Fedora 20 Update: selinux-policy-3.12.1-117.fc20

updates at fedoraproject.org
Sat Jan 18 04:23:42 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-0870
2014-01-16 05:23:10
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 20
Version     : 3.12.1
Release     : 117.fc20
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

Add back rpm_run for unconfined_t
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 15 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-117
- Add back rpm_run for unconfined_t
* Mon Jan 13 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-116
- Add missing files_create_var_lib_dirs()
- Fix typo in ipsec.te
- Allow passwd to create directory in /var/lib
- Add filename trans also for event21
- Allow iptables command to read /dev/rand
- Add sigkill capability for ipsec_t
- Add filename transitions for bcache devices
- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
- Give everyone full access to all key rings
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Labeled ~/.nv/GLCache as being gstreamer output
- Allow nagios_system_plugin to read mrtg lib files
- Add mrtg_read_lib_files()
- Call rhcs_rw_cluster_tmpfs for dlm_controld
- Make authconfig a named_filetrans domain
- Allow virsh to connect to user process using stream socket
- Allow rtas_errd to read rand/urand devices and add chown capability
- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
- Add also chown cap for abrt_upload_watch_t. It already has dac_override
- Allow sosreport to manage rhsmcertd pid files
- Add rhsmcertd_manage_pid_files()
- Allow also setgid cap for rpc.gssd
- Dontaudit access check for abrt on cert_t
- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-115
- Fix semanage import handling in spec file
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-114
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Add files_write_root_dirs
- Add new openflow port label for 6653/tcp and 6633/tcp
- Add xserver_manage_xkb_libs()
- Label tcp/8891 as milter port
- Allow gnome_manage_generic_cache_files also create cache_home_t files
- Fix aide.log labeling
- Fix log labeling to have correct default label for them after logrotate
- Allow mysqld-safe write access on /root to make mysqld work
- Allow sosreport domtrans to prelink
- Allow OpenvSwitch to connect to openflow ports
- Allow NM send dgram to lldpad
- Allow hyperv domains to execute shell
- Allow lsmd plugins stream connect to lsmd/init
- Allow sblim domains to create /run/gather with correct labeling
- Allow httpd to read ldap certs
- Allow cupsd to send dbus msgs to process with different MLS level
- Allow bumblebee to stream connect to apmd
- Allow bumblebee to run xkbcomp
- Additional allow rules to get libvirt-lxc containers working with docker
- Additional allow rules to get libvirt-lxc containers working with docker
- Allow docker to getattr on itself
- Additional rules needed for sandbox apps
- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled
- httpd should be able to send signal/signull to httpd_suexec_t
- Add more fixes for neutron. Domtrans to dnsmasq, iptables. Make neutron a filename trans domain.
* Wed Jan  8 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-113
- Add neutron fixes
* Mon Jan  6 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-112
- Allow sshd to write to all process levels in order to change passwd when running at a level
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
- Allow apcupsd_t to status and start the power unit file
- Allow udev to manage kdump unit file
- Added new interface modutils_dontaudit_exec_insmod
- Allow cobbler to search dhcp_etc_t directory
- systemd_systemctl needs sys_admin capability
- Allow systemd_tmpfiles_t to delete all directories
- Allow passwd to create gnome-keyring passwd socket
- Add missing zabbix_var_lib_t type
- Fix filename trans for zabbixsrv in zabbix.te
- Allow fprintd_t to send syslog messages
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpc, dnsmasq and bind services
- Allow certmonger to manage home cert files
- Add userdom filename trans for user mail domains
- Allow apcupsd_t to status and start the power unit file
- Allow cgrulesengd to create content in cgroups directories
- Allow smbd_t to signull cluster
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
- Updated rasdaemon policy
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow virt_domains to read cert files, needs backport to RHEL7
- Allow sssd to read systemd_login_var_run_t
- Allow irc_t to execute shell and bin_t files
- Add new access for mythtv
- Allow rsync_t to manage all non auth files
- Allow modemmanager to read /dev/urand
- Allow sandbox apps to attempt to set and get capabilities
* Thu Dec 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-111
- Add labeling for /var/lib/servicelog/servicelog.db-journal
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Make new type to texlive files in homedir
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Additional fixes for docker.te
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Fix typo in docker.te
- Allow amanda to do backups over UDP
- Allow bumblebee to read /etc/group and clean up bumblebee.te
- Type transitions with a filename not allowed inside conditionals
- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
- Make new type to texlive files in homedir
* Thu Dec 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-110
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type to texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerd
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type to texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
* Tue Dec 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-109
- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
- Add labeling for /usr/lib/systemd/system/mariadb.service
- Allow hyperv_domain to read sysfs
- Fix ldap_read_certs() interface to allow access also to link files
- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
- Allow tuned to run modprobe
- Allow portreserve to search /var/lib/sss dir
- Add SELinux support for the teamd package, which contains the team network device control daemon
- Dontaudit access check on /proc for bumblebee
- Bumblebee wants to load nvidia modules
- Fix rpm_named_filetrans_log_files and wine.te
- Add conman policy for rawhide
- DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- Add freeipmi_stream_connect() interface
- Allow logwatch to read mdadm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling
- Add rpm_named_filetrans_log_files() interface
- Allow dkim-milter to create files/dirs in /tmp
- Update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Added new policy for ninfod
- Added new policy for openwsman
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix kernel_dontaudit_access_check_proc()
- Add support for /dev/uhid
- Allow sulogin to get the attributes of initctl and sys_admin cap
- Add kernel_dontaudit_access_check_proc()
- Fix dev_rw_ipmi_dev()
- Fix new interface in devices.if
- DRM master and input event devices are used by the TakeDevice API
- Add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
* Wed Dec  4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-108
- Allow sosreport to send a signal to ABRT
- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Added support for rdisc unit file
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate to connect to the system DBUS
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
* Mon Dec  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-107
- Add back setpgid/setsched for sosreport_t
* Mon Dec  2 2013 Dan Walsh <dwalsh at redhat.com> 3.12.1-106
- Added fix for cloud_init to transition to rpm_script_t (dwalsh at redhat.com)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1047817 - SELinux is preventing /usr/sbin/iodine from using the 'sys_chroot' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047817
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
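Two checks a practitioner will want after applying this update, as an added example that is not part of the Fedora notification or the selinux-policy package: confirm that the installed selinux-policy is at or above the Version-Release this advisory ships (3.12.1-117.fc20), and, for a package pulled down by hand, confirm that `rpm -K` reports a real GPG signature rather than only matching digests. The script assumes POSIX sh with sort/head, `rpm -q --qf` and `rpm -K` as shipped in Fedora 20, and an assumed `rpm -K` line format of the form "<pkg>.rpm: rsa sha1 (md5) pgp md5 OK" for a signed package; the version comparison is a simplified rpmvercmp (no epoch, tilde or caret handling), which is enough for Fedora NVRs of this shape.

```sh
#!/bin/sh
# Added example, not code from the Fedora notification or the selinux-policy
# package. Verifies (1) that the installed selinux-policy is at least the
# version shipped by FEDORA-2014-0870 and (2) that a downloaded package file
# carries a valid GPG signature, not merely valid digests.
# Assumptions: POSIX sh plus sort/head; `rpm -q --qf` and `rpm -K` as in
# Fedora 20 (rpm 4.11); the `rpm -K` output format below is assumed.

ADVISORY_EVR="3.12.1-117.fc20"   # Version-Release from the notification header

# is_num STRING -> true if STRING is a non-empty run of digits
is_num() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# vercmp A B -> prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Splits both strings on '.' and '-' and compares segment by segment, numerically
# when both segments are numeric and lexically otherwise. This is a simplified
# rpmvercmp (no epoch, tilde or caret handling), adequate for Fedora NVRs.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa=${a%%[.-]*}               # leading segment of each string
        sb=${b%%[.-]*}
        a=${a#"$sa"}; a=${a#[.-]}    # drop the segment and its separator
        b=${b#"$sb"}; b=${b#[.-]}
        if is_num "$sa" && is_num "$sb"; then
            if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return 0; fi
            if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return 0; fi
        elif [ "$sa" != "$sb" ]; then
            # lexical order via sort, which is portable where `test <` is not
            first=$(printf '%s\n%s\n' "$sa" "$sb" | sort | head -n 1)
            if [ "$first" = "$sa" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
            return 0
        fi
    done
    printf '%s\n' 0
}

# evr_at_least INSTALLED REQUIRED -> true if INSTALLED is REQUIRED or newer
evr_at_least() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# sig_line_ok LINE -> true only if an `rpm -K` line ends in "OK" (not "NOT OK")
# and names a signature (pgp/gpg/signatures). A line such as
# "<pkg>.rpm: sha1 md5 OK" means the digests match but nothing proves origin,
# so it is rejected. (Assumed output format, see lead-in.)
sig_line_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;
        *" OK") ;;
        *) return 1 ;;
    esac
    case $1 in
        *pgp*|*gpg*|*signatures*) return 0 ;;
    esac
    return 1
}

# check_host -> queries the local rpm database (Fedora host only) and reports
# whether the installed selinux-policy is at or above ADVISORY_EVR.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; nothing to check on this host"
        return 0
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy) || {
        echo "selinux-policy is not installed"
        return 1
    }
    if evr_at_least "$installed" "$ADVISORY_EVR"; then
        echo "selinux-policy $installed: at or above $ADVISORY_EVR (OK)"
        return 0
    fi
    echo "selinux-policy $installed: older than $ADVISORY_EVR; run: su -c 'yum update selinux-policy'"
    return 1
}

# check_rpm_file FILE -> verifies a downloaded package with `rpm -K`.
check_rpm_file() {
    line=$(rpm -K "$1" 2>&1) || true
    if sig_line_ok "$line"; then
        echo "signed and verified: $line"
        return 0
    fi
    echo "NOT trusted: $line"
    return 1
}

# Run the host check only when asked, so the functions can also be sourced.
if [ "${RUN_HOST_CHECK:-0}" = 1 ]; then
    check_host
fi
```

Run it on the updated host as `RUN_HOST_CHECK=1 sh check-selinux-policy.sh`, or source it and call `check_rpm_file selinux-policy-3.12.1-117.fc20.noarch.rpm` against a manually downloaded package (the Fedora key must already be imported with `rpm --import`, otherwise `rpm -K` reports NOT OK with missing keys, which the check correctly refuses). Digest-only "OK" lines are rejected on purpose: a matching md5/sha1 says the file was not corrupted in transit, not that the Fedora Project produced it.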

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------