 ] Bug #1046748 - sosreport application denied access to /usr/bin/timeout
        https://bugzilla.redhat.com/show_bug.cgi?id=1046748
  [ 33 ] Bug #1046858 - SELinux is preventing /usr/sbin/bumblebeed from 'execute' accesses on the file /usr/bin/kmod.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046858
  [ 34 ] Bug #1046860 - SELinux is preventing /usr/sbin/bumblebeed from 'read' accesses on the file /etc/group.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046860
  [ 35 ] Bug #1046864 - SELinux is preventing /usr/sbin/httpd from 'write' accesses on the directory /var/www/html/simple-php-photo-gallery/uploads.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046864
  [ 36 ] Bug #1046918 - SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the 'sys_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046918
  [ 37 ] Bug #1046952 - SELinux is preventing /usr/bin/mailx from 'ioctl' accesses on the file /home/tbecker/rsync_backup.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046952
  [ 38 ] Bug #1046978 - SELinux is preventing /usr/bin/Xorg from read, write access on the chr_file vga_arbiter.
        https://bugzilla.redhat.com/show_bug.cgi?id=1046978
  [ 39 ] Bug #1047021 - SELinux is preventing /usr/sbin/ModemManager from 'read' accesses on the chr_file urandom.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047021
  [ 40 ] Bug #1047072 - cobbler denied search on dhcp_etc_t
        https://bugzilla.redhat.com/show_bug.cgi?id=1047072
  [ 41 ] Bug #1047241 - SELinux is preventing /usr/bin/irssi from 'execute' accesses on the file /usr/bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047241
  [ 42 ] Bug #1047880 - SELinux is preventing /usr/libexec/sssd/sssd_be from 'search' accesses on the directory users.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047880
  [ 43 ] Bug #1047958 - New avc for mythtv
        https://bugzilla.redhat.com/show_bug.cgi?id=1047958
  [ 44 ] Bug #1048043 - SELinux is preventing /usr/bin/rsync from 'unlink' accesses on the fifo_file 1388530054545.
        https://bugzilla.redhat.com/show_bug.cgi?id=1048043
  [ 45 ] Bug #1048064 - SELinux is preventing /usr/sbin/ssmtp from 'write' accesses on the directory /root.
        https://bugzilla.redhat.com/show_bug.cgi?id=1048064
  [ 46 ] Bug #1048591 - SELinux is preventing /usr/sbin/pcscd from using the 'signull' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1048591
  [ 47 ] Bug #1048736 - /dev/urandom should be readable by svnserve_t
        https://bugzilla.redhat.com/show_bug.cgi?id=1048736
  [ 48 ] Bug #1048748 - SELinux is preventing /usr/sbin/postdrop from 'write' accesses on the file /tmp/fai2ban_t1ssIn.stderr (deleted).
        https://bugzilla.redhat.com/show_bug.cgi?id=1048748
  [ 49 ] Bug #1049491 - Mozilla policy doesn't make much sense wrt spice - boolean mozilla_plugin_use_spice is useless
        https://bugzilla.redhat.com/show_bug.cgi?id=1049491
  [ 50 ] Bug #1049801 - Running cuda on optimus laptops triggers selinux warnings
        https://bugzilla.redhat.com/show_bug.cgi?id=1049801
  [ 51 ] Bug #1050210 - lxcCheckNetNsSupport fails to detect NETNS
        https://bugzilla.redhat.com/show_bug.cgi?id=1050210
  [ 52 ] Bug #1050351 - SELinux is preventing /usr/bin/gnome-keyring-daemon from 'create' accesses on the file user.
        https://bugzilla.redhat.com/show_bug.cgi?id=1050351
  [ 53 ] Bug #1050924 - selinux warnings for hypervkvpd
        https://bugzilla.redhat.com/show_bug.cgi?id=1050924
  [ 54 ] Bug #1051489 - SELinux is preventing /usr/bin/reporter-ureport from write access on the directory nssdb.
        https://bugzilla.redhat.com/show_bug.cgi?id=1051489
  [ 55 ] Bug #1051502 - SELinux is preventing /usr/libexec/strongswan/starter from using the sigkill access on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1051502
  [ 56 ] Bug #1052048 - Installing selinux-policy-minimum-3.12.1-106.fc20 prints semanage import: error
        https://bugzilla.redhat.com/show_bug.cgi?id=1052048
  [ 57 ] Bug #1052177 - SELinux is preventing /usr/bin/tar from using the chown capability.
        https://bugzilla.redhat.com/show_bug.cgi?id=1052177
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------