--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-13384
2009-12-18 03:19:42
--------------------------------------------------------------------------------
Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 59.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20090730

--------------------------------------------------------------------------------
Update Information:

* Tue Dec 15 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add label for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- File contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrastructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- Remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes for vhostmd

--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 15 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-59
- Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add label for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- File contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrastructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
* Thu Dec 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-58
- Dontaudit udp_socket leaks for xauth_t
* Wed Dec 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-57
- Allow unconfined_t to send dbus messages to setroubleshoot
- Allow confined screen app to setattr on user ttys
- Remove wine_t from unconfined domain when unconfined.pp disabled
- Allow sysadm_t to communicate with racoon
- Allow xauth to be run from all unconfined user types
- Fix labeling on all /var/cache/mod_* apps
- Allow asterisk to communicate with postgresql
- Fix labeling for /var/lib/certmaster
- Add policy for ksmtuned and tgtd
- Fixes for vhostmd
* Mon Dec 7 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-56
- Dontaudit exec of fusermount from xguest
- Allow lircd to use mouse_device
- Allow sysadm_t to connect to zebra stream socket
- Dontaudit policykit_auth trying to config terminal
- Allow logrotate and asterisk to execute asterisk
- Allow logrotate to read var_lib files (zope) and connect to fail2ban stream
- Allow firewallgui to communicate with unconfined_t
- Allow podsleuth to ask the kernel to load modules
- Fix labeling on vhostmd scripts
- Remove transition from unconfined_t to winbind_helper_t
- Allow abrt_helper to look at inotify
- Fix labels for mythtv
- Allow apache to signal sendmail
- Allow asterisk to send mail
- Allow rpcd to get and setcap
- Add tor_bind_all_unreserved_ports boolean
- Add policy for vhostmd
- More textrel_shlib_t files
- Add rw_inherited_term_perms
* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-55
- Add fprintd_chat(unconfined_t) to fix su timeout problem
- Make xguest follow allow_execstack boolean
- Dontaudit dbus looking at nfs
* Thu Dec 3 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-54
- Require selinux-policy from selinux-policy-TYPE
- Add labeling to /usr/lib/win32 textrel_shlib_t
- Dontaudit all leaks for abrt_helper
- Fix labeling for mythtv
- Dontaudit setroubleshoot_fix leaks
- Allow xauth_t to read usr_t
- Allow iptables to use fifo files
- Fix labeling on /var/lib/wifiroamd
* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy
* Tue Dec 1 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-52
- Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connect to unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
* Wed Nov 25 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-51
- Mark google shared libraries as requiring textrel_shlib
- Allow svirt to bind/connect to network ports
- Add label for .libvirt directory
* Tue Nov 24 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-50
- Allow modemmanager sys_admin
* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- Allow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicekit_disk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx
- Allow rtkit_daemon to read locale file
- Allow snort to create socket
- Additional perms for xauth
- Lots of textrel_shlib_t file context
* Tue Nov 17 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-46
- abrt needs more access to rpm pid files
- abrt wants to execute its own tmp files
- abrt needs to write sysfs
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-45
- Allow mount on dos file systems
- Fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-43
- Fix transition so unconfined_execmem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov 9 2009 Dan Walsh <dwa...@redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t for Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, Kerberos library problem
- Eliminate transition from unconfined_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #542654 - ntop triggers several AVC denials when starting
        https://bugzilla.redhat.com/show_bug.cgi?id=542654
  [ 2 ] Bug #545285 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files mod_gnutls.dir.
        https://bugzilla.redhat.com/show_bug.cgi?id=545285
  [ 3 ] Bug #545534 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=545534
  [ 4 ] Bug #545562 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=545562
  [ 5 ] Bug #545598 - SELinux is preventing /sbin/iscsid "associate" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=545598
  [ 6 ] Bug #545607 - SELinux is preventing /usr/bin/python (deleted) "getattr" access on /var/lib/certmaster/certmaster/certs/alpha.rzhou.org.cert.
        https://bugzilla.redhat.com/show_bug.cgi?id=545607
  [ 7 ] Bug #545648 - SELinux is preventing /usr/bin/iceauth "read" access on dcopPfMg8b.
        https://bugzilla.redhat.com/show_bug.cgi?id=545648
  [ 8 ] Bug #545676 - SELinux is preventing /usr/libexec/polkit-1/polkitd "getattr" access on /proc/<pid>.
        https://bugzilla.redhat.com/show_bug.cgi?id=545676
  [ 9 ] Bug #545741 - SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on 2B.
        https://bugzilla.redhat.com/show_bug.cgi?id=545741
  [ 10 ] Bug #545747 - SELinux is preventing /usr/bin/xauth access to a leaked unix_stream_socket file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=545747
  [ 11 ] Bug #545771 - SELinux is preventing /usr/sbin/slapd "write" access. (to cn=config database)
        https://bugzilla.redhat.com/show_bug.cgi?id=545771
  [ 12 ] Bug #546007 - SELinux is preventing /usr/bin/python "read" access on /proc/<pid>/cmdline.
        https://bugzilla.redhat.com/show_bug.cgi?id=546007
  [ 13 ] Bug #546078 - SELinux is preventing /sbin/setfiles access to a leaked /tmp/xerr-root-:0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=546078
  [ 14 ] Bug #546101 - SELinux is preventing /usr/bin/xauth access to a leaked udp_socket file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=546101
  [ 15 ] Bug #546143 - SELinux is preventing /usr/libexec/polkit-gnome-authentication-agent-1 "search" access on /home.
        https://bugzilla.redhat.com/show_bug.cgi?id=546143
  [ 16 ] Bug #546145 - SELinux is preventing /usr/libexec/polkit-gnome-authentication-agent-1 "search" access on /usr/share/X11/fonts.
        https://bugzilla.redhat.com/show_bug.cgi?id=546145
  [ 17 ] Bug #546157 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=546157
  [ 18 ] Bug #546224 - SELinux is preventing /usr/bin/xauth "write" access on /usr/NX/home/nx.
        https://bugzilla.redhat.com/show_bug.cgi?id=546224
  [ 19 ] Bug #546265 - SELinux is preventing /usr/libexec/hal-storage-mount "sys_resource" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=546265
  [ 20 ] Bug #546352 - SELinux is preventing /usr/sbin/dovecot "write" access on /var/log/dovecot/dovecot.log.
        https://bugzilla.redhat.com/show_bug.cgi?id=546352
  [ 21 ] Bug #546360 - SELinux is preventing /sbin/unix_chkpwd access to a leaked 0 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=546360
  [ 22 ] Bug #546362 - SELinux is preventing /usr/libexec/polkit-1/polkitd "getattr" access on /proc/<pid>/stat.
        https://bugzilla.redhat.com/show_bug.cgi?id=546362
  [ 23 ] Bug #546400 - SELinux is preventing /usr/bin/xauth "write" access on /usr/NX/home/nx.
        https://bugzilla.redhat.com/show_bug.cgi?id=546400
  [ 24 ] Bug #546467 - SELinux is preventing /bin/bash "search" access on /home/aurin.
        https://bugzilla.redhat.com/show_bug.cgi?id=546467
  [ 25 ] Bug #546773 - SELinux is preventing /usr/bin/iceauth "getattr" access on /tmp/dcopPfMg8b.
        https://bugzilla.redhat.com/show_bug.cgi?id=546773
  [ 26 ] Bug #546798 - SELinux is preventing /usr/libexec/gdm-session-worker "create" access on event.1652.17022326.
        https://bugzilla.redhat.com/show_bug.cgi?id=546798
  [ 27 ] Bug #546799 - SELinux is preventing /usr/bin/kismet_server "name_connect" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=546799
  [ 28 ] Bug #546801 - SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled files (/home/juan/Downloads).
        https://bugzilla.redhat.com/show_bug.cgi?id=546801
  [ 29 ] Bug #546806 - SELinux is preventing /usr/bin/gdb "read" access on /lib/modules/2.6.31.6-166.fc12.x86_64/vdso/vdso.so.
        https://bugzilla.redhat.com/show_bug.cgi?id=546806
  [ 30 ] Bug #546853 - SELinux is preventing /lib/ld-2.11.so "execute" access on /usr/lib/firefox-3.5.5/firefox.
        https://bugzilla.redhat.com/show_bug.cgi?id=546853
  [ 31 ] Bug #546888 - SELinux is preventing /usr/bin/gok "getattr" access on /var/mail.
        https://bugzilla.redhat.com/show_bug.cgi?id=546888
  [ 32 ] Bug #547003 - SELinux is preventing /usr/libexec/mysqld "unlink" access on squeezebox-mysql.sock.
        https://bugzilla.redhat.com/show_bug.cgi?id=547003
  [ 33 ] Bug #547021 - SELinux is preventing /usr/bin/xauth "write" access on nx.
        https://bugzilla.redhat.com/show_bug.cgi?id=547021
  [ 34 ] Bug #547043 - SELinux is preventing /usr/sbin/lircd "read" access on fifo_file.
        https://bugzilla.redhat.com/show_bug.cgi?id=547043
  [ 35 ] Bug #547111 - SELinux is preventing /usr/bin/updatedb "read" access on 2.0.0.0__b03f5f7f11d50a3a.
        https://bugzilla.redhat.com/show_bug.cgi?id=547111
  [ 36 ] Bug #547180 - SELinux is preventing /usr/sbin/swat "search" access on /root.
        https://bugzilla.redhat.com/show_bug.cgi?id=547180
  [ 37 ] Bug #547247 - SELinux is preventing /usr/libexec/mysqld from connecting to port 49527.
        https://bugzilla.redhat.com/show_bug.cgi?id=547247
  [ 38 ] Bug #547342 - SELinux is preventing /bin/sed "write" access on fifo_file.
        https://bugzilla.redhat.com/show_bug.cgi?id=547342
  [ 39 ] Bug #547468 - SELinux is preventing Samba (smbd) "search" access to 4DC3BA73696361.
        https://bugzilla.redhat.com/show_bug.cgi?id=547468
  [ 40 ] Bug #547472 - SELinux is preventing /usr/bin/python "read" access on /var/run/abrt.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=547472
  [ 41 ] Bug #547555 - SELinux is preventing /usr/bin/mythfrontend from loading /usr/lib/mythtv/filters/libgreedyhdeint.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=547555
  [ 42 ] Bug #547569 - SELinux is preventing /usr/lib/cups/backend/tpu "read" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=547569
  [ 43 ] Bug #547575 - SELinux is preventing /bin/bash "search" access on /home.
        https://bugzilla.redhat.com/show_bug.cgi?id=547575
  [ 44 ] Bug #547579 - SELinux is preventing tuned "read" access on fifo_file.
        https://bugzilla.redhat.com/show_bug.cgi?id=547579
  [ 45 ] Bug #547580 - SELinux is preventing ethtool "read" access on /usr/share/tuned/monitorplugins/net.py.
        https://bugzilla.redhat.com/show_bug.cgi?id=547580
  [ 46 ] Bug #547612 - SELinux is preventing /usr/bin/iceauth "read" access on /proc/<pid>/status.
        https://bugzilla.redhat.com/show_bug.cgi?id=547612
  [ 47 ] Bug #547632 - SELinux is preventing /opt/lampp/bin/php-5.3.0 from loading /opt/lampp/lib/libct.so.3.0.0 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=547632
  [ 48 ] Bug #547793 - SELinux is preventing /usr/bin/memcached "write" access on memcached.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=547793
  [ 49 ] Bug #547794 - SELinux is preventing /usr/bin/memcached "bind" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=547794
  [ 50 ] Bug #547858 - SELinux is preventing /usr/bin/gok "getattr" access on /var/games.
        https://bugzilla.redhat.com/show_bug.cgi?id=547858

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update selinux-policy' at the command line. For more information,
refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce
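The install instructions above tell you how to apply the update but not how to confirm it took effect. The following script is an added example (it is not part of the Fedora notification and not Fedora tooling): it checks that the installed selinux-policy is at least the advisory's version-release (3.6.32-59.fc12, taken from the Name/Version/Release header), prints the package signature rpm recorded at install time so it can be compared with the Fedora key at http://fedoraproject.org/keys, and spot-checks one change listed in the 3.6.32-59 changelog entry ("Add port 546 as a dhcpc port"). The version comparison is a simplified stand-in for rpm's own rpmvercmp and is assumed adequate for one package within one Fedora release; the rpm and semanage invocations are standard commands but only run when those tools are present.

```shell
#!/bin/sh
# Added verification script for FEDORA-2009-13384 (example code, not part of
# the notification). Assumes the advisory's fixed version-release below and,
# for the live checks, rpm(8) and optionally semanage(8) on the host.

REQUIRED="3.6.32-59.fc12"

# version_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED. Both strings are split on '.' and '-'
# (3.6.32-59.fc12 -> 3 6 32 59 fc12); numeric fields compare as numbers, any
# other field (the fc12 dist tag) compares as text. A simplified stand-in for
# rpm's rpmvercmp, assumed good enough for one package in one Fedora release.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""
            q = (i <= nb) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) {
                if (p + 0 > q + 0) exit 0
                if (p + 0 < q + 0) exit 1
            } else if (p != q) {
                if (p > q) exit 0
                exit 1
            }
        }
        exit 0
    }'
}

# installed_version: print VERSION-RELEASE of the installed selinux-policy.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy
}

# check_host: the three checks worth running after the update: version,
# recorded package signature, and one policy change from the changelog.
check_host() {
    inst=$(installed_version) || { echo "selinux-policy is not installed"; return 2; }
    if version_at_least "$inst" "$REQUIRED"; then
        echo "version ok: $inst >= $REQUIRED"
    else
        echo "OUTDATED: $inst < $REQUIRED (run: su -c 'yum update selinux-policy')"
        return 1
    fi
    # rpm -qi prints the signature (and key ID) it verified at install time;
    # the key ID should match the Fedora 12 key at http://fedoraproject.org/keys.
    rpm -qi selinux-policy | grep -i '^Signature'
    # Spot-check a 3.6.32-59 change: "Add port 546 as a dhcpc port".
    if command -v semanage >/dev/null 2>&1; then
        semanage port -l | grep dhcpc_port_t
    fi
}

# Only talk to rpm when it exists, so the script is harmless on other systems.
if command -v rpm >/dev/null 2>&1; then
    check_host || echo "host check failed (status $?)"
fi
```

Run it as root after `yum update selinux-policy`; a non-zero status from check_host means the host is still on an older policy or has no selinux-policy package at all. The dhcpc_port_t line should now list 546 alongside the other dhcpc ports; if it does not, the running policy was not reloaded from the new package.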