4.98. selinux-policy
Updated selinux-policy packages that fix numerous bugs are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#746979
- When the SSH daemon (sshd) was configured using the rgmanager utility as a service for clustering, sshd incorrectly ran in the rgmanager_t SELinux domain instead of the sshd_t SELinux domain. With this update, the relevant SELinux policy has been fixed and sshd runs in sshd_t as expected in the described scenario.
- BZ#838702
- With the SELinux strict policy enabled, when the user executed a locally developed application configured to use the atd daemon, the daemon ran in an incorrect SELinux domain due to the missing SELinux policy rules. Consequently, the following error message was logged in the /var/log/message file:
  Not allowed to set exec context
  With this update, the appropriate SELinux policy rules have been added so that atd runs in the correct domain and the error message is no longer returned.
- BZ#906279
- When SELinux was running in enforcing mode, it incorrectly prevented processes labeled with the pptp_t SELinux security context from accessing files labeled with the proc_net_t SELinux security context. This update fixes the relevant SELinux policy and pptp_t processes can access files with the proc_net_t context as expected.
- BZ#921671
- Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typographical errors. Some patterns matched the 32-bit path but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
- BZ#923428, BZ#926028
- Due to the incorrect SELinux policy rules for the httpd_use_fusefs and allow_ftpd_use_fusefs Booleans, the httpd and ftpd daemons were not able to access link files on a FUSE (Filesystem in Userspace) file system when SELinux was running in enforcing mode. The appropriate SELinux policy rules have been fixed and httpd and ftpd are now able to access link files on the FUSE file systems as expected.
- BZ#953874
- When SELinux was running in enforcing mode, an attempt to fetch a file using the Squid proxy caching server along with Kerberos authentication caused AVC denials to be returned. The relevant SELinux policy has been changed to allow Squid to connect to the tcp/133 port and the AVC denials are no longer returned in the described scenario.
- BZ#958759, BZ#984583
- Previously, the mysqld_safe script was unable to execute the Bourne shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
- BZ#959171
- When a Network Information Service (NIS) master with two NIS slaves was configured, executing the yppasswdd --port 836 command proceeded up until it started rebuilding the passwd.byname and passwd.byuid databases. The databases were rebuilt successfully but they were not pushed to the NIS slaves due to missing SELinux policy rules. With this update, the relevant SELinux rule has been added to fix this bug and the yppasswdd --port 836 command works as expected.
- BZ#966929
- Due to an incorrect SELinux policy, the openvpn service was not able to write or read the /var/log/openvpn file. Consequently, an attempt to start openvpn failed and AVC messages were logged to the /var/log/audit/audit.log file. With this update, the appropriate SELinux policy has been fixed so that the AVC messages are no longer returned and openvpn works as expected in the described scenario.
- BZ#970707
- When the php-cgi command-line interface was called by the httpd server, SELinux running in enforcing mode prevented access to the /usr/share/snmp/mibs/.index file. Consequently, the PHP SNMP (Simple Network Management Protocol) extension did not work correctly due to the missing Management Information Bases (MIBs). With this update, the relevant SELinux policy has been modified and SELinux no longer prevents access to MIBs in the described scenario.
- BZ#978864
- Previously, the snmpd_t SELinux domain was missing the chown capability. Consequently, the agentXperms directive in the snmpd.conf file did not work. This update provides an updated SELinux policy rule that allows processes running in the snmpd_t SELinux domain to use the chown capability, thus fixing this bug.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
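The class of labeling drift described under BZ#921671 can be audited by comparing each 32-bit library pattern in a file_contexts file with its 64-bit counterpart. The following is an added example, not part of the Red Hat advisory or the selinux-policy packages; the sample entries and the demo_* type names are constructed, and the comparison is purely textual on patterns that begin with /lib or /usr/lib.

```python
import re

# Constructed sample in file_contexts syntax (pattern, optional file type,
# context). The demo_* type names are placeholders, not real policy types.
SAMPLE = r"""
/usr/lib(64)?/demo/helper    --  system_u:object_r:demo_exec_t:s0
/usr/lib/demo/plugins(/.*)?      system_u:object_r:demo_plugin_t:s0
/usr/lib/demo/agent          --  system_u:object_r:demo_agent_exec_t:s0
/usr/lib64/demo/agent        --  system_u:object_r:bin_t:s0
/lib/demo/mod\.so            --  system_u:object_r:lib_t:s0
/lib64/demo/mod\.so          --  system_u:object_r:lib_t:s0
/var/lib/demo(/.*)?              system_u:object_r:demo_var_lib_t:s0
"""

# Leading library directory: /lib/, /lib64/ or the combined /lib(64)?/ form.
LIB = re.compile(r"^(/usr)?/lib(\(64\)\?|64)?/")

def parse(text):
    """Return {(arch, pattern rewritten to /lib/, file type): context}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0].startswith("#"):
            continue
        m = LIB.match(fields[0])
        if not m:
            continue  # not a library path, e.g. /var/lib/...
        norm = (m.group(1) or "") + "/lib/" + fields[0][m.end():]
        ftype = fields[1] if len(fields) == 3 else ""
        arches = {None: ["32"], "64": ["64"]}.get(m.group(2), ["32", "64"])
        for arch in arches:
            table[(arch, norm, ftype)] = fields[-1]
    return table

def mismatches(text):
    """List (pattern, file type, 32-bit context, 64-bit context or None)."""
    table = parse(text)
    found = []
    for (arch, norm, ftype), ctx in sorted(table.items()):
        if arch != "32":
            continue
        other = table.get(("64", norm, ftype))
        if other != ctx:  # None means the 64-bit pattern is missing
            found.append((norm, ftype, ctx, other))
    return found

if __name__ == "__main__":
    for norm, ftype, ctx32, ctx64 in mismatches(SAMPLE):
        print(norm, ftype or "(any)", ctx32, ctx64 or "MISSING")
```

To audit a real system, pass the contents of /etc/selinux/targeted/contexts/files/file_contexts to mismatches() instead of the sample.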