4.98. selinux-policy

download PDF
Updated selinux-policy packages that fix numerous bugs are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

When the SSH daemon (sshd) was configured using the rgmanager utility as a service for clustering, sshd incorrectly ran in the rgmanager_t SELinux domain instead of the sshd_t SELinux domain. With this update, the relevant SELinux policy has been fixed and sshd runs in sshd_t as expected in the described scenario.
With the SELinux strict policy enabled, when the user executed a locally developed application configured to use the atd daemon, the daemon ran in an incorrect SELinux domain due to the missing SELinux policy rules. Consequently, the following error message was logged in the /var/log/message file:
Not allowed to set exec context
With this update, the appropriate SELinux policy rules have been added so that atd runs in the correct domain and the error message is no longer returned.
When SELinux was running in enforcing mode, it incorrectly prevented processes labeled with the pptp_t SELinux security context from accessing files labeled with the proc_net_t SELinux security context. This update fixes the relevant SELinux policy and pptp_t processes can access files with the proc_net_t context as expected.
Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typographical errors. Some patterns matched the 32-bit path but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
BZ#923428, BZ#926028
Due to the incorrect SELinux policy rules for the httpd_use_fusefs and allow_ftpd_use_fusefs Booleans, the httpd and ftpd daemons were not able to access link files on a FUSE (Filesystem in Userspace) file system when SELinux was running in enforcing mode. The appropriate SELinux policy rules have been fixed and httpd and ftpd are now able to access link files on the FUSE file systems as expected.
When SELinux was running in enforcing mode, an attempt to fetch a file using the Squid proxy caching server along with Kerberos authentication caused AVC denials to be returned. The relevant SELinux policy has been changed to allow Squid to connect to the tcp/133 port and the AVC denials are no longer returned in the described scenario.
BZ#958759, BZ#984583
Previously, the mysqld_safe script was unable to execute the Bourne shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
When a Network Information Service (NIS) master with two NIS slaves was configured, executing the yppasswdd --port 836 command proceeded up until it started rebuilding the passwd.byname and passwd.byuid databases. The databases were rebuilt successfully but they were not pushed to the NIS slaves due to missing SELinux policy rules. With this update, the relevant SELinux rule has been added to fix this bug and the yppasswdd --port 836 command works as expected.
Due to an incorrect SELinux policy, the openvpn service was not able to write or read the /var/log/openvpn file. Consequently, an attempt to start openvpn failed and AVC messages were logged to the /var/log/audit/audit.log file. With this update, the appropriate SELinux policy has been fixed so that the AVC messages are no longer returned and openvpn works as expected in the described scenario.
When the php-cgi command-line interface was called by the httpd server, SELinux running in enforcing mode prevented access to the /usr/share/snmp/mibs/.index file. Consequently, the PHP SNMP (Simple Network Management Protocol) extension did not work correctly due to the missing Management Information Bases (MIBs). With this update, the relevant SELinux policy has been modified and SELinux no longer prevents access to MIBs in the described scenario.
Previously, the snmpd_t SELinux domain was missing the chown capability. Consequently, the agentXperms directive in the snmpd.conf file did not work. This update provides an updated SELinux policy rule that allows processes running in the snmpd_t SELinux domain to use the chown capability, thus fixing this bug.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.