Fedora 22 Update: selinux-policy-3.13.1-128.8.fc22

updates at fedoraproject.org updates at fedoraproject.org
Thu Jul 30 13:54:55 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-11989
2015-07-28 22:46:53
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 22
Version     : 3.13.1
Release     : 128.8.fc22
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=670426
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 21 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.8
- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te
- Allow glusterd to manage nfsd and rpcd services.
- Add samba_manage_winbind_pid() interface
- Allow networkmanager to  communicate via dbus with systemd_hostanmed.
- Allow stream connect logrotate to prosody.
- Add prosody_stream_connect() interface.
- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t.
- Allow prosody to create own tmp files/dirs.
- Allow keepalived request kernel load module
- kadmind should not read generic files in /usr
- Allow kadmind_t access to /etc/krb5.keytab
- Add more fixes to kerberos.te
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
- Add lsmd_t to nsswitch_domain.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc.
- Add fixes to pegasus_openlmi_domain Resolves:#1088904
- Allow Glance Scrubber to connect to commplex_main port
- Allow RabbitMQ to connect to amqp port
- Allow isnsd read access on the file /proc/net/unix
- Allow qpidd access to /proc/<pid>/net/psched
- Allow openshift_initrc_t to communicate with firewalld over dbus.
- Allow ctdbd_t send signull to samba_unconfined_net_t.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()."
- Fix ctdb policy
- Revert "Allow ctdbd sending signull to process winbind, samba_unconfined_net, to"
- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Label /var/db/ as system_db_t.
* Tue Jul 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.7
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix typo in nova policy
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Fix label openstack-nova-metadata-api binary file
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
* Thu Jul  9 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.6
- Fix paths in inn policy, Allow innd read innd_log_t dirs, Allow innd execute innd_etc_t files
- Allow connect ypserv to portmap_port_t.
- Fix path from /usr/sbin/redis-server to /usr/bin/redis-server.
- Add tmpreaper booleans to use nfs_t and samba_share_t.
- Add interface samba_setattr_samba_share_dirs.
- Dontaudit smbd_t block_suspend capability. This is kernel bug.
- Add interfaces winbind_signull(), samba_unconfined_net_signull().
- Allow gluster to connect to all ports. It is required by random services executed by gluster.
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."
- Allow pcp domains to connect to own process using unix_stream_socket.
- Typo in abrt.te
- Allow  abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly.
- Add nagios_domtrans_unconfined_plugins() interface.
- Merge remote-tracking branch 'refs/remotes/origin/f22-contrib' into f22-contrib
- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840)
- Add interface fs_setattr_nfs_dirs
- Fix logging_syslogd_run_nagios_plugins calling in logging.te
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Add support for oddjob based helper in FreeIPA. BZ(1238165)
* Thu Jul  2 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.5
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Allow pmcd daemon stream connect to mysqld.
- Allow drbd_t write to fixed_disk_device.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
- Allow iptables to read ctdbd lib files.
- Add systemd-networkd_t to nsswitch domains.
* Mon Jun 29 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.4
- Dontaudit apache to manage snmpd_var_lib_t files/dirs. BZ(1189214)
- Add interface snmp_dontaudit_manage_snmp_var_lib_files().
- Rename xodbc-connect port to xodbc_connect
- Allow ovsdb-server to connect on xodbc-connect and ovsdb tcp ports. BZ(1179809)
- Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
- Allow iscsid write to fifo file kdumpctl_tmp_t. Appears when kdump generates the initramfs during the kernel boot. BZ(1181476)
- Dontaudit chrome to read passwd file. BZ(1204307)
- Allow firewalld exec ldconfig. BZ(1232748)
- Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)
- Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
- Make docker_t as unconfined. BZ(1215842)
- Rename xodbc-connect port to xodbc_connect
- Label tcp port 6632 as xodbc-connect port. BZ (1179809)
- Label tcp port 6640 as ovsdb port. BZ (1179809)
* Tue Jun 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-128.3
- Allow NetworkManager write to sysfs. BZ(1234086)
- Add postgresql support for systemd unit files.
* Fri Jun 19 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-128.2
- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. BZ(1222604)
* Tue Jun  9 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-128
- Allow hypervkvp to read /dev/urandom and read  addition states/config files.
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow puppetagent_t to transfer firewalld messages over dbus
- Add httpd_var_lib_t label for roundcubemail 
- Allow mongod to work with configured SSSD.
- Allow sblim domain to read sysctls.
- Allow lsmd plugin to run with configured SSSD.
- Allow pkcs_slotd_t to communicate with sssd 
- Allow rwho_t to communicate with sssd 
- Allow isnsd_t to communicate with sssd 
- Allow openvswitch_t to communicate with sssd 
- Allow tmpreaper_t to manage ntp log content 
- Allow cluster domain to dbus chat with systemd-logind.
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
- Allow fowner capability for sssd because of selinux_child handling.
- ALlow bind to read/write inherited ipsec pipes.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow lsmd plugin to connect to tcp/5988 by default.
- Allow lsmd plugin to connect to tcp/5989 by default.
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
- Add labeling for pacemaker.log.
- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
- Use userdom_home_manager() for bacula_t.
- Add fixes to RHEL7 bacula policy
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Allow sysctl to have running under hypervkvp_t domain.
- Allow smartdnotify to use user terminals. 
- Allow pcp domains to create root.socket in /var/lip/pcp directroy. 
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. 
- Allow rpcbind to create rpcbind.xdr as a temporary file. 
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. 
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. 
- rsync server can be setup to send mail
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. BZ(1225920)
- Fix samba_load_libgfapi decl in samba.te.
- Move ctdd_domtrans() from ctdbd to gluster.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Glusterd wants to manage samba config files if they are setup together.
- ALlow NM to do access check on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispacher to read links.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log files.
- Add fixes for hypervkvp realed to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Allow docker and container tools to control caps, don't rely on SELinux for now.  Since there is no easy way for SELinux modification of policy as far as caps.  docker run --cap-add will work now
- Allow sosreport to dbus chat with NM.
- Back port fixes for docker svirt_sandbox_domains
- Add ipsec_rw_inherited_pipes() interface.
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. 
- Label /usr/libexec/Xorg.wrap as xserver_exec_t. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
- Fix labeling for /var/lib/glusterd/hooks.
- Add term_open_unallocated_ttys() interface.
- Add dev_access_check_sysfs() interface.
- Add sysnet_manage_dhcpc_pid() interface.
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Add sudo_manage_db() interface.
- Back port fixes for the docker types to be used by other domains
- Access required to run with unconfine.pp disabled
- Allow ABRT to read all proc types. It wants to read also dmesg_restrict. BZ(1227661)
* Tue May 19 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-127
- Allow docker dbus chat with firewalld. BZ(1221911)
- Allow anaconda to run iscsid in own domain. BZ(1220948).
- Add new iscsid_run() interface.
- Update nagios_run_sudo boolean.
- Allow rhsmcetd to use the ypbind service to access NIS services.
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
- Allow ctdb to create rawip socket.
- Allow ctdbd to bind  smbd port.
- Make ctdbd as userdom_home_reader.
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
- Fix missing bracket in apache.te.
- Fix httpd_use_openstack boolean related to keystone_read_pid.
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Fix description for seutil_search_config() interface.
- make ssh-keygen as nsswitch domain to access SSSD.
- Label ctdb events scripts as bin_t.
- Add unconfined_dontaudit_write_state() interface.
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. BZ(1215877)
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. BZ(1219045)
- Add seutil_search_config() interface.
- Fix typo in systemd.te
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
* Tue May 12 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-126
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface
- Allow debugfs associate to a sysfs filesystem.
- vport is mislabeled on arm, need to be less specific
- Add relabel_user_home_dirs for use by docker_t
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info.BZ(1217616)
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoiunts
- update winbind_t rules to allow IPC for winbind. BZ(1210663)
- Allow dhcpd kill capability.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow redis to create /var/run/redis/redis.sock.
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
- Allow timemaster send a signal to ntpd.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Allow passenger to accept connection.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for iprdbg logging files in /var/log.
- Add support for mongod/mongos systemd unit files.
- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
* Tue May  5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-125
- Add support for new cobbler dir locations:
- Add nagios_read_lib() interface.
* Thu Apr 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124
- cloudinit and rhsmcertd need to communicate with dbus
- Allow bacula access to tape devices.
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
- Define ipa_var_run_t type
- Add ipa_manage_pid_files interface.
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1240193 - /etc/resolv.conf relabel issue
        https://bugzilla.redhat.com/show_bug.cgi?id=1240193
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list