4.291. selinux-policy
Updated selinux-policy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#665176
- Most of the major services in Red Hat Enterprise Linux 6 have a corresponding service_selinux(8) manual page. Previously, there was no manual page for the MySQL service (mysqld). This update corrects this error, and the selinux-policy packages now provide the mysql_selinux(8) manual page as expected.
- BZ#694031
- When the SELinux Multi-Level Security (MLS) policy was enabled, running the "userdel -r" command caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant policy has been corrected so that userdel no longer produces these messages.
- BZ#698923
- When SELinux was running in enforcing mode, an incorrect SELinux policy prevented the kadmin utility (a program for Kerberos V5 database administration) from setting process priority. With this update, the SELinux policy has been corrected, and kadmin now works as expected.
- BZ#701885
- Previously, the output of the "semanage boolean -l" command contained errors. This update fixes the descriptions of various SELinux Booleans to ensure that the aforementioned command now produces correct output without errors.
- BZ#704191
- Prior to this update, the secadm SELinux user was not allowed to modify SELinux configuration files. With this update, the relevant SELinux policy has been corrected, and the secadm SELinux user can now modify such configuration files as expected.
- BZ#705277, BZ#712961, BZ#716973
- With SELinux enabled, the rsyslogd service was previously unable to send messages encrypted with the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy, and rsyslogd can now send such messages as expected.
- BZ#705489
- With SELinux enabled, configuring cluster fencing agents to use the SSH or Telnet protocol caused these fencing agents to fail. This update contains updated SELinux rules and introduces a new fenced_can_ssh Boolean, which allows the fencing agents to use these protocols.
- BZ#706086
- Due to a constraint violation, when SELinux was running in enforcing mode, the xinetd service was unable to connect to localhost and the operation failed. With this update, xinetd is now trusted to write outbound packets regardless of the network's or node's Multi-Level Security (MLS) range, which resolves this issue.
- BZ#706448
- Due to an incorrect SELinux policy, when the user added a NIS username to the /etc/cgrules.conf configuration file, SELinux incorrectly prevented cgroups from properly applying rules to NIS users. This update corrects this error by adding an appropriate policy so that SELinux no longer prevents cgroups from applying rules to NIS users.
- BZ#707616
- Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented an MLS machine from registering with Red Hat Network. This update corrects the SELinux policy so that MLS machines can now be registered as expected.
- BZ#710357
- Prior to this update, various incorrect SELinux labels caused several Access Vector Cache (AVC) messages to be written to the audit log. With this update, the SELinux labels that triggered these AVC messages have been corrected so that such AVC messages no longer appear in the log.
- BZ#713218
- Due to incorrect SELinux policy rules, the Kerberos 5 Admin Server (kadmind) was unable to contact the LDAP server and failed to start. This update fixes the relevant policy, and kadmind now starts as expected.
- BZ#714620
- With SELinux running in enforcing mode, the sssd service did not work properly: once any user had authenticated to the sshd service using the Generic Security Services Application Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly.
- BZ#715038
- Previously, various labels were incorrect and rules for creating new 389-ds instances were missing. Consequent to this, when the user created a new 389-ds instance using the 389-console utility, several Access Vector Cache (AVC) messages appeared in the audit log. With this update, the erroneous labels have been fixed and missing rules have been added so that new 389-ds instances are now created without these AVC messages.
- BZ#718390
- Due to incorrect SELinux policies, the puppetmaster service was not allowed to get attributes of the chage utility, and any attempt to do so caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the SELinux policy rules have been adapted to allow puppetmaster to perform this operation.
- BZ#719261
- When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail transfer agent from re-sending queued email messages. This update adds a new security file context for the /var/spool/postfix/maildrop/ directory to make sure Postfix is now allowed to re-send queued email messages as expected.
- BZ#719929
- The previous version of the httpd_selinux(8) manual page was incomplete and did not provide any information about the following Booleans:
- httpd_enable_ftp_server
- httpd_execmem
- httpd_read_user_content
- httpd_setrlimit
- httpd_ssi_exec
- httpd_tmp_exec
- httpd_use_cifs
- httpd_use_gpg
- httpd_use_nfs
- httpd_can_check_spam
- httpd_can_network_connect_cobbler
- httpd_can_network_connect_db
- httpd_can_network_connect_memcache
- httpd_can_network_relay
- httpd_dbus_avahi
With this update, this error no longer occurs, and the aforementioned manual page now describes all available SELinux Booleans as expected.
- BZ#722381
- Due to the /var/lib/squeezeboxserver/ directory having an incorrect security context, an attempt to start the squeezeboxserver service with SELinux running in enforcing mode failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, the security context of this directory has been corrected so that SELinux no longer prevents squeezeboxserver from starting.
- BZ#725414
- When a non-root user (in the unconfined_t domain) ran the ssh-keygen utility and the ~/.ssh/ directory did not exist, the utility created this directory with an incorrect security context. This update adapts the relevant SELinux policy to make sure ~/.ssh/ is now created with the correct context (the ssh_home_t type).
- BZ#726339
- Prior to this update, SELinux prevented the ip utility from using the sys_module capability, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged (the access is still denied; the denial is simply no longer audited).
- BZ#727130
- When SELinux was running in enforcing mode, an incorrect policy prevented the grubby utility from searching DOS file systems such as FAT32 or NTFS. This update corrects the SELinux policy so that grubby can now work as expected.
- BZ#727150
- With the omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.
- BZ#727290
- Prior to this update, SELinux prevented the lldpad daemon from using the sys_module capability, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged (the access is still denied; the denial is simply no longer audited).
- BZ#728591
- When SELinux was running in enforcing mode, rsyslog clients were incorrectly denied access to port 6514 (the syslog over TLS port). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.
- BZ#728699
- Prior to this update, SELinux incorrectly prevented the hddtemp utility from listening on localhost. This update corrects this error, and the selinux-policy packages now provide updated SELinux rules that allow hddtemp to listen on localhost as expected.
- BZ#728790
- When running in enforcing mode, SELinux incorrectly prevented the new fence_kdump agent from binding to a port. This update adds appropriate SELinux rules to make sure this agent can bind to a port as expected.
- BZ#729073
- Due to an incorrect SELinux policy, an attempt to use nice to modify the scheduling priority of the openvpn service failed because SELinux prevented it. This update provides updated SELinux rules and adds the sys_nice capability so that users are now allowed to modify the scheduling priority as expected.
- BZ#729365
- The allow_unconfined_qemu_transition Boolean has been removed to make sure that QEMU is allowed to work together with the libguestfs library.
- BZ#730218
- Due to incorrect SELinux policy rules, the procmail mail delivery agent was not allowed to execute the hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support the aforementioned procmail option.
- BZ#730662
- Prior to this update, launching a new virtual machine with a fileinject custom property caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant SELinux policy has been corrected to ensure this action no longer produces such messages.
- BZ#730837
- When SELinux was running in enforcing mode, an attempt to run the puppet server that was configured as a Passenger web application for scaling purposes failed. This update provides adapted SELinux rules to allow this, and the puppet server configured as a Passenger web application no longer fails to run.
- BZ#730852
- When the MAXCONN option in the /etc/sysconfig/memcached configuration file was set to a value greater than 1024, an attempt to start the memcached service caused Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy so that memcached no longer produces AVC messages in this scenario.
- BZ#732196
- The git_selinux(8) manual page now provides all information necessary to make the Git daemon work over the SSH protocol.
- BZ#732757
- When SELinux was running in enforcing mode, the Kerberos authentication for the CUPS web interface did not work properly. With this update, the SELinux policy has been updated to support this configuration.
- BZ#733002
- Most of the major services in Red Hat Enterprise Linux 6 have a corresponding service_selinux(8) manual page. Previously, there was no manual page for the Squid caching proxy (squid). This update corrects this error, and the selinux-policy packages now provide the squid_selinux(8) manual page as expected.
- BZ#733039
- This update adds a new abrt_selinux(8) manual page, which explains how to configure SELinux policy for the Automatic Bug Reporting Tool (ABRT) service (abrtd).
- BZ#733494
- When SELinux was running in enforcing mode, the amrecover utility stopped responding while recovering data from a virtual tape changer. With this update, appropriate SELinux rules have been added so that amrecover no longer hangs in this situation.
- BZ#733869
- Prior to this update, the qmail-inject, qmail-queue, and sendmail programs were not allowed to search and write into the /var/qmail/queue/ directory. With this update, this error has been fixed, and the updated SELinux rules now allow these operations.
- BZ#739618
- Previously, SELinux incorrectly prevented the Chromium and Google Chrome web browsers from starting due to text file relocations. With this update, an appropriate SELinux rule has been added so that SELinux no longer prevents these web browsers from starting.
- BZ#739628
- Due to an error in a SELinux policy, the output of the "seinfo -r" command incorrectly contained lsassd_t, which is not a role. This update corrects the relevant policy to make sure the aforementioned command now produces correct output.
- BZ#739883
- When the DumpLocation option in the abrt.conf configuration file was set to /tmp/abrt, restarting the abrtd service caused various Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy to add support for this option, and such AVC messages are no longer reported when the abrtd service is restarted.
- BZ#740180
- Previously, an incorrect SELinux policy prevented the pwupdate script from sending an email. This update corrects this error so that pwupdate is now allowed to work as expected.
- BZ#734123
- When SELinux was running in enforcing mode, the virsh utility was unable to read from the random number generator device (/dev/random). This update adds appropriate SELinux rules to grant virsh access to this device.
- BZ#735198
- Prior to this update, when the user used a serial console via the iLO Virtual Serial Port (VSP) and booted to single-user mode, an Access Vector Cache (AVC) message appeared and no login prompt was displayed. With this update, the SELinux policy rules have been updated to make sure the user is now able to log in as expected in this scenario.
- BZ#735813
- This update adds a SELinux security context for the /etc/passwd.adjunct file to make it possible to use this file on a Network Information Service (NIS) server.
- BZ#736300
- When SELinux was running in enforcing mode, the smbcontrol utility was unable to use the console. This update adds appropriate SELinux rules to allow smbcontrol to work as expected.
- BZ#736388
- When SELinux was running in enforcing mode, an incorrect SELinux policy prevented the pulse application from executing the fos binary file. This error has been fixed, and pulse can now execute the aforementioned binary file as expected.
- BZ#737571
- As a consequence of recent changes to the dhcpd daemon, the SELinux policy incorrectly prevented this daemon from using the setgid and setuid capabilities. This update corrects the relevant SELinux policy so that dhcpd can now work properly.
- BZ#737635
- Due to an error in a SELinux policy, SELinux incorrectly prevented luci from starting. These selinux-policy packages provide updated SELinux rules that allow luci to start as expected.
- BZ#737790, BZ#741271
- To reflect recent changes to the spice-vdagent program, the SELinux policy rules have been updated so that this program can work correctly.
- BZ#738156
- Prior to this update, the /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 files had an incorrect security context. This update corrects this error, and both /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 are now labeled correctly.
- BZ#738529
- When the user issued the virt-sanlock-cleanup command, SELinux prevented the sanlock daemon from working properly and various Access Vector Cache (AVC) messages appeared in the audit log. With this update, an appropriate SELinux policy has been added so that sanlock can now work as expected.
- BZ#738994
- With SELinux running in enforcing mode, the cyrus-master process was not allowed to bind to port tcp/119. Since cyrus-master needs this port in order to run as a Network News Transfer Protocol (NNTP) server, this update fixes the relevant policy to support this configuration.
- BZ#739065
- The fence_scsi.key file that used to be located in the /var/lib/cluster/ directory has recently been moved to /var/run/cluster/. This update ensures that this file retains the correct security context.
- BZ#744817
- Prior to this update, the /dev/bsr* devices were incorrectly labeled with the device_t type. This update changes the security context of these devices to cpu_device_t.
- BZ#745113
- The matahari package has recently renamed its binaries, which caused these files to have an incorrect security context. This update corrects this error and ensures that both binary files and init scripts now have the correct security context.
- BZ#745208
- When SELinux was running in enforcing mode, an attempt to use PAM Pass-through Authentication failed with an error. This update adds a relevant SELinux policy to make sure that SELinux no longer prevents PAM Pass-through Authentication from working.
- BZ#746265
- When SELinux was running in enforcing mode, the sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update corrects the relevant SELinux policy rules to allow sssd to perform these operations.
- BZ#746616, BZ#743245
- The SELinux policy rules have been updated to correctly support the SECMARK kernel feature.
- BZ#746764
- Prior to this update, the piranha-gui service was denied access to the /etc/sysconfig/ha/lvs.cf file. This update corrects the SELinux policy to grant piranha-gui this access.
- BZ#746999
- Previously, SELinux prevented the rhev-agentd daemon from getting attributes of all available mount points. This update corrects the relevant SELinux policy so that rhev-agentd can gather all necessary information.
- BZ#747321
- Previously, SELinux prevented the sshd service from getting attributes of the /root/.hushlogin file. This update adds a new type for this file and updates its security context to make sure that sshd can access it as expected.
- BZ#748338
- Prior to this update, the sosreport binary run by the ABRT daemon did not work properly. With this update, an appropriate SELinux policy has been added so that SELinux no longer prevents sosreport from working properly when it is run by ABRT.
- BZ#749568
- When the finger utility attempted to access the /var/run/nslcd/ directory, SELinux incorrectly denied this access and wrote relevant Access Vector Cache (AVC) messages to the audit log. With this update, this error has been fixed, and the selinux-policy packages now provide updated SELinux policy rules that allow finger to access this directory, as expected.
- BZ#750519
- Previously, the SELinux Multi-Level Security (MLS) policy did not allow the user to attach a USB device if the dynamic_ownership option was enabled in the /etc/libvirtd/qemu.conf configuration file. This update fixes the relevant SELinux policy to make sure such a USB device can now be correctly attached in this scenario.
- BZ#750934
- When SELinux was running in enforcing mode and the unconfined module was disabled, an attempt to start the dirsrv-admin service failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, this error has been fixed, and dirsrv-admin now starts as expected in this situation.
Enhancements
- BZ#691828
- A new SELinux policy for the sanlock and wdmd services has been added to enable using these services with libvirt and vdsm.
- BZ#694879
- A new SELinux policy for the subscription-manager utility has been added.
- BZ#694881
- A new SELinux policy for the corosync-notifyd service has been added, which makes the service run in the corosync_t domain.
- BZ#705772
- A new SELinux policy for Red Hat Enterprise Virtualization agents has been added to allow the execution of such agents.
- BZ#719738
- A new SELinux policy for CTDB services (a clustered database based on Samba's TDB) has been added.
- BZ#720463
- A new SELinux policy for Zarafa has been added.
- BZ#720939
- A new SELinux policy for the drbd service has been added.
- BZ#723947, BZ#723958, BZ#723964, BZ#723977, BZ#726696, BZ#726699
- New SELinux policies have been added for the following services, which were previously running in the initrc_t domain: pppoe-server, lldpad, fcoemon, cimserver, uuid, and gatherd.
- BZ#725767
- A new SELinux policy for the abrt-dump-oops utility has been added to prevent this utility from running in the initrc_t domain.
- BZ#729648
- A new SELinux policy has been added to allow users to establish a chrooted SFTP environment over the SSH protocol.
- BZ#735326
- A new SELinux policy has been added to allow IP-in-SSH tunneling.
- BZ#736623
- A new SELinux Boolean, git_cgit_read_gitosis_content, has been added to allow Gitolite to display a list of available Git repositories.
- BZ#738188
- A new SELinux Boolean, virt_use_sanlock, has been added to allow the libvirtd daemon to access the sanlock.sock file.
- BZ#741967
- A new SELinux policy for Clustered Samba commands has been added.
- BZ#745531
- New SELinux policies for CloudForms services have been added.
All users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
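Many of the bug fixes above were reported as Access Vector Cache (AVC) denials in the audit log, and verifying such a fix starts with reading those records. As an added example that is not part of this advisory or of the selinux-policy package, the following Python script parses AVC records in the format auditd writes on Red Hat Enterprise Linux 6, groups the denials by source domain, target type and object class, and renders for each group the allow rule that audit2allow would propose. The log lines are constructed for this example: their domains, types and paths follow fixes listed above (sshd and /root/.hushlogin, rsyslog and port 6514, the qmail queue directory, ip and sys_module), while the pids, timestamps and inode numbers are made up. The type names syslog_tls_port_t and qmail_spool_t are assumed from the reference policy and do not appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the advisory). The domains,
# types and paths mirror fixes described above; pids, timestamps, inodes and the
# port/queue type names (syslog_tls_port_t, qmail_spool_t) are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320000001.123:4001): avc:  denied  { getattr } for  pid=1234 comm="sshd" path="/root/.hushlogin" dev=dm-0 ino=131091 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1320000002.456:4002): avc:  denied  { name_connect } for  pid=2345 comm="rsyslogd" dest=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320000002.789:4003): avc:  denied  { name_connect } for  pid=2345 comm="rsyslogd" dest=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslog_tls_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320000003.012:4004): avc:  denied  { search write } for  pid=3456 comm="qmail-queue" name="queue" dev=dm-0 ino=262145 scontext=system_u:system_r:qmail_queue_t:s0 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1320000004.345:4005): avc:  denied  { sys_module } for  pid=4567 comm="ip" capability=16 scontext=unconfined_u:unconfined_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:ifconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(1320000004.345:4005): arch=c000003e syscall=16 success=no exit=-13 comm="ip" exe="/sbin/ip" subj=unconfined_u:unconfined_r:ifconfig_t:s0 key=(null)
"""

# "avc:  denied  { perm perm } for  key=value ..." is the shape of every AVC record.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None for anything else."""
    match = AVC_RE.match(line.strip())
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    return {
        "verdict": match.group("verdict"),
        "perms": match.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        # Whichever object identifier the kernel supplied for this object class:
        # a path or name for files, a port for sockets, a number for capabilities.
        "target": fields.get("path") or fields.get("name")
                  or fields.get("dest") or fields.get("capability"),
    }


def parse_audit_log(text):
    """Return the AVC records found in a block of audit.log text, in order."""
    return [rec for rec in (parse_avc(l) for l in text.splitlines()) if rec]


def summarize(records):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for rec in records:
        if rec["verdict"] != "denied":
            continue
        entry = summary[(rec["source_type"], rec["target_type"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
        if rec["comm"]:
            entry["comms"].add(rec["comm"])
    return dict(summary)


def candidate_rules(summary):
    """Render each group as the allow rule audit2allow would propose.

    A denial whose source and target type are the same (e.g. a capability
    check) is written against 'self', as audit2allow does.
    """
    rules = []
    for (stype, ttype, tclass), entry in sorted(
            summary.items(), key=lambda kv: tuple(str(x) for x in kv[0])):
        target = "self" if stype == ttype else ttype
        perms = sorted(entry["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_text))
    return rules


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    groups = summarize(records)
    for (stype, ttype, tclass), entry in sorted(groups.items()):
        print("%-14s -> %-20s %-11s x%d %s (%s)" % (
            stype, ttype, tclass, entry["count"], " ".join(sorted(entry["perms"])),
            ",".join(sorted(entry["comms"]))))
    for rule in candidate_rules(groups):
        print(rule)
```

Treat the rendered rules as a triage aid, not as policy to load. Two of the fixes above (the ip and lldpad sys_module denials) were resolved with dontaudit rules rather than allow rules, because the access was never needed, and several others were resolved by a new Boolean or a corrected file context rather than by a broader allow rule. Compare each group against the updated policy and its Booleans ("semanage boolean -l", getsebool) before concluding that a denial which persists after the update is a bug.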
Updated selinux-policy packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#754112
- Users' cron jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. With this update, the relevant policy rules have been modified, and users' cron jobs now run in a user domain.
- BZ#754465
- When the auditd daemon was listening on port 60, the SELinux Multi-Level Security (MLS) policy prevented auditd from sending audit events to itself from the same system it was running on over port 61, which is possible when using the audisp-remote plugin. This update fixes the relevant policy so that this configuration now works as expected.
- BZ#754802
- When libvirt commands such as "virsh iface-start" or "virsh iface-destroy" were run with SELinux in enforcing mode and NetworkManager enabled, the commands took a noticeably long time to finish successfully. With this update, the relevant policy has been added, and these libvirt commands now work as expected.
All users of selinux-policy are advised to upgrade to these updated packages, which resolve these issues.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#761065
- When running a KDE session on a virtual machine with SELinux in enforcing mode, the session was not locked as expected when the SPICE console was closed. This update adds necessary SELinux rules which ensure that the user's session is properly locked under these circumstances.
All users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#786088
- An incorrect SELinux policy prevented the qpidd service from starting. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.
- BZ#784783
- With SELinux in enforcing mode, the ssh-keygen utility was prevented from accessing various applications and thus could not be used to generate SSH keys for these programs. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures that the ssh-keygen utility works correctly.
All users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#796423
- Previously, SELinux logged AVC denial messages when the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Services) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink, which ran in the dirsrv_t context. With this update, prelink running in the dirsrv_t context is allowed to relabel its own temporary files under these circumstances, and the problem no longer occurs.
All users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#796331
- An incorrect SELinux policy prevented the qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.
- BZ#796585
- With SELinux in enforcing mode, an OpenMPI job submitted to the parallel universe environment failed during SSH key generation. This happened because the ssh-keygen utility was not able to read from and write to the "/var/lib/condor/" directory. With this update, a new SELinux policy has been added for the "/var/lib/condor/" directory, which allows the ssh-keygen utility to read from and write to this directory.
All users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6 Extended Update Support.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#966994
- Previously, the mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.