4.159. selinux-policy
Updated selinux-policy packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#682856, BZ#841178: When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail transfer agent from re-sending queued email messages. This update adds a new file context for the /var/spool/postfix/maildrop/ directory so that Postfix is allowed to re-send queued email messages in enforcing mode.
- BZ#738995: Previously, the cyrus-master process could not run as an NNTP server because cyrus-master was not allowed to use the innd port. With this update, the SELinux policy rules have been updated, and cyrus-master can run as an NNTP server.
- BZ#751385: Previously, the condor_vm-gahp service ran in the initrc_t SELinux domain and triggered AVC (Access Vector Cache) denial messages. This update labels condor_vm-gahp with the virtd_exec_t SELinux security context, which fixes this bug.
- BZ#784197: When SELinux was running in enforcing mode, the cimserver command was unable to rename its own cimserver_current.conf file. This update fixes the relevant policy, and cimserver can now rename its configuration file as expected.
- BZ#785076: When SELinux was running in enforcing mode and Kerberos with NSS was configured to use the coolkey module, AVC denial messages were logged. This update fixes the relevant SELinux policy so that the denials no longer occur in the described scenario.
- BZ#803704: Previously, files created by the /usr/bin/R command in user home directories received an incorrect SELinux security context because of missing SELinux policy rules. With this update, the relevant SELinux policy has been amended so that the correct security context is set in the described scenario.
- BZ#807686: When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, submitting an OpenMPI job produced a large number of AVC denial messages and the job failed. This update fixes the appropriate SELinux policy; OpenMPI jobs now complete successfully and no longer cause AVC denials.
- BZ#833843: With SELinux in enforcing mode, missing SELinux policy rules prevented the freeradius2 server from communicating with the postgresql database. With this update, the appropriate SELinux rules have been added and freeradius2 is now able to communicate with postgresql.
- BZ#834621: On systems with more than four thousand processes running simultaneously, SSSD (System Security Services Daemon) needs the CAP_SYS_RESOURCE Linux capability to raise its limit on open file descriptors, but SELinux previously denied that capability. With this update, an appropriate SELinux rule has been added and this bug is fixed.
- BZ#838511: Previously, with SELinux in enforcing mode, the clamd daemon was unable to create its PID file in the /var/run/amavis/ directory. With this update, the amavis_create_pid_files() SELinux policy interface has been fixed to allow this action.
- BZ#843443: With SELinux running in enforcing mode, the snmpd daemon was unable to connect to the modcluster service over a Unix stream socket. This bug has been fixed, and the updated SELinux policy rules now allow these operations.
- BZ#844701: When SELinux was running in enforcing mode, the httpd daemon running in the piranha_web_t SELinux domain was unable to read from the random number generator device (/dev/random). This update adds the SELinux rules that grant httpd running in the piranha_web_t domain access to /dev/random.
- BZ#848693: Previously, the security contexts of the sesh shell installed in different directories did not match. This update gives the /usr/libexec/sesh command the same SELinux security context as the /usr/sbin/sesh command.
- BZ#848727: Due to an error in the SELinux policy, SELinux incorrectly prevented the netplugd service from starting. Updated SELinux policy rules now allow netplugd to execute the brctl command in the brctl SELinux domain, which fixes this bug.
- BZ#849155: Due to an incorrect file context specification, the SELinux policy lacked correct labeling for 64-bit Oracle libraries. This bug has been fixed, and the selinux-policy packages now provide the missing labeling.
- BZ#833843: Previously, when the etc-pam-d-radiusd-uses-non-existent-password-auth test was run, the radiusd service was denied the ptrace permission, resulting in an AVC denial message. This update adds the appropriate SELinux policy rule to allow radiusd this access, which fixes this bug.
- BZ#851658: Previously, OCSP (Online Certificate Status Protocol) requests from the Kerberos KDC (Key Distribution Center) failed in enforcing mode. Consequently, attempts to obtain Kerberos credentials by running kinit with a smart card were unsuccessful. This update allows the krb5kdc daemon to connect to the tcp/9180 port, which fixes this problem.
- BZ#854194: With SELinux in enforcing mode, the following scenario did not work and generated AVC messages in the /var/log/audit/audit.log file:
  - append the line OPTIONS="-Lsd -x /var/agentx/master" to the /etc/sysconfig/snmptrapd.options file;
  - append the line master agentx to the /etc/snmp/snmpd.conf file;
  - run the service snmpd restart and service snmptrapd restart commands.
  With this update, an appropriate SELinux rule has been added and this scenario now succeeds.
- BZ#855035: Due to incorrect SELinux policy rules, the nmbd service was unable to create the /var/nmbd/unexpected/ directory it needs for its operation. Consequently, the following command failed: nmblookup -U 127.0.0.1 MACHINE-nmb. The SELinux policy rules have now been updated, and the command succeeds.
- BZ#855324: With SELinux in enforcing mode, when the openswan service was started and stopped in quick succession on a freshly booted system, AVC denial messages were logged to the /var/log/audit/audit.log file. With this update, the SELinux policy has been amended so that SELinux no longer logs AVC denials in the described scenario.
- BZ#859338: When SELinux was running in enforcing mode, the pulse daemon failed to start the IPVS synchronization daemon at startup, and a large number of AVC messages was logged to the /var/log/audit/audit.log file. This bug has been fixed, and SELinux now allows pulse to start IPVS as expected.
- BZ#863155: Due to an incorrect SELinux policy, the swat utility was unable to write to the unexpected samba socket. This update provides a new SELinux policy rule that fixes this bug.
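Most of the entries above end the same way: a confined process was denied an access, the denial was recorded as an AVC record in /var/log/audit/audit.log, and the fix is an allow rule or a file context. As an added example, not code from these release notes or from the selinux-policy package, the following POSIX shell script reduces raw AVC records to the source type, target type, object class and permissions of each denial, and then prints the allow rules a temporary local policy module would need. The three audit records are constructed for the example; the types cyrus_t, innd_port_t, piranha_web_t and random_device_t are assumed for illustration of the cyrus-master (BZ#738995) and piranha_web_t (BZ#844701) entries and are not quoted from a real log.

```sh
#!/bin/sh
# Added example (not part of the release notes or of the selinux-policy package):
# summarize SELinux AVC denials of the kind the fixes above remove, and turn them
# into the allow rules a temporary local policy module would need.
#
# Input is the AVC record format of /var/log/audit/audit.log. The records below are
# constructed for this example; the labels cyrus_t, innd_port_t, piranha_web_t and
# random_device_t are assumed illustrative types, not quotes from a real log.

AVC_SAMPLE='type=AVC msg=audit(1349000000.123:4567): avc:  denied  { name_bind } for  pid=2345 comm="master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:innd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1349000001.456:4570): avc:  denied  { read } for  pid=3456 comm="httpd" name="random" dev=tmpfs ino=1039 scontext=system_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1349000001.456:4570): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# avc_summary: read audit records on stdin, print one line per AVC denial:
#   <source type> <target type> <object class> <permission...>
# Non-AVC records (SYSCALL, PATH, ...) are ignored.
avc_summary() {
    awk '
    /^type=AVC / && /avc:  denied  / {
        perms = $0
        sub(/.*denied  [{] /, "", perms)      # drop everything up to "{ "
        sub(/ [}].*/, "", perms)              # drop everything from " }" on
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") c = kv[2]
        }
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type:level -> type is field 3
        print sp[3], tp[3], c, perms
    }'
}

# avc_to_allow: emit one TE allow rule per distinct denial, in the form a
# local policy module (as generated by audit2allow) would contain.
avc_to_allow() {
    avc_summary | awk '{
        perms = $4
        for (i = 5; i <= NF; i++) perms = perms " " $i
        printf "allow %s %s:%s { %s };\n", $1, $2, $3, perms
    }' | sort -u
}

# Stand-alone demonstration on the constructed records.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

On a live system the same records come from ausearch -m avc -ts recent, and audit2allow -M local builds the module properly (it also knows the policy interfaces and dontaudit rules); the hand-rolled version only shows what audit2allow is reading. Treat any local allow rule as a stopgap: it widens the policy for exactly the domain, type and class in the denial, so review each generated rule against what the updated package grants and remove the module once the fix ships. The labeling fixes (the maildrop, sesh and Oracle entries) only take effect on files that carry the new context: compare ls -Z on the path with matchpathcon, and run restorecon -Rv on the path if they differ.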
Enhancements
- BZ#839608, BZ#849071: A new SELinux policy rule has been added to allow the CUPS back end to send D-Bus messages to the system bus, which allows the hplip3 package to work with SELinux running in enforcing mode.
- BZ#843841: The rebased rsyslogd package in Red Hat Enterprise Linux 5.9 requires additional SELinux policy rules that allow the getschedule, setschedule, and sys_nice operations. These selinux-policy packages add the required policy.
- BZ#810239: With this update, the labels of all files processed by the logrotate utility are preserved.
- BZ#845672: The zarafa SELinux policy has been updated to match the zarafa SELinux policy from Red Hat Enterprise Linux 6.
- BZ#772205: Support for the mod_ban module of the proftpd service has been added.
- BZ#773042: A new fenced_selinux.8 man page has been added.
- BZ#750588: A new virtd_selinux.8 man page has been added.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.