4.291. selinux-policy

Bug Fixes

BZ#665176

Most of the major services in Red Hat Enterprise Linux 6 have a corresponding service_selinux(8) manual page. Previously, there was no manual page for the MySQL service (mysqld). This update corrects this error, and the selinux-policy packages now provide the mysql_selinux(8) manual page as expected.

BZ#694031

When the SELinux Multi-Level Security (MLS) policy was enabled, running the userdel -r command caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant policy has been corrected so that userdel no longer produces these messages.

BZ#698923

When SELinux was running in enforcing mode, an incorrect SELinux policy prevented the kadmin utility (a program for Kerberos V5 database administration) from setting process priority. With this update, the SELinux policy has been corrected, and kadmin now works as expected.

BZ#701885

Previously, the output of the semanage boolean -l command contained errors. This update fixes the descriptions of various SELinux Booleans to ensure the aforementioned command now produces correct output without errors.

BZ#704191

Prior to this update, the secadm SELinux user was not allowed to modify SELinux configuration files. With this update, the relevant SELinux policy has been corrected and the secadm SELinux user can now modify such configuration files as expected.

BZ#705277, BZ#712961, BZ#716973

With SELinux enabled, the rsyslogd service was previously unable to send messages encrypted with the Transport Layer Security (TLS) protocol. This update corrects the relevant SELinux policy, and rsyslogd can now send such messages as expected.

BZ#705489

With SELinux enabled, configuring cluster fencing agents to use the SSH or Telnet protocol caused these fencing agents to fail. This update contains updated SELinux rules and introduces a new fenced_can_ssh Boolean, which allows the fencing agents to use these protocols.

BZ#706086

Due to a constraint violation, when SELinux was running in enforcing mode, the xinetd service was unable to connect to localhost and the operation failed. With this update, xinetd is now trusted to write outbound packets regardless of the network's or node's Multi-Level Security (MLS) range, which resolves this issue.

BZ#706448

Due to an incorrect SELinux policy, when the user added a NIS username to the /etc/cgrules.conf configuration file, SELinux incorrectly prevented cgroups from properly applying rules to NIS users. This update corrects this error by adding an appropriate policy so that SELinux no longer prevents cgroups from applying rules to NIS users.

BZ#707616

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented a MLS machine form registering with Red Hat Network. This update corrects the SELinux policy so that MLS machines can now be registered as expected.

BZ#710357

Prior to this update, various incorrect SELinux labels caused several Access Vector Cache (AVC) messages to be written to the audit log. With this update, the SELinux labels that triggered these AVC messages have been corrected so that such AVC messages no longer appear in the log.

BZ#713218

Due to incorrect SELinux policy rules, the Kerberos 5 Admin Server (kadmind) was unable to contact the LDAP server and failed to start. This update fixes the relevant policy and kadmind now starts as expected.

BZ#714620

With SELinux running in enforcing mode, the sssd service did not work properly and when any user authenticated to the sshd service using the Generic Security Services Application Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly.

BZ#715038

Previously, various labels were incorrect and rules for creating new 389-ds instances were missing. Consequent to this, when the user created a new 389-ds instance using the 389-console utility, several Access Vector Cache (AVC) messages appeared in the audit log. With this update, the erroneous labels have been fixed and missing rules have been added so that new 389-ds instances are now created without these AVC messages.

BZ#718390

Due to incorrect SELinux policies, the puppetmaster service was not allowed to get attributes of the chage utility and any attempt to do so caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the SELinux policy rules have been adapted to allow puppetmaster to perform this operation.

BZ#719261

When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail transfer agent from re-sending queued email messages. This update adds a new security file context for the /var/spool/postfix/maildrop/ directory to make sure Postfix is now allowed to re-send queued email messages as expected.

BZ#719929

The previous version of the httpd_selinux(8) manual page was incomplete and did not provide any information about the following Booleans:

• httpd_enable_ftp_server
• httpd_execmem
• httpd_read_user_content
• httpd_setrlimit
• httpd_ssi_exec
• httpd_tmp_exec
• httpd_use_cifs
• httpd_use_gpg
• httpd_use_nfs
• httpd_can_check_spam
• httpd_can_network_connect_cobbler
• httpd_can_network_connect_db
• httpd_can_network_connect_memcache
• httpd_can_network_relay
• httpd_dbus_avahi

With this update, this error no longer occurs and the aforementioned manual page now describes all available SELinux Booleans as expected.

BZ#722381

Due to the /var/lib/squeezeboxserver/ directory having an incorrect security context, an attempt to start the squeezeboxserver service with SELinux running in enforcing mode failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, the security context of this directory has been corrected so that SELinux no longer prevents squeezeboxserver from starting.

BZ#725414

When a non-root user (in the unconfined_t domain) ran the ssh-keygen utility and the ~/.ssh/ directory did not exist, the utility created this directory with an incorrect security context. This update adapts the relevant SELinux policy to make sure ~/.ssh/ is now created with the correct context (the ssh_home_t type).

BZ#726339

Prior to this update, SELinux prevented the ip utility from using the sys_module capabilities, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.

BZ#727130

When SELinux was running in enforcing mode, an incorrect policy prevented the grubby utility from searching DOS file systems such as FAT32 or NTFS. This update corrects the SELinux policy so that grubby can now work as expected.

BZ#727150

With the omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.

BZ#727290

Prior to this update, SELinux prevented the lldpad daemon from using the sys_module capabilities, which caused various Access Vector Cache (AVC) messages to be written to the audit log. With this update, an appropriate dontaudit rule has been added to make sure such messages are no longer logged.

BZ#728591

When SELinux was running in enforcing mode, rsyslog clients were incorrectly denied access to port 6514 (the syslog over TLS port). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.

BZ#728699

Prior to this update, SELinux incorrectly prevented the hddtemp utility from listening on localhost. This update corrects this error, and the selinux-policy packages now provide updated SELinux rules that allow hddtemp to listen on localhost as expected.

BZ#728790

When running in enforcing mode, SELinux incorrectly prevented the new fence_kdump agent from binding to a port. This update adds appropriate SELinux rules to make sure this agent can bind to a port as expected.

BZ#729073

Due to an incorrect SELinux policy, an attempt to use nice to modify scheduling priority of the openvpn service failed, because SELinux prevented it. This update provides updated SELinux rules and adds a sys_nice capability so that users are now allowed to modify the scheduling priority as expected.

BZ#729365

The allow_unconfined_qemu_transition Boolean has been removed to make sure that QEMU is allowed to work together with the libguestfs library.

BZ#730218

Due to incorrect SELinux policy rules, the procmail mail delivery agent was not allowed to execute the hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support the aforementioned procmail option.

BZ#730662

Prior to this update, launching a new virtual machine with a fileinject custom property caused Access Vector Cache (AVC) messages to be written to the audit log. With this update, the relevant SELinux policy has been corrected to ensure this action no longer produces such messages.

BZ#730837

When SELinux was running in enforcing mode, an attempt to run the puppet server that was configured as a Passenger web application for scaling purposes failed. This update provides adapted SELinux rules to allow this, and the puppet server configured as a Passenger web application no longer fails to run.

BZ#730852

When the MAXCONN option in the /etc/sysconfig/memcached configuration file was set to a value greater than 1024, an attempt to start the memcached service caused Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy so that memcached no longer produces AVC messages in this scenario.

BZ#732196

The git_selinux(8) manual page now provides all information necessary to make the Git daemon work over the SSH protocol.

BZ#732757

When SELinux was running in enforcing mode, the Kerberos authentication for the CUPS web interface did not work properly. With this update, the SELinux policy has been updated to support this configuration.

BZ#733002

Most of the major services in Red Hat Enterprise Linux 6 have a corresponding service_selinux(8) manual page. Previously, there was no manual page for the Squid caching proxy (squid). This update corrects this error, and the selinux-policy packages now provide the squid_selinux(8) manual page as expected.

BZ#733039

This update adds a new abrt_selinux(8) manual page, which explains how to configure SELinux policy for the Automatic Bug Reporting Tool (ABRT) service (abrtd).

BZ#733494

When SELinux was running in enforcing mode, the amrecover utility stopped responding while recovering data from a virtual tape changer. With this update, appropriate SELinux rules have been added so that amcover no longer hangs in this situation.

BZ#733869

Prior to this update, the qmail-inject, qmail-queue, and sendmail programs were not allowed to search and write into the /var/qmail/queue/ directory. With this update, this error has been fixed and the updated SELinux rules now allow these operations.

BZ#739618

Previously, SELinux incorrectly prevented the Chromium and Google Chrome web browsers from starting due to text file relocations. With this update, an appropriate SELinux rule has been added so that SELinux no longer prevents these web browsers from starting.

BZ#739628

Due to an error in a SELinux policy, the output of the seinfo -r command incorrectly contained lsassd_t, which is not a role. This update corrects the relevant policy to make sure the aforementioned command now produces correct output.

BZ#739883

When the DumpLocation option in the abrt.conf configuration file was set to /tmp/abrt, restarting the abrtd service caused various Access Vector Cache (AVC) messages to be written to the audit log. This update corrects the relevant SELinux policy to add support for this option, and such AVC messages are no longer reported when the abrtd service is restarted.

BZ#740180

Previously, an incorrect SELinux policy prevented the pwupdate script from sending an email. This update corrects this error so that pwupdate is now allowed to work as expected.

BZ#734123

When SELinux was running in enforcing mode, the virsh utility was unable to read form the random number generator device (/dev/random). This update adds appropriate SELinux rules to grant virsh access to this device.

BZ#735198

Prior to this update, when the user used a serial console via the iLO Virtual Serial Port (VSP) and booted to single-user mode, an Access Vector Cache (AVC) message appeared and no login prompt was displayed. With this update, the SELinux policy rules have been updated to make sure the user is now able to log in as expected in this scenario.

BZ#735813

This update adds a SELinux security context for the /etc/passwd.adjunct file to make it possible to use this file on a Network Information Service (NIS) server.

BZ#736300

When SELinux was running in enforcing mode, the smbcontrol utility was unable to use the console. This update adds appropriate SELinux rules to allow smbcontrol to work as expected.

BZ#736388

When SELinux was running in enforcing mode, an incorrect SELinux policy prevented the pulse application from executing the fos binary file. This error has been fixed, and pulse can now execute the aforementioned binary file as expected.

BZ#737571

As a consequence to recent changes to the dhcpd daemon, the SELinux policy incorrectly prevented this daemon from setting the setgid and setuid capabilities. This update corrects the relevant SELinux policy so that dhcpd can now work properly.

BZ#737635

Due to an error in a SELinux policy, SELinux incorrectly prevented luci from starting. These selinux-policy packages provide updated SELinux rules that allow luci to start as expected.

BZ#737790, BZ#741271

To reflect recent changes to the spice-vdagent program, the SELinux policy rules have been updated so that this program can work correctly.

BZ#738156

Prior to this update, the /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 files had an incorrect security context. This update corrects this error, and both /etc/dhcp/dhcp6.conf and /etc/rc.d/init.d/dhcpcd6 are now labeled correctly.

BZ#738529

When the user issued the virt-sanlock-cleanup command, SELinux prevented the sanlock deamon from working properly and various Access Vector Cache (AVC) messages appeared in the audit log. With this update, an appropriate SELinux policy has been added so that sanlock can now work as expected.

BZ#738994

With SELinux running in enforcing mode, the cyrus-master process was not allowed to bind to port tcp/119. Since cyrus-master needs this port in order to run as a Network News Transfer Protocol (NNTP) server, this update fixes the relevant policy to support this configuration.

BZ#739065

The fence_scsi.key file that used to be located in the /var/lib/cluster/ directory has been recently moved to /var/run/cluster/. This update ensures that this file retains the correct security context.

BZ#744817

Prior to this update, the /dev/bsr* devices were incorrectly labeled with the device_t type. This update changes the security context of these devices to cpu_device_t.

BZ#745113

The matahari package has recently renamed its binaries, which caused these files to have an incorrect security context. This update corrects this error and ensures that both binary files and init scripts now have the correct security context.

BZ#745208

When SELinux was running in enforcing mode, an attempt to use PAM Pass-through Authentication failed with an error. This update adds a relevant SELinux policy to make sure that SELinux no longer prevents PAM Pass-through Authentication from working.

BZ#746265

When SELinux was running in enforcing mode, the sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update corrects the relevant SELinux policy rules to allow sssd to perform these operations.

BZ#746616, BZ#743245

The SELinux policy rules have been updated to correctly support the SECMARK kernel feature.

BZ#746764

Prior to this update, the piranha-gui service was denied access to the /etc/sysconfig/ha/lvs.cf file. This update corrects the SELinux policy to grant piranha-gui this access.

BZ#746999

Previously, SELinux prevented the rhev-agentd daemon from getting attributes of all available mount points. This update corrects the relevant SELinux policy so that rhev-agentd can gather all necessary information.

BZ#747321

Previously, SELinux prevented the sshd service from getting attributes of the /root/.hushlogin file. This update adds a new type for this file and updates its security context to make sure that sshd can access it as expected.

BZ#748338

Prior to this update, the sosreport binary run by the ABRT daemon did not work properly. With this update, an appropriate SELinux policy has been added so that SELinux no longer prevents sosreport from working properly when it is run by ABRT.

BZ#749568

When the finger utility attempted to access the /var/run/nslcd/ directory, SELinux incorrectly denied this access and wrote relevant Access Vector Cache (AVC) messages to the audit log. With this update, this error has been fixed and the selinux-policy packages now provide updated SELinux policy rules that allow finger to access this directory, as expected.

BZ#750519

Previously, the SELinux Multi-Level Security (MLS) policy did not allow the user to attach a USB device if the dynamic_ownership option was enabled in the /etc/libvirtd/qemu.conf configuration file. This update fixes the relevant SELinux policy to make sure such a USB device can now be correctly attached in this scenario.

BZ#750934

When SELinux was running in enforcing mode and the unconfined module was disabled, an attempt to start the dirsrv-admin service failed and Access Vector Cache (AVC) messages were written to the audit log. With this update, this error has been fixed and dirsrv-admin now starts as expected in this situation.

Enhancements

BZ#691828

A new SELinux policy for the sanlock and wdmd services has been added to enable using these services with libvirt and vdsm.

BZ#694879

A new SELinux policy for the subscription-manager utility has been added.

BZ#694881

A new SELinux policy for the corosync-notifyd service has been added to make the service running in the corosync_t domain type.

BZ#705772

A new SELinux policy for Red Hat Enterprise Virtualization agents has been added to allow the execution of such agents.

BZ#719738

A new SELinux policy for CTDB services (a clustered database based on Samba's TDB) has been added.

BZ#720463

A new SELinux policy for Zarafa has been added.

BZ#720939

A new SELinux policy for the drbd service has been added.

BZ#723947, BZ#723958, BZ#723964, BZ#723977, BZ#726696, BZ#726699

New SELinux policies have been added for the following services that were previously running in the initrc_t domain: pppoe-server, lldpad, fcoemon, cimserver, uuid, and gatherd.

BZ#725767

A new SELinux policy for the abrt-dump-oops utility has been added to prevent this utility from running in the initrc_t domain.

BZ#729648

A new SELinux policy has been added to allow users to establish a chrooted SFTP environment over the SSH protocol.

BZ#735326

A new SELinux policy has been added to allow IP-in-SSH tunneling.

BZ#736623

A new SELinux Boolean, git_cgit_read_gitosis_content, has been added to allow Gitolite to display a list of available Git repositories.

BZ#738188

A new SELinux Boolean, virt_use_sanlock, has been added to allow the libvirtd daemon to access the sanlock.sock file.

BZ#741967

A new SELinux policy for Clustered Samba commands has been added.

BZ#745531

New SELinux policies for CloudForms services have been added.

BZ#754112

Users cron jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. With this update, the relevant policy rules have been modified and users cron jobs now run in a user domain.

BZ#754465

When the auditd daemon was listening on port 60, the SELinux Multi-Level Security (MLS) policy prevented auditd from sending audit events to itself from the same system it was running on over port 61, which is possible when using the audisp-remote plugin. This update fixes the relevant policy so that this configuration now works as expected.

BZ#754802

When running the libvirt commands, such as "virsh iface-start" or "virsh iface-destroy" in SELinux enforcing mode and NetworkManager was enabled, the commands took a noticeably long time to finish successfully. With this update, the relevant policy has been added and libvirt commands now work as expected.

BZ#761065

When running a KDE session on a virtual machine with SELinux in enforcing mode, the session was not locked as expected when the SPICE console was closed. This update adds necessary SELinux rules which ensure that the user's session is properly locked under these circumstances.

BZ#786088

An incorrect SELinux policy prevented the qpidd service from starting. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.

BZ#784783

With SELinux in enforcing mode, the ssh-keygen utility was prevented from access to various applications and thus could not be used to generate SSH keys for these programs. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures the ssh-keygen utility to work correctly.

BZ#796423

Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.

BZ#796331

An incorrect SELinux policy prevented the qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.

BZ#796585

With SELinux in enforcing mode, an OpenMPI job submitted to the parallel universe environment failed on ssh keys generation. This happened because the ssh-keygen utility was not able to read from and write to the "/var/lib/condor/" directory". With this update, a new SELinux policy has been added for the "/var/lib/condor/" directory, which allows the ssh-keygen utility to read from and write to this directory.

Bug Fix

BZ#966994

Previously, the mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.