8.198. selinux-policy

Bug Fixes

BZ#872542

When SELinux was in enforcing mode and the AWStats utility was configured to purge httpd log files, AVC messages were generated due to missing SELinux policy rules for this setup. To fix this bug, the awstats_purge_apache_log_files Boolean was added. When enabled, the Boolean allows AWStats to purge the log files. Thus, the AVC messages are no longer returned.

BZ#878148

Due to a missing SELinux policy rule, the httpd daemon did not have permissions for searching the /var/lib/cobbler/webui_sessions/ directory. Consequently, the user was not able to log into the Cobbler Web User Interface (UI). With this update, the SELinux policy has been updated and the user is now able to use the Cobbler Web UI as expected.

BZ#890646, BZ#890647, BZ#892024

When SELinux was in enforcing mode, the following problems related to the postfix service occurred:

• The postfix service was unable to connect to the MySQL database.
• The sysadm_u SELinux user was not able to execute the postqueue -p command correctly.
• The postfix daemon was not able to list the content of the /tmp/ directory.
• When the Sender Policy Framework (SPF) verification was enabled on a gateway, the posfix-master binary was not able to execute the postfix-policyd-spf-perl Postfix server.

With this update, a set of new SELinux policy rules has been added to the SELinux policy to fix these bugs. As a result, postfix now works as expected in the described scenarios.

BZ#903371

Previously, a proper security context for the /usr/local/bin/x11vnc file was missing. Consequently, SELinux in enforcing mode blocked the GNOME Display Manager (GDM) and the X.Org implementation of the X Window System from executing the x11vnc server utility. The xserver_exec_t security context for the file has been added to the SELinux policy and GDM and X.Org now work correctly in the described scenario.

BZ#906346

Due to missing SELinux policy rules, the sysstat utility was unable to write a device label when generating data for the sar command. With this update, the SELinux policy has been updated to allow sysstat to work correctly.

BZ#906773

Previously, a proper security context for the /bin/yum-builddep file was missing. Consequently, SELinux in enforcing mode returned an error after installation of the sendmail package using the yum-builddep command. The security context has been updated to rpm_exec_t and the installation using yum-builddep now proceeds as expected.

BZ#908095

Due to incorrect SELinux policy rules, an attempt to use the df_inode plug-in of the Munin utility caused AVC messages to be returned. The policy rules have been updated and the plug-in now works as expected.

BZ#909857, BZ#983601, BZ#1003571, BZ#1021566

When SELinux was in enforcing mode, the following problems related to the tgtd daemon occurred due to insufficient SELinux policy rules:

• The tgtd daemon was not able to connect to the TCP port 3205 when it was running on a server together with the iSNSd daemon. Consequently, tgtd failed to discover the Internet Storage Name Service (iSNS) target.
• The tgtd daemon failed to access the /dev/infiniband/uverbs0 device due to missing SELinux labeling for the device.
• The SYS_RAWIO, SYS_ADMIN and IPC_LOCK capabilities were missing.
• The tgtd daemon failed to access the /dev/sg0 device.

The appropriate SELinux policy rules have been added to fix these bugs and tgtd now works as expected in the described scenarios.

BZ#912295

Previously, when multiple devices were added to the system, a udev rule restarted the ktune services for each new device. This could lead to many restarts in a short period of time. The multiple restarts could trigger a race condition in the kernel, which cannot be currently fixed. The tuned daemon code has been modified not to trigger more than one restart per 10 seconds, thus preventing the race condition from occurring.

BZ#913673

When the cgrulesengd daemon attempted to use the inotifyfs scripts for monitoring file-system changes, SELinux denied the daemon to access to the scripts due to the insufficient SELinux policy. This update adds a new SELinux policy rule to fix this bug and cgrulesengd can now use inotifyfs as expected.

BZ#915729, BZ#966203, BZ#984903

When SELinux was in enforcing mode, the following problems related to the system-config-kdump utility occurred due to insufficient SELinux policy rules:

• The kexec feature running in the kdumpgui_t SELinux domain was not able to access the kcore file.
• The system-config-kdump was unable to write to the /boot/efi/EFI/redhat/grub.cfg file.
• The system-config-kdump failed to write the zipl information.

The appropriate SELinux policy rules have been added to fix these bugs and system-config-kdump now works as expected.

BZ#917157, BZ#991024

Previously, Nagios Remote Plugin Executor (NRPE) was not allowed to execute the sudo utility due to missing SELinux policy rules. Consequently, when users used NRPE and their own Nagios plug-ins for monitoring servers, an attempt to call the status action of the init.d script for the supplied service, to determine the health of the service, failed. The appropriate SELinux policy rules have been updated so that NRPE can now use the sudo utility as expected.

BZ#919192

Due to an incorrect label of the /var/lock/subsys/dirsrv-admin file, an attempt to restart the Administration server using the console or the command line failed. As a consequence, AVC denial messages were returned. This update adds the proper default security context for the file and denial messages are now no longer returned.

BZ#919893

Previously, a proper security context for the /sbin/ip6tables file was missing. Consequently, SELinux in enforcing mode caused failures in the Shorewall utility. With this update, the security context has been updated to iptables_exec_t. As a result, Shorewall works as expected.

BZ#921234

Due to missing SELinux policy rules, the abrt_t SELinux domain was not allowed to make a transition to the prelink_t SELinux domain. As a consequence, the RPM verification of a package, which provided binary of a package that had terminated unexpectedly, failed during the Automatic Bug Reporting Tool (ABRT) processing. The SELinux policy has been modified to fix this bug so that the RPM verification no longer fails in the described scenario.

BZ#922028

Previously, SELinux in enforcing mode prevented the snmptthandler utility from performing any operations in the /var/spool/snmptt/ directory due to the incorrect security context of the directory. With this update, the context has been updated to snmpd_var_lib_t so that the utility now works as expected.

BZ#922135

Due to incorrect SELinux policy rules, the Nagios application was unable to temporary store a file with its test results in the /var/spool/nagios/checkresults/ directory. This update fixes the relevant SELinux policy rules and Nagios is no longer prevented from storing the file in this directory.

BZ#927003

The Network Information Service (NIS) master can be configured with other machines running as NIS slaves. Previously, when a NIS client changed the NIS password, a new AVC message was logged into the /var/log/audit/audit.log file. This was because SELinux did not allow the yppus utility to connect to the Transmission Control Protocol (TCP) 111 port. With this update, the appropriate SELinux policy rules have been modified and the AVC message is no longer logged in the described scenario.

BZ#927973

Due to the incorrect SELinux policy, running the Apache HTTP Server alongside with the postfix agent did not work correctly. As a consequence, the postdrop utility, which was labeled with the httpd_t SELinux label, was unable to access the /var/spool/postfix/maildrop/ directory. With this update, the httpd_can_sendmail Boolean has been updated to allow postdrop to access the directory.

BZ#947772

When SELinux was in enforcing mode, the sanlock-helper utility was not allowed to send a SIGKILL signal to any process, which was registered to the sanlock daemon. The relevant SELinux policy rules have been modified with this update and sanlock-helper is now able to send the SIGKILL signal to the registered processes.

BZ#950103

Due to insufficient SELinux policy rules, a transition between the pegasus_t and the mount_t SELinux domains did not work correctly. Consequently, when the OpenPegasus Web-Based Enterprise Management (WBEM) services tried to retrieve information about a file system using the wbemcli utility, the access to the mount was denied by SELinux. With this update, the SELinux policy has been modified and OpenPegasus is now able to access the mount in the described scenario.

BZ#952621

When SELinux was in enforcing mode, the sandbox SELinux domains were not able to use inherited user terminals due to missing SELinux policy rules. With this update, the respective rules have been updated to allow sandbox domains to use these terminals.

BZ#953180

Due to insufficient SELinux policy rules, when the s2s service was used in the mixed Red Hat Network Satellite and Red Hat Network Satellite Proxy environment, the following AVC message was returned in the audit.log file:

type=AVC msg=audit(1364300742.715:101611): avc: denied { name_connect } for pid=2278 comm="s2s" dest=5269 scontext=system_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket

The appropriate SELinux rules have been added to fix this bug and the AVC message is no longer returned in such a case.

BZ#956720

Previously the opasswd and the opasswd.old files were labeled with the etc_t SELinux context. However, these files included sensitive information and were supposed to be labeled with the shadow_t context. With this update, the SELinux policy has been modified and the files are now correctly labeled with shadow_t as expected.

BZ#957012

Previously, clock devices (/dev/ptp*) were incorrectly labeled with the device_t SELinux label instead of clock_device_t. This update provides a patch to fix this bug and the clock devices are now correctly labeled.

BZ#957023

Previously, SELinux in enforcing mode prevented the svnserve daemon from using the TCP port 3690. The appropriate SELinux policy rules have been updated and svnserve can now use the port as expected.

BZ#957265

Due to missing SELinux rules, a transition between the aide_t and the prelink_t SELinux domains was not possible. As a consequence, when SELinux was running in enforcing mode, the aide --check command executed inside a cron job did not work correctly. The respective SELinux rules have been updated to fix this bug and the command now works as expected.

BZ#958682, BZ#975921, BZ#1009449

Previously, the mysqld_safe script was unable to execute a shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected. In addition, the mysqld_safe SELinux policy has been modified to allow the SYS_NICE capability.

BZ#966106

When using certain versions of the Quantum service with netns support, SELinux denied various operations, which caused Quantum to terminate unexpectedly. Moreover, due to a “dontaudit” rule for the operations, AVC messages were not returned unless SELinux was running in permissive mode. The appropriate SELinux policy has been fixed so that SELinux no longer denies the operations and Quantum failures no longer occur in the described scenario.

BZ#966515

Previously, enabling the ftp_homdedir Boolean allowed certain rules, that were not supposed to be allowed by the Boolean. The relevant SELinux policy has been modified and the Boolean now allows only the rules that it is supposed to.

BZ#966635

Previously, the Munin Common Gateway Interface (CGI) scripts was labeled incorrectly, and therefore ran in an incorrect SELinux domain. The file context for the scripts has been updated to httpd_munin_script_exec_t and the scripts now run in the correct SELinux domain.

BZ#966640

Previously, the /var/log/syslog-ng file was incorrectly labeled with the syslog_var_run_t SELinux security context. Consequently, when SELinux was running in enforcing mode, the logwatch utility was unable to access the file. With this update, the security context for the syslog-ng file has been modified to var_log_t and logwatch can now access the file as expected.

BZ#971594

Previously, an attempt to attach a Logical Volume Management (LVM) volume to a Red Hat OpenStack 3 instance failed due to the incorrect SELinux policy and AVC denial messages were returned. The relevant SELinux policy rules have been modified to add an additional Multi-Category Security (MCS) attribute for the hald_t SELinux domain. As a result, the AVC denial messages are now no longer returned in the described scenario.

BZ#973156

Previously, the /etc/yaboot.conf file was incorrectly labeled with the etc_t SELinux security context. With this update, the security context has been changed to the bootloader_etc_t.

BZ#974932

The SETUID and SETGID capabilities were missing in the SELinux policy. As a consequence, when SELinux was in enforcing mode, the rsyslog utility was unable to drop privileges with the $PrivDropToUser and $PrivDropToGroup options. With this update, the missing capabilities have been added to the SELinux policy and rsyslog can now drop privileges as expected.

BZ#978993

Due to incorrect SELinux policy rules, SELinux prevented the chronyd daemon from using the SYS_NICE capability. The capability is required by the sched_setscheduler() function. With this update, the SELinux policy rules has been modified to allow the daemon to use SYS_NICE.

BZ#983217

Previously, a transition from the dovecot_t SELinux domain to the oddjob_mkhomedir_t SELinux domain was not allowed. Consequently, an attempt to create a user home directory alongside with the Dovecot server and the pam_oddjob_mkhomedir module enabled failed and AVC messages were returned. The SELinux policy has been modified so that the transition is now allowed.

BZ#995434

SELinux running in enforcing mode prevented the lldpad service from communicating with the fcoemon service. As a consequence, the user was not able to create a virtual machine in Virtual Machine Manager (virt-manager) and the following AVC message was returned:

type=AVC msg=audit(1376046443.294:69876): avc:  denied  { sendto } for  pid=2755 comm="lldpad" path=003030303232 
scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket

The appropriate SELinux policy has been fixed and users are now able to create virtual machines as expected.

BZ#998663

Previously, the SELinux policy prevented running virtual machines based on volumes located in the /var/run/vdsm/storage/ VDSM's daemon directory. As a consequence, an attempt to run such a virtual machine terminated unexpectedly with an error. With this update, the svirt_t SELinux domain has been updated to read symbolic links in the /var/run/ directory. As a result, the virtual machines no longer fail in the described scenario.

BZ#1005196, BZ#1005250

Due to incorrect SELinux policy rules, certain SELinux domains were unable to access the /sys/devices/system/cpu/ directory. Consequently, such domains could not get information from the directory. With this update, the relevant SELinux policy rules have been updated to allow the domains access to the /sys/devices/system/cpu/ directory.

BZ#1005806

With the Multi-Level Security (MLS) SELinux policy enabled, the xinetd daemon failed to execute a shell script and the following error message was returned:

xinetd[2771]: execv( /usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill.sh ) failed: Permission denied (errno = 13)

The appropriate SELinux rules have been updated to allow xinetd to execute shell scripts.

BZ#1006952

Due to insufficient SELinux policy rules, an attempt to start a QEMU process using the libvirt library failed with an error. With this update, the SELinux policy has been modified and QEMU processes now start as expected.

BZ#1009661

Due to insufficient SELinux policy rules, the beaker jobs failed during automatic wireless testing and an AVC denied message was returned. Consequently, users were unable to use the wireless connection. The appropriate SELinux policy rules have been updated to fix this bug so that users can now use the wireless connection in the described scenario.

BZ#1009838

Due to missing SELinux policy rules, when the system was set up to use the yppasswdd daemon on a server, the rpc.yppasswdd binary was now allowed to read the /var/run/utmp file and list the content of the /boot/ directory. The relevant SELinux policy has been updated and the daemon can now access the utmp file and the /boot/ directory as expected.

BZ#1009859

When the system was set up to the Concurrent Versions System (CVS) server using Pluggable Authentication Module (PAM) for client authentication, the CVS binary was not allowed to read the /var/run/utmp file. This update fixes the relevant SELinux policy to allow CVS to read the file as expected.

Enhancements

BZ#926022

With this enhancement, a new Boolean, ftpd_use_fusefs, has been added to the SELinux policy. When enabled, this Boolean allows the GlusterFS mounts to be used for the File Transfer Protocol (FTP) data directory.

BZ#854963, BZ#876334, BZ#881834, Bz#891779, BZ#1000521

The pand, haproxy, watchdog, lldpad, and openhpid daemons ran in the initrc_t SELinux domain. With this enhancement, SELinux support has been added for the daemons and they now use their own separate SELinux domains.

BZ#871437

With this enhancement, a new SELinux policy for the smstools package is provided.

BZ#880728, BZ#986198

Previously, the manual pages did not include all updated SELinux policy rules. With this update, the actual SELinux policy is included in the selinux-policy package. As a result, such manual pages are up-to-date.

BZ#889120, BZ#915151, BZ#923246, BZ#924843, BZ#1011963,

Previously, the pacemaker resource manager did not have its own SELinux policy defined and used the initrc_t domain. With this update, all cluster administrative services including pacemaker have been merged together to the cluster_t SELinux domain. In addition to this merge, all other Red Hat Cluster services have been updated to use the cluster_t domain.

BZ#859651, BZ#1004380, BZ#1010324

The git_shell_t SELinux type has been removed from the SELinux policy. With this enhancement, the updated SELinux policy for the Git control system is provided.

BZ#890554

With this enhancement, the SELinux policy for the Zabbix monitoring system has been updated.

BZ#915314

With this enhancement, a set of new rules, which allows the user to mount the Gluster file system, has been added to the SELinux policy.

BZ#922732, BZ#966387

A new SELinux file type and label has been added for the /var/lib/openvpn/ directory. In addition, the SELinux policy has been updated to allow OpenVPN to manage its own log files.

BZ#928020, BZ#955189, BZ#979421, BZ#999471, BZ#1002593

With this enhancement, the amavis_t, clamd_t, clamscan_t, freshclam_t SELinux domains have been merged to the antivirus_t SELinux domain.

BZ#952827

With this update, SELinux support for 27017, 28017, 27018, 28018, 27019 and 28019 ports has been added. These now ports use their separate mongod_port_t SELinux port type.

BZ#953652, BZ#963465, BZ#968344, BZ#969485

With this update, the SELinux policy for the OpenShift application platform has been updated to reflect the latest upstream policy.

BZ#953754

The file contexts for all Nagios plug-ins located in the usr/lib(64)?/nagios/plugins/ directory have been updated to the nagios_unconfined_plugin_exec_t context.

BZ#955774

With this enhancement, two new Booleans have been added to the SELinux policy. The tftp_use_nfs Boolean allows The Trivial File Transfer Protocol (TFTP) to read from NFS volumes for public file transfer services. The tftp_use_cifs Boolean allows TFTP to read from CIFS volumes.

BZ#959554

The new Shared System Certificates feature has added new locations, from which system trusted certificated and blacklist information could be read. With this enhancement, SELinux file contexts have been updated accordingly.

BZ#964345

The SELinux policy related to the QEMU Guest Agent (qemu-ga) has been updated according to new qemu-ga features and functionality.

BZ#968403

With this update, the SELinux policy for the Oracle Automatic Storage Management (ASM) has been updated to reflect the latest upstream policy.

BZ#977047

The Zettabyte File System (ZFS) has been added to the xattr list of supported file systems. With this enhancement, the SELinux policy has been updated accordingly.

BZ#979432

The new openvpn_run_unconfined Boolean has been added to the SELinux policy. When enabled, the Boolean allows OpenVPN to execute unconfined scripts.

BZ#986883

With this update, the SELinux policy for Internet Protocol Security (IPsec) has been updated to reflect the latest upstream policy.

BZ#1006370

With this update, the prefix of the openstack-selinux policies has been changed from “quantum” to “neutron”.

BZ#1011973

With this enhancement, the TCP port 9000 is labeled with the httpd_port_t SELinux label.