Fedora 20 Update: selinux-policy-3.12.1-135.fc20

updates at fedoraproject.org
Fri Mar 21 09:26:34 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-3813
2014-03-13 03:06:59
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 20
Version     : 3.12.1
Release     : 135.fc20
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

- Add docker_connect_any boolean
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.repos.d dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Add hide_broken_symptoms for kdumpgui because of systemd bug
- Make kdumpgui_t an unconfined domain
- Allow docker to connect to tcp/5000
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
- Allow postgresql to use ldap
- Add missing syslog-conn port
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 11 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-135
- Add docker_connect_any boolean
* Tue Mar 11 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-134
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.repos.d dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Add hide_broken_symptoms for kdumpgui because of systemd bug
- Make kdumpgui_t an unconfined domain
- Allow docker to connect to tcp/5000
* Mon Mar 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-133
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
- Allow postgresql to use ldap
- Add missing syslog-conn port
* Fri Mar  7 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-132
- Modify xdm_write_home to allow create files/links in /root with xdm_home_
- Allow virt domains to read network state
* Thu Mar  6 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-131
- Added pcp rules
- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6
- clean up ctdb.te
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow certmonger to list home dirs
* Wed Mar  5 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-130
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
- Add sysnet_filetrans_named_content_ifconfig() interface
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow kerberos keytab domains to manage sssd/userdomain keys
- Allow running the ip cmd in the neutron_t domain
* Mon Mar  3 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-129
- Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-localed
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined an optional boolean
- Allow certmonger to list home dirs
* Wed Feb 26 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-128
- Make snapperd an unconfined domain and add additional fixes for it
- Remove nsplugin.pp module on upgrade
* Tue Feb 25 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-127
- Add snapperd_home_t for HOME_DIR/.snapshots directory
- Make sosreport an unconfined domain
- Allow sosreport to execute grub2-probe
- Allow NM to manage hostname config file
- Allow systemd_timedated_t to dbus chat with rpm_script_t
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
- Add lsmd_plugin_connect_any boolean
- Allow mozilla_plugin to attempt to set capabilities
- Allow lsmd_plugins to use tcp_socket
- Dontaudit mozilla plugin from getattr on /proc or /sys
- Dontaudit use of the keyring by the services in a sandbox
- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t
- Allow rabbitmq_beam to connect to jabber_interserver_port
- Allow logwatch_mail_t to transition to qmail_inject and queue
- Added new rules to pcp policy
- Allow vmtools_helper_t to change role to system_r
- Allow NM to dbus chat with vmtools
- Fix couchdb_manage_files() to allow managing couchdb conf files
- Add support for /var/run/redis.sock
- dontaudit gpg trying to use audit
- Allow consolekit to create log directories and files
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow pkcsslotd to read users state
- Add ioctl to init_dontaudit_rw_stream_socket
- Add systemd_hostnamed_manage_config() interface
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses setsockopt
- sddm-greeter is a xdm type program
* Tue Feb 18 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-126
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state data as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit random domains listing /proc and hitting system_map_t
- Dontaudit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee an unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- Make vmtools an unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools to shut down a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transient units and allow stream connect to sssd
- Add additional fixes for new pcsc-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signals
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugs for pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
* Tue Feb 11 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-125
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconfig/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t an unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow qemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add setgid and setuid capabilities to bacula and allow it to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp to connect to amqp port
- Modify xdm_write_home to allow creating also links as xdm_home_t if the boolean is set to true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
* Mon Feb  3 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-124
- Added osad policy
- Allow postfix to deliver to procmail
- Allow bumblebee to send kill signal to xserver
- Allow vmtools to execute /usr/bin/lsb_release
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Allow calling renice in mlocate
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
* Fri Jan 31 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-123
- Turn on bacula, rhnsd policy
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Allow calling renice in mlocate
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
- Fixes for *_admin interfaces
- Add pegasus_openlmi_storage_var_run_t type def
- Add support for /var/run/openlmi-storage
- Allow tuned to create syslog.conf with correct labeling
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- Allow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
- Add support for dey_sapi port
- Add logging_filetrans_named_conf()
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
* Tue Jan 28 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-122
- Update snapper policy
- Allow domains to append rkhunter lib files
- Allow snapperd to getattr on all fs
- Allow xdm to create /var/gdm with correct labeling
- Add label for snapper.log
- Allow fail2ban-client to read apache log files
- Allow thumb_t to execute dbus-daemon in thumb_t
* Mon Jan 27 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-121
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunter lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- Add interface to getattr on an isid_type for any type of file
- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Allow docker to mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- init calling needs to be optional in domain.te
- Allow unconfined domain types to handle transient unit files
- Fix labeling for vfio devices
- Allow net_admin capability and send system log msgs
- Allow lldpad to send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Back port pcp policy from rawhide
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow managing also symlinks
- Allow smbcontrol block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container
- Allow postfix and cyrus-imapd to work out of box
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- Dontaudit domains that are calling into journald to net_admin
- Add rules to allow vmtools to do what it does
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
- Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts chr_file
- Allow domains that transition to svirt_sandbox to send it signals
* Tue Jan 21 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-120
- Allow apache to write to the owncloud data directory in /var/www/html...
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow nscd_t block_suspend capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- Add interfaces to handle transient
* Mon Jan 20 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-119
- Add cron unconfined role support for unconfined SELinux user
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- Allow gnome-thumbnail to stream connect to bumblebee
- Allow xkbcomp running as bumblebee_t to execute bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Allow bumblebee to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
* Thu Jan 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-118
- Allow init_t to work on transient and snapshot unit files
- Add logging_manage_syslog_config()
- Update sysnet_dns_name_resolve() to allow connect to dnssec port
- Allow pegasus_openlmi_storage_t to read hwdata
- Fix rhcs_rw_cluster_tmpfs()
- Allow fenced_t to bind on zented udp port
- Added policy for vmtools
- Fix mirrormanager_read_lib_files()
- Allow mirrormanager scripts running as httpd_t to manage mirrormanager pid files
- Allow ctdb to create sock files in /var/run/ctdb
- Add sblim_filetrans_named_content() interface
- Allow rpm scriptlets to create /run/gather with correct labeling
- Allow gnome keyring domains to create gnome config dirs
- Dontaudit read/write to init stream socket for lsmd_plugin_t
- Allow automount to read nfs link files
- Allow lsm plugins to read/write lsmd stream socket
- Allow certmonger to connect ldap port to make IPA CA certificate renewal working.
- Add also labeling for /var/run/ctdb
- Add missing labeling for /var/lib/ctdb
- Allow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
- Dontaudit hypervkvp to search homedirs
- Dontaudit hypervkvp to search admin homedirs
- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
- Dontaudit xguest_t to read ABRT conf files
- Add abrt_dontaudit_read_config()
- Allow namespace-init to getattr on fs
- Add thumb_role() also for xguest
- Add filename transitions to create .spamassassin with correct labeling
- Allow apache domain to read mirrormanager pid files
- Allow domains to read/write shm and sem owned by mozilla_plugin_t
- Allow alsactl to send a generic signal to kernel_t
- Allow plymouthd to read run/udev/queue.bin
- Allow sys_chroot for NM required by iodine service
- Change glusterd to allow mounton all non security
* Wed Jan 15 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-117
- Add back rpm_run for unconfined_t
* Mon Jan 13 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-116
- Add missing files_create_var_lib_dirs()
- Fix typo in ipsec.te
- Allow passwd to create directory in /var/lib
- Add filename trans also for event21
- Allow iptables command to read /dev/rand
- Add sigkill capability for ipsec_t
- Add filename transitions for bcache devices
- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
- Give everyone full access to all key rings
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Labeled ~/.nv/GLCache as being gstreamer output
- Allow nagios_system_plugin to read mrtg lib files
- Add mrtg_read_lib_files()
- Call rhcs_rw_cluster_tmpfs for dlm_controld
- Make authconfig a named_filetrans domain
- Allow virsh to connect to user process using stream socket
- Allow rtas_errd to read rand/urand devices and add chown capability
- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
- Add also chown cap for abrt_upload_watch_t. It already has dac_override
- Allow sosreport to manage rhsmcertd pid files
- Add rhsmcertd_manage_pid_files()
- Allow also setgid cap for rpc.gssd
- Dontaudit access check for abrt on cert_t
- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-115
- Fix semanage import handling in spec file
* Fri Jan 10 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-114
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Add files_write_root_dirs
- Add new openflow port label for 6653/tcp and 6633/tcp
- Add xserver_manage_xkb_libs()
- Label tcp/8891 as milter port
- Allow gnome_manage_generic_cache_files also create cache_home_t files
- Fix aide.log labeling
- Fix log labeling to have correct default label for them after logrotate
- Allow mysqld-safe write access on /root to make mysqld working
- Allow sosreport domtrans to prelink
- Allow OpenvSwitch to connect to openflow ports
- Allow NM to send dgram to lldpad
- Allow hyperv domains to execute shell
- Allow lsmd plugins stream connect to lsmd/init
- Allow sblim domains to create /run/gather with correct labeling
- Allow httpd to read ldap certs
- Allow cupsd to send dbus msgs to process with different MLS level
- Allow bumblebee to stream connect to apmd
- Allow bumblebee to run xkbcomp
- Additional allow rules to get libvirt-lxc containers working with docker
- Additional allow rules to get libvirt-lxc containers working with docker
- Allow docker to getattr on itself
- Additional rules needed for sandbox apps
- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled
- httpd should be able to send signal/signull to httpd_suexec_t
- Add more fixes for neutron: domtrans to dnsmasq and iptables. Make neutron a filename trans domain.
* Wed Jan  8 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-113
- Add neutron fixes
* Mon Jan  6 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-112
- Allow sshd to write to all process levels in order to change passwd when running at a level
- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range
- Allow apcupsd_t to status and start the power unit file
- Allow udev to manage kdump unit file
- Added new interface modutils_dontaudit_exec_insmod
- Allow cobbler to search dhcp_etc_t directory
- systemd_systemctl needs sys_admin capability
- Allow systemd_tmpfiles_t to delete all directories
- Allow passwd to create gnome-keyring passwd socket
- Add missing zabbix_var_lib_t type
- Fix filename trans for zabbixsrv in zabbix.te
- Allow fprintd_t to send syslog messages
- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabbix to connect to smtp port
- Allow mozilla plugin to chat with policykit, needed for spice
- Allow gssproxy to change user and gid, as well as read user keyrings
- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly
- Allow polipo to connect to http_cache_ports
- Allow cron jobs to manage apache var lib content
- Allow yppassword to manage the passwd_file_t
- Allow showall_t to send itself signals
- Allow cobbler to restart dhcpd, dnsmasq and bind services
- Allow certmonger to manage home cert files
- Add userdom filename trans for user mail domains
- Allow apcupsd_t to status and start the power unit file
- Allow cgrulesengd to create content in cgroups directories
- Allow smbd_t to signull cluster
- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t
- Add label for /var/spool/cron.aquota.user
- Allow sandbox_x domains to work with the mozilla plugin semaphore
- Added new policy for speech-dispatcher
- Added dontaudit rule for insmod_exec_t in rasdaemon policy
- Updated rasdaemon policy
- Allow system_mail_t to transition to postfix_postdrop_t
- Clean up mirrormanager policy
- Allow virt_domains to read cert files, needs backport to RHEL7
- Allow sssd to read systemd_login_var_run_t
- Allow irc_t to execute shell and bin_t files
- Add new access for mythtv
- Allow rsync_t to manage all non auth files
- allow modemmanager to read /dev/urand
- Allow sandbox apps to attempt to set and get capabilities
* Thu Dec 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-111
- Add labeling for /var/lib/servicelog/servicelog.db-journal
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Make new type for texlive files in homedir
- Allow subscription-manager running as sosreport_t to manage rhsmcertd
- Additional fixes for docker.te
- Remove ability to do mount/sys_admin by default in virt_sandbox domains
- New rules required to run docker images within libvirt
- Add label for ~/.cvsignore
- Change mirrormanager to be run by cron
- Add mirrormanager policy
- Fixed bumblebee_admin() and mip6d_admin()
- Add log support for sensord
- Fix typo in docker.te
- Allow amanda to do backups over UDP
- Allow bumblebee to read /etc/group and clean up bumblebee.te
- type transitions with a filename not allowed inside conditionals
- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7
- Make new type for texlive files in homedir
* Thu Dec 12 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-110
- Allow freeipmi_ipmidetectd_t to use freeipmi port
- Update freeipmi_domain_template()
- Allow journalctl running as ABRT to read /run/log/journal
- Allow NM to read dispatcher.d directory
- Update freeipmi policy
- Type transitions with a filename not allowed inside conditionals
- Allow tor to bind to hplip port
- Make new type for texlive files in homedir
- Allow zabbix_agent to transition to dmidecode
- Add rules for docker
- Allow sosreport to send signull to unconfined_t
- Add virt_noatsecure and virt_rlimitinh interfaces
- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerd
- Add support for freeipmi port
- Add sysadm_u_default_contexts
- Add logging_read_syslog_pid()
- Fix userdom_manage_home_texlive() interface
- Make new type for texlive files in homedir
- Add filename transitions for /run and /lock links
- Allow virtd to inherit rlimit information
* Tue Dec 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-109
- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t
- Add labeling for /usr/lib/systemd/system/mariadb.service
- Allow hyperv_domain to read sysfs
- Fix ldap_read_certs() interface to allow access also to link files
- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt
- Allow tuned to run modprobe
- Allow portreserve to search /var/lib/sss dir
- Add SELinux support for the teamd package, which contains the team network device control daemon.
- Dontaudit access check on /proc for bumblebee
- Bumblebee wants to load nvidia modules
- Fix rpm_named_filetrans_log_files and wine.te
- Add conman policy for rawhide
- DRM master and input event devices are used by the TakeDevice API
- Clean up bumblebee policy
- Update pegasus_openlmi_storage_t policy
- Add freeipmi_stream_connect() interface
- Allow logwatch to read mdadm.conf to support RAID setup
- Add raid_read_conf_files() interface
- Allow up2date running as rpm_t to create up2date log file with rpm_log_t labeling
- add rpm_named_filetrans_log_files() interface
- Allow dkim-milter to create files/dirs in /tmp
- update freeipmi policy
- Add policy for freeipmi services
- Added rdisc_admin and rdisc_systemctl interfaces
- opensm policy clean up
- openwsman policy clean up
- ninfod policy clean up
- Added new policy for ninfod
- Added new policy for openwsman
- Added rdisc_admin and rdisc_systemctl interfaces
- Fix kernel_dontaudit_access_check_proc()
- Add support for /dev/uhid
- Allow sulogin to get the attributes of initctl and sys_admin cap
- Add kernel_dontaudit_access_check_proc()
- Fix dev_rw_ipmi_dev()
- Fix new interface in devices.if
- DRM master and input event devices are used by the TakeDevice API
- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev()
- Added support for default conman port
- Add interfaces for ipmi devices
* Wed Dec  4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-108
- Allow sosreport to send a signal to ABRT
- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
- Label /usr/sbin/htcacheclean as httpd_exec_t
- Added support for rdisc unit file
- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
- Allow runuser running as logrotate to connect to system DBUS
- Label bcache devices as fixed_disk_device_t
- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
* Mon Dec  2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-107
- Add back setpgid/setsched for sosreport_t
* Mon Dec  2 2013 Dan Walsh <dwalsh at redhat.com> 3.12.1-106
- Added fix for cloud-init to transition to rpm_script_t (dwalsh at redhat.com)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1005453 - SELinux is preventing /usr/bin/pulseaudio from using the 'setcap' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1005453
  [ 2 ] Bug #1063827 - selinux avc for httpd accessing KEYRING ccache type
        https://bugzilla.redhat.com/show_bug.cgi?id=1063827
  [ 3 ] Bug #1067687 - SELinux is preventing /usr/sbin/slapd from write access on the file /var/log/slapd/slapd.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=1067687
  [ 4 ] Bug #1069076 - SELinux is preventing /usr/libexec/goa-daemon from 'read' accesses on the key .
        https://bugzilla.redhat.com/show_bug.cgi?id=1069076
  [ 5 ] Bug #1069161 - SELinux is preventing /usr/lib64/firefox/plugin-container from 'getattr' accesses on the file /proc/kmsg.
        https://bugzilla.redhat.com/show_bug.cgi?id=1069161
  [ 6 ] Bug #1069346 - SELinux is preventing /usr/bin/ps from using the 'sys_ptrace' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1069346
  [ 7 ] Bug #1069640 - [fail2ban_t] SELinux is preventing /usr/sbin/ipset from create access on the netlink_socket
        https://bugzilla.redhat.com/show_bug.cgi?id=1069640
  [ 8 ] Bug #1071054 - SELinux is preventing /usr/libexec/gdm-session-worker from using the 'net_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1071054
  [ 9 ] Bug #1071622 - SELinux is preventing /usr/bin/python2.7 from 'create' accesses on the fifo_file hpfax-pipe-124.
        https://bugzilla.redhat.com/show_bug.cgi?id=1071622
  [ 10 ] Bug #1072001 - SELinux is preventing /usr/sbin/ip from 'nlmsg_write' accesses on the netlink_route_socket .
        https://bugzilla.redhat.com/show_bug.cgi?id=1072001
  [ 11 ] Bug #1072006 - SELinux is preventing /usr/bin/python2.7 from 'getattr' accesses on the file .
        https://bugzilla.redhat.com/show_bug.cgi?id=1072006
  [ 12 ] Bug #1072008 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory .
        https://bugzilla.redhat.com/show_bug.cgi?id=1072008
  [ 13 ] Bug #1072011 - SELinux is preventing /usr/sbin/ip from 'mounton' accesses on the directory .
        https://bugzilla.redhat.com/show_bug.cgi?id=1072011
  [ 14 ] Bug #1072038 - SELinux is preventing /usr/bin/systemd-tty-ask-password-agent from 'open' accesses on the chr_file .
        https://bugzilla.redhat.com/show_bug.cgi?id=1072038
  [ 15 ] Bug #1072695 - SELinux is preventing /usr/sbin/smbd from 'setattr' accesses on the directory Shared.
        https://bugzilla.redhat.com/show_bug.cgi?id=1072695
  [ 16 ] Bug #1074887 - SELinux is preventing /usr/sbin/zabbix_server_pgsql from create access on the unix_dgram_socket
        https://bugzilla.redhat.com/show_bug.cgi?id=1074887
  [ 17 ] Bug #1071706 - docker's global requirements were not met: type/attribute unconfined_t
        https://bugzilla.redhat.com/show_bug.cgi?id=1071706
  [ 18 ] Bug #1073105 - When audio-entropyd is started by systemd, SELinux prevents it from running
        https://bugzilla.redhat.com/show_bug.cgi?id=1073105
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

