4.176. selinux-policy

BZ#784782

With SELinux in enforcing mode, an Open MPI (Message Passing Interface) job submitted to the parallel universe environment failed when an attempt to generate SSH keys with the ssh-keygen utility was made. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures the ssh-keygen utility to work correctly.

Bug Fixes

BZ#693149

When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the wpa_cli client utility to connect to the running wpa_supplicant daemon. With this update, the SELinux policy has been fixed, and wpa_cli now works as expected.

BZ#715227

Due to an incorrect SELinux policy, the smartd daemon was not able to set up an monitor of a 3ware device. This update corrects this bug by adding an appropriate policy, which allows the smartd policy to create a fixed disk device node.

BZ#716956

Previously, the SELinux Multi-Level Security (MLS) policy did not allow the cron daemon to read a Kerberos configuration file. This update fixes the relevant SELinux policy to make sure the Kerberos configuration file can be read by the cron daemon.

BZ#717152

When the SELinux Multi-Level Security (MLS) policy was enabled, starting the smartd daemon caused Access Vector Cache (AVC) messages to be written to the audit log file. With this update, the relevant policy has been fixed and the AVC messages are no longer produced in the described scenario.

BZ#721041

When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the samba service from scanning the /boot/ directory when responding to quota check requests. The error has been fixed and samba is now allowed to search all mount points in the system.

BZ#722536

Previously, the rsyslogd daemon was unable to connect to a MySQL database when support for the rsyslog-mysql package was enabled. This bug has been fixed and rsyslogd is now allowed to connect to MySQL as expected.

BZ#722579

Due to an error in a SELinux policy, SELinux incorrectly prevented the ricci service from installing RPM packages. With this update, the fixed SELinux rules, which allow ricci to install RPM packages, have been provided.

BZ#728957

Previously, due to an incorrect SElinux context, the user was unable to access the fetchmail.log in their home directory. This update adds a SELinux security context for the .fetchmailrc file located in user home directories to allow the fetchmail application to get external private emails.

BZ#730294

Due to incorrect SELinux policy rules, the procmail mail delivery agent was not allowed to execute the hostname command when HOST_NAME=`hostname` was specified in the configuration file. This update adapts the SELinux policy to support this procmail option.

BZ#730962

When PAM (Pluggable Authentication Modules) authentication was used in the squid daemon with SELinux enabled, the AVC message related to the netlink_audit_socket SELinux class was written to the audit log file. With this update, the relevant policy has been fixed and using PAM with squid no longer produces these messages.

BZ#721041

When SELinux was running in the Enforcing mode, an incorrect SELinux policy prevented the swat (Samba Web Administration Tool) utility from writing to samba log files. This bug has been fixed and swat is now allowed to write to all samba log files.

BZ#733668

On a MLS system, if a new user attempted to reset their password on the first login, SELinux prevented this action. With this update, the SELinux policy has been updated to allow the sysadm_t SELinux user type transition to the passwd_t SELinux domain, which is intended for the passwd utility.

BZ#735813

Previously, the /etc/passwd.adjunct file contained an incorrect label, resulting in a wrong SELinux security context. This update adds a SELinux security context for /etc/passwd.adjunct to make it possible to use this file on a Network Information Service (NIS) server.

BZ#745139

When SELinux was running in the Enforcing mode, rsyslog clients were incorrectly denied access to port 6514 (syslog-over-TLS). This update adds a new SELinux policy that allows rsyslog clients to connect to this port.

BZ#745175

With the omsnmp module enabled, the latest version of the rsyslog daemon can send log messages as SNMP traps. This update adapts the SELinux policy to support this new functionality.

BZ#746351, BZ#761592

When SELinux was enabled, starting the ricci daemon caused Access Vector Cache (AVC) messages to be written to the audit log file. With this update, the relevant policy has been fixed and starting ricci no longer produces these messages.

BZ#752487

Due to inccorect SELinux policy, the finger application was not able to use the nss_ldap module to get information (such as users, hosts, and groups) from LDAP directories. With this update, fixed SELinux rules, which allow finger to connect to the LDAP port to get all needed information from LDAP, have been provided.

BZ#753039, BZ#767633

When an unconfined SELinux user runs the ssh-keygen utility, the user is able to generate SSH keys anywhere. However, transition from the unconfined_t to the ssh_keygen_t domain prevented this functionality. To make the ssh-keygen utility work correctly at all times, the ssh_keygen_t SELinux domain type has now been provided as an unconfined type.

BZ#754121

When SELinux was running in the Enforcing mode, the sssd service was not allowed to create, delete, or read symbolic links in the /var/lib/sss/pipes/private/ directory. This update fixes the relevant SELinux policy rules to allow sssd to perform these operations.

BZ#761481

When SELinux was running in the Enforcing mode, the sssd service did not work properly; if a user authenticated to the sshd service using the Generic Security Services Application Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds an appropriate security file context for the /var/cache/krb5cache/ directory, which allows sssd to work correctly in the described scenario.

BZ#761485, BZ#767565

Previously, the SELinux security context for the iscsiuio binary was not defined in the policy. Consequently, the operation of the iscsid daemon could experience problems. This update adds a SELinux security context for the /sbin/iscsiuio file to make iscsid run in the proper SELinux domain, thus fixing this bug.

BZ#766591

When SELinux was running in the Enforcing mode, the pam_oddjob_mkhomedir utility could not be run, home directories could not be created, and actions for the oddjob service were denied. With this update, the appropriate SELinux rule has been provided and SELinux no longer prevents pam_oddjob_mkhomedir from working correctly in the described scenario.

BZ#781477

Due to an incorrect SELinux policy, an attempt to use the nice utility to modify scheduling priority of the openvpn service failed. This update provides fixed SELinux rules, adds the sys_nice capability, and users are now allowed to modify the scheduling priority as expected.

Enhancements

BZ#709370

With this update, the new SELinux policy for mcelog service has been added to make mcelog work properly on SELinux Multi-Level Security (MLS) systems.

BZ#718219

The support for the dkim-milter, DKIM (DomainKeys Identified Mail) mail filter, application has been backported to the selinux-policy package in order to allow the Postfix email server to use it.

BZ#720462

With this update, the new SELinux policy for the Zarafa Open Source Email & Collaboration Software has been provided for selinux-policy.

BZ#724941

With this update, the new SELinux policy for the subscription-manager utility has been provided for selinux-policy.

BZ#741670

A new SELinux Boolean value, dhcpc_exec_iptables, has been added to allow the dhcpd daemon to execute iptables commands.