Fedora 21 Update: selinux-policy-3.13.1-105.20.fc21

updates at fedoraproject.org
Sat Aug 15 02:11:15 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-12049
2015-07-28 22:49:30
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 21
Version     : 3.13.1
Release     : 105.20.fc21
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based on reference policy: checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=670457
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 21 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.20
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Allow abrt_t read all proc files. BZ (1240885)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Set label of /sys/kernel/debug
- Label new dnssec-trigger files.
* Mon Jun 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.19
- Add networkmanager_sigkill() and networkmanager_signull() interfaces.
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Rename xodbc-connect port to xodbc_connect
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow dnssec-trigger to send sigkill,signull to NM
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Also allow reading NetworkManager_etc_rw_t files in networkmanager_read_conf(). BZ(1231798)
- Allow abrt_dump_oops_t the fowner, chown and fsetid capabilities. BZ(1235944)
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
* Wed Jun 24 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.18
- Add unconfined_dontaudit_write_state() interface.
- Make docker_t unconfined. BZ(1215842)
* Tue Jun 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.17
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Dontaudit chrome-sandbox write access to its parent process information. BZ(1220958)
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
- Allow NM to do access checks on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open. Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispatcher to read links.
- Fix missing bracket in apache.te.
- Fix httpd_use_openstack boolean related to keystone_read_pid.
- Add postgresql support for systemd unit files.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Add term_open_unallocated_ttys() interface.
- Add dev_access_check_sysfs() interface.
* Tue May 19 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.16
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Allow antivirus_t to read system state info. BZ(1217616)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
- Fix description for seutil_search_config() interface.
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinux/ to check if /etc/selinux/config exists. BZ(1219045)
- Add seutil_search_config() interface.
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
* Thu Apr 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.15
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file. Label dnssec-trigger script in libexec.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.14
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Add ipa_manage_pid_files interface.
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
- Add more restriction on entrypoint for unconfined domains.
* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Add more restriction on entrypoint for unconfined domains.
- Allow systemd_networkd_t to load kernel module. BZ(1209402)
- Allow systemd_networkd cap. dac_override. BZ(1204352)
* Tue Apr  7 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
- Add collectd net_raw capability. BZ(1194169)
* Thu Apr  2 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.11
- Allow networkmanager and cloud_init_t to dbus chat
- Fix sysnet_filetrans_named_content interface. BZ(1207942)
- Fix cloudform policy (m4 is case sensitive).
* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.10
- Allow kmscon to read system state. BZ (1206871)
- Allow plymouthd to open usbttys. BZ(1202429)
- apmd needs sys_resource when shutting down the machine
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
- Allow all domains some process flags
* Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.9
- Allow mysqld_t to use pam. BZ(1196104)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
* Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.8
- Merge docker policy from rawhide.
- Allow docker to relabelfrom/to sockets and docker_log_t
- Allow docker to communicate with openvswitch
- Fix some resolv problems
- Remove automatically running filetrans_named_content from sysnet_manage_config
- Allow all domains that read resolv.conf to search through /run, since multiple domains including NetworkManager will be putting their resolv.conf into this directory
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Fix labels, improve sysnet_manage_config interface.
* Mon Mar  9 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.7
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to snmpd_var_lib_t dirs. BZ(1199278)
- Allow abrt_watch_log_t read passwd file. BZ(1197396)
- Allow abrt_watch_log_t to nsswitch_domain. BZ(1199659)
- Allow cups to read colord_var_lib_t files. BZ(1199765)
* Thu Mar  5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.6
- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406)
- Add gluster_exec_lib interface.
- Allow cyrus bind tcp berknet port. BZ(1198347)
- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190)
- Allow l2tp to manage NetworkManager_var_run_t files. BZ(1197428)
- Allow denyhosts execute iptables. BZ(1197371)
- Allow brltty rw event device. BZ(1190349)
- Allow cupsd config to execute ldconfig. BZ(1196608)
- Allow ping_t read urand. BZ(1181831)
- Add support for tcp/2005 port.
* Wed Feb 25 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.5
- Make sure NetworkManager configures resolv.conf correctly
- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
- Added interface files_search_all_pids
- Allow search all pid dirs when managing net_conf_t files
- Fix path label to resolv.conf under NetworkManager
* Mon Feb 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.4
- Added logging_syslogd_pid_filetrans
- Additional fix for labeling /dev/log correctly
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Label /dev/log correctly.
- Create dnf and yum directories in /var with correct label
- Dontaudit sys_resource in prelink_cron_system_t
- Add filename transitions for /var/lib/rpm and /var/cache/rpm
- Create dnf and yum directories in /var with correct label
- Allow brltty ioctl on usb_device_t. BZ(1190349)
* Thu Feb  5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.3
- apmd needs sys_resource when shutting down the machine
- Allow upsmon_t to read urandom device.
* Mon Feb  2 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.2
- Added boolean xdm_bind_vnc_tcp_port. BZ(1187975)
- Allow svirt sandbox domains to read /proc/mtrr
- Allow sshd_t to manage gssd keyring
- Allow docker to attach to the sandbox and user domains tun devices
- Dontaudit network connections related to thumb_t. BZ(1187981)
- Allow dovecot domains to use sys_resource
- Allow svirt sandbox domains to read /proc/mtrr
- Allow polipo_daemon connect to all ephemeral ports. BZ(1187723)
- Allow sshd_t to manage gssd keyring
* Thu Jan 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.1
- Add unconfined_setsched() interface
- Add ipsec_rw_inherited_pipes() interface.
- Update seutil_manage_config() interface.
- journald now reads the netlink audit socket
- Update ipsec_manage_pid() interface.
- Allow netutils chown capability to make tcpdump working with -w
- Label /ostree/deploy/rhel-atomic-host/deploy directory as system_conf_t.
- Allow ipsec to execute _updown.netkey script to run unbound-control.
- Add auditing support for ipsec.
- Allow nut_upsmon_t to read random_device_t. BZ(1186072)
- Allow fowner capability for sssd because of selinux_child handling.
- Allow bind to read/write inherited ipsec pipes
- Allow hypervkvp to read /dev/urandom and read additional state/config files.
- Allow cluster domain to dbus chat with systemd-logind.
- Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd
- Add glusterd_filetrans_named_pid() interface.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow pingd to read /dev/urandom. BZ(1181831)
- Allow lsmd plugin to connect to tcp/5989 by default.
- pkcsslotd_lock_t should be an alias for pkcs_slotd_lock_t.
- Allow docker_t to change its rlimit
- Allow docker to setsched on unconfined_t user
- Dontaudit couchdb search in gconf_home_t. BZ(1177717)
- Call correct macro in virt_read_content().
- Allow neutron to read rpm DB.
- Add labeling for pacemaker.log.
- Allow radius to connect/bind radsec ports.
- Allow pm-suspend running as virt_qemu_ga to read /var/log/pm-suspend.log.
- Add devicekit_read_log_files()
- Allow virt_qemu_ga to dbus chat with rpm.
- Update virt_read_content() interface to allow read also char devices.
* Thu Jan 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105
- Fix labels on /etc/kde/kdm
- Allow texlive managers to relabelfrom
- Add iptables_var_lib_t for /var/lib/ebtables
- Allow mount_ecryptfs_t to read/write pam_console data
- allow mozilla plugins to connect to bluetooth devices
- Allow system_mail_t to create content in /var/lib/munin
- Allow prosody_t to execmem, since it is using luajit.
- Allow NetworkManager to noatsecure openvpn
- Allow canna to call getpw*
- Allow telepathy_mission_control to create tmp files
- Remove boolean gpg_agent_env_file
- Allow shorewall to transition to the netutils domain
- Allow bumblebee read proc_net_t. BZ (1176329)
- Dontaudit attempts by thumb_t to setfscreate; this is caused by executing mv command under thumb_t domain
* Thu Jan 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-104
- Fix unconfined_server_dbus_chat() interface
- Add type for tcp/18700 port and have it as lsm_plugin_port_t.
- Fix mount_entry_type() interface.
- Update xserver_rw_xdm_keys() interface to have 'setattr'.
- Fix storage_tmp_filetrans_fixed_disk() interface.
- Allow sulogin to read /dev/urandom and /dev/random.
- Update radius port definition to have also tcp/18121.
- Add 18120/tcp as radius port.
- Label prandom as random_device_t.
- Allow charon to manage files in /etc/strongimcv labeled as ipsec_conf_t.
- Dontaudit svirt_domains attempting to setattr on /proc
- Allow systemd_passwd_agent to look at processes in /proc
- Fix label on /var/lib/sddm
- Allow systemd_logind_t to delete tmpfs files
- Allow systemd to manage all lock files
- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
- Allow init_t to create gnome content in homedirs
- systemd_sysctl needs to have sys_rawio
- userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs
- Allow userdomains to use mount commands as entrypoints
- bug #1178562 shows systemd_hostnamed_t reads /proc/xen
- Label /usr/libexec/Xorg.bin as xserver_exec_t.
- Allow sssd to send dbus all user domains.
- Allow lsm plugin to read certificates.
- Make snapperd an unconfined domain.
- Fix labeling for keystone CGI scripts
- Fix bugs in interfaces discovered by sepolicy.
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
- Allow lsm plugins to connect to tcp/18700 by default.
- Allow brltty mknod capability to allow create /var/run/brltty/vcsa.
- Fix pcp_domain_template() interface.
- Allow mon_fsstatd to read /proc/sys/fs/binfmt_misc.
- Allow glance-scrubber to connect tcp/9191.
- Add conman_can_network.
- Allow conman to create files/dirs in /tmp.
- Allow rabbitmq_t to run hostname
- Allow named to manage files in dnssec_trigger_var_run_t directory
- Allow rabbitmq_t to deal with link files created with its content
- Allow pcp_domains to connect to ephemeral ports, allow webd domain to dbus with avahi
- Dontaudit svirt_domains attempting to setattr on /proc
- Allow mdadm_t to getattr on init status files
- Allow rpcd_t to write to /proc
- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
- Add lmt-req.lock as an apmd_lock file
- Allow rpm running under sblim domain to send signull to setroubleshootd.
* Mon Dec 15 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-103
- Docker has a new config/key file it writes to /etc/docker
- Add support for /usr/share/vdsm/daemonAdapter
- Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.
- Allow virt_qemu_ga_t to execute kmod
- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
* Thu Dec 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-102
- Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
- Allow docker daemon to start transient units
- Add support for /var/run/gluster.
- Allow openvpn manage systemd_passwd_var_run_t files. BZ(1170085)
- Fix /usr/libexec/sssd/selinux_child labeling.
- Label /usr/libexec/tomcat/server as tomcat_exec_t.
* Tue Dec  2 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-101
- Add files_dontaudit_list_security_dirs() interface
- Allow rlogind to use also rlogin ports
- Dontaudit couchdb to list /var
- couchdb: allow disksup to monitor the local disks
- dontaudit list security dirs for samba domain.
- Label /var/lib/rpmrebuilddb/ as rpm_var_lib_t. BZ (1167946)
* Tue Nov 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-100
- Add seutil_dontaudit_access_check_semanage_module_store() interface
- Update to have all _systemctl() interface also init_reload_services()
- Allow named_filetrans_domain to create ibus directory with correct labeling
- Add labeling for /sbin/iw.
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t.
- getty_t should be ranged in MLS; then local_login_t also runs as a ranged domain
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
- I guess there can be content under /var/lib/lockdown #1167502
- Dontaudit access check on SELinux module store for sssd
- Update to have all _systemctl() interface also init_reload_services()
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working
- Allow keystone to send a generic signal to own process.
- Dontaudit list user_tmp files for system_mail_t
- Label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Allow .snapshots to be created in other directories, on all mountpoints
- Add missing alias for _content_rw_t
- Allow spamd to access razor-agent.log
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1172774 - SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.
        https://bugzilla.redhat.com/show_bug.cgi?id=1172774
  [ 2 ] Bug #1208742 - SELinux is preventing dnssec-trigger- from 'write' accesses on the sock_file private.
        https://bugzilla.redhat.com/show_bug.cgi?id=1208742
  [ 3 ] Bug #1209183 - SELinux is preventing dnf-automatic from using the 'transition' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1209183
  [ 4 ] Bug #1231947 - SELinux is preventing restorecon from 'associate' accesses on the filesystem /sys/kernel/debug.
        https://bugzilla.redhat.com/show_bug.cgi?id=1231947
  [ 5 ] Bug #1240885 - SELinux is preventing cat from 'read' accesses on the file dmesg_restrict.
        https://bugzilla.redhat.com/show_bug.cgi?id=1240885
  [ 6 ] Bug #1241989 - SELinux is preventing nm-dispatcher from using the 'signull' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1241989
  [ 7 ] Bug #1242115 - SELinux is preventing gmain from using the 'sigchld' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1242115
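The seven references above are setroubleshoot summaries of AVC denials that this policy release resolves. The following Python is an added example by the editor of this page; it is not part of the Fedora notification and is not code from setroubleshoot or audit2allow. It parses raw AVC records in the form they appear in /var/log/audit/audit.log and collapses them into the allow rules audit2allow would propose, which is the quickest way to tell whether an updated policy now covers a denial that was being reported. The four audit records are constructed for this example and only loosely modelled on bugs 1240885, 1209183 and 1241989; the source and target types, paths and PIDs in them are assumptions, not copied from those reports.

```python
"""Parse SELinux AVC denials and derive the allow rules they imply.

Added example for this page; not code from Fedora, setroubleshoot or
audit2allow. The audit records below are constructed samples.
"""
import re
from collections import defaultdict

# Constructed audit.log records (not copied from any bug report). The
# source/target types are assumptions chosen to resemble the denials in
# the references: abrt_t reading a /proc sysctl, init_t executing
# dnf-automatic without a transition to rpm_t, NetworkManager_t sending
# signull to dnssec_trigger_t. The last record is a non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437512345.123:987): avc:  denied  { read } for  pid=1234 comm="cat" name="dmesg_restrict" dev="proc" ino=4026532020 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
type=AVC msg=audit(1437512345.123:987): avc:  denied  { open } for  pid=1234 comm="cat" path="/proc/sys/kernel/dmesg_restrict" dev="proc" ino=4026532020 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
type=AVC msg=audit(1437512346.456:988): avc:  denied  { transition } for  pid=1235 comm="dnf-automatic" path="/usr/bin/dnf-automatic" dev="dm-1" ino=1337 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process permissive=0
type=AVC msg=audit(1437512347.789:989): avc:  denied  { signull } for  pid=1236 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1437512347.789:989): arch=c000003e syscall=62 success=yes exit=0
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    # user:role:type[:range]; an MLS range such as s0-s0:c0.c1023 follows the type
    return context.split(":")[2]


def parse_avc(line):
    """Return one denial as a dict, or None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    perm_flag = re.search(r"\bpermissive=(\d)", line)
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "pid": fields.get("pid", ""),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": perm_flag is not None and perm_flag.group(1) == "1",
    }


def rules_for(lines):
    """Collapse denials into one allow rule per (source type, target type, class),
    merging permissions the way audit2allow does."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def denials_for_comm(lines, comm):
    """Denials attributed to one command name, e.g. to confirm a reported AVC is gone after updating."""
    return [d for d in map(parse_avc, lines) if d and d["comm"] == comm]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in rules_for(lines):
        print(rule)
    print(len(denials_for_comm(lines, "dnf-automatic")), "denial(s) for dnf-automatic")
```

Run it as-is to print the merged rules; on a live system feed it the output of `ausearch -m avc -ts recent` instead of the sample. Before turning any such rule into a local module with `audit2allow -M`, check whether the shipped policy already grants the access (for example `sesearch -A -s abrt_t -t sysctl_kernel_t -c file -p read` for the first sample), and remember that several changelog entries above deliberately use dontaudit rather than allow, so a denial that simply stops being logged after the update is the intended outcome, not a missing rule.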
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

