Fedora 41 Update: selinux-policy-41.27-1.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-98cb37f64a
2024-12-20 13:38:02.107422+00:00
--------------------------------------------------------------------------------

Name        : selinux-policy
Product     : Fedora 41
Version     : 41.27
Release     : 1.fc41
URL         : https://github.com/fedora-selinux/selinux-policy
Summary     : SELinux policy configuration
Description :
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

--------------------------------------------------------------------------------
Update Information:

New F41 selinux-policy build
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 17 2024 Zdenek Pytela <zpytela@xxxxxxxxxx> - 41.27-1
- Update ktlsh policy
- Allow request-key to read /etc/passwd
- Allow request-key to manage all domains' keys
- Add support for the KVM guest memfd anon inodes
- Allow auditctl signal auditd
- Dontaudit systemd-coredump the sys_resource capability
- Allow traceroute_t bind rawip sockets to unreserved ports
- Fix the cups_read_pid_files() interface to use read_files_pattern
- Allow virtqemud additional permissions for tmpfs_t blk devices
- Allow virtqemud rw access to svirt_image_t chr files
- Allow virtqemud rw and setattr access to fixed block devices
- Label /etc/mdevctl.d/scripts.d with bin_t
- Allow virtqemud open svirt_devpts_t char files
- Allow virtqemud relabelfrom virt_log_t files
- Allow svirt_tcg_t read virtqemud_t fifo_files
- Allow virtqemud rw and setattr access to sev devices
- Allow virtqemud directly read and write to a fixed disk
- Allow virtqemud_t relabel virt_var_lib_t files
- Allow virtqemud_t relabel virtqemud_var_run_t sock_files
- Add gnome_filetrans_gstreamer_admin_home_content() interface
- Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
- Make bootupd_t permissive
- Allow init_t nnp domain transition to locate_t
- Allow gdm and iiosensorproxy talk to each other via D-Bus
- Allow systemd-journald getattr nsfs files
- Allow sendmail to map mail server configuration files
- Allow procmail to read mail aliases
- Allow cifs.idmap helper to set attributes on kernel keys
- Allow irqbalance setpcap capability in the user namespace
- Allow sssd_selinux_manager_t the setcap process permission
- Allow systemd-sleep manage efivarfs files
- Allow systemd-related domains getattr nsfs files
- Allow svirt_t the sys_rawio capability
- Allow alsa watch generic device directories
- Move systemd-homed interfaces to separate optional_policy block
- Update samba-bgqd policy
- Update virtlogd policy
- Allow svirt_t the sys_rawio capability
- Allow qemu-ga the dac_override and dac_read_search capabilities
- Allow bacula execute container in the container domain
- Allow httpd get attributes of dirsrv unit files
- Allow samba-bgqd read cups config files
- Add label rshim_var_run_t for /run/rshim.pid
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2328821 - cifs.idmap denial when mounting share with SMB3 POSIX extensions enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=2328821
  [ 2 ] Bug #2329280 - SELinux is preventing /usr/lib/systemd/systemd-resolved from 'getattr' accesses on the file /cgroup:[4026531835].
        https://bugzilla.redhat.com/show_bug.cgi?id=2329280
  [ 3 ] Bug #2330477 - SELinux is preventing gst-plugin-scan from read, write access on the chr_file v4l-subdev4.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330477
  [ 4 ] Bug #2330674 - Failed to start systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330674
  [ 5 ] Bug #2330761 - SELinux is preventing /usr/lib/systemd/systemd-executor from 'execute_no_trans' accesses on the file /usr/sbin/updatedb.
        https://bugzilla.redhat.com/show_bug.cgi?id=2330761
  [ 6 ] Bug #2331486 - Allow setcap() syscall for 'sssd_selinux_manager_t'
        https://bugzilla.redhat.com/show_bug.cgi?id=2331486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-98cb37f64a' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- package-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to package-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



