Fedora 19 Update: selinux-policy-3.12.1-74.17.fc19

updates at fedoraproject.org
Mon Jan 20 03:09:03 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-0636
2014-01-11 07:25:32
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 19
Version     : 3.12.1
Release     : 74.17.fc19
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

See http://koji.fedoraproject.org/koji/buildinfo?buildID=489481
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.17
- Allow polipo to connect to http_cache_ports
- Add new access for mythtv
- Allow tor to bind to hplip port
- Allow showall_t to send itself signals
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Fixed filetrans in zabbix policy
- Allow httpd to read ldap certs
- passwd to create gnome-keyring passwd socket
- Allow systemd_tmpfiles_t to delete all directories
* Fri Dec 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.16
- Allow amanda to do backups over UDP
- Add log support for sensord
* Tue Dec 10 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.15
- Add file transition rules for content created by f5link
- Allow cloud_init to transition to rpm_script_t
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow dkim-milter to create files/dirs in /tmp
- Dontaudit mandb searching all mountpoints
* Tue Nov 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.14
- Allow apmd to request the kernel load module
- Allow sssd to request the kernel loads modules
- label mate-keyring-daemon with gkeyringd_exec_t
- Allow procmail_t to connect to dovecot stream sockets
- Allow smoltclient to execute ldconfig
- Allow condor domains to read/write condor_master udp_socket
- sendmail can attempt to block suspend, but will complete successfully
- Add support for texlive2013
- Allow passwd_t to connect to gnome keyring to change password
- Should allow domains to lock the terminal device
* Mon Nov 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.13
- Update xserver.te to make GDM working
* Fri Nov  8 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.12
- Fixed userdom_dontaudit_delete_user_tmp_files
- Add auth_exec_chkpwd interface
- Add interface to dontaudit attempts to delete user_tmp_t files on thumbnails
- Add tcp/8893 as milter port
- Dontaudit leaked write descriptor to dmesg
- Add rpc_kill_rpcd interface
- Dontaudit attempts to write/delete user_tmp_t files
- Dontaudit attempts by system_mail to modify network config
- Allow ipc_lock for abrt to run journalctl.
- Update zoneminder policy
- Add policy for motion service
- Allow glusterd_t to mounton glusterd_tmp_t
- Allow glusterd to unmount all filesystems
- Allow xenstored to read virt config
* Tue Oct 22 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.11
- Back port piranha tmpfs fixes from RHEL6
- Fix piranha_domain_template()
- Allow mozilla_plugin to bind to the vnc port if running with spice
- Allow svirt_domains to read sysctl_net_t
- Update ppp_manage_pid_files interface
- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
- Allow dovecot-auth to read nologin
- Allow mailserver_domains to manage and transition to mailman data
- Allow thin_t to block suspend
- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
- wicd.pid should be labeled as networkmanager_var_run_t
- Label /sbin/xfs_growfs as fsadm_exec_t
- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
- Fix labeling for /etc/strongswan/ipsec.d
- Add labeling for /var/run/charon.ctl socket
- Allow syslogd_t to connect to the syslog_tls port
* Tue Oct 15 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.10
- Add kill capability in glusterfs policy
- Add postfix_rw_spool_maildrop_files interface
- Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop
- Dontaudit setroubleshoot_fixit_t execmem, since it does not seem to really need it.
- Allow init_t to read gnome home data
- Allow svirt sandbox domains to setattr on chr_file and blk_file svirt_sandbox_file_t, so sshd will work within
- Allow httpd_t to read also git sys content symlinks
- Remove httpd_cobbler_content * from cobbler_admin interface
- allow openshift_cgroup_t to read/write inherited openshift file types
- fix gnome_read_generic_data_home_files interface
- Make sure if systemd_logind creates nologin file with the correct label
- Allow syslog to bind to tls ports
- Clean up ipsec.te
- Allow init_t to read gnome home data
- Allow to su_domain to read init states
- Update labeling for /dev/cdc-wdm
* Tue Oct  8 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.9
- Allow systemd domains to read /dev/urand
- Remove duplicated interfaces
- Fix port definition for ctdb ports
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
- Match upstream labeling
- Fix labeling for mgetty.* logs
- glusterd binds to random unreserved ports
- add type definition for ctdbd_var_t
- Fix ctdb.te
- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
- apcupsd needs to send a message to all users on the system so needs to look them up
- Allow polipo_daemon to connect to flash ports
- Dontaudit attempts for mozilla_plugin to append to /dev/random
- Fix the label on ~/.juniper_networks
- Allow readahead to read /dev/urand
- Fix lots of avcs about tuned
- Any file named xenstored in /var/log should be treated as xenstored_var_log_t
- Allow condor domains to list etc rw dirs
- Allow cobblerd to connect to mysql
- Label zarafa-search as zarafa-indexer
- Openshift cgroup wants to read /etc/passwd
- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
- Allow tuned to search all file system directories
- Allow alsa_t to sys_nice, to get top performance for sound management
- Dontaudit leaked unix_stream_sockets into gnome keyring
- Allow telepathy domains to inhibit pipes on telepathy domains
- Allow dirsrv_t to create tmpfs_t directories
- Allow openvpn_t to manage openvpn_var_log_t files.
* Thu Sep 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.8
- Get labeling right on ipsec.secrets
- Allow systemd to read dhcpc_state
- Allow amanda to write to /etc/amanda/DailySet1 directory
- Fix english on gssd_read_tmp boolean descriptions
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Fix typo in abrt.te
* Wed Sep 25 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.7
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind
- Fix handling of fifo files of rpm
- Allow certwatch to write to cert_t directories
- New abrt application
- Allow mozilla_plugin to transition to itself
- Allow mdadm_t to read images labeled svirt_image_t
- Allow NetworkManager to set the kernel scheduler
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- More handling of the kernel keyring required by kerberos
* Fri Sep 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.6
- Keep initrc_domain if init_t executes bin_t
* Fri Sep 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.5
- Fix label on pam_krb5 helper apps
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Fix label on pam_krb5 helper apps
- Allow init_t to run crash utility
- Call neutron interfaces instead of quantum
- Allow users to communicate with journald using tmpfs files
- Allow nslcd to send signull to itself
- Fix virtd_lxc_t to be able to communicate with hal, need backport to rhel6 ASAP, for docker stuff
- Fix missing types in  virt_admin interface
- Dontaudit attempts by sosreport to read shadow_t
- Allow cobbler to exec rsync and communicate with sssd, using nsswitch
- Add new label mpd_home_t
- Label /srv/www/logs as httpd_log_t
- Allow irc_t to use tcp sockets
- Add labels for apache logs under miq package
- Allow fetchmail to send mails
- allow neutron to connect to amqp ports
- Fix to use quantum port
- Rename quantum to neutron
- Allow virt_qemu_ga_t to read meminfo
- Allow kdump_manage_crash to list the kdump_crash_t directory
- Allow ldconfig to write to kdumpctl fifo files
- Allow openshift_cron_t to run ssh-keygen in ssh_keygen_t to access host keys
* Mon Sep 16 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.4
- fix bad labels in puppet.if
- Allow tcsd to read utmp file
- Define svirt_socket_t as a domain_type
- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file
- Allow passenger to execute ifconfig
* Wed Sep 11 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.3
- Treat usr_t just like bin_t for transitions and executions
- Allow memcache to read sysfs data
- openct needs to be able to create netlink_object_uevent_sockets
- Allow nslcd to read /sys/devices/system/cpu
- Allow mdadm to read /dev/mei
- amanda_exec_t needs to be executable file
- Add additional labeling for qemu-ga/fsfreeze-hook.d scripts
- Allow setpgid and r/w cluster tmpfs for fenced_t
- Allow block_suspend cap for samba-net
- Allow mpd setcap which is needed by pulseaudio
- Add antivirus_home_t type for antivirus data in HOMEDIRS
- Allow glance-api to connect to amqp port
- Fix wrong capabilities in rhcs policy
* Fri Sep  6 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.2
- Fix lsm.fc for pid files
- Allow init_t to transition to all inetd domains
- Allow tgtd_t to connect to isns ports
- Lots of new access required for sosreport
- svirt domains need to create kobject_uevent_sockets
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
- Cleanup related to init_domain()+inetd_domain fixes
- Allow cvs to bind to the cvs_port
- Allow ktalkd to bind to the ktalkd_port
- Allow telnetd to bind to the telnetd_port
- Allow rlogind to bind to the rlogin_port
- Allow apache domain to connect to gssproxy socket
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow cupsd_lpd_t to bind to the printer port
- Allow a confined domain to executes mozilla_exec_t via dbus
- Allow mdadm to getattr any file system
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow all domains that can read gnome_config to read kde config
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Fix mozilla_plugin_rw_tmpfs_files() 
- Allow systemd running as git_systemd to bind git port
- Allow firewalld to read NM state
- Add interface couchdb_search_pid_dirs
- Add support for couchdb in rabbitmq policy
- Add boolean boinc_execmem
- Add interface networkmanager_initrc_domtrans
- Dontaudit leaks into ldconfig_t
- Dontaudit inherited lock files in ifconfig o dhcpc_t
- Move kernel_stream_connect into all Xwindow using users
- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
- Add interface to read authorization data in the users homedir
- Allow ipsec_t to read .google authenticator data
- Allow staff_t to read login config
- Treat files labeled as usr_t like bin_t when it comes to transitions
- Split out rlogin ports from inetd
- Add interface seutil_dbus_chat_semanage
- Fix selinuxutil.if
* Tue Sep  3 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.1
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Fix polipo.te
- Add trans rules for lsm pid files/dirs
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Allow sosreport to getattr everything in /dev and send rawip packets
- Allow sosreport to transition to brctl
- Add missing alias for amavis_etc_t
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Fix cupsd.te
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Fix to define ktalkd_unit_file_t correctly
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add support for tmp directories to openvswitch
- Add logwatch_can_sendmail boolean
- Allow telepathy_domains to search user homedirs and tmp dirs
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
* Thu Aug 29 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74
- Rename svirt_lxc_file_t to svirt_sandbox_file_t
- Allow virt_domain with USB devices to look at dos file systems
- Dontaudit thumb_t trying to look in /proc
- Change svirt_lxc_domain to svirt_sandbox_domain, and add svirt_qemu_net_t type
- Rename interface virt_transition_svirt_lxc to virt_transition_svirt_sanbox
- Allow ipsec_t to domtrans to iptables_t
- dontaudit users running nautilus on /proc
- Dontaudit hostname inheriting any terminal
- Label polgengui as a bin_t
- Allow semanage to create /.autorelabel file
- Label systemd unit files under dracut correctly
- Allow systemd domain to read /proc
- Allow sssd to write to user keyrings for managing kerberos
- Allow rhsmcertd to read init state
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch
* Fri Aug 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-73
- Update rules for condor domains
* Fri Aug 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-72
- Fix collectd_t can read /etc/passwd file
- Fix lsm.if summary
- Add policy for lsmd
- Cleanup raid.te
- Add support for abrt-upload-watch
- Dontaudit access check on cert_t for httpd_t
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Allow glusterd to read domains state
- Allow swift to create cache dirs with correct labeling
- Add support for pam_mount to mount user's encrypted home when a user logs in and logs out using ssh
- Add support for .Xauthority-n
* Tue Aug 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-71
- Allow boinc to connect to  @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984
- Allow named to manage own log files
- Add label for /usr/libexec/dcc/start-dccifd  and domtrans to dccifd_t
- Add virt_transition_userdomain boolean decl
- Allow httpd_t to sendto unix_dgram sockets on its children
- Allow nova domains to execute ifconfig
- bluetooth wants to create fifo_files in /tmp
- exim needs to be able to manage mailman data
- Allow sysstat to getattr on all file systems
- Looks like bluetoothd has moved
- Allow collectd to send ping packets
- Allow svirt_lxc domains to getpgid
- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff
- Allow fprintd_t to read /dev/urandom
- Allow asterisk_t to create sock_file in /var/run
- Allow usbmuxd to use netlink_kobject
- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket
- More cleanup of svirt_lxc policy
- virtd_lxc_t now talks to dbus
- Dontaudit leaked ptmx_t
- Allow processes to use inherited fifo files
- Allow openvpn_t to connect to squid ports
- Allow prelink_cron_system_t to ask systemd to reload miscfiles_dontaudit_access_check_cert()
- Allow ssh_t to use /dev/ptmx
- Make sure /run/pluto dir is created with correct labeling
- Allow syslog to run shell and bin_t commands
- Allow ip to relabel tun_sockets
- Allow mount to create directories in files under /run
- Allow processes to use inherited fifo files
- Allow user roles to connect to the journal socket
- xauth_t should be allowed to create xauth_home_t
- selinux_set_enforce_mode needs to be used with type
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config
* Thu Aug  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-70
- Add label for /var/crash
- Allow fenced to domtrans to sanlock_t
- Allow nagios to manage nagios spool files
- Make tftpd a home_manager
- Allow kdump to read kcore on MLS system
- Allow mysqld-safe sys_nice/sys_resource caps
- Allow apache to search automount tmp dirs if http_use_nfs is enabled
- Allow crond to transition to named_t, for use with unbound
- Allow crond to look at named_conf_t, for unbound
- Allow mozilla_plugin_t to transition its home content
- Allow dovecot_domain to read all system and network state
- Allow semanage to read pid files
- Dontaudit leaked file descriptors from user domain into thumb
- Add fixes for rabbit to fix ##992920,#99293
- Make NFS home, NIS authentication and dbus-daemon working
- Fix thumb_run()
- winbind wants block_suspend
- Fix typo in smokeping.te
- Fix rabbit.te
- Remove dup rule for dovecot.te
- Fix abrt.te
- Allow afs domains to read afs_config files
- Allow login programs to read afs config
- Allow virt_domain to read virt_var_run_t symlinks
- Allow smokeping to send its process signals
- Allow fetchmail to setuid
- Add kdump_manage_crash() interface
- Allow abrt domain to write abrt.socket
- Add append to the dontaudit for unix_stream_socket of xdm_t leak
- Allow xdm_t to create symlinks in log directories
- Allow login programs to read afs config
- Fix rules for creating pluto pid files
- Fix userdom_relabel_user_tmp_files()
- Label 10933 as a pop port, for dovecot
* Fri Aug  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-69
- Add fix for pand service
- Fix pegasus.te
- shorewall touches own log
- Allow nrpe to list /var
- Add additional fixes for pegasus_openlmi_storage_t. Domtrans to demicode. A type for openlmi_storage lib files.
- Dontaudit attempts by thumb_t to check access on files/dirs in user homedir
* Tue Jul 30 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-68
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi providers. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
* Fri Jul 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-67
- Add support for cmpiLMI_Service-cimprovagt
- Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t
- Label pycmpiLMI_Software-cimprovagt as rpm_exec_t
- Add support for pycmpiLMI_Storage-cimprovagt
- Add support for cmpiLMI_Networking-cimprovagt
- Allow system_cronjob_t to create user_tmpfs_t to make pulseaudio working
- Allow virtual machines and containers to run as user domains, needed for virt-sandbox
- Allow buglist.cgi to read cpu info
* Wed Jul 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-66
- Allow systemd-tmpfile to handle tmp content in print spool dir
- Allow systemd-sysctl to send system log messages
- Add support for RTP media ports and fmpro-internal
- Make auditd working if audit is configured to perform SINGLE action on disk error
- Add interfaces to handle systemd units
- Make systemd-notify working if pcsd is used
- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t
- Instead of having all unconfined domains get all of the named transition rules,
- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default.
- Add definition for the salt ports
- Allow xdm_t to create link files in xdm_var_run_t
- Dontaudit reads of blk files or chr files leaked into ldconfig_t
- Allow sys_chroot for useradd_t
- Allow net_raw cap for ipsec_t
- Allow sysadm_t to reload services
- Add additional fixes to make strongswan working with a simple conf
- Allow sysadm_t to enable/disable init_t services
- Add additional glusterd perms
- Allow apache to read lnk files in the /mnt directory
- Allow glusterd to ask the kernel to load a module
- Fix description of ftpd_use_fusefs boolean
- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t
- Allow glusterds to request load a kernel module
- Allow boinc to stream connect to xserver_t
- Allow sblim domains to read /etc/passwd
- Allow mdadm to read usb devices
- Allow collectd to use ping plugin
- Make foghorn working with SNMP
- Allow sssd to read ldap certs
- Allow haproxy to connect to RTP media ports
- Add additional trans rules for aide_db
- Add labeling for /usr/lib/pcsd/pcsd
- Add labeling for /var/log/pcsd
- Add support for pcs which is a corosync and pacemaker configuration tool
* Tue Jul 16 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-65
- Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t
- Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1
- Allow all domains that can domtrans to shutdown, to start the power services script to shutdown
- consolekit needs to be able to shut down system
- Move around interfaces
- Remove nfsd_rw_t and nfsd_ro_t, they don't do anything
- Add additional fixes for rabbitmq_beam to allow getattr on mountpoints
- Allow gconf-defaults-m to read /etc/passwd
- Fix pki_rw_tomcat_cert() interface to support lnk_files
* Fri Jul 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-64
- Add support for gluster ports
- Make sure that all keys located in /etc/ssh/ are labeled correctly
- Make sure apcupsd lock files get created with the correct label
- Use getcap in gluster.te
- Fix gluster policy
- add additional fixes to allow beam.smp to interact with couchdb files
- Additional fix for #974149
- Allow gluster to use gluster ports
- Allow glusterd to transition to rpcd_t and add additional fixes for #980683
- Allow tgtd working when accessing to the passthrough device
- Fix labeling for mdadm unit files
* Wed Jul 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-63
- Add systemd support for mdadm
* Tue Jul  9 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-62
- Fix definition of sandbox.disabled to sandbox.pp.disabled
* Mon Jul  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-61
- Allow mdadm to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
* Mon Jul  8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer
- Allow rabbitmq_beam_t to read process info on rabbitmq_epmd_t
- Allow mozilla_plugin_config_t to create tmp files
- Cleanup openvswitch policy
- Allow mozilla plugin to getattr on all executables
- Allow l2tpd_t to create fifo_files in /var/run
- Allow samba to touch/manage fifo_files or sock_files in a samba_share_t directory
- Allow mdadm to connect to its own unix_stream_socket
- FIXME: nagios changed locations to /log/nagios which is wrong. But we need to have this workaround for now.
- Allow apache to access smokeping pid files
- Allow rabbitmq_beam_t to getattr on all filesystems
- Add systemd support for iodined
- Allow nut_upsdrvctl_t to execute its entrypoint
- Allow fail2ban_client to write to fail2ban_var_run_t, Also allow it to use nsswitch
- add labeling for ~/.cache/libvirt-sandbox
- Add interface to allow domains transitioned to by confined users to send sigchld to screen program
- Allow sysadm_t to check the system status of files labeled etc_t, /etc/fstab
- Allow systemd_localed to start /usr/lib/systemd/system/systemd-vconsole-setup.service
- Allow a domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition. I can see no case where this is a bad thing, and it eliminates a whole class of AVCs.
- Allow staff to getsched all domains, required to run htop
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
- Fix bootloader.fc
- Additional fix
- Fix with xserver_stream_connect_xdm() calling
* Wed Jul  3 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgroup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files
- Allow ftp to bind to port 989
- Fix label of new gear directory
- Add support for new directory /var/lib/openshift/gears/
- Add openshift_manage_lib_dirs()
- allow virtd domains to manage setrans_var_run_t
- Allow useradd to manage all openshift content
- Add support so that mozilla_plugin_t can use dri devices
- Allow chronyd to change the scheduler
- Allow apmd to shut down the system
- Devicekit_disk_t needs to manage /etc/fstab
* Wed Jun 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistent
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #916674 - SELinux is preventing /usr/bin/tor from 'name_bind' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=916674
  [ 2 ] Bug #1031930 - SELinux is preventing /usr/bin/gnome-keyring-daemon from 'create' accesses on the sock_file control.
        https://bugzilla.redhat.com/show_bug.cgi?id=1031930
  [ 3 ] Bug #1047020 - SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=1047020
  [ 4 ] Bug #1047144 - SELinux is preventing /usr/bin/systemd-tmpfiles from 'rmdir' accesses on the directory /lost+found.
        https://bugzilla.redhat.com/show_bug.cgi?id=1047144
  [ 5 ] Bug #1046346 - Missing context for zabbix-server(-pgsql)
        https://bugzilla.redhat.com/show_bug.cgi?id=1046346
  [ 6 ] Bug #1047166 - /var/lib/shorewall/.start: line 1079: kill: (5535) - Permission denied
        https://bugzilla.redhat.com/show_bug.cgi?id=1047166
  [ 7 ] Bug #1050981 - SELinux is preventing /usr/sbin/httpd from getattr access on the directory /etc/openldap/certs.
        https://bugzilla.redhat.com/show_bug.cgi?id=1050981
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
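The bugs referenced above are AVC denials of exactly the kind this update resolves (polipo connecting to an http_cache port, tor binding the hplip port, systemd-tmpfiles removing /lost+found). The shell script below is added here as an example; it is not part of the Fedora notification or of the selinux-policy package. It turns such audit records into the allow rule they ask for and into the setools `sesearch` query that tells you whether the installed policy now grants that access. The three audit records in it are constructed for the example, the type names polipo_t, tor_t, systemd_tmpfiles_t, http_cache_port_t, hplip_port_t and lost_found_t are assumed from the changelog entries and the bug titles, and the `sesearch` syntax assumed is the setools 4 one (comma-separated permission list).

```shell
#!/bin/sh
# Added example (not Fedora's or the selinux-policy project's code): map AVC denial
# records to the allow rule they need and to a sesearch query that checks whether
# the installed policy grants it. Records below are constructed, not real audit data.
# Type names (polipo_t, tor_t, ...) are assumed from the update's changelog.

AVC_SAMPLES='type=AVC msg=audit(1389330000.101:2001): avc:  denied  { name_connect } for  pid=1201 comm="polipo" dest=3128 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1389330000.202:2002): avc:  denied  { name_bind } for  pid=1302 comm="tor" src=1782 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1389330000.303:2003): avc:  denied  { rmdir } for  pid=1403 comm="systemd-tmpfile" name="lost+found" dev="dm-0" ino=11 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir'

# _avc_parse MODE: read AVC records on stdin; for each "denied" record extract the
# permission set, the source type (3rd field of scontext), the target type (3rd field
# of tcontext) and the object class, then print either the allow rule or the query.
_avc_parse() {
  awk -v mode="$1" '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied  *[{] */, "", perms)   # drop everything up to "{ "
      sub(/ *[}].*/, "", perms)            # drop " }" and the rest of the record
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (mode == "sesearch") {
        gsub(/ /, ",", perms)              # setools 4 takes a comma-separated list
        printf "sesearch -A -s %s -t %s -c %s -p %s\n", src, tgt, cls, perms
      } else {
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
      }
    }'
}

# avc_to_rule: the TE rule the denial is asking for (what audit2allow would emit).
avc_to_rule() { _avc_parse rule; }

# avc_to_sesearch: the query that checks whether the installed policy already has it.
avc_to_sesearch() { _avc_parse sesearch; }

# Demo on the constructed records.
printf '%s\n' "$AVC_SAMPLES" | avc_to_rule
printf '%s\n' "$AVC_SAMPLES" | avc_to_sesearch
```

On a Fedora host, feed real records from `ausearch -m AVC -ts recent` (or the matching lines of /var/log/audit/audit.log) through `avc_to_sesearch`, and run the printed queries once `rpm -q selinux-policy` reports 3.12.1-74.17.fc19 or later. An empty `sesearch` result means the installed policy still lacks the rule, so the denial is not one this update covers and deserves its own bug rather than a local audit2allow module.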

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

