[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fedora 12 Update: selinux-policy-3.6.32-49.fc12



--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-12131
2009-11-25 13:36:30
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 12
Version     : 3.6.32
Release     : 49.fc12
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20090730

--------------------------------------------------------------------------------
Update Information:

Fixes many bugs including    - Abrt connect to any port  - Dontaudit chrome-
sandbox trying to getattr on all processes  - Allow passwd to execute gnome-
keyring  - Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling  - Allow mozilla to connect to flash port  - Allow
pulseaudio to connect to unix_streams  - Allow sambagui to read secrets file  -
Allow mount to mount unlabeled files  - ALlow abrt to use ypbind, send kill
signals  - Allow arpwatch to create socket class  - Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs  - Allow devicedisk to read virt
images block devices  - Allow gpsd to sys_tty_config  - Fix nagios interfaces  -
Policy for nagios plugins  - Fixes for nx   - Allow rtkit_daemon to read locale
file  - Allow snort to create socket   - Additional perms for xauth  - lots of
textrel_lib_t file context
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 23 2009 Dan Walsh <dwalsh redhat com> 3.6.32-49
- Allow sssd to read all processes domain
* Mon Nov 23 2009 Dan Walsh <dwalsh redhat com> 3.6.32-48
- Abrt connect to any port
- Dontaudit chrome-sandbox trying to getattr on all processes
- Allow passwd to execute gnome-keyring
- Allow chrome_sandbox_t to read home content inherited from the parent
- Fix eclipse labeling
- Allow mozilla to connect to flash port
- Allow pulseaudio to connect to unix_streams
- Allow sambagui to read secrets file
- Allow mount to mount unlabeled files
- ALlow abrt to use ypbind, send kill signals
- Allow arpwatch to create socket class
- Allow asterisk to read urand
- Allow corosync to communicate with user tmpfs
- Allow devicedisk to read virt images block devices
- Allow gpsd to sys_tty_config
- Fix nagios interfaces
- Policy for nagios plugins
- Fixes for nx 
- Allow rtkit_daemon to read locale file
- Allow snort to create socket 
- Additional perms for xauth
- lots of textrel_lib_t file context
* Tue Nov 17 2009 Dan Walsh <dwalsh redhat com> 3.6.32-47
- Make mozilla call in execmem.if optional to fix build of minimum install
- Allow uucpd to execute shells and send mail
- Fix label on libtfmessbsp.so
* Mon Nov 16 2009 Dan Walsh <dwalsh redhat com> 3.6.32-46
- abrt needs more access to rpm pid files
- Abrt wants to execute its own tmp files
- abrt needs to write sysfs 
- abrt needs to search all file system dirs
- logrotate and tmpreaper need to be able to manage abrt cache
- rtkit_daemon needs to be able to setsched on lots of user apps
- networkmanager creates dirs in /var/lib
- plymouth executes lvm tools
* Fri Nov 13 2009 Dan Walsh <dwalsh redhat com> 3.6.32-45
- Allow mount on dos file systems
- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses
* Thu Nov 12 2009 Dan Walsh <dwalsh redhat com> 3.6.32-44
- Add lighttpd file context to apache.fc
- Allow tmpreaper to read /var/cache/yum
- Allow kdump_t sys_rawio
- Add execmem_exec_t context for /usr/bin/aticonfig
- Allow dovecot-deliver to signull dovecot
- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so
* Tue Nov 10 2009 Dan Walsh <dwalsh redhat com> 3.6.32-43
- Fix transition so unconfined_exemem_t creates user_tmp_t
- Allow chrome_sandbox_t to write to user_tmp_t when printing
- Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files
- Allow execmem_t to execmod files in mozilla_home_t
- Allow firewallgui to communicate with nscd
* Mon Nov  9 2009 Dan Walsh <dwalsh redhat com> 3.6.32-42
- Allow kdump to read the kernel core interface 
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on  asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos libary problem.
- Eliminate transition from unconifned_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #538237 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox access to a leaked /dev/tty1 file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=538237
  [ 2 ] Bug #538262 - SELinux is preventing /usr/bin/python "create" access on rpmfusion-free-debuginfo.
        https://bugzilla.redhat.com/show_bug.cgi?id=538262
  [ 3 ] Bug #538310 - SELinux is preventing /usr/lib64/chromium-browser/chromium-browser "read" access on chromium.
        https://bugzilla.redhat.com/show_bug.cgi?id=538310
  [ 4 ] Bug #538369 - SELinux is preventing /opt/ibm/lotus/notes/framework/rcp/eclipse/plugins/com.ibm.rcp.base_6.2.1.20090925-1604/linux/x86/notes2 from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=538369
  [ 5 ] Bug #538389 - SELinux is preventing /bin/bash "getattr" access on /bin/uname.
        https://bugzilla.redhat.com/show_bug.cgi?id=538389
  [ 6 ] Bug #538390 - SELinux is preventing /sbin/consoletype access to a leaked /tmp/.webmin/727338_1_start.cgi file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=538390
  [ 7 ] Bug #538396 - SELinux is preventing /bin/bash "getattr" access on /var/run/mysqld/mysqld.pid.
        https://bugzilla.redhat.com/show_bug.cgi?id=538396
  [ 8 ] Bug #538397 - SELinux is preventing /bin/rm "write" access on /var/run/mysqld.
        https://bugzilla.redhat.com/show_bug.cgi?id=538397
  [ 9 ] Bug #538427 - SELinux is preventing /usr/Aptana Studio 2.0/AptanaStudio from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=538427
  [ 10 ] Bug #538461 - SELinux is preventing /usr/sbin/avahi-autoipd "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=538461
  [ 11 ] Bug #538494 - setkey_t fails to request module load for af_key
        https://bugzilla.redhat.com/show_bug.cgi?id=538494
  [ 12 ] Bug #538569 - SELinux is preventing /usr/bin/xauth "read" access on /proc/<pid>/status.
        https://bugzilla.redhat.com/show_bug.cgi?id=538569
  [ 13 ] Bug #538581 - SELinux is preventing /usr/libexec/rtkit-daemon (deleted) "setsched" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=538581
  [ 14 ] Bug #538582 - SELinux is preventing /usr/libexec/rtkit-daemon (deleted) "setsched" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=538582
  [ 15 ] Bug #538587 - SELinux is preventing nautilus (xguest_t) "getattr" proc_mdstat_t.
        https://bugzilla.redhat.com/show_bug.cgi?id=538587
  [ 16 ] Bug #538641 - SELinux is preventing /usr/lib/thunderbird-3.0b4/thunderbird-bin from loading /home/suresh/.thunderbird/q6va9077.default/extensions/{340c2bbc-ce74-4362-90b5-7c26312808ef}/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=538641
  [ 17 ] Bug #538661 - SELinux is preventing /usr/bin/python "search" access on 16049.
        https://bugzilla.redhat.com/show_bug.cgi?id=538661
  [ 18 ] Bug #538664 - racoon_t needs to load ipsec modules
        https://bugzilla.redhat.com/show_bug.cgi?id=538664
  [ 19 ] Bug #538666 - SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java from loading /home/liveuser/.juniper_networks/network_connect/libncui.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=538666
  [ 20 ] Bug #538667 - SELinux is preventing /bin/mount "mount" access on /.
        https://bugzilla.redhat.com/show_bug.cgi?id=538667
  [ 21 ] Bug #538672 - SELinux prevented mount from mounting on the file or directory     "/mnt/live" (type "iso9660_t").
        https://bugzilla.redhat.com/show_bug.cgi?id=538672
  [ 22 ] Bug #538708 - SELinux is preventing /usr/sbin/arpwatch "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=538708
  [ 23 ] Bug #538728 - SELinux is preventing /home/lonnie/Programs/Songbird/songbird-bin from loading /home/lonnie/Programs/Songbird/components/sbMediacoreManager.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=538728
  [ 24 ] Bug #538811 - SELinux is preventing /usr/sbin/named access to a leaked /tmp/.webmin/305863_1_start.cgi file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=538811
  [ 25 ] Bug #538843 - SELinux is preventing /usr/bin/gdb "read" access on nppdf.so.
        https://bugzilla.redhat.com/show_bug.cgi?id=538843
  [ 26 ] Bug #538992 - SELinux prevented abrtd from using NIS (yp).
        https://bugzilla.redhat.com/show_bug.cgi?id=538992
  [ 27 ] Bug #538998 - SELinux is preventing /usr/sbin/abrtd "name_bind" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=538998
  [ 28 ] Bug #539295 - SELinux is preventing /usr/sbin/NetworkManager "read" access on /var/lib/NetworkManager/NetworkManager.state.
        https://bugzilla.redhat.com/show_bug.cgi?id=539295
  [ 29 ] Bug #539399 - SELinux is preventing /usr/sbin/NetworkManager "read" access on /var/lib/NetworkManager/NetworkManager.state.
        https://bugzilla.redhat.com/show_bug.cgi?id=539399
  [ 30 ] Bug #539415 - SELinux is preventing /usr/bin/nautilus (deleted) "setattr" access on mounts.
        https://bugzilla.redhat.com/show_bug.cgi?id=539415
  [ 31 ] Bug #539519 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /var/run/pcscd.pub.
        https://bugzilla.redhat.com/show_bug.cgi?id=539519
  [ 32 ] Bug #539549 - SELinux is preventing /usr/bin/xauth "write" access on /var/lib/nxserver/home.
        https://bugzilla.redhat.com/show_bug.cgi?id=539549
  [ 33 ] Bug #539581 - SELinux is preventing /usr/bin/abrt-pyhook-helper "write" access on /var/cache/abrt.
        https://bugzilla.redhat.com/show_bug.cgi?id=539581
  [ 34 ] Bug #539603 - SELinux is preventing /usr/libexec/pk-gstreamer-install from loading /usr/lib64/gstreamer-0.10/libgstffmpeg.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=539603
  [ 35 ] Bug #539619 - SELinux is preventing /usr/bin/xauth "getattr" access on /home.
        https://bugzilla.redhat.com/show_bug.cgi?id=539619
  [ 36 ] Bug #539630 - SELinux is preventing /usr/bin/abrt-pyhook-helper "write" access on /var/run/nscd/socket.
        https://bugzilla.redhat.com/show_bug.cgi?id=539630
  [ 37 ] Bug #539707 - SELinux is preventing /usr/lib64/nagios/plugins/check_disk "getattr" access on /dev/sdb1.
        https://bugzilla.redhat.com/show_bug.cgi?id=539707
  [ 38 ] Bug #539708 - SELinux is preventing /usr/bin/xauth "getattr" access on /tmp.
        https://bugzilla.redhat.com/show_bug.cgi?id=539708
  [ 39 ] Bug #539750 - SELinux is preventing the /usr/lib/chromium-browser/chromium-browser from using potentially mislabeled files (/home/akshay/.config/chromium/Dictionaries/en-US-1-2.bdic).
        https://bugzilla.redhat.com/show_bug.cgi?id=539750
  [ 40 ] Bug #539754 - SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "getattr" access on /proc/<pid>.
        https://bugzilla.redhat.com/show_bug.cgi?id=539754
  [ 41 ] Bug #539810 - SELinux is preventing /usr/lib/vmware/bin/appLoader from loading /usr/lib/vmware/lib/libvmware-gksu.so/libvmware-gksu.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=539810
  [ 42 ] Bug #539817 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "read" access on /proc.
        https://bugzilla.redhat.com/show_bug.cgi?id=539817
  [ 43 ] Bug #539822 - SELinux is preventing /opt/Komodo-Edit-5/lib/mozilla/komodo-bin from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=539822
  [ 44 ] Bug #539824 - SELinux is preventing /opt/Komodo-Edit-5/lib/mozilla/komodo-bin from loading /opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/_ssl.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=539824
  [ 45 ] Bug #539835 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "read" access on /proc.
        https://bugzilla.redhat.com/show_bug.cgi?id=539835
  [ 46 ] Bug #539888 - SELinux is preventing avidemux2_gtk from loading /usr/lib/ADM_plugins/videoFilter/libADM_vf_FluxSmooth.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=539888
  [ 47 ] Bug #539958 - SELinux is preventing /usr/bin/python "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=539958
  [ 48 ] Bug #539959 - SELinux is preventing /usr/bin/python "connect" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=539959
  [ 49 ] Bug #539964 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "read" access on 0.
        https://bugzilla.redhat.com/show_bug.cgi?id=539964
  [ 50 ] Bug #539977 - SELinux is preventing the /usr/lib64/chromium-browser/chromium-browser from using potentially mislabeled files (/home/yankee/.config/chromium/Dictionaries/nl-NL-1-1.bdic).
        https://bugzilla.redhat.com/show_bug.cgi?id=539977
  [ 51 ] Bug #539988 - SELinux is preventing /usr/sbin/snort-plain "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=539988
  [ 52 ] Bug #539998 - SELinux is preventing /usr/sbin/sshd "read" access on /usr/NX/home/nx/.ssh/authorized_keys2
        https://bugzilla.redhat.com/show_bug.cgi?id=539998
  [ 53 ] Bug #540027 - SELinux prevented asterisk from reading from the urandom device.
        https://bugzilla.redhat.com/show_bug.cgi?id=540027
  [ 54 ] Bug #540107 - SELinux is preventing /usr/bin/pdbedit "read write" access on passdb.tdb.
        https://bugzilla.redhat.com/show_bug.cgi?id=540107
  [ 55 ] Bug #540112 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "search" access on 66.
        https://bugzilla.redhat.com/show_bug.cgi?id=540112
  [ 56 ] Bug #540173 - SELinux is preventing /usr/bin/python "name_connect" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540173
  [ 57 ] Bug #540181 - SELinux is preventing /usr/bin/python "create" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540181
  [ 58 ] Bug #540210 - SELinux is preventing firefox-bin from loading /usr/lib/firefox-2.0.20/extensions/talkback mozilla org/components/libqfaservices.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540210
  [ 59 ] Bug #540241 - SELinux is preventing /usr/bin/xauth access to a leaked console file descriptor.
        https://bugzilla.redhat.com/show_bug.cgi?id=540241
  [ 60 ] Bug #540345 - SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "open" access on /proc.
        https://bugzilla.redhat.com/show_bug.cgi?id=540345
  [ 61 ] Bug #540346 - SELinux is preventing /usr/libexec/pk-gstreamer-install from loading /usr/lib/gstreamer-0.10/libgstflump3dec.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540346
  [ 62 ] Bug #540367 - SELinux is preventing /usr/bin/passwd "execute" access on /usr/bin/gnome-keyring-daemon.
        https://bugzilla.redhat.com/show_bug.cgi?id=540367
  [ 63 ] Bug #540385 - SELinux is preventing /usr/sbin/gpsd "sys_tty_config" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540385
  [ 64 ] Bug #540445 - SELinux is preventing /usr/libexec/rtkit-daemon "read" access on /etc/localtime.
        https://bugzilla.redhat.com/show_bug.cgi?id=540445
  [ 65 ] Bug #540522 - SELinux is preventing /usr/bin/vlc from loading /usr/lib/libx264.so.68 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540522
  [ 66 ] Bug #540564 - SELinux is preventing /usr/bin/python from loading /usr/lib/cedega/gddb_parser32_1013.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540564
  [ 67 ] Bug #540583 - SELinux is preventing /usr/sbin/abrtd (deleted) "kill" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=540583
  [ 68 ] Bug #540586 - SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java from loading /home/art/.jagex_cache_32/runescape/libjaggl_dri.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540586
  [ 69 ] Bug #540590 - SELinux is preventing /usr/bin/nautilus from loading /usr/lib/gstreamer-0.10/libgstflump3dec.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=540590
  [ 70 ] Bug #533486 - SELinux is preventing /usr/lib64/nspluginwrapper/plugin-config from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=533486
  [ 71 ] Bug #533694 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files settings.php.
        https://bugzilla.redhat.com/show_bug.cgi?id=533694
  [ 72 ] Bug #534001 - SELinux is preventing /usr/lib/firefox-3.5.4/firefox from loading /home/jlaska/.mozilla/firefox/fbf1b42a.default/extensions/lazarus interclue com/platform/Linux_x86-gcc3/components/WeaveCrypto.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=534001
  [ 73 ] Bug #537816 - SELinux is preventing /usr/libexec/rtkit-daemon "setsched" access.
        https://bugzilla.redhat.com/show_bug.cgi?id=537816
  [ 74 ] Bug #537963 - SELinux is preventing /usr/bin/mod_install from loading /usr/lib/libtfmessbsp.so which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=537963
  [ 75 ] Bug #537967 - SELinux is preventing /usr/bin/avidemux2_gtk from loading /usr/lib/libADM5avcodec.so.52 which requires text relocation.
        https://bugzilla.redhat.com/show_bug.cgi?id=537967
  [ 76 ] Bug #538060 - SELinux is preventing /usr/sbin/uuxqt "execute" access on /bin/bash.
        https://bugzilla.redhat.com/show_bug.cgi?id=538060
  [ 77 ] Bug #538061 - SELinux is preventing /usr/sbin/uuxqt "execute" access on /usr/sbin/sendmail.postfix.
        https://bugzilla.redhat.com/show_bug.cgi?id=538061
  [ 78 ] Bug #538162 - SELinux is preventing /usr/bin/python "lock" access on /sys/devices/platform/dcdbas/smi_request.
        https://bugzilla.redhat.com/show_bug.cgi?id=538162
  [ 79 ] Bug #538195 - SELinux is preventing /opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins/com.ibm.rcp.base_6.2.0.20090525-1200/linux/x86/symphony from making the program stack executable.
        https://bugzilla.redhat.com/show_bug.cgi?id=538195
  [ 80 ] Bug #538197 - SELinux is preventing /usr/bin/abrt-pyhook-helper "write" access on abrt.
        https://bugzilla.redhat.com/show_bug.cgi?id=538197
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update selinux-policy' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]