5.298. selinux-policy
Updated selinux-policy packages that fix the bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#878360
- Due to a bug in the SELinux policy, it was not possible to run a cron job with a valid MLS (Multi Level Security) context for the sysadm_u SELinux user. This update fixes relevant SELinux policy rules and cron now works as expected in the described scenario.
- BZ#886210
- Previously, SELinux prevented "rhevm-guest-agent-gdm-plugin" to connect to the SO_PASSCRED UNIX domain socket. Consequently, Single Sign-On (SSO) did not work because the access to the credential socket was blocked. This update fixes the relevant policy and SSO now works as expected in the described scenario.
All users of SELinux are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#864366
- Previously, SELinux was blocking the /usr/libexec/qemu-kvm utility during a migration of a virtual machine from Red Hat Enterprise Virtualization Manager. Consequently, such a migration attempt failed and AVC messages were returned. This update fixes the virt_use_fusefs boolean and adds the sanlock_use_fusefs boolean, thus allowing the migration to succeed in the described scenario.
- BZ#867395
- When trying to start a virtual machine on a POSIX-compliant file system, SELinux denied the operation and returned AVC messages. This update amends the SELinux policy to allow the described scenario to succeed.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#888381
- Previously, the quota_db type was created as the openshift_var_lib_t type. Consequently, an attempt to create a quota system on openshift_var_lib_t failed with a permission error. The relevant part of the SELinux policy has been fixed and the quota system can now be created as expected.
Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#840674
- Previously, with the MLS policy activated, a user created with a MLS level was not able to log into the system using the ssh utility because an appropriate MLS policy rule was missing. This update adds the MLS rule and users can now log into the system as expected in the described scenario.
- BZ#852456
- When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, a large number of AVC messages was returned when an OpenMPI job was submitted. Consequently, the job failed. This update fixes the appropriate SELinux policy and OpenMPI jobs now pass successfully and no longer cause AVC messages to be returned.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Updated selinux-policy packages that add an enhancement are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Enhancement
- BZ#876075
- An SELinux policy for openshift packages has been added.
Users of selinux-policy are advised to upgrade to these updated packages, which add this enhancement.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#833053
- When the system produces a new SELinux denial, the setroubleshootd daemon executes the rpm tool to check information about the relevant packages. Previously, setroubleshootd was unable to execute the rpm tool, and AVC denials were logged in the /var/log/audit/audit.log file. With this update, the relevant policy has been corrected so that SELinux denials are no longer produced in the described scenario.
All users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#666332
- Previously, the
sshd
init script tried to regenerate new keys during thesshd
service startup and thessh-keygen
command failed to write public keys because of an incorrect SELinux security context for thessh_host_rsa_key.pub
file. The security context has been updated and now thesshd
service can start up correctly. - BZ#739886
- Due to an error in an SELinux policy, SELinux incorrectly prevented the
rndc
service from reading the/proc/loadavg
file. This update provides updated SELinux rules that allowrndc
to read the/proc/loadavg
file. - BZ#746961
- When a non-root user (in the
unconfined_t
domain) ran thessh-keygen
utility, the SELinux policy did not allowssh-keygen
to create a key outside of the~/.ssh
directory. This update adapts the relevant SELinux policy to make sure a key can be created by a non-root user in the described scenario. - BZ#748190
- Previously, when a user tried to use the
selinux_avcstat
Munin plug-in, this caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, a new SELinux policy has been provided forselinux_avcstat
to fix this bug. - BZ#748971
- Due to an incorrect SELinux policy, SELinux prevented the
openswan
utility to use the labeled IPsec protocol. This update provides updated SELinux rules and allowsopenswan
to label IPsec as expected. - BZ#749311
- Previously, the
nagios
event handlers were not supported by any SELinux policy, which broke their functionality. With this update, this support has been added to SELinux policy andnagios
event handlers now work correctly with SELinux. - BZ#749501
- Previously, when SELinux was running in Enforcing mode, the
google-chrome
program was unable to execute thenacl_helper_bootstrap
command. This update provides an updated SELinux security context and rules that allowgoogle-chrome
to executenacl_helper_bootstrap
. - BZ#750869
- Previously, the SELinux Multi-Level Security (MLS) policy did not allow users to use either the
newrole
orsudo
command together with thesssd
service configured, when the user was logged in thewuth
custom MLS range. This update fixes the relevant SELinux policy to allow users to use this configuration. - BZ#751558
- With SELinux in Enforcing mode, running the
mail
program as root with theunconfined.pp
policy module disabled resulted in a permission to be denied and an AVC message to be generated. This update fixes relevant SELinux policy rules to allow themail
program to run properly in the described scenario. - BZ#751732
- Due to an error in an SELinux policy, SELinux incorrectly prevented the
subscription-manager
service from reading the/proc/2038/net/psched
file. This update provides updated SELinux rules that allowsubscription-manager
to read that file. - BZ#752418
- Prior to this update, the
pyzor
application was denied the permission to write to theABRT
socket file. Consequently, an AVC message was reported. This update corrects the SELinux policy to grantpyzor
the necessary permission in the described scenario. - BZ#752924
- With SELinux running in Enforcing mode, the
smbcontrol
program was unable to send a signal to itself. Consequently, AVC messages were written to the audit log. This update fixes the relevant policy to support this operation. - BZ#718273
- Previously, when SELinux was running in Enforcing mode,
gridengine mpi
jobs were not started correctly. A new policy for these jobs has been provided andgridengine mpi
jobs now work as expected. - BZ#753184, BZ#756498
- Previously, user
cron
jobs were set to run in thecronjob_t
domain when the SELinux MLS policy was enabled. As a consequence, users could not run theircron
jobs. The relevant policy rules have been modified and usercron
jobs now run in theuser
domain, thus fixing this bug. - BZ#753396
- When running the
libvirt
commands, such asvirsh iface-start
orvirsh iface-destroy
, with SELinux in Enforcing mode and NetworkManager enabled, the commands took an excessive amount of time to finish successfully. With this update, the relevant policy has been added andlibvirt
commands now work as expected. - BZ#754157
- When the
auditd
daemon was listening on port 60, the SELinux Multi-Level Security (MLS) policy preventedauditd
from sending audit events to itself from the same system if it was also running on port 61. This update fixes the relevant policy and this configuration now works as expected.Note
Before the fix, the described scenario was possible to perform with the use of theaudisp-remote
plug-in. - BZ#754455
- With SELinux enabled, the
rsyslogd
daemon was unable to start because it was not previously allowed to run thesetsched
operation using the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy andrsyslogd
now starts as expected. - BZ#755877
- With SELinux in Enforcing mode, the
ssh-keygen
utility could not access various applications and thus could not be used to generate SSH keys for such applications. With this update, thessh_keygen_t
SELinux domain type has been implemented as unconfined, which ensures thessh-keygen
utility works correctly. - BZ#759403
- The
ssh-keygen
utility was not able to read from and write to the/var/lib/condor/
directory. Consequently, with SELinux in Enforcing mode, an OpenMPI job submitted to the parallel universe environment failed to generate SSH keys. With this update, a new SELinux policy has been provided for the/var/lib/condor/
directory, which allowsssh-keygen
to access this directory as expected. - BZ#759514
- When running a KDE session on a virtual machine with SELinux in Enforcing mode, the session was not locked as expected when the SPICE console was closed. This update adds necessary SELinux rules, which ensure that the session is properly locked in the described scenario.
- BZ#760537
- Previously, the
/var/www/vweb1/logs/
directory was labeled ashttpd_log_t
, which blocked access to parts of additional web space. With this update, thehttpd_log_t
security context has been removed for this directory, thus fixing this bug. - BZ#767195
- With SELinux in Enforcing mode, the
httpd
service could not read Git files with thegit_system_content_t
security label. This update corrects the relevant SELinux policy rules to allowhttpd
to read these Git files. - BZ#767579
- Due to an error in an SELinux policy, SELinux incorrectly prevented to set up a quota on a file system, which was mounted as an user home directory, if the
quotacheck -c /user/home/directory
command was used. This update provides updated SELinux rules that allow to properly set up quotas in the described scenario. - BZ#754646
- Previously, SELinux prevented the
sanlock
daemon from searching NFS directories. This update provides thesanlock_use_nfs
boolean variable to fix this bug. - BZ#768065
- When running the Postfix email server, the Amavis virus scanner, and the Spamassassin mail filter on Red Hat Enterprise Linux 6, the
spamc_exec_t
andrazor_exec_t
files were alias files, thus referencing the same context. Consequently, therestorecon
utility reported these mislabeled files as related to therazor
application. With this update, therazor.pp
policy file has been removed andrestorecon
no longer reports these mislabeled files. - BZ#769301
- Previously, if SSSD (System Security Services Daemon) used the
keyctl_join_session_keyring()
andkeyctl_setperm()
functions to connect to the kernel keyring and store passwords securely while thesssd
daemon was running, it was permitted by SELinux. This update fixes the relevant SELinux policy rules to allow the SSSDsys_admin
capability to process these operations properly. - BZ#769352
- An incorrect SELinux policy prevented the
qpidd
service from starting. This update provides updated SELinux rules, which allowqpidd
to be started correctly. - BZ#769819
- Due to the labeling change for the
/var/spool/postfix/deferred
directory, the Postfix email server terminated. This update provides updated SELinux rules to allows Postfix to run as expected. - BZ#769859
- Previously, when installing an updated selinux-policy-targeted package on a system with SELinux disabled, the following error messages were returned:
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version. SELinux: Could not open policy file -- /etc/selinux/targeted/policy/policy.24: No such file or directory load_policy: Can't load policy: No such file or directory
This update provides the updated SELinux spec file that tests SELinux status correctly in the described scenario, thus preventing this bug. - BZ#773641
- When SELinux was running in Enforcing mode, the
ssh-keygen
utility was unable to write to NFS home directories due to missing SELinux policy rules. This update provides updated SELinux rules that allowssh-keygen
to write to NFS home directories using theuse_nfs_home_dirs
boolean variable. - BZ#782325
- When the user tried to execute the
check_disk
Munin plug-in on a remote system via NRPE (Nagios Remote Plugin Executor), the permission was denied and an AVC message was generated. This update fixes relevant SELinux policy rules to allowcheck_disk
to read the/sys/
directory, thus fixing this bug. - BZ#783592
- Previously, SELinux policy for the
ipa_memcached
service was missing. Consequently,ipa_memcached
did not work correctly with SELinux in Enforcing mode. This update adds support foripa_memcached
, thus fixing this bug. - BZ#784011
- With the MLS SELinux policy enabled, an administrator running in the
sysadm_t
SELinux domain was not able to run therpm
command. This update provides updated SELinux rules to allow administrators to runrpm
in the described scenario. - BZ#786597
- Previously, when SELinux was running in Enforcing mode, the mail-related Munin plug-ins were not able to access the
/var/lib/
directory. Consequently, these plug-ins could not work correctly. This update provides updated SELinux rules, which allow these plug-ins to access/var/lib/
and work as expected. - BZ#787271
- If a custom cluster MIB (Management Information Base) implementation was run as a separate process, SELinux in Enforcing mode prevented the
snmpd
service to connect through the AgentX (Agent Extensibility) protocol. This bug has been fixed and the updated SELinux policy rules now allow to run custom cluster MIB implemantions. - BZ#788601
- With SELinux in Enforcing mode, the
httpd
service was unable to access link files in the/var/lib/zarafa/
directory, which caused various problems for the Zarafa groupware with DRBD (Distributed Replicated Block Device) support. This update provides updated SELinux rules and allowshttpd
to access the directory and Zarafa now works as expected. - BZ#788658
- With SELinux in Enforcing mode, an OpenMPI job submitted to the parallel universe environment failed on SSH key generation. This happened because the
ssh-keygen
utility was unable to access the/var/lib/condor/
directory. This update provides a new SELinux policy for/var/lib/condor/
, which allowsssh-keygen
to read from and write to this directory, thus fixing this bug. - BZ#789063
- With SELinux in Enforcing mode, restarting the
tgtd
service resulted in SELinux AVC denial messages being returned whentgtd
was not able to read theabi_version
value. This update fixes the relevant SELinux policy rules to allowtgtd
to readabi_version
. - BZ#790980
- If a custom home directory was set up as an NFS home directory, the
google-chrome
application was not able to write to this home directroy. With this update, theuse_nfs_home_dirs
variable has been fixed andgoogle-chrome
can now write to the NFS home directory in the described scenario. - BZ#791294
- An incorrect SELinux policy prevented the
qpidd
service from connecting to the AMQP (Advanced Message Queuing Protocol) port when theqpidd
daemon was configured with Corosync clustering. This update provides updated SELinux rules, which allowqpidd
to be started correctly. - BZ#796351
- Previously, SELinux received AVC denial messages if the
dirsrv
utility executed themodutil -dbdir /etc/dirsrv/slapd-instname -fips
command to enable FIPS mode in an NSS (Network Security Service) key/certificate database. This happened because theNSS_Initialize()
function attempted to use pre-link with thedirsrv_t
context. With this update, the pre-link is allowed to re-label its own temporary files under these circumstances and the problem no longer occurs. - BZ#799102
- With SELinux in Enforcing mode, Samba could not connect to dirsrv/slapd (389DS) via LDAPI, which caused AVC denial messages to be returned. Also, the
dirsrv
service failed to start properly due to this issue. This update provides an updated SELinux context for the/var/run/slapd.*
socket and these services can be started as expected now. - BZ#799968
- SSSD sometimes handles high load systems with more than 4,000 processes running simultaneously. Previously, SELinux in Enforcing mode produced an AVC message related to the
CAP_SYS_RESOURCE
privilege, which is needed to request a higher open file-descriptor limit. With this update, a new SELinux policy rule has been added to allow theCAP_SYS_RESOURCE
capability for the SSSD service. - BZ#801163
- With SELinux in Enforcing mode, the
chsh
utility did not work on servers that authenticated with Kerberos. SELinux preventedchsh
from accessing certain files and directories. Now, updated SELinux rules have been provided to allowchsh
to work properly in the described scenario. - BZ#802247
- When a directory was mounted using NFS, restarting the
nfsclock
service produced an AVC denial message then reported to the/var/log/audit/audit.log
log file. Updated SELinux policy rules have been provided, which allow therpc.statd
binary to execute thesm-notify
binary, and restartingnfsclock
now works properly. - BZ#802745
- When files were created by the
/usr/bin/R
utility in user home directories, an incorrect SELinux context type ofuser_home_dir_t
was returned, rather than the expecteduser_home_t
context. This update fixes the relevant SELinux policy rules to allow/usr/bin/R
to create directories in user home directories with correct labeling. - BZ#803422
- When an ext4 partition was mounted using NFS, running the
xfstest
utility on this partition failed because write operations were denied on this partition. With this update, appropriate SELinux policy rules have been provided and write operations are now allowed to such partitions in the described scenario. - BZ#804024
- Previously, installation of the selinux-policy-minimum package failed because a scriptlet of this policy attempted to access the
/etc/selinux/targeted/seusers
file. Now, theselinux-policy.spec
file has been modified to store its users' information separately and selinux-policy-minimum can be installed properly. - BZ#804186
- Previously, the Postfix email server was unable to work properly with the
~/Maildir/
set up. To fix this bug, a new SELinux context has been provided for the/root/Maildir/
directory. - BZ#804922
- With SELinux enabled, a Red Hat Enterprise Linux 6.2 client, which queried an NFS server also running on Red Hat Enterprise Linux 6.2, to get quota details, resulted in no output on the client and the following message to be reported to the server's logs:
rpc.rquotad: Cannot open quotafile aquota.user and the associated AVC.
Updated SELinux policy rules, which allow this type of queries between NFS client and server, have been provided, thus fixing this bug. - BZ#805217
- Previously, with SELinux in Enforcing mode and the
internal-sftp
subsystem configured, users with theunconfined_t
SELinux type were unable to connect using thesftp
utility. This update fixes the SELinux policy to allow users to utilizesftp
successfully in the described scenario. - BZ#807173, BZ#820057
- Due to the
nfs_export_*
booleans values being removed from Red Hat Enterprise Linux 6.3, users could not export subdirectories under the/tmp/
directory and the mounting operations to such directories also failed. With this update, appropriate rules have been provided to allow users to perform these actions in the described scenario. - BZ#807456
- With SELinux in Enforcing mode, the
cgconfig
service could not be started if an NIS (Network Information Service) user was specified in the/etc/cgconfig
file. This update fixes the relevant SELinux policy rules and allowcgconfig
to use NIS properly. - BZ#808624
- When the Dovecot LMTP (Local Mail Transfer Protocol) server was configured as a virtual delivery agent on a Postfix-based mail server, the
sieve
script was not working correctly with SELinux in Enforcing mode. This update provides appropriate SELinux policy rules to allow thesieve
script to work correctly in the described scenario. - BZ#809746
- Due to an incorrect SELinux policy, the
heartbeat
service could not be started correctly. New SELinux policy rules have been provided to allowheartbeat
to execute the/usr/lib64/heartbeat/plugins/InterfaceMgr/generic.so
binary, thus fixing this bug. - BZ#812850
- With SELinux in Enforcing mode, the
service libvirt-qmf restart
command caused AVC denial messages to be logged to the/var/log/audit/audit.log
file. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages. - BZ#812854
- Previously, the
package-cleanup
utility did not work properly when called from acron
job. To fix this bug, the/usr/bin/package-cleanup
binary has been labeled with therpm_exec_t
SELinux policy label andpackage-cleanup
now works as expected in the described scenario. - BZ#813803
- Previously, the
system-config-kdump
utlity did not work properly with SELinux enabled. To fix this bug, the/etc/zipl.conf
file has been labeled with theboot_t
SELinux security label. - BZ#814091
- Fence agents (of the fence-agents package) in Red Hat Cluster Suite can use several different methods to connect to fencing devices. While using
telnet
orssh
works correctly under SELinux, some agents use SNMP. However, thesnmpwalk
,snmpget
, andsnmpset
utilities did not work due to an incorrect SELinux policy. SELinux policy rules have been updated to allow SNMP utilities running with thefenced_t
security type to be able to create files under the/var/lib/net-snmp/
directory, thus fixing this bug. - BZ#821004
- With the SELinux MLS policy enabled, the
sysadm_r
SELinux role could not create a cron job for another user. This bug has been fixed and thesysadm_r
SELinux role now belongs among cron admin roles, thus fixing this bug.
Enhancements
- BZ#727145
- A new policy for the
cfengine
service has been added to make the system management work while usingcfengine
. - BZ#747239
- This update provides a new SELinux policy for the
quota-nld
service. - BZ#747993
- This update provides a new SELinux policy for the
flash
plug-in. Previously, theplugin-container
processes of this plug-in were running as unconfined. - BZ#749200
- This update provides new SELinux policies for the
matahari-qmf-sysconfigd
andmatahari-qmf-sysconfig-consoled
services. - BZ#760405
- The following boolean variables have been removed because they no longer had any effect:
allow_nfsd_anon_write nfs_export_all_rw nfs_export_all_ro
- BZ#787413
- Previously, there was no separation between the
secadm_r
,sysadm_r
andauditadm_r
SELinux roles related to certain operations with log files. This update introduces the newsysadm_secadm.pp
SELinux module to provide the role separation.Note
Note that if thesysadm_secadm.pp
module is disabled,sysadm_r
is unable to modify security files in the/var/log/
directory, which onlysecadm_r
can do. The basic separation of the roles is as follows:- The
auditadm_r
role is able to modify the/var/log/audit.log
log file. - The
secadm_r
role is able to modify various SELinux properties as well as files in the/var/log/
directory with necessary level. Users of this role can also change a level or a SELinux state, or can load a new module. - The
sysadm_r
role (withsysadm_secadm
disabled) is able to modify all non-security files becausesysadm_r
is based on theuserdom_admin_user_template()
function, which contains the following directives:files_manage_non_security_dirs($1_t) files_manage_non_security_files($1_t)
Users of this role are not able to modify/var/log/audit/audit.log
, theauditd
daemon configuration files, or change a level or a SELinux state.
- BZ#795474
- Previously, the
rsync
utility could not access files in either NFS or CIFS home directories. The newrsync_use_nfs
boolean value has been provided to provide support for both file systems. - BZ#798534, BZ#812932, BZ#818082, BZ#818611
- Previously, the
privsep
parent process always ran in thesshd_t
domain. Consequently, thesshd_t
domain had to be relaxed more than necessary for user SSH processes. This update introduces new SELinux policy rules to support permission separation for user SSH processes, each of which now runs in user context as expected. - BZ#801015
- A new SELinux policy support has been added for the
matahari-qmf-rpcd
service. - BZ#801408
- With this update, over 400 man pages documenting all confined domains and users on the system have been provided. You can acccess them using commands such as the following:
man httpd_selinux man staff_selinux
- BZ#807682
- This update adds SELinux support for
ssh_to_job
for VM/Java/Sched/Local universe. - BZ#807824
- This update adds SELinux support for the Cherokee web server.
- BZ#809356
- This update adds a new SELinux policy for the
libvirt-qmf
service. - BZ#810273
- This update adds SELinux support for the
lvmetad
daemon. - BZ#811532
- With this update, support for extended file attributes (xattr) has been added for the
ZFS
file system. - BZ#821038
- This update adds a new SELinux policy for all OpenStack services.
Users of selinux-policy should upgrade to these updated packages, which fix these bugs and add these enhancements.
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6 Extended Update Support.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#966996
- Previously, the mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.