--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-13536
2010-08-26 00:25:59
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 13
Version     : 3.7.19
Release     : 51.fc13
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

--------------------------------------------------------------------------------
Update Information:

- Fixes for boinc policy
- Fixes for shorewall policy
- Allow seunshare fowner capability
- Allow dovecot to manage postfix private socket
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 25 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-51
- Allow seunshare fowner capability
- Allow dovecot to manage postfix private socket
* Tue Aug 24 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-50
- Fixes for boinc policy
- Fixes for shorewall policy
* Fri Aug 20 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-49
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest
- Fix amavis_read_spool_files interface
* Wed Aug 18 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-48
- Fixes for shorewall policy
- Allow sssd chown capability
- Fix label for /usr/bin/mutter
- Label dead.letter as mail_home_t
- Allow pcscd to read hardware state information
- Fixes for ulogd policy
* Fri Aug 13 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-47
- Fixes for boinc-project policy
- Allow swat to read nmbd pid file
- Allow fail2ban to read BIND log files
- Fix cert handling from Dan
- Remove transition from unconfined to ncftool domain
* Wed Aug 11 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-46
- Allow ipsec-mgmt to dbus chat with unconfined
- Fixes for boinc policy
* Tue Aug 10 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-45
- Fixes for cgroup policy
- Fixes for ncftool policy
- Add ncftool_read_user_content boolean
- Fix label for boinc init script
- Fix label for fence_tool
- Allow vhostmd to write virt content
- Allow ricci domtrans to shutdown
* Thu Aug 5 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date
* Wed Aug 4 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-43
- Allow ncftool to run brctl
- Fixes for ricci-modclusterd policy
- Allow uucpd to execute ssh client
- Add label for dayplanner
- Allow sandbox_xserver execstack
* Mon Aug 2 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
- Fixes for logwatch-mail policy
* Tue Jul 27 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-41
- Allow logwatch_mail to read the networking state information.
- Add label for /usr/bin/dosbox
- Allow systat sys_admin capability
* Fri Jul 23 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-40
- Fixes for puppetmaster
- Fix label for kadmin init script
- Fixes for logwatch-mail policy
- Allow arpwatch to request the kernel to load modules
- Allow cron jobs to run with context of user that started them
* Wed Jul 21 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-39
- Allow munin_system_plugin to read files in /usr
- Do not audit insmod attempts to write virt daemon unnamed pipes
- Allow corosync to read ricci lib files
* Mon Jul 19 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-38
- Allow xdm_t to manage gnome homedir content
- Allow s-c-firewall to read and write virtual memory sysctls
- Fixes for logwatch policy
* Wed Jul 14 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-37
- Redefine hi_reserved_port_t to include ports from 512 to 599
- Add label for /sbin/sushell
- Fixes for munin plugin policy
* Tue Jul 13 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-36
- Allow netutils to read and write USB monitor devices
- Fix label for /rhev
- Add user_setrlimit boolean
- Allow initrc to manage virt lib files
- Add support for ebtables
- Add label for /bin/mksh
- Dontaudit aiccu sys_tty_config capability
- Add httpd_setrlimit boolean
* Fri Jul 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-35
- Add label for /bin/yash
- Fixes for rhcs and corosync policy
- Fixes for piranha-web policy
* Thu Jul 1 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-34
- Fix ipsec-mgmt interface
* Wed Jun 30 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-33
- Fix label for /var/lib/git
- Fix labels for conflicted files
- Fix cgroup_admin interface
* Mon Jun 28 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-32
- Allow sectool to connect to users over unix stream socket
- Add label for /var/spool/abrt-upload
- Add audio_home_t type for homedir/Music files
- Allow aiccu to read network config files
- Allow qpidd to setsched
- Allow virt domains to manage svirt_image_t fifo files
- Fixes for NM-openswan
- Fixes for admin interfaces
* Mon Jun 21 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog
- Allow all domains to read lib files
- Allow denyhosts to send syslog messages
- Allow mysql-safe setrlimit
- Allow rpm to execute rpm_tmp_t
- Allow dmesg to append abrt_var_cache files
- Fixed label for abrt.socket
* Wed Jun 16 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-30
- Allow sysadm to run ncftool
- Fixes for cobbler policy
- Allow Network Manager to transition to ipsec_mgmt domain
- Add label for /usr/libexec/nm-openswan-service
- Add label for /dev
* Tue Jun 15 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-29
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
* Mon Jun 14 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-28
- Fixes for netutils
- Cleanup of aiccu policy
- Add mpd policy
* Wed Jun 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-27
- Allow ftpd ipc_lock capability
- Allow audisp-remote to getcap and setcap
- Allow iscsid to read and write raw memory devices
- Fixes for bitlbee policy
* Wed Jun 9 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-26
- Allow krb5kdc to write krb5kdc_principal_t file
- Allow hald to send generic signal to dhcp client
- Fix dev_rw_vhost interface
- Add /var/run/abrt.socket label
* Tue Jun 8 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-25
- Fixes for cmirrord policy
- Dontaudit xauth to list inotifyfs filesystem.
- Allow xserver to translate contexts.
- Allow kdumpgui domain sys_admin capability
- Allow vpnc to relabelfrom tun_socket
- Allow prelink_cron_system_t to signal
- Fixes for gitolite
- Allow virt domain to read symbolic links in device directories
* Thu Jun 3 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-24
- Add support for /dev/vhost-net
- Allow psad to read files in /usr
- Allow systat to use nscd socket
- Fixes for boinc policy
* Tue Jun 1 2010 Miroslav Grepl mgrepl@redhat.com 3.7.19-23
- Add cmirrord policy
- Fixes for accountsd policy
- Fixes for boinc policy
- Allow cups-pdf to set attributes on fonts cache directory
- Allow radiusd to setrlimit
- Allow nscd sys_ptrace capability
* Tue May 25 2010 Dan Walsh dwalsh@redhat.com 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
* Mon May 24 2010 Dan Walsh dwalsh@redhat.com 3.7.19-21
- Allow login programs to read krb5_home_t
  Resolves: 594833
- Add obsoletes for cachefilesfd-selinux package
  Resolves: #575084
* Thu May 20 2010 Dan Walsh dwalsh@redhat.com 3.7.19-20
- Allow mount to r/w abrt fifo file
- Allow svirt_t to getattr on hugetlbfs
- Allow abrt to create a directory under /var/spool
* Wed May 19 2010 Dan Walsh dwalsh@redhat.com 3.7.19-19
- Add labels for /sys
- Allow sshd to getattr on shutdown
- Fixes for munin
- Allow sssd to use the kernel key ring
- Allow tor to send syslog messages
- Allow iptables to read usr files
- allow policykit to read all domains state
* Thu May 13 2010 Dan Walsh dwalsh@redhat.com 3.7.19-17
- Fix path for /var/spool/abrt
- Allow nfs_t as an entrypoint for http_sys_script_t
- Add policy for piranha
- Lots of fixes for sosreport
* Wed May 12 2010 Dan Walsh dwalsh@redhat.com 3.7.19-16
- Allow xm_t to read network state and get and set capabilities
- Allow policykit to getattr all processes
- Allow denyhosts to connect to tcp port 9911
- Allow piranha to use raw ip sockets and ptrace itself
- Allow unconfined_execmem_t and gconfsd mechanism to dbus
- Allow staff to kill ping process
- Add additional MLS rules
* Mon May 10 2010 Dan Walsh dwalsh@redhat.com 3.7.19-15
- Allow gdm to edit ~/.gconf dir
  Resolves: #590677
- Allow dovecot to create directories in /var/lib/dovecot
  Partially resolves 590224
- Allow avahi to dbus chat with NetworkManager
- Fix cobbler labels
- Dontaudit iceauth_t leaks
- fix /var/lib/lxdm file context
- Allow aiccu to use tun tap devices
- Dontaudit shutdown using xserver.log
* Thu May 6 2010 Dan Walsh dwalsh@redhat.com 3.7.19-14
- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++
- Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory
- Add dontaudit interface for bluetooth dbus
- Add chronyd_read_keys, append_keys for initrc_t
- Add log support for ksmtuned
  Resolves: #586663
* Thu May 6 2010 Dan Walsh dwalsh@redhat.com 3.7.19-13
- Allow boinc to send mail
* Wed May 5 2010 Dan Walsh dwalsh@redhat.com 3.7.19-12
- Allow initrc_t to remove dhcpc_state_t
- Fix label on sa-update.cron
- Allow dhcpc to restart chrony initrc
- Don't allow sandbox to send signals to its parent processes
- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t
  Resolves: #589136
* Mon May 3 2010 Dan Walsh dwalsh@redhat.com 3.7.19-11
- Fix location of oddjob_mkhomedir
  Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
  Resolves: #586760
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #626111 - SELinux is preventing minirosetta_2.1 "signal" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=626111
  [ 2 ] Bug #625963 - SELinux is preventing /var/lib/boinc/projects/www.gpugrid.net/acemd2_6.04_x86_64-pc-linux-gnu__cuda "read" access on /var/lib/boinc.
        https://bugzilla.redhat.com/show_bug.cgi?id=625963
  [ 3 ] Bug #625957 - SELinux is preventing /var/lib/boinc/projects/www.rnaworld.de_rnaworld/cmswrapper_0.10_x86_64-pc-linux-gnu "sigkill" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=625957
  [ 4 ] Bug #625961 - SELinux is preventing /var/lib/boinc/projects/www.gpugrid.net/acemd2_6.04_x86_64-pc-linux-gnu__cuda "getattr" access on /etc/nsswitch.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=625961
  [ 5 ] Bug #626167 - SELinux is preventing /usr/sbin/ssmtp "getattr" access on /etc/aliases.
        https://bugzilla.redhat.com/show_bug.cgi?id=626167
  [ 6 ] Bug #624546 - Spam reporting through Horde application framework to Spamassassin ends up in AVC denial
        https://bugzilla.redhat.com/show_bug.cgi?id=624546
  [ 7 ] Bug #625917 - Selinux prevents httpd from using gnupg
        https://bugzilla.redhat.com/show_bug.cgi?id=625917
  [ 8 ] Bug #625780 - O SELinux está a impedir o acesso /usr/lib/cyrus-imapd/cyrus-master "fsetid"
        https://bugzilla.redhat.com/show_bug.cgi?id=625780
  [ 9 ] Bug #625781 - O SELinux está a impedir o acesso /usr/lib/cyrus-imapd/deliver "open" on /usr/lib/cyrus-imapd/deliver
        https://bugzilla.redhat.com/show_bug.cgi?id=625781
  [ 10 ] Bug #591854 - SELinux empêche /usr/bin/vlc de charger /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du texte.
        https://bugzilla.redhat.com/show_bug.cgi?id=591854
  [ 11 ] Bug #626047 - SELinux is preventing /usr/sbin/ulogd "read" access on hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=626047
  [ 12 ] Bug #626082 - SELinux is preventing /usr/sbin/ulogd "connect" access .
        https://bugzilla.redhat.com/show_bug.cgi?id=626082
  [ 13 ] Bug #626114 - SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=626114
  [ 14 ] Bug #624303 - SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin "unlink" access on catalog.cache.
        https://bugzilla.redhat.com/show_bug.cgi?id=624303
  [ 15 ] Bug #627208 - postfix_local_t cannot read usr_t files
        https://bugzilla.redhat.com/show_bug.cgi?id=627208
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org