이 콘텐츠는 선택한 언어로 제공되지 않습니다.
8.198. selinux-policy
Updated selinux-policy packages that fix a number of bug fixes and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#872542
- When SELinux was in enforcing mode and the
AWStats
utility was configured to purgehttpd
log files, AVC messages were generated due to missing SELinux policy rules for this setup. To fix this bug, theawstats_purge_apache_log_files
Boolean was added. When enabled, the Boolean allowsAWStats
to purge the log files. Thus, the AVC messages are no longer returned. - BZ#878148
- Due to a missing SELinux policy rule, the
httpd
daemon did not have permissions for searching the/var/lib/cobbler/webui_sessions/
directory. Consequently, the user was not able to log into the Cobbler Web User Interface (UI). With this update, the SELinux policy has been updated and the user is now able to use the Cobbler Web UI as expected. - BZ#890646, BZ#890647, BZ#892024
- When SELinux was in enforcing mode, the following problems related to the
postfix
service occurred:With this update, a set of new SELinux policy rules has been added to the SELinux policy to fix these bugs. As a result,- The
postfix
service was unable to connect to the MySQL database. - The
sysadm_u
SELinux user was not able to execute thepostqueue -p
command correctly. - The
postfix
daemon was not able to list the content of the/tmp/
directory. - When the Sender Policy Framework (SPF) verification was enabled on a gateway, the
posfix-master
binary was not able to execute thepostfix-policyd-spf-perl
Postfix server.
postfix
now works as expected in the described scenarios. - BZ#903371
- Previously, a proper security context for the
/usr/local/bin/x11vnc
file was missing. Consequently, SELinux in enforcing mode blocked the GNOME Display Manager (GDM) and the X.Org implementation of the X Window System from executing thex11vnc
server utility. Thexserver_exec_t
security context for the file has been added to the SELinux policy and GDM and X.Org now work correctly in the described scenario. - BZ#906346
- Due to missing SELinux policy rules, the
sysstat
utility was unable to write a device label when generating data for thesar
command. With this update, the SELinux policy has been updated to allowsysstat
to work correctly. - BZ#906773
- Previously, a proper security context for the
/bin/yum-builddep
file was missing. Consequently, SELinux in enforcing mode returned an error after installation of the sendmail package using theyum-builddep
command. The security context has been updated torpm_exec_t
and the installation usingyum-builddep
now proceeds as expected. - BZ#908095
- Due to incorrect SELinux policy rules, an attempt to use the
df_inode
plug-in of theMunin
utility caused AVC messages to be returned. The policy rules have been updated and the plug-in now works as expected. - BZ#909857, BZ#983601, BZ#1003571, BZ#1021566
- When SELinux was in enforcing mode, the following problems related to the
tgtd
daemon occurred due to insufficient SELinux policy rules:The appropriate SELinux policy rules have been added to fix these bugs and- The
tgtd
daemon was not able to connect to the TCP port 3205 when it was running on a server together with theiSNSd
daemon. Consequently,tgtd
failed to discover the Internet Storage Name Service (iSNS) target. - The
tgtd
daemon failed to access the/dev/infiniband/uverbs0
device due to missing SELinux labeling for the device. - The
SYS_RAWIO
,SYS_ADMIN
andIPC_LOCK
capabilities were missing. - The
tgtd
daemon failed to access the/dev/sg0
device.
tgtd
now works as expected in the described scenarios. - BZ#912295
- Previously, when multiple devices were added to the system, a
udev
rule restarted thektune
services for each new device. This could lead to many restarts in a short period of time. The multiple restarts could trigger a race condition in the kernel, which cannot be currently fixed. Thetuned
daemon code has been modified not to trigger more than one restart per 10 seconds, thus preventing the race condition from occurring. - BZ#913673
- When the
cgrulesengd
daemon attempted to use theinotifyfs
scripts for monitoring file-system changes, SELinux denied the daemon to access to the scripts due to the insufficient SELinux policy. This update adds a new SELinux policy rule to fix this bug andcgrulesengd
can now useinotifyfs
as expected. - BZ#915729, BZ#966203, BZ#984903
- When SELinux was in enforcing mode, the following problems related to the
system-config-kdump
utility occurred due to insufficient SELinux policy rules:The appropriate SELinux policy rules have been added to fix these bugs and- The
kexec
feature running in thekdumpgui_t
SELinux domain was not able to access thekcore
file. - The
system-config-kdump
was unable to write to the/boot/efi/EFI/redhat/grub.cfg
file. - The
system-config-kdump
failed to write thezipl
information.
system-config-kdump
now works as expected. - BZ#917157, BZ#991024
- Previously, Nagios Remote Plugin Executor (NRPE) was not allowed to execute the
sudo
utility due to missing SELinux policy rules. Consequently, when users used NRPE and their own Nagios plug-ins for monitoring servers, an attempt to call thestatus
action of theinit.d
script for the supplied service, to determine the health of the service, failed. The appropriate SELinux policy rules have been updated so that NRPE can now use thesudo
utility as expected. - BZ#919192
- Due to an incorrect label of the
/var/lock/subsys/dirsrv-admin
file, an attempt to restart the Administration server using the console or the command line failed. As a consequence, AVC denial messages were returned. This update adds the proper default security context for the file and denial messages are now no longer returned. - BZ#919893
- Previously, a proper security context for the
/sbin/ip6tables
file was missing. Consequently, SELinux in enforcing mode caused failures in theShorewall
utility. With this update, the security context has been updated toiptables_exec_t
. As a result,Shorewall
works as expected. - BZ#921234
- Due to missing SELinux policy rules, the
abrt_t
SELinux domain was not allowed to make a transition to theprelink_t
SELinux domain. As a consequence, the RPM verification of a package, which provided binary of a package that had terminated unexpectedly, failed during the Automatic Bug Reporting Tool (ABRT) processing. The SELinux policy has been modified to fix this bug so that the RPM verification no longer fails in the described scenario. - BZ#922028
- Previously, SELinux in enforcing mode prevented the
snmptthandler
utility from performing any operations in the/var/spool/snmptt/
directory due to the incorrect security context of the directory. With this update, the context has been updated tosnmpd_var_lib_t
so that the utility now works as expected. - BZ#922135
- Due to incorrect SELinux policy rules, the Nagios application was unable to temporary store a file with its test results in the
/var/spool/nagios/checkresults/
directory. This update fixes the relevant SELinux policy rules and Nagios is no longer prevented from storing the file in this directory. - BZ#927003
- The Network Information Service (NIS) master can be configured with other machines running as NIS slaves. Previously, when a NIS client changed the NIS password, a new AVC message was logged into the
/var/log/audit/audit.log
file. This was because SELinux did not allow theyppus
utility to connect to the Transmission Control Protocol (TCP) 111 port. With this update, the appropriate SELinux policy rules have been modified and the AVC message is no longer logged in the described scenario. - BZ#927973
- Due to the incorrect SELinux policy, running the Apache HTTP Server alongside with the
postfix
agent did not work correctly. As a consequence, thepostdrop
utility, which was labeled with thehttpd_t
SELinux label, was unable to access the/var/spool/postfix/maildrop/
directory. With this update, thehttpd_can_sendmail
Boolean has been updated to allowpostdrop
to access the directory. - BZ#947772
- When SELinux was in enforcing mode, the
sanlock-helper
utility was not allowed to send a SIGKILL signal to any process, which was registered to thesanlock
daemon. The relevant SELinux policy rules have been modified with this update andsanlock-helper
is now able to send the SIGKILL signal to the registered processes. - BZ#950103
- Due to insufficient SELinux policy rules, a transition between the
pegasus_t
and themount_t
SELinux domains did not work correctly. Consequently, when the OpenPegasus Web-Based Enterprise Management (WBEM) services tried to retrieve information about a file system using thewbemcli
utility, the access to the mount was denied by SELinux. With this update, the SELinux policy has been modified and OpenPegasus is now able to access the mount in the described scenario. - BZ#952621
- When SELinux was in enforcing mode, the
sandbox
SELinux domains were not able to use inherited user terminals due to missing SELinux policy rules. With this update, the respective rules have been updated to allowsandbox
domains to use these terminals. - BZ#953180
- Due to insufficient SELinux policy rules, when the
s2s
service was used in the mixed Red Hat Network Satellite and Red Hat Network Satellite Proxy environment, the following AVC message was returned in theaudit.log
file:type=AVC msg=audit(1364300742.715:101611): avc: denied { name_connect } for pid=2278 comm="s2s" dest=5269 scontext=system_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
The appropriate SELinux rules have been added to fix this bug and the AVC message is no longer returned in such a case. - BZ#956720
- Previously the
opasswd
and theopasswd.old
files were labeled with theetc_t
SELinux context. However, these files included sensitive information and were supposed to be labeled with theshadow_t
context. With this update, the SELinux policy has been modified and the files are now correctly labeled withshadow_t
as expected. - BZ#957012
- Previously, clock devices (
/dev/ptp*
) were incorrectly labeled with thedevice_t
SELinux label instead ofclock_device_t
. This update provides a patch to fix this bug and the clock devices are now correctly labeled. - BZ#957023
- Previously, SELinux in enforcing mode prevented the
svnserve
daemon from using the TCP port 3690. The appropriate SELinux policy rules have been updated andsvnserve
can now use the port as expected. - BZ#957265
- Due to missing SELinux rules, a transition between the
aide_t
and theprelink_t
SELinux domains was not possible. As a consequence, when SELinux was running in enforcing mode, theaide --check
command executed inside acron
job did not work correctly. The respective SELinux rules have been updated to fix this bug and the command now works as expected. - BZ#958682, BZ#975921, BZ#1009449
- Previously, the
mysqld_safe
script was unable to execute a shell (/bin/sh
) with theshell_exec_t
SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected. In addition, themysqld_safe
SELinux policy has been modified to allow theSYS_NICE
capability. - BZ#966106
- When using certain versions of the Quantum service with
netns
support, SELinux denied various operations, which caused Quantum to terminate unexpectedly. Moreover, due to a “dontaudit” rule for the operations, AVC messages were not returned unless SELinux was running in permissive mode. The appropriate SELinux policy has been fixed so that SELinux no longer denies the operations and Quantum failures no longer occur in the described scenario. - BZ#966515
- Previously, enabling the
ftp_homdedir
Boolean allowed certain rules, that were not supposed to be allowed by the Boolean. The relevant SELinux policy has been modified and the Boolean now allows only the rules that it is supposed to. - BZ#966635
- Previously, the
Munin
Common Gateway Interface (CGI) scripts was labeled incorrectly, and therefore ran in an incorrect SELinux domain. The file context for the scripts has been updated tohttpd_munin_script_exec_t
and the scripts now run in the correct SELinux domain. - BZ#966640
- Previously, the
/var/log/syslog-ng
file was incorrectly labeled with thesyslog_var_run_t
SELinux security context. Consequently, when SELinux was running in enforcing mode, thelogwatch
utility was unable to access the file. With this update, the security context for thesyslog-ng
file has been modified tovar_log_t
andlogwatch
can now access the file as expected. - BZ#971594
- Previously, an attempt to attach a Logical Volume Management (LVM) volume to a Red Hat OpenStack 3 instance failed due to the incorrect SELinux policy and AVC denial messages were returned. The relevant SELinux policy rules have been modified to add an additional Multi-Category Security (MCS) attribute for the
hald_t
SELinux domain. As a result, the AVC denial messages are now no longer returned in the described scenario. - BZ#973156
- Previously, the
/etc/yaboot.conf
file was incorrectly labeled with theetc_t
SELinux security context. With this update, the security context has been changed to thebootloader_etc_t
. - BZ#974932
- The
SETUID
andSETGID
capabilities were missing in the SELinux policy. As a consequence, when SELinux was in enforcing mode, thersyslog
utility was unable to drop privileges with the$PrivDropToUser
and$PrivDropToGroup
options. With this update, the missing capabilities have been added to the SELinux policy andrsyslog
can now drop privileges as expected. - BZ#978993
- Due to incorrect SELinux policy rules, SELinux prevented the
chronyd
daemon from using theSYS_NICE
capability. The capability is required by thesched_setscheduler()
function. With this update, the SELinux policy rules has been modified to allow the daemon to useSYS_NICE
. - BZ#983217
- Previously, a transition from the
dovecot_t
SELinux domain to theoddjob_mkhomedir_t
SELinux domain was not allowed. Consequently, an attempt to create a user home directory alongside with the Dovecot server and thepam_oddjob_mkhomedir
module enabled failed and AVC messages were returned. The SELinux policy has been modified so that the transition is now allowed. - BZ#995434
- SELinux running in enforcing mode prevented the
lldpad
service from communicating with thefcoemon
service. As a consequence, the user was not able to create a virtual machine in Virtual Machine Manager (virt-manager
) and the following AVC message was returned:type=AVC msg=audit(1376046443.294:69876): avc: denied { sendto } for pid=2755 comm="lldpad" path=003030303232 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket
The appropriate SELinux policy has been fixed and users are now able to create virtual machines as expected. - BZ#998663
- Previously, the SELinux policy prevented running virtual machines based on volumes located in the
/var/run/vdsm/storage/
VDSM's daemon directory. As a consequence, an attempt to run such a virtual machine terminated unexpectedly with an error. With this update, thesvirt_t
SELinux domain has been updated to read symbolic links in the/var/run/
directory. As a result, the virtual machines no longer fail in the described scenario. - BZ#1005196, BZ#1005250
- Due to incorrect SELinux policy rules, certain SELinux domains were unable to access the
/sys/devices/system/cpu/
directory. Consequently, such domains could not get information from the directory. With this update, the relevant SELinux policy rules have been updated to allow the domains access to the/sys/devices/system/cpu/
directory. - BZ#1005806
- With the Multi-Level Security (MLS) SELinux policy enabled, the
xinetd
daemon failed to execute a shell script and the following error message was returned:xinetd[2771]: execv( /usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill.sh ) failed: Permission denied (errno = 13)
The appropriate SELinux rules have been updated to allowxinetd
to execute shell scripts. - BZ#1006952
- Due to insufficient SELinux policy rules, an attempt to start a QEMU process using the
libvirt
library failed with an error. With this update, the SELinux policy has been modified and QEMU processes now start as expected. - BZ#1009661
- Due to insufficient SELinux policy rules, the
beaker
jobs failed during automatic wireless testing and an AVC denied message was returned. Consequently, users were unable to use the wireless connection. The appropriate SELinux policy rules have been updated to fix this bug so that users can now use the wireless connection in the described scenario. - BZ#1009838
- Due to missing SELinux policy rules, when the system was set up to use the
yppasswdd
daemon on a server, therpc.yppasswdd
binary was now allowed to read the/var/run/utmp
file and list the content of the/boot/
directory. The relevant SELinux policy has been updated and the daemon can now access theutmp
file and the/boot/
directory as expected. - BZ#1009859
- When the system was set up to the Concurrent Versions System (CVS) server using Pluggable Authentication Module (PAM) for client authentication, the CVS binary was not allowed to read the
/var/run/utmp
file. This update fixes the relevant SELinux policy to allow CVS to read the file as expected.
Enhancements
- BZ#926022
- With this enhancement, a new Boolean,
ftpd_use_fusefs
, has been added to the SELinux policy. When enabled, this Boolean allows the GlusterFS mounts to be used for the File Transfer Protocol (FTP) data directory. - BZ#854963, BZ#876334, BZ#881834, Bz#891779, BZ#1000521
- The
pand
,haproxy
,watchdog
,lldpad
, andopenhpid
daemons ran in theinitrc_t
SELinux domain. With this enhancement, SELinux support has been added for the daemons and they now use their own separate SELinux domains. - BZ#871437
- With this enhancement, a new SELinux policy for the smstools package is provided.
- BZ#880728, BZ#986198
- Previously, the manual pages did not include all updated SELinux policy rules. With this update, the actual SELinux policy is included in the selinux-policy package. As a result, such manual pages are up-to-date.
- BZ#889120, BZ#915151, BZ#923246, BZ#924843, BZ#1011963,
- Previously, the
pacemaker
resource manager did not have its own SELinux policy defined and used theinitrc_t
domain. With this update, all cluster administrative services includingpacemaker
have been merged together to thecluster_t
SELinux domain. In addition to this merge, all other Red Hat Cluster services have been updated to use thecluster_t
domain. - BZ#859651, BZ#1004380, BZ#1010324
- The
git_shell_t
SELinux type has been removed from the SELinux policy. With this enhancement, the updated SELinux policy for the Git control system is provided. - BZ#890554
- With this enhancement, the SELinux policy for the Zabbix monitoring system has been updated.
- BZ#915314
- With this enhancement, a set of new rules, which allows the user to mount the Gluster file system, has been added to the SELinux policy.
- BZ#922732, BZ#966387
- A new SELinux file type and label has been added for the
/var/lib/openvpn/
directory. In addition, the SELinux policy has been updated to allow OpenVPN to manage its own log files. - BZ#928020, BZ#955189, BZ#979421, BZ#999471, BZ#1002593
- With this enhancement, the
amavis_t
,clamd_t
,clamscan_t
,freshclam_t
SELinux domains have been merged to theantivirus_t
SELinux domain. - BZ#952827
- With this update, SELinux support for 27017, 28017, 27018, 28018, 27019 and 28019 ports has been added. These now ports use their separate
mongod_port_t
SELinux port type. - BZ#953652, BZ#963465, BZ#968344, BZ#969485
- With this update, the SELinux policy for the OpenShift application platform has been updated to reflect the latest upstream policy.
- BZ#953754
- The file contexts for all Nagios plug-ins located in the
usr/lib(64)?/nagios/plugins/
directory have been updated to thenagios_unconfined_plugin_exec_t
context. - BZ#955774
- With this enhancement, two new Booleans have been added to the SELinux policy. The
tftp_use_nfs
Boolean allows The Trivial File Transfer Protocol (TFTP) to read from NFS volumes for public file transfer services. Thetftp_use_cifs
Boolean allows TFTP to read from CIFS volumes. - BZ#959554
- The new Shared System Certificates feature has added new locations, from which system trusted certificated and blacklist information could be read. With this enhancement, SELinux file contexts have been updated accordingly.
- BZ#964345
- The SELinux policy related to the QEMU Guest Agent (
qemu-ga
) has been updated according to newqemu-ga
features and functionality. - BZ#968403
- With this update, the SELinux policy for the Oracle Automatic Storage Management (ASM) has been updated to reflect the latest upstream policy.
- BZ#977047
- The Zettabyte File System (ZFS) has been added to the
xattr
list of supported file systems. With this enhancement, the SELinux policy has been updated accordingly. - BZ#979432
- The new
openvpn_run_unconfined
Boolean has been added to the SELinux policy. When enabled, the Boolean allows OpenVPN to execute unconfined scripts. - BZ#986883
- With this update, the SELinux policy for Internet Protocol Security (IPsec) has been updated to reflect the latest upstream policy.
- BZ#1006370
- With this update, the prefix of the
openstack-selinux
policies has been changed from “quantum” to “neutron”. - BZ#1011973
- With this enhancement, the TCP port 9000 is labeled with the
httpd_port_t
SELinux label.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.