--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-7794
2014-06-27 01:29:45
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 20
Version     : 3.12.1
Release     : 173.fc20
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
--------------------------------------------------------------------------------
Update Information:
More info http://koji.fedoraproject.org/koji/taskinfo?taskID=7079632
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 26 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-173
- Added changes to fedora from bug bz#1082183
- Back ported swift ports
- Label conman exec files in /usr/share/conman/exec as bin_t
- Add support for /usr/bin/swift-object-expirer and label it as swift_exec_t
- Allow glance domain to use syslog
- back port additional labeling for neutron
* Tue Jun 24 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-172
- Allow keepalived connect to agentx port
- Allow neutron-ns-metadata to connect to own unix stream socket
- Additional allow rules for docker sandbox processes
- Remove duplicate .fc entry for Grilo plugin bookmarks
- Add f2fs support for Xattrs
* Wed Jun 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-171
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
* Wed Jun 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-170
- Add labels for swapon and xfs_growfs
- Add mozilla_plugin_use_bluejeans boolean
- apcupsd will send a wall message to all terminals telling the system is about to go down
- Additional policy required for geard.
- Allow geard to transition to passwd and useradd
* Tue Jun 17 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-169
- Allow unpriv users to manage games data files. Needed by nethack.
- add games_manage_data_files() interface
- Revert gnome_dontaudit_search_config in cobbler policy
* Thu Jun 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-168
- Google chrome has a new directory in homedir
- Allow nova domains to read passwd/utmp files
- Added policy for geoclue
* Mon Jun 9 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-167
- Allow keystone to connect to additional ports to make OpenStack working
- Allow thumb_t to connect to the xserver port when you are running it via an ssh tunnel
- Allow certmonger to manage all certs
- rhsmcertd seems to need these accesses.
- Add cups_execmem boolean
- Allow cups to execute its rw_etc_t files, for brothers printers
- Need these privs in order to watch video
- Allow locate to list directories without labels
- Allow staff_t to communicate and run docker
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dir
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalives to connect to SNMP port. Support to do SNMP stuff
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- Fix bitlbee policy
- Fix rabbitmq.te
- Fix labels on rabbitmq_var_run_t on file/dir creation
- Allow neutron to create sock files
- Allow postfix domains to getattr on all file systems
- Add fixes for squid which is configured to run with more than one worker.
- Allow certmonger to manage all certs
- Fix *_ecryptfs_home_dirs booleans
- Fix typos in userdomain.if and libraries.te
- Allow ldconfig_t to read/write inherited user tmp pipes
- Use proper calling in ssh.te for userdom_home_manager attribute
- Fix decl for cockpit port
* Wed May 21 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-166
- Allow cockpit to bind to its port
- Add fixes for squid which is configured to run with more than one worker.
- geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Dontaudit attempts to read fixed disk
- Add MCS/MLS Constraints to kernel keyring, also add MCS Constraints to ipc, sem.msgq, shm
- Allow seunshare domains to getattr on all executables
* Fri May 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-165
- More fixes for OpenStack
* Fri May 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-164
- Add openstack fixes
* Tue May 13 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-163
- Add missing dyntransition for sandbox_x_domain
* Mon May 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-162
- More rules needed for openshift/gear in rhel7
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files
- Allow mozilla plugins to use /dev/sr0
- Dontaudit logrotate executing systemctl command attempting to net_admin
- Allow neutron execute arping in neutron_t
- Allow nova-scheduler to read passwd file
- Fix zabbix_can_network boolean to have this boolean for all zabbix domains
- Allow openwsman to execute chkpwd and make this domain as unconfined for F20.
- Add openwsman_tmp_t rules
- Allow ulogd to request the kernel to load a module
- Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
- Systectl_net_t can be a lnk_file
- Fix path to mmap_min_addr
- Any app that executes systemctl will attempt a net_admin
* Wed May 7 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-161
- Allow keystone to connect to ldap servers
- Add additional caps for neutron_t
- apcuspd_t can send signull to any domain
- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
- gear_t execs ip which for some reason is mounting content on sysfs and /
* Mon May 5 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-160
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy
- Bootloader wants to look at init state
- init reads kdump etc files
- userdom_search_admin_dir() calling needs to be optional in kernel.te
- Fix labeling for /root/.yubico
- Allow httpd_t to kill passenger
- Add new labeling for /var/spool/smtpd
- Dontaudit leaked xserver_misc_device_t into plugins
- Backport exim policy from rawhide to F20
- Allow apache cgi scripts to use inherited httpd_t unix_stream_sockets
- Add back kerberos_keytab_template() for exim+f20.
- Allow stap-server to get attr on all fs
- Allow mysql to execute ifconfig if Red Hat OpenStack
- Fix virt_use_samba in virt.te
* Fri May 2 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-159
- Add support for us_cli ports
- Fix labeling for /var/run/user/<UID>/gvfs
- add support for tcp/9697
- Additional rules required by openstack, needs backport to F20 and RHEL7
- Additional access required by docker
- Allow motion to use tcp/8082 port
* Fri Apr 25 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-158
- Fix bug in policy, needs back port to RHEL7/RHEL6
- optional can not be used in boolean. But we want to call ldap_read_certs() in sysnet_use_ldap
- Add support for ~/.esmtp_queue directory
- Allow net_raw for neutron
- Allow dac_override to neutron_t
- Allow neutron to r/w net sysctls
- Allow neutron to getattr on all filesystems
- Allow swift to getattr on all filesystems
- Clean up sysnet_use_ldap()
* Fri Apr 25 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-157
- Added fprintd dontaudit tmp dirs rule
- Add interface to allow tools to check the processes state of bind/named
- Allow rhsmcertd-worker connect to tcp/8080
- Allow locate to getattr any files in mock_var_lib
- Fix label on sensor logs
- Add cockpit policy
- Allow locate to getattr any files in mock_var_lib
- Allow docker to start systemd service
- Allow mock-build to write all inherited ttys and ptys
- Fix mock_read_lib_files() interface
- Allow sys_ptrace for mock-build
- Additional access required for gear management of openshift directories
- Allow tgtd to read /proc/net/psched
- Add glance_use_fusefs() boolean
- Allow ifconfig to manage lnk files
- Allow ipsec_mgmt_t to read state of the bind process
- If you use ldap you should be able to read certs
- Dontaudit access to this leaked fifo_file
- Remove dup sysnet_manage_ifconfig_run() interface
- systemd calling needs to be optional
* Fri Apr 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-156
- Allow init_t to setattr/relabelfrom dhcp state files
- Dontaudit antivirus domains read access on all security files by default
- Add missing alias for old amavis_etc_t type
- Allow block_suspend cap for haproxy
- Additional fixes for instack overcloud
- Allow OpenStack to read mysqld_db links and connect to MySQL
- Remove dup filename rules in gnome.te
- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
- Allow iscsid to handle own unit files
- Add iscsi_systemctl()
- Allow mongod to create also sock_files in /run with correct labeling
* Mon Apr 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-155
- Allow httpd to send signull to apache script domains and don't audit leaks
- Allow rabbitmq_beam to connect to httpd port
- Allow aiccu stream connect to pcscd
- Allow dmesg to read hwdata and memory dev
* Sat Apr 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-154
- Allow all freeipmi domains to read/write ipmi devices
- Allow sblim_sfcbd to use also pegasus-https port
- Allow rabbitmq_epmd to manage rabbit_var_log_t files
- Allow chronyd to read /sys/class/hwmon/hwmon1/device/temp2_input
- Allow docker to status any unit file and allow it to start generic unit files
* Wed Apr 9 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-153
- Back port puppet fixes from rawhide
- Allow automount to getattr all files
- openvpn_can_network_connect boolean set default on
- Allow conman to resolve DNS and use user ptys
- update pegasus_openlmi_admin_t policy
- Allow docker to status any unit file and allow it to start generic unit files
- Additional perms for gear domain
* Tue Apr 8 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-152
- Change hsperfdata_root to have as user_tmp_t
- Allow rsyslog low-level network access
- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
- nslcd wants chown capability
* Fri Apr 4 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-151
- Fix Multiple same specifications for /var/named/chroot/dev/zero
- Add labels for /var/named/chroot_sdb/dev devices
- Add support for strongimcv
- Use kerberos_keytab_domains in auth_use_nsswitch
- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to
- Allow net_raw cap for neutron_t and send sigkill to dnsmasq
- Fix ntp_filetrans_named_content for sntp-kod file
- Add httpd_dbus_sssd boolean
- Dontaudit exec insmod in boinc policy
- Rename kerberos_keytab_domain to kerberos_keytab_domains
- Add kerberos_keytab_domain()
- Fix kerberos_keytab_template()
- Make all domains which use kerberos as kerberos_keytab_domain
- Allow kill capability to winbind_t
* Wed Apr 2 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-150
- varnishd wants chown capability
- update ntp_filetrans_named_content() interface
- Add additional fixes for neutron_t. #1083335
- Dontaudit getattr on proc_kcore_t
- Allow pki_tomcat_t to read ipa lib files
- Allow named_filetrans_domain to create /var/cache/ibus with correct labeling
- Allow init_t run /sbin/augenrules
- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces
- Allow unpriv SELinux user to use sandbox
- Add default label for /tmp/hsperfdata_root
* Mon Mar 31 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-149
- Allow xauth_t to read user_home_dir_t lnk_file
- Add labeling for lightdm-data
- Allow certmonger to manage ipa lib files
- Add support for /var/lib/ipa
- Allow pegasus to getattr virt_content
- Added some new rules to pcp policy
- Fix abrt_manage_spool_retrace()
- Allow chrome_sandbox to execute config_home_t
- Add support for ABRT FAF
* Fri Mar 28 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-148
- Allow kdm to send signull to remote_login_t process
- Add gear policy
- Turn on gear_port_t
- Allow cgit to read gitosis lib files by default
- Allow vdagent to read xdm state
- Allow NM and fcoeadm to talk together over unix_dgram_socket
* Thu Mar 27 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-147
- back port fixes for pegasus_openlmi_admin_t from rawhide
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
* Wed Mar 26 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-146
- add gnome_append_home_config()
- Allow thumb to append GNOME config home files
- Allow rasdaemon to rw /dev/cpu//msr
- fix /var/log/pki file spec
- make bacula_t as auth_nsswitch domain
- Identify pki_tomcat_cert_t as a cert_type
- Define speech-dispater_exec_t as an application executable
- Add a new file context for /var/named/chroot/run directory
- update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removable devices
- Allow nsswitch_domains to stream connect to nmbd
- Allow unpriv users to connect to memcached
- label /var/lib/dirsrv/scripts-INSTANCE as bin_t
* Mon Mar 24 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-145
- Allow also unpriv user to run vmtools
- Allow secadm to read /dev/urandom and meminfo
- Add booleans to allow docker processes to use nfs and samba
- Add mdadm_tmpfs support
- Dontaudit net_admin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t
- Allow vmware-user-sui to use user ttys
- Allow talk 2 users logged via console too
- Allow ftp services to manage xferlog_t
- Make all pcp domains as unconfined for F20 because of new policies
- allow anaconda to dbus chat with systemd-localed
* Fri Mar 21 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-144
- allow anaconda to dbus chat with systemd-localed
- Add fixes for haproxy based on bperkins@redhat.com
- Allow cmirrord to make dmsetup working
- Allow NM to execute arping
- Allow users to send messages through talk
- Add userdom_tmp_role for secadm_t
* Thu Mar 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-143
- Add additional fixes for rtas_errd
- Fix transitions for tmp/tmpfs in rtas.te
- Allow rtas_errd to read all sysctls
* Wed Mar 19 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-142
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default
- Allow svirt_sandbox_domains to ptrace themselves
* Wed Mar 19 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-141
- Allow docker containers to manage /var/lib/docker content
* Mon Mar 17 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-140
- Allow docker to read tmpfs_t symlinks
- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets
* Mon Mar 17 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-139
- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets
- Dontaudit leaks of sockets into chrome_sandbox_t
- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t
- Run vmtools as unconfined domains
- Allow snort to manage its log files
- Allow systemd_cronjob_t to be entered via bin_t
- Allow procman to list doveconf_etc_t
- allow keyring daemon to create content in tmpfs directories
- Add proper labelling for icedtea-web
- vpnc is creating content in networkmanager var run directory
- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
* Fri Mar 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-138
- Make rtas_errd_t as unconfined domain for F20. It needs additional fixes. It runs rpm at least.
- Allow net_admin cap for fence_virtd running as fenced_t
- Make abrt-java-connector working
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Fix git_system_enable_homedirs boolean
- Allow munin mail plugins to read network sysctl
* Thu Mar 13 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-137
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla
- /var/lib/containers should be labeled as openshift content for now
- Allow docker domains to talk to the login programs, to allow a process to login into the container
- Allow install_t do dbus chat with NM
- Fix interface names in anaconda.if
- Add install_t for anaconda. A new type is a part of anaconda policy
- sshd to read network sysctls
* Wed Mar 12 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-136
- Allow zabbix to send system log msgs
- Allow init_t to stream connect to ipsec
* Tue Mar 11 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-135
- Add docker_connect_any boolean
* Tue Mar 11 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-134
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.repos.d dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Add hide_broken_symptoms for kdumpgui because of systemd bug
- Make kdumpgui_t as unconfined domain
- Allow docker to connect to tcp/5000
* Mon Mar 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-133
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
- Allow postgresql to use ldap
- Add missing syslog-conn port
* Fri Mar 7 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-132
- Modify xdm_write_home to allow create files/links in /root with xdm_home_
- Allow virt domains to read network state
* Thu Mar 6 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-131
- Added pcp rules
- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6
- clean up ctdb.te
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow certmonger to list home dirs
* Wed Mar 5 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-130
- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask
- Add sysnet_filetrans_named_content_ifconfig() interface
- Allow ctdbd to connect own ports
- Fix samba_export_all_rw boolean to cover also non security dirs
- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs
- Allow neutron to create /run/netns with correct labeling
- Allow kerberos keytab domains to manage sssd/userdomain keys
- Allow to run ip cmd in neutron_t domain
* Mon Mar 3 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-129
- Allow block_suspend cap2 for systemd-logind and rw dri device
- Add labeling for /usr/libexec/nm-libreswan-service
- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working
- Add xserver_rw_xdm_keys()
- Allow rpm_script_t to dbus chat also with systemd-located
- Fix ipa_stream_connect_otpd()
- update lpd_manage_spool() interface
- Allow krb5kdc to stream connect to ipa-otpd
- Add ipa_stream_connect_otpd() interface
- Allow vpnc to unlink NM pids
- Add networkmanager_delete_pid_files()
- Allow munin plugins to access unconfined plugins
- update abrt_filetrans_named_content to cover /var/spool/debug
- Label /var/spool/debug as abrt_var_cache_t
- Allow rhsmcertd to connect to squid port
- Make docker_transition_unconfined as optional boolean
- Allow certmonger to list home dirs
* Wed Feb 26 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-128
- Make snapperd as unconfined domain and add additional fixes for it
- Remove nsplugin.pp module on upgrade
* Tue Feb 25 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-127
- Add snapperd_home_t for HOME_DIR/.snapshots directory
- Make sosreport as unconfined domain
- Allow sosreport to execute grub2-probe
- Allow NM to manage hostname config file
- Allow systemd_timedated_t to dbus chat with rpm_script_t
- Allow lsmd plugins to connect to http/ssh/http_cache ports by default
- Add lsmd_plugin_connect_any boolean
- Allow mozilla_plugin to attempt to set capabilities
- Allow lsmd_plugins to use tcp_socket
- Dontaudit mozilla plugin from getattr on /proc or /sys
- Dontaudit use of the keyring by the services in a sandbox
- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t
- Allow rabbitmq_beam to connect to jabber_interserver_port
- Allow logwatch_mail_t to transition to qmail_inject and queue
- Added new rules to pcp policy
- Allow vmtools_helper_t to change role to system_r
- Allow NM to dbus chat with vmtools
- Fix couchdb_manage_files() to allow manage couchdb conf files
- Add support for /var/run/redis.sock
- dontaudit gpg trying to use audit
- Allow consolekit to create log directories and files
- Fix vmtools policy to allow user roles to access vmtools_helper_t
- Allow block_suspend cap2 for ipa-otpd
- Allow pkcsslotd to read users state
- Add ioctl to init_dontaudit_rw_stream_socket
- Add systemd_hostnamed_manage_config() interface
- Remove transition for temp dirs created by init_t
- gdm-simple-slave uses setsockopt
- sddm-greeter is a xdm type program
* Tue Feb 18 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-126
- Add lvm_read_metadata()
- Allow auditadm to search /var/log/audit dir
- Add lvm_read_metadata() interface
- Allow confined users to run vmtools helpers
- Fix userdom_common_user_template()
- Generic systemd unit scripts do write check on /
- Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files
- Add additional fixes needed for init_t and setup script running in generic unit files
- Allow general users to create packet_sockets
- added connlcli port
- Add init_manage_transient_unit() interface
- Allow init_t (generic unit files) to manage rpc state data as we had it for initrc_t
- Fix userdomain.te to require passwd class
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Dontaudit random domains listing /proc and hitting system_map_t
- Dontaudit leaks of var_t into ifconfig_t
- Allow domains that transition to ssh_t to manipulate its keyring
- Define oracleasm_t as a device node
- Change to handle /root as a symbolic link for os-tree
- Allow sysadm_t to create packet_socket, also move some rules to attributes
- Add label for openvswitch port
- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
- Allow postfix_local to read .forward in pcp lib files
- Allow pegasus_openlmi_storage_t to read lvm metadata
- Add additional fixes for pegasus_openlmi_storage_t
- Allow bumblebee to manage debugfs
- Make bumblebee as unconfined domain
- Allow snmp to read etc_aliases_t
- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
- Allow pegasus_openlmi_storage_t to read /proc/1/environ
- Dontaudit read gconf files for cupsd_config_t
- make vmtools as unconfined domain
- Add vmtools_helper_t for helper scripts. Allow vmtools shutdown a host and run ifconfig.
- Allow collectd_t to use a mysql database
- Allow ipa-otpd to perform DNS name resolution
- Added new policy for keepalived
- Allow openlmi-service provider to manage transient units and allow stream connect to sssd
- Add additional fixes new pcsc-lite+polkit support
- Add labeling for /run/krb5kdc
- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
- Allow pcscd to read users proc info
- Dontaudit smbd_t sending out random signulls
- Add boolean to allow openshift domains to use nfs
- Allow w3c_validator to create content in /tmp
- zabbix_agent uses nsswitch
- Allow procmail and dovecot to work together to deliver mail
- Allow spamd to execute files in homedir if boolean turned on
- Allow openvswitch to listen on port 6634
- Add net_admin capability in collectd policy
- Fixed snapperd policy
- Fixed bugs for pcp policy
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Add kerberos_keytab_domain attribute
- Fix snapperd_conf_t def
* Tue Feb 11 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-125
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Make tuned_t as unconfined domain for RHEL7.0
- Allow ABRT to read puppet certs
- Add sys_time capability for virt-ga
- Allow qemu-ga to domtrans to hwclock_t
- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
- Fix some AVCs in pcp policy
- Add to bacula capability setgid and setuid and allow to bind to bacula ports
- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
- Add access rhnsd and osad to /etc/sysconfig/rhn
- drbdadm executes drbdmeta
- Fixes needed for docker
- Allow epmd to manage /var/log/rabbitmq/startup_err file
- Allow beam.smp connect to amqp port
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
- Allow systemd_tmpfiles_t to manage all non security files on the system
- Added labels for bacula ports
- Fix label on /dev/vfio/vfio
- Add kernel_mounton_messages() interface
- init wants to manage lock files for iscsi
* Mon Feb 3 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-124
- Added osad policy
- Allow postfix to deliver to procmail
- Allow bumblebee to send kill signal to xserver
- Allow vmtools to execute /usr/bin/lsb_release
- Allow docker to write system net ctrls
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix pcp.te
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Allow call renice in mlocate
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
* Fri Jan 31 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-123
- Turn on bacula, rhnsd policy
- Add support for rhnsd unit file
- Add dbus_chat_session_bus() interface
- Add dbus_stream_connect_session_bus() interface
- Fix logrotate_use_nfs boolean
- Add lot of pcp fixes found in RHEL7
- fix labeling for pmie for pcp pkg
- Change thumb_t to be allowed to chat/connect with session bus type
- Allow call renice in mlocate
- Add logrotate_use_nfs boolean
- Allow setroubleshootd to read rpc sysctl
- Fixes for *_admin interfaces
- Add pegasus_openlmi_storage_var_run_t type def
- Add support for /var/run/openlmi-storage
- Allow tuned to create syslog.conf with correct labeling
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- Allow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
- Add support for dey_sapi port
- Add logging_filetrans_named_conf()
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
* Tue Jan 28 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-122
- Update snapper policy
- Allow domains to append rkhunter lib files
- Allow snapperd to getattr on all fs
- Allow xdm to create /var/gdm with correct labeling
- Add label for snapper.log
- Allow fail2ban-client to read apache log files
- Allow thumb_t to execute dbus-daemon in thumb_t
* Mon Jan 27 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-121
- Allow gdm to create /var/gdm with correct labeling
- Allow domains to append rkhunter lib files. #1057982
- Allow systemd_tmpfiles_t net_admin to communicate with journald
- Add interface to getattr on an isid_type for any type of file
- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory
- Allow initrc_t domtrans to authconfig if unconfined is enabled
- Allow docker and mount on devpts chr_file
- Allow docker to transition to unconfined_t if boolean set
- init calling needs to be optional in domain.te
- Allow unconfined domain types to handle transient unit files
- Fix labeling for vfio devices
- Allow net_admin capability and send system log msgs
- Allow lldpad send dgram to NM
- Add networkmanager_dgram_send()
- rkhunter_var_lib_t is correct type
- Back port pcp policy from rawhide
- Allow openlmi-storage to read removable devices
- Allow system cron jobs to manage rkhunter lib files
- Add rkhunter_manage_lib_files()
- Fix ftpd_use_fusefs boolean to allow manage also symlinks
- Allow smbcontrol block_suspend cap2
- Allow slpd to read network and system state info
- Allow NM domtrans to iscsid_t if iscsiadm is executed
- Allow slapd to send a signal itself
- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA.
- Fix plymouthd_create_log() interface
- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package
- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container
- Allow postfix and cyrus-imapd to work out of box
- Allow fcoemon to talk with unpriv user domain using unix_stream_socket
- Dontaudit domains that are calling into journald to net_admin
- Add rules to allow vmtools to do what it does
- snapperd is D-Bus service
- Allow OpenLMI PowerManagement to call 'systemctl --force reboot'
- Add haproxy_connect_any boolean
- Allow haproxy also to use http cache port by default
- Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
- Allow docker to use the network and build images
- Allow docker to read selinux files for labeling, and mount on devpts chr_file
- Allow domains that transition to svirt_sandbox to send it signals
* Tue Jan 21 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-120
- Allow apache to write to the owncloud data directory in /var/www/html...
- Allow consolekit to create log dir
- Add support for icinga CGI scripts
- Add support for icinga
- Allow kdumpctl_t to create kdump lock file
- Allow kdump to create lnk lock file
- Allow nscd_t block_suspend capability
- Allow unconfined domain types to manage own transient unit file
- Allow systemd domains to handle transient init unit files
- Add interfaces to handle transient
* Mon Jan 20 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-119
- Add cron unconfined role support for unconfined SELinux user
- Call corenet_udp_bind_all_ports() in milter.te
- Allow fence_virtd to connect to zented port
- Fix header for mirrormanager_admin()
- Allow dkim-milter to bind udp ports
- Allow milter domains to send signull itself
- Allow block_suspend for yum running as mock_t
- Allow beam.smp to manage couchdb files
- Add couchdb_manage_files()
- Add labeling for /var/log/php_errors.log
- Allow bumblebee to stream connect to xserver
- Allow bumblebee to send a signal to xserver
- gnome-thumbnail to stream connect to bumblebee
- Allow xkbcomp running as bumblebee_t to execute bin_t
- Allow logrotate to read squid.conf
- Additional rules to get docker and lxc to play well with SELinux
- Allow bumblebee to connect to xserver port
- Allow pegasus_openlmi_storage_t to read hwdata
* Thu Jan 16 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-118
- Allow init_t to work on transient and snapshot unit files
- Add logging_manage_syslog_config()
- Update sysnet_dns_name_resolve() to allow connect to dnssec port
- Allow pegasus_openlmi_storage_t to read hwdata
- Fix rhcs_rw_cluster_tmpfs()
- Allow fenced_t to bind on zented udp port
- Added policy for vmtools
- Fix mirrormanager_read_lib_files()
- Allow mirrormanager scripts running as httpd_t to manage mirrormanager pid files
- Allow ctdb to create sock files in /var/run/ctdb
- Add sblim_filetrans_named_content() interface
- Allow rpm scriptlets to create /run/gather with correct labeling
- Allow gnome keyring domains to create gnome config dirs
- Dontaudit read/write to init stream socket for lsmd_plugin_t
- Allow automount to read nfs link files
- Allow lsm plugins to read/write lsmd stream socket
- Allow certmonger to connect ldap port to make IPA CA certificate renewal working.
- Add also labeling for /var/run/ctdb
- Add missing labeling for /var/lib/ctdb
- Allow tuned to manage syslog.conf. Should be fixed in tuned. #1030446
- Dontaudit hypervkvp to search homedirs
- Dontaudit hypervkvp to search admin homedirs
- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
- Dontaudit xguest_t to read ABRT conf files
- Add abrt_dontaudit_read_config()
- Allow namespace-init to getattr on fs
- Add thumb_role() also for xguest
- Add filename transitions to create .spamassassin with correct labeling
- Allow apache domain to read mirrormanager pid files
- Allow domains to read/write shm and sem owned by mozilla_plugin_t
- Allow alsactl to send a generic signal to kernel_t
- Allow plymouthd to read run/udev/queue.bin
- Allow sys_chroot for NM required by iodine service
- Change glusterd to allow mounton all non security
* Wed Jan 15 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-117
- Add back rpm_run for unconfined_t
* Mon Jan 13 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-116
- Add missing files_create_var_lib_dirs()
- Fix typo in ipsec.te
- Allow passwd to create directory in /var/lib
- Add filename trans also for event21
- Allow iptables command to read /dev/rand
- Add sigkill capability for ipsec_t
- Add filename transitions for bcache devices
- Add additional rules to create /var/log/cron by syslogd_t with correct labeling
- Add give everyone full access to all key rings
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Labeled ~/.nv/GLCache as being gstreamer output
- Allow nagios_system_plugin to read mrtg lib files
- Add mrtg_read_lib_files()
- Call rhcs_rw_cluster_tmpfs for dlm_controld
- Make authconfig as named_filetrans domain
- Allow virsh to connect to user process using stream socket
- Allow rtas_errd to read rand/urand devices and add chown capability
- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp
- Add also chown cap for abrt_upload_watch_t. It already has dac_override
- Allow sosreport to manage rhsmcertd pid files
- Add rhsmcertd_manage_pid_files()
- Allow also setgid cap for rpc.gssd
- Dontaudit access check for abrt on cert_t
- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind
* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-115
- Fix semanage import handling in spec file
* Fri Jan 10 2014 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-114
- Add default lvm_var_run_t label for /var/run/multipathd
- Fix log labeling to have correct default label for them after logrotate
- Add files_write_root_dirs
- Add new openflow port label for 6653/tcp and 6633/tcp
- Add xserver_manage_xkb_libs()
- Label tcp/8891 as milter port
- Allow gnome_manage_generic_cache_files also create cache_home_t files
- Fix aide.log labeling
- Fix log labeling to have correct default label for them after logrotate
- Allow mysqld-safe write access on /root to make mysqld working
- Allow sosreport domtrans to prelink
- Allow OpenvSwitch to connect to openflow ports
- Allow NM send dgram to lldpad
- Allow hyperv domains to execute shell
- Allow lsmd plugins stream connect to lsmd/init
- Allow sblim domains to create /run/gather with correct labeling
- Allow httpd to read ldap certs
- Allow cupsd to send dbus msgs to process with different MLS level
- Allow bumblebee to
stream connect to apmd - Allow bumblebee to run xkbcomp - Additional allow rules to get libvirt-lxc containers working with docker - Additional allow rules to get libvirt-lxc containers working with docker - Allow docker to getattr on itself - Additional rules needed for sandbox apps - Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled - httpd should be able to send signal/signull to httpd_suexec_t - Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain. * Wed Jan 8 2014 Miroslav Grepl mgrepl@redhat.com 3.12.1-113 - Add neutron fixes * Mon Jan 6 2014 Miroslav Grepl mgrepl@redhat.com 3.12.1-112 - Allow sshd to write to all process levels in order to change passwd when running at a level - Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range - Allow apcuspd_t to status and start the power unit file - Allow udev to manage kdump unit file - Added new interface modutils_dontaudit_exec_insmod - Allow cobbler to search dhcp_etc_t directory - systemd_systemctl needs sys_admin capability - Allow sytemd_tmpfiles_t to delete all directories - passwd to create gnome-keyring passwd socket - Add missing zabbix_var_lib_t type - Fix filename trans for zabbixsrv in zabbix.te - Allow fprintd_t to send syslog messages - Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port - Allow mozilla plugin to chat with policykit, needed for spice - Allow gssprozy to change user and gid, as well as read user keyrings - Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly - Allow polipo to connect to http_cache_ports - Allow cron jobs to manage apache var lib content - Allow yppassword to manage the passwd_file_t - Allow showall_t to send itself signals - Allow cobbler to restart dhcpc, dnsmasq and bind services - Allow certmonger to manage home cert files - Add userdom filename trans for user 
mail domains - Allow apcuspd_t to status and start the power unit file - Allow cgroupdrulesengd to create content in cgoups directories - Allow smbd_t to signull cluster - Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t - Add label for /var/spool/cron.aquota.user - Allow sandbox_x domains to use work with the mozilla plugin semaphore - Added new policy for speech-dispatcher - Added dontaudit rule for insmod_exec_t in rasdaemon policy - Updated rasdaemon policy - Allow system_mail_t to transition to postfix_postdrop_t - Clean up mirrormanager policy - Allow virt_domains to read cert files, needs backport to RHEL7 - Allow sssd to read systemd_login_var_run_t - Allow irc_t to execute shell and bin-t files: - Add new access for mythtv - Allow rsync_t to manage all non auth files - allow modemmanger to read /dev/urand - Allow sandbox apps to attempt to set and get capabilties * Thu Dec 19 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-111 - Add labeling for /var/lib/servicelog/servicelog.db-journal - Add support for freeipmi port - Add sysadm_u_default_contexts - Make new type to texlive files in homedir - Allow subscription-manager running as sosreport_t to manage rhsmcertd - Additional fixes for docker.te - Remove ability to do mount/sys_admin by default in virt_sandbox domains - New rules required to run docker images within libivrt - Add label for ~/.cvsignore - Change mirrormanager to be run by cron - Add mirrormanager policy - Fixed bumblebee_admin() and mip6d_admin() - Add log support for sensord - Fix typo in docker.te - Allow amanda to do backups over UDP - Allow bumblebee to read /etc/group and clean up bumblebee.te - type transitions with a filename not allowed inside conditionals - Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 - Make new type to texlive files in homedir * Thu Dec 12 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-110 - Allow freeipmi_ipmidetectd_t to use 
freeipmi port - Update freeipmi_domain_template() - Allow journalctl running as ABRT to read /run/log/journal - Allow NM to read dispatcher.d directory - Update freeipmi policy - Type transitions with a filename not allowed inside conditionals - Allow tor to bind to hplip port - Make new type to texlive files in homedir - Allow zabbix_agent to transition to dmidecode - Add rules for docker - Allow sosreport to send signull to unconfined_t - Add virt_noatsecure and virt_rlimitinh interfaces - Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port - Add sysadm_u_default_contexts - Add logging_read_syslog_pid() - Fix userdom_manage_home_texlive() interface - Make new type to texlive files in homedir - Add filename transitions for /run and /lock links - Allow virtd to inherit rlimit information * Tue Dec 10 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-109 - Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t - Add labeling for /usr/lib/systemd/system/mariadb.service - Allow hyperv_domain to read sysfs - Fix ldap_read_certs() interface to allow acess also link files - Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt - Allow tuned to run modprobe - Allow portreserve to search /var/lib/sss dir - Add SELinux support for the teamd package contains team network device control daemon. 
- Dontaudit access check on /proc for bumblebee - Bumblebee wants to load nvidia modules - Fix rpm_named_filetrans_log_files and wine.te - Add conman policy for rawhide - DRM master and input event devices are used by the TakeDevice API - Clean up bumblebee policy - Update pegasus_openlmi_storage_t policy - Add freeipmi_stream_connect() interface - Allow logwatch read madm.conf to support RAID setup - Add raid_read_conf_files() interface - Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling - add rpm_named_filetrans_log_files() interface - Allow dkim-milter to create files/dirs in /tmp - update freeipmi policy - Add policy for freeipmi services - Added rdisc_admin and rdisc_systemctl interfaces - opensm policy clean up - openwsman policy clean up - ninfod policy clean up - Added new policy for ninfod - Added new policy for openwsman - Added rdisc_admin and rdisc_systemctl interfaces - Fix kernel_dontaudit_access_check_proc() - Add support for /dev/uhid - Allow sulogin to get the attributes of initctl and sys_admin cap - Add kernel_dontaudit_access_check_proc() - Fix dev_rw_ipmi_dev() - Fix new interface in devices.if - DRM master and input event devices are used by the TakeDevice API - add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() - Added support for default conman port - Add interfaces for ipmi devices * Wed Dec 4 2013 Miroslav Grepl mgrepl@redhat.com 3.12.1-108 - Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t - Label /usr/sbin/htcacheclean as httpd_exec_t - Added support for rdisc unit file - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs - Allow runuser running as logrotate connections to system DBUS - Label bcache devices as fixed_disk_device_t - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t * Mon Dec 2 2013 
Miroslav Grepl mgrepl@redhat.com 3.12.1-107 - Add back setpgid/setsched for sosreport_t * Mon Dec 2 2013 Dan Walsh dwalsh@redhat.com 3.12.1-106 - Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1111750 - docker-related AVCs
https://bugzilla.redhat.com/show_bug.cgi?id=1111750
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update selinux-policy' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org