Este conteúdo não está disponível no idioma selecionado.
7.225. selinux-policy
Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fix
- BZ#912392
- When multiple devices were added into the system, udev rules restarted ktune services for each new device, so there were several restarts in a short time interval. The multiple restarts triggered a race condition in the kernel which was not easily fixable. Currently, the tuned code is modified not to trigger more than one restart per 10 seconds and the race condition is avoided.
Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.
Updated selinux-policy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy contain the rules that govern how confined processes run on the system.
Bug Fixes
- BZ#837815
- With the Multi-Level Security (MLS) SELinux policy enabled, a user created with an SELinux MLS level could not login to the system through an
SSH
client. The SELinux policy rules have been updated to allow the user to log in to the system in the described scenario. - BZ#835923
- When SELinux was in enforcing mode, an
OpenMPI
job, parallel universe in Red Hat Enterprise Linux MRG Grid, failed and was unable to access files in the/var/lib/condor/execute/
directory. New SELinux policy rules have been added forOpenMPI
jobs to allow a job to access files in this directory. - BZ#857352
- When SELinux was in enforcing mode, a migration from one host to another using the Red Hat Enterprise Virtualization Manager was denied. This update fixes relevant SELinux policy rules and the migration now completes as expected in the described scenario.
- BZ#865759
- Due to a regression, the root user was able to log in when the
ssh_sysadm_login
variable was set toOFF
in MLS. To fix this bug, thessh_sysadm_login
SELinux boolean has been corrected to prevent the root user to log in when this variable is set toOFF
. - BZ#877108
- When the user ran the
system-config-kdump
utility on the IBM System z architecture, the following error message was returned:error opening /etc/zipl.conf for read: Permission denied
This error was caused by missing SELinux policy rules. With this update, the respective rules have been updated to allowsystem-config-kdump
to access the/etc/zipl.conf
file, and the error messages are no longer returned. - BZ#877932
- Previously,
cron
daemon jobs were set to run in thecronjob_t
domain when the SELinux MLS policy was enabled. As a consequence, users could not run theircron
jobs. The relevant policy rules have been modified andcron
jobs now run in the user domain, thus fixing this bug. - BZ#880369
- When the user added a mount point to the
/var/lib/openshift
file and executed thequotacheck -cmug /var/lib/openshift
command, the process resulted in AVC messages logged in the/var/log/audit/audit.log
file. With this update, the quota system can manageopenshift_var_lib_t
directories to make the command work as expected. - BZ#867002
- When the system was set up to use the
SSSD
system daemon to perform user authentication, thepasswd
utility was not allowed to read the/var/lib/sss/mc/
directory. This update fixes the security context for/var/lib/sss/mc/
to allowpasswd
to read this directory as expected. - BZ#878212
- With SELinux in enforcing mode, during automatic testing of Red Hat Enterprise Linux in FIPS mode, PAM (Pluggable Authentication Modules) attempted to run prelink on the
/sbin/unix_chkpwd
file to verify its hash. Consequently, users could not log in to the system. The appropriate SELinux policy rules have been updated and a FIPS mode boolean has been added to resolve this bug. - BZ#887129
- Previously, the
system-config-kdump
utility was unable to handle thekdump
service when SELinux was in enforcing mode for 64-bit PowerPC. To fix this bug, the security context for the/usr/lib/yaboot/addnote
binary file has been changed to the bin_t type. With this update,system-config-kdump
handleskdump
as expected. - BZ#869376
- Due to a missing SELinux policy rule, certain services failed to start in enforcing mode. This update adds the mount_t unlabeled_t:filesystem relabelfrom; rule to make sure these services start as expected.
- BZ#881413
- Previously, if the user added the includedir /var/lib/sss/pubconf/krb5.include.d/ directive to a
krb5.conf
file in Identity Manager and installed a server in permissive mode, it generated numerous AVC messages because a number of processes were not able to read the contents of the included directory. This update adds rules to allow domains that can read the sssd_public_t type to also list this directory. - BZ#859231
- When the krb5 package was upgraded to version 1.9-33.el6_3.3 and Identity Management or FreeIPA was used, an attempt to start the
named
daemon terminated unexpectedly in enforcing mode. This update adapts the relevant SELinux policy to make sure thenamed
daemon can be started in the described scenario. - BZ#858235
- Previously, the
rhnsd
daemon was handled by therhsmcertd
SELinux domain, which caused an AVC denial message to be returned. With this update,rhnsd
has its own SELinux policy domain calledrhnsd_t
, thus preventing these messages. - BZ#831908
- When the
SANLOCKOPTS="-w 0"
option was enabled in the/etc/sysconfig/sanlock
configuration file, AVC denial messages were generated by theservice sanlock restart
command. The SELinux rules have been updated to allow thesanlock
daemon to be restarted correctly without any AVC messages. - BZ#855889
- Previously, the
libselinux
library did not support setting the context based on the contents of/etc/selinux/targeted/logins/$username/
directories. Consequently, central management of SELinux limits did not work properly. With this update, the/etc/selinux/targeted/logins/
directory is now handled by the selinux-policy packages as expected. - BZ#854671
- With SELinux in enforcing mode, the running the
openswan
service with FIPS enabled caused AVC denial messages to be logged to the/var/log/audit/audit.log
file. This update fixes the relevant SELinux policy rules andopenswan
no longer produces AVC messages. - BZ#852763
- With the SELinux MLS policy enabled, users could not mount a file via a loop device. This bug has been fixed, and users can mount a file via a loop device to the
/mnt/
directory successfully. - BZ#835936
- When SELinux was running in enforcing mode, it was impossible to start a virtual machine on a disk located on a POSIX file system, such as GlusterFS. The relevant SELinux policy has been fixed and virtual machines can now be started in the described scenario as expected.
- BZ#843814
- In its current version, the
SSSD
daemon writes SELinux configuration files into the/etc/selinux/<policy>/logins/
directory. The SELinux PAM module then uses this information to set the correct context for a remote user trying to log in. Due to a missing policy for this feature,SSSD
could not write into this directory. With this update, a new security context for/etc/selinux/<[policy]/logins/
has been added together with appropriate SELinux policy rules. - BZ#836311
- Previously, the
heartbeat
subsystem was incorrectly treated by thecorosync
SELinux policy. Consequently, AVC messages were generated andheartbeat
was unusable by default. To fix this bug,heartbeat
is now handled by thergmanager
SELinux policy and AVC messages are no longer returned. - BZ#837138
- With SELinux in enforcing mode, the
clamscan
utility did not work correctly as a backup server in theamavisd-new
interface, which resulted in AVC messages to be returned ifclamscan
could not accessamavis
spool files. This update corrects the SELinux policy to grantclamscan
the necessary permission in the described scenario. - BZ#887892
- Previously, SELinux prevented the
ABRT
(Automatic Bug Reporting Tool) utility to use theinotify
subsystem on the/var/spool/abrt-upload/
directory. Consequently, when the user set up theWatchCrashdumpArchiveDir
option in theABRT
utility, theabrtd
daemon failed on restart. To fix this bug, a SELinux policy rule has been added to allowABRT
to useinotify
on/var/spool/abrt-upload/
with the daemon working correctly. - BZ#842818
- With SELinux in enforcing mode, the
saslauthd
daemon process could not work properly if theMECH=shadow
option was specified in the/etc/sysconfig/saslauthd
file. This update fixes the relevant SELinux policy rules and allowssaslauthd
to use theMECH=shadow
configuration option. - BZ#842905
- Previously, when a process with the user_r SELinux role tried to use the
crontab
utility on an NFS (Network File System) home directory, AVC messages were written to the audit.log file. The relevant SELinux policy has been updated to allow user_r processes to run thecrontab
utility, thus fixing the bug. - BZ#842927, BZ#842968
- When the
MAILDIR=$HOME/Maildir
option was enabled either in the/etc/procmailrc
or indovecot
configuration files, theprocmail
anddovecot
services were not able to access a Maildir directory located in the home directory. This update fixes relevant SELinux policy rules to allow theprocmail
/dovecot
service to read the configuredMAILDIR
option in/etc/procmailrc
. - BZ#886874
- When the
vsftpd
daemon is being stopped, it terminates all childvsftpd
processes by sending the SIGTERM signal to them. When the parent process dies, the child process gets the SIGTERM signal. Previously, this signal was blocked by SELinux. This update fixes the relevant SELinux policy rules to allowvsftpd
to terminate its child processes properly. - BZ#885518
- Previously, the
/var/lib/pgsql/.ssh/
directory had an incorrect security context. With this update, the security context has been changed to the ssh_home_t label, which is required by thePostgreSQL
system backup. - BZ#843543
- Due to an incorrect SELinux policy, SELinux prevented the
libvirtd
daemon from starting thednsmasq
server with the--pid-file=/var/run/libvirt/network/default.pid
option and AVC denial messages were returned. The updated SELinux rules allow thelibvirtd
daemon to start correctly withdnsmasq
support. - BZ#843577
- With the MLS SELinux policy enabled, an administrator in an SELinux domain, with the
sysadm_t
type at the s0-s15:c0.c1023 level, was not able to execute thetar --selinux -zcf wrk.tar.gz /wrk
command. These updated SELinux rules allow administrators to run the command in the described scenario. - BZ#843732
- Due to a missing fcontext for the
/var/named/chroot/lib64/
directory, AVC messages could be returned when working with thenamed
daemon. To fix this bug, the missing SELinux security context for/var/named/chroot/lib64/
has been added. - BZ#836241
- Due to an incorrect SELinux policy, the
dovecot-imap
anddovecot-lda
utilities were not allowed access to the Maildir files and directories with the mail_home_rw_t security context. These updated SELinux rules allowdovecot-imap
anddovecot-lda
to access Maildir home directories. - BZ#844045
- With SELinux in enforcing mode, the
automount
utility erroneously returned themount.nfs4: access denied by a server
error message when instructed to perform a mount operation, which included acontext=
parameter. Mount operations in NFS v3 were not affected. Now, SELinux policy rules have been updated to allowautomount
to work correctly in the described scenario. - BZ#809716
- Due to an incorrect SELinux policy, the
smartd
daemon was not able to create themegaraid_sas_ioctl_node
device with the correct SELinux security context. Consequently, monitoring of some disks on a MegaRAID controller usingsmartd
was prevented. This update provides SELinux rules that allow monitoring of disks on a MegaRAID controller usingsmartd
. - BZ#845201
- Previously, the incorrect default label on the
/etc/openldap/cacerts/
and/etc/openldap/certs/
directories was provided by SELinux policy, which caused various unnecessary AVCs to be returned. To fix this bug, these directories have been labeled with the slapd_cert_t SELinux security label. Now, no redundant AVCs are returned. - BZ#882348, BZ#850774
- Previously, with SELinux in enforcing mode and the
internal-sftp
subsystem configured together with theChroot
option, users with the unconfined_t SELinux type were unable to connect using thesftp
utility. This update fixes the SELinux policy to allow users to utilizesftp
successfully in the described scenario. - BZ#849262
- Previously, the
snmpd
daemon service was unable to connect to thecorosync
service using a Unix stream socket, which resulted in AVC messages being logged in the/var/log/audit/audit.log
file. To fix this bug, a set of new rules has been added to the SELinux policy to allow thesnmpd
daemon to connect tocorosync
. - BZ#849671
- With SELinux in enforcing mode, the
/var/run/amavisd/clamd.pid
file was empty, thus any attempt to restart theclamd.amavisd
daemon failed. Stopping the service failed because of the empty PID file and starting it failed because the socket was already in use or still being used. These updated SELinux rules allowclamd.amavisd
to write to the PID file as expected. - BZ#851113
- Due to an incorrect SELinux policy, there was an incorrect label on the
/var/run/cachefilesd.pid
file. With this update, SELinux policy rules and the security context have been fixed to get the cachefilesd_var_run_t label for the file. - BZ#881993
- Due to missing SELinux policy rules, the
rsync
daemon, which served an automounted home NFS directory, was not able to write files in this directory. To fix this bug, thersync
daemon has been changed into a home manager to allow the needed access permissions. - BZ#851289
- Previously, the 8953/tcp port used the port_t SELinux port type, which prevented the
unbound
service from working correctly. To fix this bug, the 8953/tcp port has been associated with the rndc_port_t SELinux port type. - BZ#851483
- The spice-vdagent package was rebased to the latest upstream version (BZ#842355). A part of this rebased spice-vdagent was moved to the
syslog()
function instead of using its own logging code (BZ#747894). To reflect this change, the SELinux policy rules have been updated for the spice-vdagent policy to allow the use ofsyslog()
. - BZ#852731
- Previously, when a user wanted to create a user home directory on a client which did not exist, they could do so on local volumes. However, this operation was blocked in enforcing mode when the
pam_oddjob_mkhomedir.so
module attempted to create a home directory on an NFS mounted volume. SELinux policy rules have been updated to allowpam_oddjob_mkhomedir
to use NFS and user home directories can now be created in enforcing mode as well. - BZ#853453
- When the
.forward
file was configured by the user on NFS, AVC messages were returned. Consequently,Postfix
was not able to access the script in the aforementioned file. These updated SELinux rules allow to properly set up.forward
in the described scenario. - BZ#811319
- Previously, the
fence_virtd
daemon was unconfined by SELinux, which caused the service to run in the initrc_t type SELinux domain. To fix this bug, the fenced_exec_t security context has been added for thefence_virtd
daemon, and this service now runs in the fenced_t SELinux domain. - BZ#871038
- Previously, with SELinux in enforcing mode, the
setroubleshootd
daemon was not able to read the/proc/irq
file. Consequently, AVC messages were returned. This update provides SELinux rules, which allowsetroubleshootd
to read/proc/irq
, and AVC messages are no longer returned. - BZ#833463
- With SELinux running in enforcing mode, the
fence_vmware_soap
binary did not work correctly. Consequently, fencing failed, services did not failover, and AVC denial messages were written to theaudit.log
file. This update fixes the relevant policy to make thefence_vmware_soap
binary work correctly. - BZ#832998
- Prior to this update, a proper security context for the
/usr/lib/mozilla/plugins/libflashplayer.so
file was missing. Consequently, executing themozilla-plugin-config -i
command caused the following error to be returned:*** NSPlugin Viewer *** ERROR: /usr/lib/mozilla/plugins/libflashplayer.so: cannot restore segment prot after reloc: Permission denied
The security context has been updated, and the command now works as expected. - BZ#821887
- A missing SELinux policy prevented the Red Hat Enterprise Virtualization Hypervisors to recreate the
/etc/mtab
file with a correct security context. To fix this bug, a new SELinux transition from the virtd_t to mount_t SELinux domain has been added. - BZ#858406
- Due to missing SELinux policy rules, Point-In-Time Recovery (PITR) implementation with the support for the
SSH
andRSync
protocols failed to work with PostgreSQL. To resolve this bug, thepostgresql_can_rsync
SELinux boolean has been added to allow PostgreSQL to run thersync
utility and interact with SSH. - BZ#858784
- With SELinux in enforcing mode, the
pulse
utility failed to start the Internet Protocol Video Security (IPVS
) sync daemon at startup. SELinux policy rules have been updated to allowpulse
start the daemon as expected. - BZ#829274
- Previously, the SELinux Multi-Level Security (MLS) policy did not allow the sysadm_r SELinux role to use the
chkconfig SERVICE on/off
commands to enable or disable a service on the system. This update fixes the relevant SELinux policy to allow the sysadm_r SELinux role to use these commands to enable or disable the service. - BZ#860666
- Due to missing SELinux policy rules, the rebased krb5 package version 1.10 returned the following AVC message:
type=AVC msg=audit(1348602155.821:530): avc: denied { write } for pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
With this update, thekadmind
utility has been allowed to access anon_inode file descriptors to fix the AVC message. - BZ#868959
- Previously, the cluster-cim package was allowed to be used in enforcing mode. However, AVC messages connected with access to the /var/run/clumond.sock and /var/run/cman_client Unix sockets were identified. To fix this bug, new SELinux policy rules have been provided to allow the
cimprovag
utility to connect to the cman_client socket. - BZ#861011, BZ#901565
- Previously, the
/var/nmbd/
directory was labeled asvar_t
, which caused issues with Samba services which needed to access this directory. The security context has been updated and Samba can now access this directory as expected. Furthermore, SELinux can prevent thenmbd
service from writing into the/var/
repository, which causes problems with NetBIOS name resolution and leads to SELinux AVC denial messages. - BZ#867001
- In the previous update, the rsyslog-gssapi package allowed the
rsyslog
utility to use the Generic Security Services Application Program Interface (GSSAPI). However, AVC messages were returned as a consequence. This update fixes relevant SELinux policy rules to allow thersyslog
utility to use Kerberos tickets on the client side. - BZ#865567
- With SELinux in enforcing mode, when the
fail2ban
service was restarted andfail2ban
was not able to execute theldconfig
andiptables
commands, it resulted in SELinux AVC denial messages being returned. This update fixes the relevant SELinux policy rules to allowfail2ban
to executeldconfig
and also fix security contexts foriptables
binaries. - BZ#841950
- Due to an incorrect security context for the
/opt/sartest
file, data could not be written to this location by thesadc
utility running from a rootcron
daemon job. The security context has been updated and nowsadc
running from a rootcron
job can write data to this location. - BZ#860858
- Previously, when the
clamdscan
utility was called by a Sendmail filter, theclamd
daemon was not able to scan all files on the system. This update adds theclamscan_can_scan_system
variable to allow all antivirus programs to scan all files on the system. - BZ#825221
- Due to missing SELinux policy rules, the
restorecon
utility disregarded custom rules for symbolic links. These updated SELinux rules allowrestorecon
to properly handle custom rules for symlinks. - BZ#863407
- Due to missing SELinux policy rules, the
freshclam
utility was not able to update databases through theHTTP proxy
daemon when run by thecron
daemon. To fix this bug, the relevant SELinux policy rules have been updated. As a result,freshclam
now updates databases as expected in the described scenario. - BZ#864546, BZ#886619
- Previously, SELinux prevented the puppet master from running passenger web application. To fix this bug, security context for the Passenger Apache module has been updated to reflect latest passenger paths to executables to make sure all applications using Passenger web applications run with the correct SELinux domain.
- BZ#860087
- When a user set up the Red Hat Enterprise Linux 6 system as a VPN server with the
IPSec+L2TP
VPN, SELinux prevented thepppd
daemon from accessing some needed components after connecting to the VPN server with the following error message:pppd needs to be allowed also to "read" and "write" operations on l2tpd_t:socket
This update adds the missing SELinux policy to make sure allpppd
actions are enabled by SELinux. - BZ#823647
- Previously, some patterns in the
/etc/selinux/targeted/contexts/files/file_contexts
file contained typo errors. Some patterns matched the 32-bit path, but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths. - BZ#831068
- Previously, when a user tried to change a password in the GNOME user account dialog window, the attempt was blocked by SELinux in enforcing mode due to missing SELinux rules for the passwd_t SELinux domain. With this update, SELinux policy rules have been added to allow users to change their passwords in the GNOME user account dialog window.
- BZ#871106, BZ#882850
- Previously, there were problems to hook certain monitoring plug-ins to the
munin
plug-in domain with SELinux in enforcing mode. To fix this bug, the unconfined_munin_plugin_t SELinux type has been added to the SELinux policy to cover all unconfinedmunin
plug-ins. As a result,munin
plug-ins can now run unconfined. - BZ#871816
- With SELinux in enforcing mode, the
ipactl
restart command caused AVC denial messages to be returned. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages. - BZ#855286
- While installing an ISO image on a virtual machine (VM) from Red Hat Enterprise Virtualization Manager, AVC messages were generated. These AVC were returned due to the
sanlock
utility which could not access files and directories on the FUSE file system. To fix this bug, thesanlock_use_fusefs
SELinux boolean variable has been added and installing from an ISO image on a VM now succeeds. - BZ#853970
- Previously, a Red Hat Cluster Suite node did not auto-join a cluster ring after power fencing due to missing SELinux policy rules for the
corosync
utility. Consequently,corosync
failed to reboot. To fix this bug,corosync
has been allowed to use1229/udp
and1228/udp
ports to make auto-join a cluster ring after power fencing. As a result, a machine re-joins the cluster after fencing and reboots as expected. - BZ#853852
- Previously, the SELinux boolean variable for NFS failed to prevent an NFS client from accessing a share. Consequently, the NFS client could mount an NFS share and read or write files. Because the NFS server runs as a kernel process, the
nfs_export_all_rw
boolean variable was needed no longer and has been removed from the policy, thus fixing the bug. NFS clients now cannot access shares in the described scenario. - BZ#879266
- When the user was installing Red Hat Cluster Suite packages from Red Hat Network, the installation process became unresponsive and the cluster suite was not installed. With this update, the relevant policy has been added and Red Hat Cluster Suite packages from RHN can now be installed as expected.
- BZ#880407
- Previously, if the user ran the
restorecon
utility on/ect/multipath*
directories and files, the security context was reset. This update fixes relevant SELinux policy rules and adds updated SELinux security context for these directories and files. - BZ#846069
- Previously, the
piranha-web
utility was unable to connect to thewindbind
daemon using Unix stream sockets. Consequently, AVC messages were returned. To fix this bug, a set of new rules has been added to the SELinux policy to allow thepiranha-web
service to connect towindbind
. - BZ#883143
- Due to the incorrect
git_read_generic_system_content_files()
interface, thegit-daemon
andhttpd
daemons could not serve the same directory. To fix this bug, thegit_read_generic_system_content_files()
interface has been updated to allowgit-daemon
andhttpd
to serve the same directory. - BZ#809877
- Previously, due to incorrect file context specifications, the policy did not always have a correct label for files in the
/var/log/
directory which were processed by thelogrotate
utility. To fix this bug, the file context specifications have been updated and the files and directories processed bylogrotate
now have correct labels. - BZ#844448
- Previously, the
munin-node
agent lacked necessary SELinux rules for reading Exim log files. Consequently, multiple bundled exim plug-ins were prevented from working andmunin-node
terminated unexpectedly. This update fixes the relevant SELinux policy rules to allowmunin-node
to read exim log files to make exim Munin plug-ins working correctly. - BZ#843455
- Previously, when the user tried to use the
munin_stats
Munin plug-in, it caused AVC messages to be returned. To fix this bug, updated SELinux policy rules have been provided andmunin_stats
now works as expected. - BZ#886563
- If a user tried to use a post-login script in the
dovecot
utility, an AVC message was returned. This update fixes relevant SELinux policy rules and adds updated SELinux rules to allowdovecot
to start the/bin/bash
file. Now, AVC messages are no longer returned. - BZ#841329
- Due to an incorrect SELinux policy, confined SELinux users could not decrypt S/MIME (Secure/Multipurpose Internet Mail Extensions) emails by preventing the
gpg-agent
daemon from reading the/dev/random
file. Theclaws-mail
client using thesmime
utility was affected by this bug. Now, SELinux policy rules have been updated to allow SELinux confined users to decrypt S/MIME emails. - BZ#770065
- Previously, when a user tried to use the
check_icmp
Munin plug-in, AVC messages were returned. With this update, a corrected SELinux policy has been provided forcheck_icmp
, thus fixing the bug. - BZ#890687
- When a user attempted to configure the
rsync
daemon to log directly to a specific file, missing SELinux policy rules let the user create the log file, but did not allow to append to it. With this update, SELinux policy rules have been added to allowrsync
to append to a specific log file. - BZ#821483
- With SELinux in enforcing mode, running a
spamd
daemon process updating Razor configuration files resulted in a permission to be denied and an AVC message to be generated. This update fixes relevant SELinux policy rules to allowspamd
processes to update Razor configuration files in the described scenario. - BZ#869304
- With SELinux in enforcing mode, on a Red Hat Enterprise Linux 6.3 hypervisor, SELinux prevented the QEMU-KVM
getattr()
function access when starting VMs from Red Hat Enterprise Virtualization Manager hosted on a Red Hat Storage (RHS) storage domain. This update fixes relevant SELinux policy rules to allow the QEMU-KVMgetattr()
access. - BZ#867628
- Prior to this update, the manual pages did not reflect actual state of SELinux policy rules. To fix this bug, the actual policy has been included in the selinux-policy package. Furthermore, all auto-generated manual pages are now regenerated on the system using the
sepolicy
utility from Fedora to provide better SELinux manual pages for each SELinux domain. - BZ#887793
- The
wdmd
watchdog daemon used the/etc/wdmd.d/checkquorum.wdmd
script, both provided by the sanlock package, for checking out the cluster state. Consequently, with SELinux enabled, this detection failed resulting in a self-resetting loop. To fix this bug, the SELinux support for thewatchdog
script from thesanlock
utility has been added, and the detection no longer fails.
Enhancements
- BZ#739103
- On Red Hat Enterprise Linux 6, root privileges are required to start a KVM guest with bridged networking. The
libvirt
library in turn launches a QEMU process as the unprivilegedqemu
user. Newqemu:///session
URIs introduced tolibvirt
attempted to allow the unprivileged user to start KVM guests and have the QEMU process execute as the same unprivileged user but failed since theCAP_NET_ADMIN
capability is required to use TUN/TAP networking. To fix this bug from the SELinux perspective, a new SELinux policy has been added for a networking helper program that QEMU can invoke. - BZ#801493
- This update provides a new SELinux policy for the
pacemaker
service. - BZ#807157
- This update provides a new SELinux policy for the
numad
service. - BZ#807678
- This update provides a new SELinux policy for the
bcfg2-server
service. - BZ#836034
- This update provides a new SELinux policy for the OpenStack Essex cloud computing framework.
- BZ#834994
- This update provides a new SELinux policy for the
rhnsd
service. - BZ#839250, BZ#838260
- A new SELinux antivirus policy module has been introduced in this release. This module contains the antivirus_db_t file type and the
antivirus
attribute to consolidate all anti-virus programs on the system. The module also allows to manage files and directories labeled with the antivirus_db_t file type. - BZ#833557
- This update provides a new SELinux policy for the
xl2tpd
service. - BZ#827389
- This update adds SELinux support for the Gitolite v.3 utility, which allows users to set up hosting of Git repositories on a central server.
- BZ#811361
- This update provides a new SELinux policy for the
svnserve
service. - BZ#811304
- This update provides a new SELinux policy for the
glusterd
daemon. - BZ#848915
- This update provides a new SELinux policy for the
slpd
daemon. - BZ#845417
- This update provides a new SELinux policy for the
ovs-vswitchd
andovs-brcompatd
Open vSwitch services. - BZ#845033
- This update provides a new SELinux policy for the iucvtty application provides full-screen terminal access to a Linux instance running as a z/VM Inter-User Communication Vehicle (IUCV).
- BZ#839831
- The QEMU emulator now provides a new
qemu-ga
(guest agent) daemon. This daemon runs on the guest and executes commands on behalf of processes running on the host. This update provides a new SELinux policy for a newqemu-ga
(guest agent) daemon. - BZ#848918
- This update provides a new SELinux policy for the
sencord
service. - BZ#851128, BZ#888164
- SELinux support has been added for the
rpc.rstatd
andrpc.rusersd
daemons to prevent them from running in theinitrc_t
SELinux domain. Now, these services run in therpcd_t
SELinux domain. - BZ#851241
- This update provides a new SELinux policy for the
cpglockd
service. - BZ#885432
- Support for the
/usr/share/ovirt-guest-agent/ovirt-guest-agent.py
file has been added to these updated packages. - BZ#875839
- Support for OpenShift Enterprise Policy has been added to Red Hat Enterprise Linux 6.4.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.