4.159. selinux-policy

Bug Fixes

BZ#682856, BZ#841178

When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail transfer agent from re-sending queued email messages. This update adds a new security file context for the /var/spool/postfix/maildrop/ directory to make sure Postfix is allowed to re-send queued email messages in enforcing mode.

BZ#738995

Previously, the cyrus-master process could not run as an NNTP server because cyrus-master was unable to use the indd port. With this update, the SELinux policy rules have been updated, and the problem with cyrus-master running as an NNTP server no longer occurs.

BZ#751385

Previously, the condor_vm-gahp service running in the initrc_t SELinux domain returned AVC (Access Vector Cache) messages. This update labels condor_vm-gahp the virtd_exec_t SELinux security context, thus fixing this bug.

BZ#784197

When SELinux was running in enforcing mode, the cimserver command was unable to rename its own cimserver_current.conf file. This update fixes the relevant policy and cimserver program can now rename its configuration file as expected.

BZ#785076

When SELinux was running in enforcing mode and Kerberos+NSS was configured to use the coolkey module, AVC messages were returned. This update fixes the relevant SELinux policy so that the AVC messages are no longer returned in the described scenario.

BZ#803704

Previously, when a file was created by the /usr/bin/R command in user home directories, these directories got an incorrect SELinux security context because of missing SELinux policy rules. With this update, the relevant SELinux policy has been amended to ensure that correct SELinux security context is set in the described scenario.

BZ#807686

When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, a large number of AVC messages was returned when an OpenMPI job was submitted. Consequently, the job failed. This update fixes the appropriate SELinux policy and OpenMPI jobs now pass successfully and no longer cause AVC messages to be returned.

BZ#833843

With SELinux in enforcing mode, missing SELinux policy rules prevented the freeradius2 server to communicate with the postgresql database. With this update, appropriate SELinux rules have been added and freeradius2 is now able to communicate with the postgresql.

BZ#834621

SSSD (System Security Services Daemon) sometimes handles systems with more than four thousand processes running simultaneously. This requires the CAP_SYS_RESOURCE Linux capability to be set with a higher limit for open file descriptors but SELinux did not previously allow it. With this update, an appropriate SELinux rule has been added to prevent this bug.

BZ#838511

Previously, with SELinux in enforcing mode, the clamd command was unable to create its own PID file in the /var/run/amavis/ directory. With this update, the amavis_create_pid_files() SELinux policy interface has been fixed to allow this action.

BZ#843443

With SELinux running in enforcing mode, the snmpd daemon was unable to connect to the modcluster service over the Unix stream socket. This bug has been fixed and the updated SELinux policy rules now allow these operations.

BZ#844701

When SELinux was running in enforcing mode, the httpd daemon running in the piranha_web_t SELinux domain was unable to read from the random number generator device (/dev/random). This update adds appropriate SELinux rules to grant httpd running in the piranha_web_t domain access to /dev/random.

BZ#848693

Previously, security contexts for the sesh shell installed in different directories did not match. This update adds a SELinux security context for the /usr/libexec/sesh command to be the same as the context for the /usr/sbin/sesh command.

BZ#848727

Due to an error in a SELinux policy, SELinux incorrectly prevented the netplugd service from starting. Now, updated SELinux policy rules have been provided that allow netplugd execute the brctl command in the brctl SELinux domain, thus fixing this bug.

BZ#849155

Due to an incorrect file context specification, correct labeling for 64-bit Oracle libraries was missing from the SELinux policy. This bug has been fixed and the selinux-policy packages now provide this missing labeling.

BZ#833843

Previously, when the etc-pam-d-radiusd-uses-non-existent-password-auth test was run, the radiusd service was disallowed the ptrace system call, resulting in an AVC message being returned. This update adds an appropriate SELinux policy rule to allow radiusd this system call, thus fixing this bug.

BZ#851658

Previously, OCSP (Online Certificate Status Protocol) requests from the Kerberos KDC (Key Distribution Center) failed in enforcing mode. Consequently, attempts to obtain Kerberos credentials by running the kinit from a smart card were not successful. This update allows the krb5kdc utility to connect to the tcp/9180 port, thus fixing this problem.

BZ#854194

With SELinux in enforcing mode, the following scenario did not work and generated AVC messages to the /var/log/audit/audit.log file:

1. append the following line to /etc/sysconfig/snmptrapd.options file:

   OPTIONS="-Lsd -x /var/agentx/master"

2. append following line to /etc/snmp/snmpd.conf file:

   master agentx

3. run the service snmpd restart and service snmptrapd restart commands.

With this update, an appropriate SELinux rule has been added and this scenario now succeeds.

BZ#855035

Due to incorrect SELinux policy rules, the nmbd service was unable to create the /var/nmbd/unexpected/ directory for its operation. Consequently, the following command failed:

nmblookup -U 127.0.0.1 MACHINE-nmb

Now, the SELinux policy rules have been updated and the problem with the above command no longer occurs.

BZ#855324

With SELinux in enforcing mode, when the openswan service was started and stopped in quick succession on a freshly-booted system, the AVC denial messages were logged to the /var/log/audit/audit.log file. With this update, SELinux policy has been amended to ensure that SELinux no longer logs AVC messages in the described scenario.

BZ#859338

When SELinux was running in enforcing mode, the pulse daemon failed to start the IPVS synchronization daemon at startup and a large number of AVC messages was logged to the /var/log/audit/audit.log file. This bug has been fixed and SELinux now allows IPVS to be started by pulse as expected.

BZ#863155

Due to an incorrect SELinux policy, the swat utility was unable to write into the unexpected samba socket. This update provides a new SELinux policy rule, which prevent this bug.

Enhancements

BZ#839608, BZ#849071

A new SELinux policy rule has been added to allow the CUPS back end to send D-Bus messages to the system bus, thus allowing the hplip3 package to work with SELinux running in enforcing mode.

BZ#843841

The rebased rsyslogd package in Red Hat Enterprise Linux 5.9 required additional SELinux policy updates to allow running the getschedule, setschedule, and sys_nice operations. These selinux-policy packages add the required policy.

BZ#810239

With this update, labels of all files that are processed by the logrotate utility are preserved.

BZ#845672

The zarafa SELinux policy has been updated by the zarafa SELinux policy from Red Hat Enterprise Linux 6.

BZ#772205

Support for the mod_ban module in the proftpd service has been added.

BZ#773042

A new fenced_selinux.8 man page has been added.

BZ#750588

A new virtd_selinux.8 man page has been added.