5.298. selinux-policy

Bug Fixes

BZ#878360

Due to a bug in the SELinux policy, it was not possible to run a cron job with a valid MLS (Multi Level Security) context for the sysadm_u SELinux user. This update fixes relevant SELinux policy rules and cron now works as expected in the described scenario.

BZ#886210

Previously, SELinux prevented "rhevm-guest-agent-gdm-plugin" to connect to the SO_PASSCRED UNIX domain socket. Consequently, Single Sign-On (SSO) did not work because the access to the credential socket was blocked. This update fixes the relevant policy and SSO now works as expected in the described scenario.

Bug Fixes

BZ#864366

Previously, SELinux was blocking the /usr/libexec/qemu-kvm utility during a migration of a virtual machine from Red Hat Enterprise Virtualization Manager. Consequently, such a migration attempt failed and AVC messages were returned. This update fixes the virt_use_fusefs boolean and adds the sanlock_use_fusefs boolean, thus allowing the migration to succeed in the described scenario.

BZ#867395

When trying to start a virtual machine on a POSIX-compliant file system, SELinux denied the operation and returned AVC messages. This update amends the SELinux policy to allow the described scenario to succeed.

Bug Fix

BZ#888381

Previously, the quota_db type was created as the openshift_var_lib_t type. Consequently, an attempt to create a quota system on openshift_var_lib_t failed with a permission error. The relevant part of the SELinux policy has been fixed and the quota system can now be created as expected.

Bug Fixes

BZ#840674

Previously, with the MLS policy activated, a user created with a MLS level was not able to log into the system using the ssh utility because an appropriate MLS policy rule was missing. This update adds the MLS rule and users can now log into the system as expected in the described scenario.

BZ#852456

When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, a large number of AVC messages was returned when an OpenMPI job was submitted. Consequently, the job failed. This update fixes the appropriate SELinux policy and OpenMPI jobs now pass successfully and no longer cause AVC messages to be returned.

Enhancement

BZ#876075

An SELinux policy for openshift packages has been added.

BZ#833053

When the system produces a new SELinux denial, the setroubleshootd daemon executes the rpm tool to check information about the relevant packages. Previously, setroubleshootd was unable to execute the rpm tool, and AVC denials were logged in the /var/log/audit/audit.log file. With this update, the relevant policy has been corrected so that SELinux denials are no longer produced in the described scenario.

Bug Fixes

BZ#666332

Previously, the sshd init script tried to regenerate new keys during the sshd service startup and the ssh-keygen command failed to write public keys because of an incorrect SELinux security context for the ssh_host_rsa_key.pub file. The security context has been updated and now the sshd service can start up correctly.

BZ#739886

Due to an error in an SELinux policy, SELinux incorrectly prevented the rndc service from reading the /proc/loadavg file. This update provides updated SELinux rules that allow rndc to read the /proc/loadavg file.

BZ#746961

When a non-root user (in the unconfined_t domain) ran the ssh-keygen utility, the SELinux policy did not allow ssh-keygen to create a key outside of the ~/.ssh directory. This update adapts the relevant SELinux policy to make sure a key can be created by a non-root user in the described scenario.

BZ#748190

Previously, when a user tried to use the selinux_avcstat Munin plug-in, this caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, a new SELinux policy has been provided for selinux_avcstat to fix this bug.

BZ#748971

Due to an incorrect SELinux policy, SELinux prevented the openswan utility to use the labeled IPsec protocol. This update provides updated SELinux rules and allows openswan to label IPsec as expected.

BZ#749311

Previously, the nagios event handlers were not supported by any SELinux policy, which broke their functionality. With this update, this support has been added to SELinux policy and nagios event handlers now work correctly with SELinux.

BZ#749501

Previously, when SELinux was running in Enforcing mode, the google-chrome program was unable to execute the nacl_helper_bootstrap command. This update provides an updated SELinux security context and rules that allow google-chrome to execute nacl_helper_bootstrap.

BZ#750869

Previously, the SELinux Multi-Level Security (MLS) policy did not allow users to use either the newrole or sudo command together with the sssd service configured, when the user was logged in the wuth custom MLS range. This update fixes the relevant SELinux policy to allow users to use this configuration.

BZ#751558

With SELinux in Enforcing mode, running the mail program as root with the unconfined.pp policy module disabled resulted in a permission to be denied and an AVC message to be generated. This update fixes relevant SELinux policy rules to allow the mail program to run properly in the described scenario.

BZ#751732

Due to an error in an SELinux policy, SELinux incorrectly prevented the subscription-manager service from reading the /proc/2038/net/psched file. This update provides updated SELinux rules that allow subscription-manager to read that file.

BZ#752418

Prior to this update, the pyzor application was denied the permission to write to the ABRT socket file. Consequently, an AVC message was reported. This update corrects the SELinux policy to grant pyzor the necessary permission in the described scenario.

BZ#752924

With SELinux running in Enforcing mode, the smbcontrol program was unable to send a signal to itself. Consequently, AVC messages were written to the audit log. This update fixes the relevant policy to support this operation.

BZ#718273

Previously, when SELinux was running in Enforcing mode, gridengine mpi jobs were not started correctly. A new policy for these jobs has been provided and gridengine mpi jobs now work as expected.

BZ#753184, BZ#756498

Previously, user cron jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. The relevant policy rules have been modified and user cron jobs now run in the user domain, thus fixing this bug.

BZ#753396

When running the libvirt commands, such as virsh iface-start or virsh iface-destroy, with SELinux in Enforcing mode and NetworkManager enabled, the commands took an excessive amount of time to finish successfully. With this update, the relevant policy has been added and libvirt commands now work as expected.

BZ#754157

When the auditd daemon was listening on port 60, the SELinux Multi-Level Security (MLS) policy prevented auditd from sending audit events to itself from the same system if it was also running on port 61. This update fixes the relevant policy and this configuration now works as expected.

Note

Before the fix, the described scenario was possible to perform with the use of the audisp-remote plug-in.

BZ#754455

With SELinux enabled, the rsyslogd daemon was unable to start because it was not previously allowed to run the setsched operation using the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy and rsyslogd now starts as expected.

BZ#755877

With SELinux in Enforcing mode, the ssh-keygen utility could not access various applications and thus could not be used to generate SSH keys for such applications. With this update, the ssh_keygen_t SELinux domain type has been implemented as unconfined, which ensures the ssh-keygen utility works correctly.

BZ#759403

The ssh-keygen utility was not able to read from and write to the /var/lib/condor/ directory. Consequently, with SELinux in Enforcing mode, an OpenMPI job submitted to the parallel universe environment failed to generate SSH keys. With this update, a new SELinux policy has been provided for the /var/lib/condor/ directory, which allows ssh-keygen to access this directory as expected.

BZ#759514

When running a KDE session on a virtual machine with SELinux in Enforcing mode, the session was not locked as expected when the SPICE console was closed. This update adds necessary SELinux rules, which ensure that the session is properly locked in the described scenario.

BZ#760537

Previously, the /var/www/vweb1/logs/ directory was labeled as httpd_log_t, which blocked access to parts of additional web space. With this update, the httpd_log_t security context has been removed for this directory, thus fixing this bug.

BZ#767195

With SELinux in Enforcing mode, the httpd service could not read Git files with the git_system_content_t security label. This update corrects the relevant SELinux policy rules to allow httpd to read these Git files.

BZ#767579

Due to an error in an SELinux policy, SELinux incorrectly prevented to set up a quota on a file system, which was mounted as an user home directory, if the quotacheck -c /user/home/directory command was used. This update provides updated SELinux rules that allow to properly set up quotas in the described scenario.

BZ#754646

Previously, SELinux prevented the sanlock daemon from searching NFS directories. This update provides the sanlock_use_nfs boolean variable to fix this bug.

BZ#768065

When running the Postfix email server, the Amavis virus scanner, and the Spamassassin mail filter on Red Hat Enterprise Linux 6, the spamc_exec_t and razor_exec_t files were alias files, thus referencing the same context. Consequently, the restorecon utility reported these mislabeled files as related to the razor application. With this update, the razor.pp policy file has been removed and restorecon no longer reports these mislabeled files.

BZ#769301

Previously, if SSSD (System Security Services Daemon) used the keyctl_join_session_keyring() and keyctl_setperm() functions to connect to the kernel keyring and store passwords securely while the sssd daemon was running, it was permitted by SELinux. This update fixes the relevant SELinux policy rules to allow the SSSD sys_admin capability to process these operations properly.

BZ#769352

An incorrect SELinux policy prevented the qpidd service from starting. This update provides updated SELinux rules, which allow qpidd to be started correctly.

BZ#769819

Due to the labeling change for the /var/spool/postfix/deferred directory, the Postfix email server terminated. This update provides updated SELinux rules to allows Postfix to run as expected.

BZ#769859

Previously, when installing an updated selinux-policy-targeted package on a system with SELinux disabled, the following error messages were returned:

SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file -- /etc/selinux/targeted/policy/policy.24:  No such file or directory
load_policy: Can't load policy:  No such file or directory

This update provides the updated SELinux spec file that tests SELinux status correctly in the described scenario, thus preventing this bug.

BZ#773641

When SELinux was running in Enforcing mode, the ssh-keygen utility was unable to write to NFS home directories due to missing SELinux policy rules. This update provides updated SELinux rules that allow ssh-keygen to write to NFS home directories using the use_nfs_home_dirs boolean variable.

BZ#782325

When the user tried to execute the check_disk Munin plug-in on a remote system via NRPE (Nagios Remote Plugin Executor), the permission was denied and an AVC message was generated. This update fixes relevant SELinux policy rules to allow check_disk to read the /sys/ directory, thus fixing this bug.

BZ#783592

Previously, SELinux policy for the ipa_memcached service was missing. Consequently, ipa_memcached did not work correctly with SELinux in Enforcing mode. This update adds support for ipa_memcached, thus fixing this bug.

BZ#784011

With the MLS SELinux policy enabled, an administrator running in the sysadm_t SELinux domain was not able to run the rpm command. This update provides updated SELinux rules to allow administrators to run rpm in the described scenario.

BZ#786597

Previously, when SELinux was running in Enforcing mode, the mail-related Munin plug-ins were not able to access the /var/lib/ directory. Consequently, these plug-ins could not work correctly. This update provides updated SELinux rules, which allow these plug-ins to access /var/lib/ and work as expected.

BZ#787271

If a custom cluster MIB (Management Information Base) implementation was run as a separate process, SELinux in Enforcing mode prevented the snmpd service to connect through the AgentX (Agent Extensibility) protocol. This bug has been fixed and the updated SELinux policy rules now allow to run custom cluster MIB implemantions.

BZ#788601

With SELinux in Enforcing mode, the httpd service was unable to access link files in the /var/lib/zarafa/ directory, which caused various problems for the Zarafa groupware with DRBD (Distributed Replicated Block Device) support. This update provides updated SELinux rules and allows httpd to access the directory and Zarafa now works as expected.

BZ#788658

With SELinux in Enforcing mode, an OpenMPI job submitted to the parallel universe environment failed on SSH key generation. This happened because the ssh-keygen utility was unable to access the /var/lib/condor/ directory. This update provides a new SELinux policy for /var/lib/condor/, which allows ssh-keygen to read from and write to this directory, thus fixing this bug.

BZ#789063

With SELinux in Enforcing mode, restarting the tgtd service resulted in SELinux AVC denial messages being returned when tgtd was not able to read the abi_version value. This update fixes the relevant SELinux policy rules to allow tgtd to read abi_version.

BZ#790980

If a custom home directory was set up as an NFS home directory, the google-chrome application was not able to write to this home directroy. With this update, the use_nfs_home_dirs variable has been fixed and google-chrome can now write to the NFS home directory in the described scenario.

BZ#791294

An incorrect SELinux policy prevented the qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. This update provides updated SELinux rules, which allow qpidd to be started correctly.

BZ#796351

Previously, SELinux received AVC denial messages if the dirsrv utility executed the modutil -dbdir /etc/dirsrv/slapd-instname -fips command to enable FIPS mode in an NSS (Network Security Service) key/certificate database. This happened because the NSS_Initialize() function attempted to use pre-link with the dirsrv_t context. With this update, the pre-link is allowed to re-label its own temporary files under these circumstances and the problem no longer occurs.

BZ#799102

With SELinux in Enforcing mode, Samba could not connect to dirsrv/slapd (389DS) via LDAPI, which caused AVC denial messages to be returned. Also, the dirsrv service failed to start properly due to this issue. This update provides an updated SELinux context for the /var/run/slapd.* socket and these services can be started as expected now.

BZ#799968

SSSD sometimes handles high load systems with more than 4,000 processes running simultaneously. Previously, SELinux in Enforcing mode produced an AVC message related to the CAP_SYS_RESOURCE privilege, which is needed to request a higher open file-descriptor limit. With this update, a new SELinux policy rule has been added to allow the CAP_SYS_RESOURCE capability for the SSSD service.

BZ#801163

With SELinux in Enforcing mode, the chsh utility did not work on servers that authenticated with Kerberos. SELinux prevented chsh from accessing certain files and directories. Now, updated SELinux rules have been provided to allow chsh to work properly in the described scenario.

BZ#802247

When a directory was mounted using NFS, restarting the nfsclock service produced an AVC denial message then reported to the /var/log/audit/audit.log log file. Updated SELinux policy rules have been provided, which allow the rpc.statd binary to execute the sm-notify binary, and restarting nfsclock now works properly.

BZ#802745

When files were created by the /usr/bin/R utility in user home directories, an incorrect SELinux context type of user_home_dir_t was returned, rather than the expected user_home_t context. This update fixes the relevant SELinux policy rules to allow /usr/bin/R to create directories in user home directories with correct labeling.

BZ#803422

When an ext4 partition was mounted using NFS, running the xfstest utility on this partition failed because write operations were denied on this partition. With this update, appropriate SELinux policy rules have been provided and write operations are now allowed to such partitions in the described scenario.

BZ#804024

Previously, installation of the selinux-policy-minimum package failed because a scriptlet of this policy attempted to access the /etc/selinux/targeted/seusers file. Now, the selinux-policy.spec file has been modified to store its users' information separately and selinux-policy-minimum can be installed properly.

BZ#804186

Previously, the Postfix email server was unable to work properly with the ~/Maildir/ set up. To fix this bug, a new SELinux context has been provided for the /root/Maildir/ directory.

BZ#804922

With SELinux enabled, a Red Hat Enterprise Linux 6.2 client, which queried an NFS server also running on Red Hat Enterprise Linux 6.2, to get quota details, resulted in no output on the client and the following message to be reported to the server's logs:

rpc.rquotad: Cannot open quotafile aquota.user and the associated AVC.

Updated SELinux policy rules, which allow this type of queries between NFS client and server, have been provided, thus fixing this bug.

BZ#805217

Previously, with SELinux in Enforcing mode and the internal-sftp subsystem configured, users with the unconfined_t SELinux type were unable to connect using the sftp utility. This update fixes the SELinux policy to allow users to utilize sftp successfully in the described scenario.

BZ#807173, BZ#820057

Due to the nfs_export_* booleans values being removed from Red Hat Enterprise Linux 6.3, users could not export subdirectories under the /tmp/ directory and the mounting operations to such directories also failed. With this update, appropriate rules have been provided to allow users to perform these actions in the described scenario.

BZ#807456

With SELinux in Enforcing mode, the cgconfig service could not be started if an NIS (Network Information Service) user was specified in the /etc/cgconfig file. This update fixes the relevant SELinux policy rules and allow cgconfig to use NIS properly.

BZ#808624

When the Dovecot LMTP (Local Mail Transfer Protocol) server was configured as a virtual delivery agent on a Postfix-based mail server, the sieve script was not working correctly with SELinux in Enforcing mode. This update provides appropriate SELinux policy rules to allow the sieve script to work correctly in the described scenario.

BZ#809746

Due to an incorrect SELinux policy, the heartbeat service could not be started correctly. New SELinux policy rules have been provided to allow heartbeat to execute the /usr/lib64/heartbeat/plugins/InterfaceMgr/generic.so binary, thus fixing this bug.

BZ#812850

With SELinux in Enforcing mode, the service libvirt-qmf restart command caused AVC denial messages to be logged to the /var/log/audit/audit.log file. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages.

BZ#812854

Previously, the package-cleanup utility did not work properly when called from a cron job. To fix this bug, the /usr/bin/package-cleanup binary has been labeled with the rpm_exec_t SELinux policy label and package-cleanup now works as expected in the described scenario.

BZ#813803

Previously, the system-config-kdump utlity did not work properly with SELinux enabled. To fix this bug, the /etc/zipl.conf file has been labeled with the boot_t SELinux security label.

BZ#814091

Fence agents (of the fence-agents package) in Red Hat Cluster Suite can use several different methods to connect to fencing devices. While using telnet or ssh works correctly under SELinux, some agents use SNMP. However, the snmpwalk, snmpget, and snmpset utilities did not work due to an incorrect SELinux policy. SELinux policy rules have been updated to allow SNMP utilities running with the fenced_t security type to be able to create files under the /var/lib/net-snmp/ directory, thus fixing this bug.

BZ#821004

With the SELinux MLS policy enabled, the sysadm_r SELinux role could not create a cron job for another user. This bug has been fixed and the sysadm_r SELinux role now belongs among cron admin roles, thus fixing this bug.

Enhancements

BZ#727145

A new policy for the cfengine service has been added to make the system management work while using cfengine.

BZ#747239

This update provides a new SELinux policy for the quota-nld service.

BZ#747993

This update provides a new SELinux policy for the flash plug-in. Previously, the plugin-container processes of this plug-in were running as unconfined.

BZ#749200

This update provides new SELinux policies for the matahari-qmf-sysconfigd and matahari-qmf-sysconfig-consoled services.

BZ#760405

The following boolean variables have been removed because they no longer had any effect:

allow_nfsd_anon_write
nfs_export_all_rw
nfs_export_all_ro

BZ#787413

Previously, there was no separation between the secadm_r, sysadm_r and auditadm_r SELinux roles related to certain operations with log files. This update introduces the new sysadm_secadm.pp SELinux module to provide the role separation.

Note

Note that if the sysadm_secadm.pp module is disabled, sysadm_r is unable to modify security files in the /var/log/ directory, which only secadm_r can do. The basic separation of the roles is as follows:

• The auditadm_r role is able to modify the /var/log/audit.log log file.
• The secadm_r role is able to modify various SELinux properties as well as files in the /var/log/ directory with necessary level. Users of this role can also change a level or a SELinux state, or can load a new module.
• The sysadm_r role (with sysadm_secadm disabled) is able to modify all non-security files because sysadm_r is based on the userdom_admin_user_template() function, which contains the following directives:

  files_manage_non_security_dirs($1_t)
  files_manage_non_security_files($1_t)

  Users of this role are not able to modify /var/log/audit/audit.log, the auditd daemon configuration files, or change a level or a SELinux state.

BZ#795474

Previously, the rsync utility could not access files in either NFS or CIFS home directories. The new rsync_use_nfs boolean value has been provided to provide support for both file systems.

BZ#798534, BZ#812932, BZ#818082, BZ#818611

Previously, the privsep parent process always ran in the sshd_t domain. Consequently, the sshd_t domain had to be relaxed more than necessary for user SSH processes. This update introduces new SELinux policy rules to support permission separation for user SSH processes, each of which now runs in user context as expected.

BZ#801015

A new SELinux policy support has been added for the matahari-qmf-rpcd service.

BZ#801408

With this update, over 400 man pages documenting all confined domains and users on the system have been provided. You can acccess them using commands such as the following:

man httpd_selinux
man staff_selinux

BZ#807682

This update adds SELinux support for ssh_to_job for VM/Java/Sched/Local universe.

BZ#807824

This update adds SELinux support for the Cherokee web server.

BZ#809356

This update adds a new SELinux policy for the libvirt-qmf service.

BZ#810273

This update adds SELinux support for the lvmetad daemon.

BZ#811532

With this update, support for extended file attributes (xattr) has been added for the ZFS file system.

BZ#821038

This update adds a new SELinux policy for all OpenStack services.

Bug Fix

BZ#966996

Previously, the mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.