Fedora 22 Update: selinux-policy-3.13.1-126.fc22
updates at fedoraproject.org
Tue May 26 03:35:47 UTC 2015
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-8101
2015-05-13 06:25:19
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 22
Version : 3.13.1
Release : 126.fc22
URL : http://github.com/TresysTechnology/refpolicy/wiki
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
More info: http://koji.fedoraproject.org/koji/buildinfo?buildID=636508
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 12 2015 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-126
- Add lvm_stream_connect() interface.
- Add support for /usr/sbin/lvmpolld. BZ(1220817)
- Allow gvfsd-fuse running as xdm_t to use /run/user/42/gvfs as mountpoint. BZ(1218137)
- Allow login_pgm domains to access kernel keyring for nsswitch domains.
- Add labeling for systemd-time*.service unit files and allow systemd-timedated to access these unit files.
- This change will remove entrypoint from filesystems, should be back ported to all RHEL/Fedora systems
- Only allow semanage_t to be able to setenforce 0, not all domains that use selinux_semanage interface
- Allow debugfs associate to a sysfs filesystem.
- vport is mislabeled on arm, needs to be less specific
- Add relabel_user_home_dirs for use by docker_t
- Allow net_admin cap for dnssec-trigger to make wifi reconnect working.
- Add support for /var/lib/ipsilon dir and label it as httpd_var_lib_t. BZ(1186046)
- Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get fix in glusterd.
- Add glusterd_filetrans_named_pid() interface.
- Allow antivirus_t to read system state info. BZ(1217616)
- Dontaudit use console for chrome-sandbox. BZ(1216087)
- Add support for ~/.local/share/libvirt/images and for ~/.local/share/libvirt/boot. BZ(1215359)
- Clamd needs to have fsetid capability. BZ(1215308)
- Allow cinder-backup to dbus chat with systemd-logind. BZ(1207098)
- Update httpd_use_openstack boolean to allow httpd to bind commplex_main_port and read keystone log files.
- Allow gssd to access kernel keyring for login_pgm domains.
- Add more fixes related to timemaster+ntp+ptp4l.
- Allow docker sandbox domains to search all mountpoints
- Update winbind_t rules to allow IPC for winbind. BZ(1210663)
- Allow dhcpd kill capability.
- Add support for new fence agent fence_mpath which is executed by fence_node.
- Remove dac_override capability for setroubleshoot. We now have it running as setroubleshoot user.
- Allow redis to create /var/run/redis/redis.sock.
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
- Allow timemaster to send a signal to ntpd.
- Add rules for netlink_socket in iotop.
- Allow iotop netlink socket.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Allow passenger to accept connections.
- Update virt_read_pid_files() interface to also allow reading symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Label /usr/bin/yum-deprecated as rpm_exec_t. (#1218650)
- Don't use deprecated userdom_manage_tmpfs_role() interface calling and use userdom_manage_tmp_role() instead.
- Add support for iprdbg logging files in /var/log.
- Add support for mongod/mongos systemd unit files.
- Allow inet_gethost called by couchdb to access /proc/net/unix. BZ(1207538)
- Allow eu-unstrip running under abrt_t to access /var/lib/pcp/pmdas/linux/pmda_linux.so (#1207410)
* Tue May 5 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-125
- Add support for new cobbler dir locations:
- Add nagios_read_lib() interface.
* Thu Apr 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124
- Cloudinit and rhsmcertd need to communicate with dbus
- Allow bacula access to tape devices.
- Allow httpd_t to read nagios lib_var_lib_t to allow rrdtool to generate graphs which will be shown by httpd.
- Allow dnssec-trigger to send sigchld to networkmanager
- Add interface networkmanager_sigchld
- Add dnssec-trigger unit file. Label dnssec-trigger script in libexec
- Remove duplicate specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
- Define ipa_var_run_t type
- Add ipa_manage_pid_files interface.
- Allow certmonger to manage renewal.lock. BZ(1213256)
- Allow apcupsd to use USB ttys. BZ(1210960)
- Allow sge_execd_t to manage tmp sge lnk files. BZ(1211574)
- Allow syslogd_t to manage devlog_t lnk files. BZ(1210968)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1186046 - label ipsilon /var/lib files
https://bugzilla.redhat.com/show_bug.cgi?id=1186046
[ 2 ] Bug #1204049 - SELinux is preventing restorecon from 'associate' accesses on the filesystem /sys/kernel/debug.
https://bugzilla.redhat.com/show_bug.cgi?id=1204049
[ 3 ] Bug #1207410 - SELinux is preventing abrt-action-gen from 'read' accesses on the file /var/lib/pcp/pmdas/linux/pmda_linux.so.
https://bugzilla.redhat.com/show_bug.cgi?id=1207410
[ 4 ] Bug #1207538 - SELinux is preventing inet_gethost from 'read' accesses on the file unix.
https://bugzilla.redhat.com/show_bug.cgi?id=1207538
[ 5 ] Bug #1209400 - SELinux is preventing /usr/lib/systemd/systemd-networkd from 'getattr' accesses on the file /proc/sys/net/ipv4/conf/vbr0/forwarding.
https://bugzilla.redhat.com/show_bug.cgi?id=1209400
[ 6 ] Bug #1212332 - SELinux is preventing /usr/lib/systemd/systemd-networkd from 'search' accesses on the directory net.
https://bugzilla.redhat.com/show_bug.cgi?id=1212332
[ 7 ] Bug #1214088 - SELinux is preventing rpc.gssd from 'read' accesses on the key Unknown.
https://bugzilla.redhat.com/show_bug.cgi?id=1214088
[ 8 ] Bug #1216087 - SELinux is preventing /opt/google/chrome/chrome-sandbox from read, write access on the chr_file /dev/tty2.
https://bugzilla.redhat.com/show_bug.cgi?id=1216087
[ 9 ] Bug #1217616 - SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.
https://bugzilla.redhat.com/show_bug.cgi?id=1217616
[ 10 ] Bug #1218135 - SELinux is preventing glusterd from 'unlink' accesses on the sock_file glusterd.socket.
https://bugzilla.redhat.com/show_bug.cgi?id=1218135
[ 11 ] Bug #1218137 - SELinux is preventing gvfsd-fuse from 'mounton' accesses on the directory /run/user/42/gvfs.
https://bugzilla.redhat.com/show_bug.cgi?id=1218137
[ 12 ] Bug #1210663 - smbcontrol cannot bring winbind online
https://bugzilla.redhat.com/show_bug.cgi?id=1210663
[ 13 ] Bug #1213535 - [F22] New cobbler dir definitions needed in /var/lib/tftpboot
https://bugzilla.redhat.com/show_bug.cgi?id=1213535
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
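As an added illustration (not part of the original notification and not Fedora tooling), the script below checks whether the selinux-policy build installed on a Fedora 22 host is this update's 3.13.1-126.fc22 or newer. A plain string comparison gets this wrong ("3.13.1-99" sorts after "3.13.1-126"), so the check ports rpm's own rpmvercmp ordering: numeric segments compare by value, "~" marks a pre-release that sorts before the bare version, "^" a post-release that sorts after it. The `rpm -q --qf` query is the real one; the helper names rpmvercmp, evr_cmp, policy_has_fix and installed_policy_vr are the example's own.

```python
"""
Is the installed selinux-policy at least the fixed build from this advisory?
Example code: re-implements rpm's version ordering so later builds also pass.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_EVR = "3.13.1-126.fc22"   # version-release named in this advisory


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 (strcmp-style).

    Segments are runs of digits or runs of letters. A numeric segment beats an
    alphabetic one, numbers compare by value (leading zeros dropped), '~' sorts
    before everything (pre-release) and '^' sorts after the bare version.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is not alnum, '~' or '^'
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: older than anything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than the bare version, older than the rest
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):                 # one side exhausted: decided after the loop
            break
        if ca.isdigit():                    # wholly numeric segment from each side
            ma, mb, isnum = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]*", b[j:]), True
        else:                               # wholly alphabetic segment from each side
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]*", b[j:]), False
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if not sb:                          # mismatched segment types: numeric wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever still has characters is newer


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' into its parts; epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings the way rpm and yum order packages: epoch, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def policy_has_fix(installed_vr: str, fixed_vr: str = FIXED_EVR) -> bool:
    """True when the installed version-release is the fixed build or any later one."""
    return evr_cmp(installed_vr, fixed_vr) >= 0


def installed_policy_vr() -> Optional[str]:
    """Query rpm for the installed selinux-policy version-release (None if rpm or the package is absent)."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "selinux-policy"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    vr = installed_policy_vr()
    if vr is None:
        print("selinux-policy not installed or rpm unavailable")
    else:
        state = "fixed" if policy_has_fix(vr) else "NOT fixed"
        print(f"installed selinux-policy {vr}: {state} relative to {FIXED_EVR}")
```

The comparison is only meaningful within one release stream: a Fedora 21 build carries an fc21 dist tag and a different fix history, so run this on the Fedora 22 host the advisory targets. Signature verification of the downloaded package is a separate step, done with rpm's --checksig (rpm -K) against the Fedora key referenced above; on Fedora 22 the same update can also be applied with dnf, which is that release's default package manager.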
--------------------------------------------------------------------------------