Fedora 12 Update: selinux-policy-3.6.32-59.fc12
updates at fedoraproject.org
updates at fedoraproject.org
Wed Dec 23 21:31:14 UTC 2009
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-13384
2009-12-18 03:19:42
--------------------------------------------------------------------------------
Name : selinux-policy
Product : Fedora 12
Version : 3.6.32
Release : 59.fc12
URL : http://oss.tresys.com/repos/refpolicy/
Summary : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20090730
--------------------------------------------------------------------------------
Update Information:
* Tue Dec 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-59 - Dontaudit
udp_socket leaks for xauth_t - Dontaudit rules for iceauth_t - Let locate read
symlinks on noxattr file systems - Remove wine from unconfined domain if
unconfined pp removed - Add labels for vhostmd - Add port 546 as a dhcpc port
- Add labeled for /dev/dahdi - Add certmonger policy - Allow sysadm to
communicate with racoon and zebra - Allow dbus service dbus_chat with
unconfined_t - Fixes for xguest - Add dontaudits for abrt - file contexts for
mythtv - Lots of fixes for asterisk - Fix file context for certmaster - Add
log dir for dovecot - Policy for ksmtuned - File labeling and fixes for mysql
and mysql_safe - New plugin infrstructure for nagios - Allow nut_upsd_t
dac_override - File context fixes for nx - Allow oddjob_mkhomedir to create
homedir - Add pcscd_pub interfaces to be used by xdm - Add stream connect from
fenced to corosync - Fixes for swat - Allow fsdaemon to manage scsi devices -
Policy for tgtd - Policy for vhostmd - Allow ipsec to create tmp files -
Change label on fusermount * Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com>
3.6.32-58 - Dontaudit udp_socket leaks for xauth_t * Wed Dec 9 2009 Dan
Walsh <dwalsh at redhat.com> 3.6.32-57 - Allow unconfined_t to send dbus messages
to setroubleshoot - Allow confined screen app to setattr on user ttys - remove
wine_t from unconfined domain when unconfined.pp disabled - Allow sysadm_t to
communicate with racoon - Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps - Allow asterisk to communicate
with postgresql - Fix labeling for /var/lib/certmaster - Add policy for
ksmtuned and tgtd - Fixes for vhostmd
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add labeled for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- file contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrstructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes fro vhostmd
* Mon Dec 7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow licrd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- MOre textrel_shlib_t files
- Add rw_herited_term_perms
* Thu Dec 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connecto unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.
* Tue Nov 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- ALlow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx
- Allow rtkit_daemon to read locale file
- Allow snort to create socket
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-43
- Fix transition so unconfined_exemem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos libary problem.
- Eliminate transition from unconifned_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #542654 - ntop triggers several AVC denials when starting
https://bugzilla.redhat.com/show_bug.cgi?id=542654
[ 2 ] Bug #545285 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files mod_gnutls.dir.
https://bugzilla.redhat.com/show_bug.cgi?id=545285
[ 3 ] Bug #545534 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
https://bugzilla.redhat.com/show_bug.cgi?id=545534
[ 4 ] Bug #545562 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
https://bugzilla.redhat.com/show_bug.cgi?id=545562
[ 5 ] Bug #545598 - SELinux is preventing /sbin/iscsid "associate" access.
https://bugzilla.redhat.com/show_bug.cgi?id=545598
[ 6 ] Bug #545607 - SELinux is preventing /usr/bin/python (deleted) "getattr" access on /var/lib/certmaster/certmaster/certs/alpha.rzhou.org.cert.
https://bugzilla.redhat.com/show_bug.cgi?id=545607
[ 7 ] Bug #545648 - SELinux is preventing /usr/bin/iceauth "read" access on dcopPfMg8b.
https://bugzilla.redhat.com/show_bug.cgi?id=545648
[ 8 ] Bug #545676 - SELinux is preventing /usr/libexec/polkit-1/polkitd "getattr" access on /proc/<pid>.
https://bugzilla.redhat.com/show_bug.cgi?id=545676
[ 9 ] Bug #545741 - SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on 2B.
https://bugzilla.redhat.com/show_bug.cgi?id=545741
[ 10 ] Bug #545747 - SELinux is preventing /usr/bin/xauth access to a leaked unix_stream_socket file descriptor.
https://bugzilla.redhat.com/show_bug.cgi?id=545747
[ 11 ] Bug #545771 - SELinux is preventing /usr/sbin/slapd "write" access. (to cn=config database)
https://bugzilla.redhat.com/show_bug.cgi?id=545771
[ 12 ] Bug #546007 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
https://bugzilla.redhat.com/show_bug.cgi?id=546007
[ 13 ] Bug #546078 - SELinux is preventing /sbin/setfiles access to a leaked /tmp/xerr-root-:0 file descriptor.
https://bugzilla.redhat.com/show_bug.cgi?id=546078
[ 14 ] Bug #546101 - SELinux is preventing /usr/bin/xauth access to a leaked udp_socket file descriptor.
https://bugzilla.redhat.com/show_bug.cgi?id=546101
[ 15 ] Bug #546143 - SELinux is preventing /usr/libexec/polkit-gnome-authentication-agent-1 "search" access on /home.
https://bugzilla.redhat.com/show_bug.cgi?id=546143
[ 16 ] Bug #546145 - SELinux is preventing /usr/libexec/polkit-gnome-authentication-agent-1 "search" access on /usr/share/X11/fonts.
https://bugzilla.redhat.com/show_bug.cgi?id=546145
[ 17 ] Bug #546157 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
https://bugzilla.redhat.com/show_bug.cgi?id=546157
[ 18 ] Bug #546224 - SELinux is preventing /usr/bin/xauth "write" access on /usr/NX/home/nx.
https://bugzilla.redhat.com/show_bug.cgi?id=546224
[ 19 ] Bug #546265 - SELinux is preventing /usr/libexec/hal-storage-mount "sys_resource" access.
https://bugzilla.redhat.com/show_bug.cgi?id=546265
[ 20 ] Bug #546352 - SELinux is preventing /usr/sbin/dovecot "write" access on /var/log/dovecot/dovecot.log.
https://bugzilla.redhat.com/show_bug.cgi?id=546352
[ 21 ] Bug #546360 - SELinux is preventing /sbin/unix_chkpwd access to a leaked 0 file descriptor.
https://bugzilla.redhat.com/show_bug.cgi?id=546360
[ 22 ] Bug #546362 - SELinux is preventing /usr/libexec/polkit-1/polkitd "getattr" access on /proc/<pid>/stat.
https://bugzilla.redhat.com/show_bug.cgi?id=546362
[ 23 ] Bug #546400 - SELinux is preventing /usr/bin/xauth "write" access on /usr/NX/home/nx.
https://bugzilla.redhat.com/show_bug.cgi?id=546400
[ 24 ] Bug #546467 - SELinux is preventing /bin/bash "search" access on /home/aurin.
https://bugzilla.redhat.com/show_bug.cgi?id=546467
[ 25 ] Bug #546773 - SELinux is preventing /usr/bin/iceauth "getattr" access on /tmp/dcopPfMg8b.
https://bugzilla.redhat.com/show_bug.cgi?id=546773
[ 26 ] Bug #546798 - SELinux is preventing /usr/libexec/gdm-session-worker "create" access on event.1652.17022326.
https://bugzilla.redhat.com/show_bug.cgi?id=546798
[ 27 ] Bug #546799 - SELinux is preventing /usr/bin/kismet_server "name_connect" access.
https://bugzilla.redhat.com/show_bug.cgi?id=546799
[ 28 ] Bug #546801 - SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled files (/home/juan/Downloads).
https://bugzilla.redhat.com/show_bug.cgi?id=546801
[ 29 ] Bug #546806 - SELinux is preventing /usr/bin/gdb "read" access on /lib/modules/2.6.31.6-166.fc12.x86_64/vdso/vdso.so.
https://bugzilla.redhat.com/show_bug.cgi?id=546806
[ 30 ] Bug #546853 - SELinux is preventing /lib/ld-2.11.so "execute" access on /usr/lib/firefox-3.5.5/firefox.
https://bugzilla.redhat.com/show_bug.cgi?id=546853
[ 31 ] Bug #546888 - SELinux is preventing /usr/bin/gok "getattr" access on /var/mail.
https://bugzilla.redhat.com/show_bug.cgi?id=546888
[ 32 ] Bug #547003 - SELinux is preventing /usr/libexec/mysqld "unlink" access on squeezebox-mysql.sock.
https://bugzilla.redhat.com/show_bug.cgi?id=547003
[ 33 ] Bug #547021 - SELinux is preventing /usr/bin/xauth "write" access on nx.
https://bugzilla.redhat.com/show_bug.cgi?id=547021
[ 34 ] Bug #547043 - SELinux is preventing /usr/sbin/lircd "read" access on fifo_file.
https://bugzilla.redhat.com/show_bug.cgi?id=547043
[ 35 ] Bug #547111 - SELinux is preventing /usr/bin/updatedb "read" access on 2.0.0.0__b03f5f7f11d50a3a.
https://bugzilla.redhat.com/show_bug.cgi?id=547111
[ 36 ] Bug #547180 - SELinux is preventing /usr/sbin/swat "search" access on /root.
https://bugzilla.redhat.com/show_bug.cgi?id=547180
[ 37 ] Bug #547247 - SELinux is preventing /usr/libexec/mysqld from connecting to port 49527.
https://bugzilla.redhat.com/show_bug.cgi?id=547247
[ 38 ] Bug #547342 - SELinux is preventing /bin/sed "write" access on fifo_file.
https://bugzilla.redhat.com/show_bug.cgi?id=547342
[ 39 ] Bug #547468 - SELinux is preventing Samba (smbd) "search" access to 4DC3BA73696361.
https://bugzilla.redhat.com/show_bug.cgi?id=547468
[ 40 ] Bug #547472 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
https://bugzilla.redhat.com/show_bug.cgi?id=547472
[ 41 ] Bug #547555 - SELinux is preventing /usr/bin/mythfrontend from loading /usr/lib/mythtv/filters/libgreedyhdeint.so which requires text relocation.
https://bugzilla.redhat.com/show_bug.cgi?id=547555
[ 42 ] Bug #547569 - SELinux is preventing /usr/lib/cups/backend/tpu "read" access.
https://bugzilla.redhat.com/show_bug.cgi?id=547569
[ 43 ] Bug #547575 - SELinux is preventing /bin/bash "search" access on /home.
https://bugzilla.redhat.com/show_bug.cgi?id=547575
[ 44 ] Bug #547579 - SELinux is preventing tuned "read" access on fifo_file.
https://bugzilla.redhat.com/show_bug.cgi?id=547579
[ 45 ] Bug #547580 - SELinux is preventing ethtool "read" access on /usr/share/tuned/monitorplugins/net.py.
https://bugzilla.redhat.com/show_bug.cgi?id=547580
[ 46 ] Bug #547612 - SELinux is preventing /usr/bin/iceauth "read" access on /proc/<pid>/status.
https://bugzilla.redhat.com/show_bug.cgi?id=547612
[ 47 ] Bug #547632 - SELinux is preventing /opt/lampp/bin/php-5.3.0 from loading /opt/lampp/lib/libct.so.3.0.0 which requires text relocation.
https://bugzilla.redhat.com/show_bug.cgi?id=547632
[ 48 ] Bug #547793 - SELinux is preventing /usr/bin/memcached "write" access on memcached.pid.
https://bugzilla.redhat.com/show_bug.cgi?id=547793
[ 49 ] Bug #547794 - SELinux is preventing /usr/bin/memcached "bind" access.
https://bugzilla.redhat.com/show_bug.cgi?id=547794
[ 50 ] Bug #547858 - SELinux is preventing /usr/bin/gok "getattr" access on /var/games.
https://bugzilla.redhat.com/show_bug.cgi?id=547858
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the Fedora-package-announce
mailing list