Fedora 22 Update: selinux-policy-3.13.1-128.1.fc22

updates at fedoraproject.org updates at fedoraproject.org
Thu Jun 11 18:38:30 UTC 2015 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-9714
2015-06-10 12:49:10
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 22
Version     : 3.13.1
Release     : 128.1.fc22
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Allow hypervkvp to read /dev/urandom and read  addition states/config files.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun  9 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-128
- Allow hypervkvp to read /dev/urandom and read  addition states/config files.
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow puppetagent_t to transfer firewalld messages over dbus
- Add httpd_var_lib_t label for roundcubemail 
- Allow mongod to work with configured SSSD.
- Allow sblim domain to read sysctls.
- Allow lsmd plugin to run with configured SSSD.
- Allow pkcs_slotd_t to communicate with sssd 
- Allow rwho_t to communicate with sssd 
- Allow isnsd_t to communicate with sssd 
- Allow openvswitch_t to communicate with sssd 
- Allow tmpreaper_t to manage ntp log content 
- Allow cluster domain to dbus chat with systemd-logind.
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
- Allow fowner capability for sssd because of selinux_child handling.
- ALlow bind to read/write inherited ipsec pipes.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow lsmd plugin to connect to tcp/5988 by default.
- Allow lsmd plugin to connect to tcp/5989 by default.
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
- Add labeling for pacemaker.log.
- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
- Use userdom_home_manager() for bacula_t.
- Add fixes to RHEL7 bacula policy
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Allow sysctl to have running under hypervkvp_t domain.
- Allow smartdnotify to use user terminals. 
- Allow pcp domains to create root.socket in /var/lip/pcp directroy. 
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. 
- Allow rpcbind to create rpcbind.xdr as a temporary file. 
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. 
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. 
- rsync server can be setup to send mail
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. BZ(1225920)
- Fix samba_load_libgfapi decl in samba.te.
- Move ctdd_domtrans() from ctdbd to gluster.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Glusterd wants to manage samba config files if they are setup together.
- ALlow NM to do access check on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispacher to read links.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log files.
- Add fixes for hypervkvp realed to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Allow docker and container tools to control caps, don't rely on SELinux for now.  Since there is no easy way for SELinux modification of policy as far as caps.  docker run --cap-add will work now
- Allow sosreport to dbus chat with NM.
- Back port fixes for docker svirt_sandbox_domains
- Add ipsec_rw_inherited_pipes() interface.
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. 
- Label /usr/libexec/Xorg.wrap as xserver_exec_t. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
- Fix labeling for /var/lib/glusterd/hooks.
- Add term_open_unallocated_ttys() interface.
- Add dev_access_check_sysfs() interface.
- Add sysnet_manage_dhcpc_pid() interface.
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Add sudo_manage_db() interface.
- Back port fixes for the docker types to be used by other domains
- Access required to run with unconfine.pp disabled
- Allow ABRT to read all proc types. It wants to read also dmesg_restrict. BZ(1227661)
* Tue May 19 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-127
- Allow docker dbus chat with firewalld. BZ(1221911)
- Allow anaconda to run iscsid in own domain. BZ(1220948).
- Add new iscsid_run() interface.
- Update nagios_run_sudo boolean.
- Allow rhsmcetd to use the ypbind service to access NIS services.
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
- Allow ctdb to create rawip socket.
- Allow ctdbd to bind  smbd port.
- Make ctdbd as userdom_home_reader.
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
- Fix missing bracket in apache.te.
- Fix httpd_use_openstack boolean related to keystone_read_pid.
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Fix description for seutil_search_config() interface.
- make ssh-keygen as nsswitch domain to access SSSD.
- Label ctdb events scripts as bin_t.
- Add unconfined_dontaudit_write_state() interface.
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. BZ(1215877)
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. BZ(1219045)
- Add seutil_search_config() interface.
- Fix typo in systemd.te
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
* Tue May 12 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-126
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface
- Allow debugfs associate to a sysfs filesystem.
- vport is mislabeled on arm, need to be less specific
- Add relabel_user_home_dirs for use by docker_t
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info.BZ(1217616)
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoiunts
- update winbind_t rules to allow IPC for winbind. BZ(1210663)
- Allow dhcpd kill capability.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow redis to create /var/run/redis/redis.sock.
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
- Allow timemaster send a signal to ntpd.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Allow passenger to accept connection.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for iprdbg logging files in /var/log.
- Add support for mongod/mongos systemd unit files.
- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
* Tue May  5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-125
- Add support for new cobbler dir locations:
- Add nagios_read_lib() interface.
* Thu Apr 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124
- cloudinit and rhsmcertd need to communicate with dbus
- Allow bacula access to tape devices.
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
- Define ipa_var_run_t type
- Add ipa_manage_pid_files interface.
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1225245 - SELinux is preventing hostapd from using the 'net_admin' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1225245
  [ 2 ] Bug #1225920 - SELinux does not allow ostree to reboot after an upgrade
        https://bugzilla.redhat.com/show_bug.cgi?id=1225920
  [ 3 ] Bug #1227043 - SELinux is preventing pmdaroot from 'create' accesses on the sock_file root.socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=1227043
  [ 4 ] Bug #1227110 - SELinux is preventing ibus-x11 from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-xWGLPDBLvH.
        https://bugzilla.redhat.com/show_bug.cgi?id=1227110
  [ 5 ] Bug #1227128 - SELinux is preventing /usr/lib/systemd/systemd-networkd from name_bind access on the udp_socket port 68
        https://bugzilla.redhat.com/show_bug.cgi?id=1227128
  [ 6 ] Bug #1227239 - SELinux is preventing dnssec-trigger- from 'write' accesses on the sock_file system_bus_socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=1227239
  [ 7 ] Bug #1227397 - SELinux is preventing NetworkManager from 'execute' accesses on the file dnssec-trigger-script.
        https://bugzilla.redhat.com/show_bug.cgi?id=1227397
  [ 8 ] Bug #1227399 - SELinux is preventing dnssec-trigger- from 'write' accesses on the sock_file private.
        https://bugzilla.redhat.com/show_bug.cgi?id=1227399
  [ 9 ] Bug #1227661 - please, allow abrtd to read /proc/sys/kernel/dmesg_restrict
        https://bugzilla.redhat.com/show_bug.cgi?id=1227661
  [ 10 ] Bug #1228489 - Fedora 22 net install sets /etc/passwd, /etc/group SELinux context to shadow_t
        https://bugzilla.redhat.com/show_bug.cgi?id=1228489
  [ 11 ] Bug #1226543 - SELinux AVCs with systemd-networkd
        https://bugzilla.redhat.com/show_bug.cgi?id=1226543
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list