Fedora 12 Update: selinux-policy-3.6.32-56.fc12

updates at fedoraproject.org
Wed Dec 16 01:07:25 UTC 2009


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-12990
2009-12-10 03:29:22
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 56.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20090730

--------------------------------------------------------------------------------
Update Information:

- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- Allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec  7 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to windbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_herited_term_perms
* Thu Dec  3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec  3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec  1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec  1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connect to unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory.
* Tue Nov 24 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx 
- Allow rtkit_daemon to read locale file
- Allow snort to create socket 
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs 
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-43
- Fix transition so unconfined_exemem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov  9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface 
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on  asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos library problem.
- Eliminate transition from unconfined_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #543872 - SELinux is preventing /usr/bin/ntlm_auth access to a leaked /dev/snd/controlC0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=543872
  [ 2 ] Bug #544117 - SELinux is preventing /sbin/setfiles access to a leaked /tmp/xerr-root-:0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544117
  [ 3 ] Bug #544242 - SELinux is preventing /sbin/unix_chkpwd access to a leaked 0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544242
  [ 4 ] Bug #544439 - SELinux is preventing /usr/bin/xauth "read" access on /usr/share/fonts/abyssinica/Abyssinica_SIL.ttf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544439
  [ 5 ] Bug #544496 - SELinux is preventing /usr/sbin/lircd "read" access on mouse0.
        https://bugzilla.redhat.com/show_bug.cgi?id=544496
  [ 6 ] Bug #544556 - SELinux is preventing /usr/sbin/logrotate "getattr" access on /var/lib/zope/etc/logrotate.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544556
  [ 7 ] Bug #544672 - SELinux is preventing /sbin/rpc.statd access to a leaked fifo_file file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544672
  [ 8 ] Bug #544678 - SELinux is preventing gdm-smartcard-w "write" access on /var/run/pcscd.events.
        https://bugzilla.redhat.com/show_bug.cgi?id=544678
  [ 9 ] Bug #544697 - SELinux is preventing /usr/bin/abrt-pyhook-helper access to a leaked inotify file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=544697
  [ 10 ] Bug #544704 - SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=544704
  [ 11 ] Bug #544765 - SELinux is preventing /usr/sbin/logrotate "getattr" access on /var/lib/zope/etc/logrotate.conf.
        https://bugzilla.redhat.com/show_bug.cgi?id=544765
  [ 12 ] Bug #544787 - 'system-config-firewall' : firewallgui_t unconfined_t:dbus send_msg;
        https://bugzilla.redhat.com/show_bug.cgi?id=544787
  [ 13 ] Bug #544811 - SELinux is preventing /usr/sbin/asterisk "execute_no_trans" access on /usr/sbin/asterisk.
        https://bugzilla.redhat.com/show_bug.cgi?id=544811
  [ 14 ] Bug #544813 - SELinux is preventing /bin/bash "execute" access on /usr/sbin/asterisk.
        https://bugzilla.redhat.com/show_bug.cgi?id=544813
  [ 15 ] Bug #544853 - SELinux is preventing /usr/bin/Xorg from loading /opt/VBoxGuestAdditions-3.1.0/lib/VBoxOGL.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=544853
  [ 16 ] Bug #544994 - SELinux is preventing /usr/sbin/httpd "signal" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=544994
  [ 17 ] Bug #545083 - SELinux is preventing /usr/sbin/sendmail.postfix "execute" access on /usr/sbin/sendmail.postfix.
        https://bugzilla.redhat.com/show_bug.cgi?id=545083
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------




More information about the Fedora-package-announce mailing list