Fedora 22 Update: selinux-policy-3.13.1-128.2.fc22

updates at fedoraproject.org updates at fedoraproject.org
Sat Jun 27 22:34:11 UTC 2015 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-10299
2015-06-20 13:43:04
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 22
Version     : 3.13.1
Release     : 128.2.fc22
URL         : http://github.com/TresysTechnology/refpolicy/wiki
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--------------------------------------------------------------------------------
Update Information:

Allow glusterd to interact with gluster tools running in a user domain
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun 19 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-128.2
- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
- Call rpm_transition_script() from rpm_run() interface.
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
- Add glusterd_manage_lib_files() interface.
- Allow samba_t net_admin capability to make CIFS mount working.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
- Allow nagios to generate charts.
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
- Allow glusterd to run init scripts.
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
- Allow samba-net to access /var/lib/ctdbd dirs/files.
- Allow glusterd to send a signal to smbd.
- Make ctdbd as home manager to access also FUSE.
- Allow glusterd to use geo-replication gluster tool.
- Allow glusterd to execute ssh-keygen.
- Allow glusterd to interact with cluster services.
- Add rhcs_dbus_chat_cluster()
- systemd-logind accesses /dev/shm. BZ(1230443)
- Label gluster python hooks also as bin_t.
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password. BZ(1222604)
* Tue Jun  9 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-128
- Allow hypervkvp to read /dev/urandom and read  addition states/config files.
- Add rpm_exec_t labeling for /usr/bin/dnf-automatic,/usr/bin/dnf-2 and /usr/bin/dnf-3.
- Allow puppetagent_t to transfer firewalld messages over dbus
- Add httpd_var_lib_t label for roundcubemail 
- Allow mongod to work with configured SSSD.
- Allow sblim domain to read sysctls.
- Allow lsmd plugin to run with configured SSSD.
- Allow pkcs_slotd_t to communicate with sssd 
- Allow rwho_t to communicate with sssd 
- Allow isnsd_t to communicate with sssd 
- Allow openvswitch_t to communicate with sssd 
- Allow tmpreaper_t to manage ntp log content 
- Allow cluster domain to dbus chat with systemd-logind.
- Allow pki-tomcat relabel pki_tomcat_etc_rw_t.
- Allow fowner capability for sssd because of selinux_child handling.
- ALlow bind to read/write inherited ipsec pipes.
- Allow radiusd to connect to radsec ports.
- Allow setuid/setgid for selinux_child.
- Allow lsmd plugin to connect to tcp/5988 by default.
- Allow lsmd plugin to connect to tcp/5989 by default.
- Allow ntlm_auth running in winbind_helper_t to access /dev/urandom.
- Add labeling for pacemaker.log.
- Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.
- Use userdom_home_manager() for bacula_t.
- Add fixes to RHEL7 bacula policy
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Allow sysctl to have running under hypervkvp_t domain.
- Allow smartdnotify to use user terminals. 
- Allow pcp domains to create root.socket in /var/lip/pcp directroy. 
- Allow NM to execute dnssec-trigger-script in dnssec_trigger_t domain. 
- Allow rpcbind to create rpcbind.xdr as a temporary file. 
- Allow dnssec-trigger connections to the system DBUS. It uses libnm-glib Python bindings. 
- Allow hostapd net_admin capability. hostapd needs to able to set an interface flag. 
- rsync server can be setup to send mail
- Make "ostree admin upgrade -r" command which suppose to upgrade the system and reboot working again. BZ(1225920)
- Fix samba_load_libgfapi decl in samba.te.
- Move ctdd_domtrans() from ctdbd to gluster.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Glusterd wants to manage samba config files if they are setup together.
- ALlow NM to do access check on /sys.
- Allow NetworkManager to keep RFCOMM connection for Bluetooth DUN open . Based on fixes from Lubomir Rintel.
- Allow NetworkManager nm-dispacher to read links.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log files.
- Add fixes for hypervkvp realed to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- ALlow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Allow docker and container tools to control caps, don't rely on SELinux for now.  Since there is no easy way for SELinux modification of policy as far as caps.  docker run --cap-add will work now
- Allow sosreport to dbus chat with NM.
- Back port fixes for docker svirt_sandbox_domains
- Add ipsec_rw_inherited_pipes() interface.
- Allow ibus-x11 running as xdm_t to connect uder session buses. We already allow to connect to userdomains over unix_stream_socket. 
- Label /usr/libexec/Xorg.wrap as xserver_exec_t. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. 
- Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file.
- Fix labeling for /var/lib/glusterd/hooks.
- Add term_open_unallocated_ttys() interface.
- Add dev_access_check_sysfs() interface.
- Add sysnet_manage_dhcpc_pid() interface.
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Add sudo_manage_db() interface.
- Back port fixes for the docker types to be used by other domains
- Access required to run with unconfine.pp disabled
- Allow ABRT to read all proc types. It wants to read also dmesg_restrict. BZ(1227661)
* Tue May 19 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-127
- Allow docker dbus chat with firewalld. BZ(1221911)
- Allow anaconda to run iscsid in own domain. BZ(1220948).
- Add new iscsid_run() interface.
- Update nagios_run_sudo boolean.
- Allow rhsmcetd to use the ypbind service to access NIS services.
- Add nagios_run_pnp4nagios and nagios_run_sudo booleans to allow run sudo from NRPE utils scripts and allow run nagios in conjunction with PNP4Nagios.
- Allow ctdb to create rawip socket.
- Allow ctdbd to bind  smbd port.
- Make ctdbd as userdom_home_reader.
- Dontaudit chrome-sandbox write access its parent process information. BZ(1220958)
- Fix missing bracket in apache.te.
- Fix httpd_use_openstack boolean related to keystone_read_pid.
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Fix description for seutil_search_config() interface.
- make ssh-keygen as nsswitch domain to access SSSD.
- Label ctdb events scripts as bin_t.
- Add unconfined_dontaudit_write_state() interface.
- Add support for ~/.local/share/networkmanagement/certificates and update filename transitions rules. BZ(1215877)
- Fix selinux_search_fs() interface.
- Update selinux_search_fs(domain) rule to have ability to search /etc/selinuc/ to check if /etc/selinux/config exists. BZ(1219045)
- Add seutil_search_config() interface.
- Fix typo in systemd.te
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
* Tue May 12 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-126
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld.BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint.BZ(1218137)
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
- Only allow semanage_t to be able to setenforce 0, no all domains that use selinux_semanage interface
- Allow debugfs associate to a sysfs filesystem.
- vport is mislabeled on arm, need to be less specific
- Add relabel_user_home_dirs for use by docker_t
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scripletto create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info.BZ(1217616)
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoiunts
- update winbind_t rules to allow IPC for winbind. BZ(1210663)
- Allow dhcpd kill capability.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow redis to create /var/run/redis/redis.sock.
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
- Allow timemaster send a signal to ntpd.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Allow passenger to accept connection.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
- Don't use deprecated userdom_manage_tmpfs_role() interface calliing and use userdom_manage_tmp_role() instead.
- Add support for iprdbg logging files in /var/log.
- Add support for mongod/mongos systemd unit files.
- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
* Tue May  5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-125
- Add support for new cobbler dir locations:
- Add nagios_read_lib() interface.
* Thu Apr 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124
- cloudinit and rhsmcertd need to communicate with dbus
- Allow bacula access to tape devices.
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
- Define ipa_var_run_t type
- Add ipa_manage_pid_files interface.
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Allow apcupsd to use USBttys. BZ(1210960)
- Allow sge_execd_t to mamange tmp sge lnk files.BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1058822 - ntop failed to start, open of /var/lib/ntop/macPrefix.db failed
        https://bugzilla.redhat.com/show_bug.cgi?id=1058822
  [ 2 ] Bug #1222604 - SELinux is preventing gnome-keyring-d from 'write' accesses on the directory /run/user/1004.
        https://bugzilla.redhat.com/show_bug.cgi?id=1222604
  [ 3 ] Bug #1227484 - install of packages during cloud-init boot fails with dnf selinux avc denials
        https://bugzilla.redhat.com/show_bug.cgi?id=1227484
  [ 4 ] Bug #1228464 - SELinux is preventing nm-dispatcher from using the 'sigchld' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1228464
  [ 5 ] Bug #1228465 - SELinux is preventing nm-dispatcher from using the 'signull' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1228465
  [ 6 ] Bug #1228466 - SELinux is preventing nm-dispatcher from using the 'sigkill' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1228466
  [ 7 ] Bug #1228494 - SELinux is preventing /usr/sbin/rpcbind from 'write' accesses on the directory /tmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=1228494
  [ 8 ] Bug #1229475 - SELinux is preventing /usr/bin/python2.7 from using the 'transition' accesses on a process.
        https://bugzilla.redhat.com/show_bug.cgi?id=1229475
  [ 9 ] Bug #1230443 - SELinux is preventing systemd-logind from 'getattr' accesses on the file /dev/shm/sem.9334581e-7251-4ef7-a8ec-5bfe8e89ff68.
        https://bugzilla.redhat.com/show_bug.cgi?id=1230443
  [ 10 ] Bug #1230896 - SELinux is preventing /usr/libexec/sssd/selinux_child from using the 'setuid' capabilities.
        https://bugzilla.redhat.com/show_bug.cgi?id=1230896
  [ 11 ] Bug #1224403 - AVC starting radvd from systemd
        https://bugzilla.redhat.com/show_bug.cgi?id=1224403
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the package-announce mailing list