4.176. selinux-policy
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#784782
- With SELinux in enforcing mode, an Open MPI (Message Passing Interface) job submitted to the parallel universe environment failed when an attempt to generate SSH keys with the ssh-keygen utility was made. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures that the ssh-keygen utility works correctly.
All users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#693149
- When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the wpa_cli client utility from connecting to the running wpa_supplicant daemon. With this update, the SELinux policy has been fixed, and wpa_cli now works as expected.
- BZ#715227
- Due to an incorrect SELinux policy, the smartd daemon was not able to set up a monitor of a 3ware device. This update corrects this bug by adding an appropriate policy, which allows smartd to create a fixed disk device node.
- BZ#716956
- Previously, the SELinux Multi-Level Security (MLS) policy did not allow the cron daemon to read a Kerberos configuration file. This update fixes the relevant SELinux policy to make sure the Kerberos configuration file can be read by the cron daemon.
- BZ#717152
- When the SELinux Multi-Level Security (MLS) policy was enabled, starting the smartd daemon caused Access Vector Cache (AVC) messages to be written to the audit log file. With this update, the relevant policy has been fixed and the AVC messages are no longer produced in the described scenario.
- BZ#721041
- When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the samba service from scanning the /boot/ directory when responding to quota check requests. The error has been fixed and samba is now allowed to search all mount points in the system.
- BZ#722536
- Previously, the rsyslogd daemon was unable to connect to a MySQL database when support for the rsyslog-mysql package was enabled. This bug has been fixed and rsyslogd is now allowed to connect to MySQL as expected.
- BZ#722579
- Due to an error in a SELinux policy, SELinux incorrectly prevented the ricci service from installing RPM packages. With this update, fixed SELinux rules, which allow ricci to install RPM packages, have been provided.
- BZ#728957
- Previously, due to an incorrect SELinux context, the user was unable to access the fetchmail.log file in their home directory. This update adds a SELinux security context for the .fetchmailrc file located in user home directories to allow the fetchmail application to retrieve external private emails.
- BZ#730294
- Due to incorrect SELinux policy rules, the procmail mail delivery agent was not allowed to execute the hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support this procmail option.
- BZ#730962
- When PAM (Pluggable Authentication Modules) authentication was used in the squid daemon with SELinux enabled, an AVC message related to the netlink_audit_socket SELinux class was written to the audit log file. With this update, the relevant policy has been fixed and using PAM with squid no longer produces these messages.
- BZ#721041
- When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the swat (Samba Web Administration Tool) utility from writing to samba log files. This bug has been fixed and swat is now allowed to write to all samba log files.
- BZ#733668
- On an MLS system, if a new user attempted to reset their password on the first login, SELinux prevented this action. With this update, the SELinux policy has been updated to allow the sysadm_t SELinux user type to transition to the passwd_t SELinux domain, which is intended for the passwd utility.
- BZ#735813
- Previously, the /etc/passwd.adjunct file carried an incorrect label, resulting in a wrong SELinux security context. This update adds a SELinux security context for /etc/passwd.adjunct to make it possible to use this file on a Network Information Service (NIS) server.
- BZ#745139
- When SELinux was running in the Enforcing mode, rsyslog clients were incorrectly denied access to port 6514 (syslog-over-TLS). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.
- BZ#745175
- With the omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.
- BZ#746351, BZ#761592
- When SELinux was enabled, starting the ricci daemon caused Access Vector Cache (AVC) messages to be written to the audit log file. With this update, the relevant policy has been fixed and starting ricci no longer produces these messages.
- BZ#752487
- Due to an incorrect SELinux policy, the finger application was not able to use the nss_ldap module to get information (such as users, hosts, and groups) from LDAP directories. With this update, fixed SELinux rules, which allow finger to connect to the LDAP port to get all needed information from LDAP, have been provided.
- BZ#753039, BZ#767633
- When an unconfined SELinux user runs the ssh-keygen utility, the user is able to generate SSH keys anywhere. However, the transition from the unconfined_t domain to the ssh_keygen_t domain prevented this functionality. To make the ssh-keygen utility work correctly at all times, the ssh_keygen_t SELinux domain type has now been provided as an unconfined type.
- BZ#754121
- When SELinux was running in the Enforcing mode, the sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update fixes the relevant SELinux policy rules to allow sssd to perform these operations.
- BZ#761481
- When SELinux was running in the Enforcing mode, the sssd service did not work properly; if a user authenticated to the sshd service using the Generic Security Services Application Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly in the described scenario.
- BZ#761485, BZ#767565
- Previously, the SELinux security context for the iscsiuio binary was not defined in the policy. Consequently, the operation of the iscsid daemon could experience problems. This update adds a SELinux security context for the /sbin/iscsiuio file to make iscsid run in the proper SELinux domain, thus fixing this bug.
- BZ#766591
- When SELinux was running in the Enforcing mode, the pam_oddjob_mkhomedir utility could not be run, home directories could not be created, and actions for the oddjob service were denied. With this update, the appropriate SELinux rule has been provided and SELinux no longer prevents pam_oddjob_mkhomedir from working correctly in the described scenario.
- BZ#781477
- Due to an incorrect SELinux policy, an attempt to use the nice utility to modify the scheduling priority of the openvpn service failed. This update provides fixed SELinux rules and adds the sys_nice capability, so users are now allowed to modify the scheduling priority as expected.
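Several of the fixes above are described by the AVC denial they remove (smartd creating a device node, rsyslog connecting to port 6514, squid and a netlink_audit_socket). As an added example, not part of the advisory, the following parser reads audit.log AVC records and flags denials still matching those cases, which is a quick way to confirm the update took effect on a host. The sample log lines, PIDs and type names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed audit.log excerpt shaped like RHEL 5 AVC records (illustrative only).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320000000.101:45): avc:  denied  { create } for  pid=2201 comm="smartd" name="twa0" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=AVC msg=audit(1320000001.202:46): avc:  denied  { name_connect } for  pid=2202 comm="rsyslogd" dest=6514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320000002.303:47): avc:  denied  { create } for  pid=2203 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1320000003.404:48): avc:  granted  { read } for  pid=2204 comm="crond" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1320000003.404:48): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a security context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def denials_by_comm(log_text):
    """Count denied AVC records per command name."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[rec.get("comm", "?")] += 1
    return counts

def find_expected_fixed(log_text, watch):
    """Return (comm, tclass, perms) for denials matching a set of (comm, tclass)
    pairs; any hit after the update means the fixed policy is not in effect."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and (rec.get("comm"), rec.get("tclass")) in watch:
            hits.append((rec["comm"], rec["tclass"], " ".join(rec["perms"])))
    return hits

# Watch list derived from the advisory text above.
WATCH = {("smartd", "blk_file"), ("rsyslogd", "tcp_socket"), ("squid", "netlink_audit_socket")}
```

On a real host, pass the contents of /var/log/audit/audit.log to find_expected_fixed instead of the constructed sample.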
Enhancements
- BZ#709370
- With this update, a new SELinux policy for the mcelog service has been added to make mcelog work properly on SELinux Multi-Level Security (MLS) systems.
- BZ#718219
- Support for the dkim-milter application, a DKIM (DomainKeys Identified Mail) mail filter, has been backported to the selinux-policy package in order to allow the Postfix email server to use it.
- BZ#720462
- With this update, a new SELinux policy for the Zarafa Open Source Email & Collaboration Software has been provided in selinux-policy.
- BZ#724941
- With this update, a new SELinux policy for the subscription-manager utility has been provided in selinux-policy.
- BZ#741670
- A new SELinux Boolean value, dhcpc_exec_iptables, has been added to allow the dhcpd daemon to execute iptables commands.
All users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.