8.213. selinux-policy

Updated selinux-policy packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

BZ#1062384
SELinux prevented the qemu-guest-agent process from executing the settimeofday() and hwclock() functions. Consequently, qemu-guest-agent was unable to set the system time. A new rule has been added to the SELinux policy and qemu-guest-agent can now set the time as expected.
BZ#1082640
Previously, SELinux did not allow the dhcpd daemon to change file ownership on the system. As a consequence, the ownership of files that dhcpd created was changed from the required dhcpd:dhcpd to root:root. The appropriate SELinux policy has been changed, and dhcpd is now able to change the file ownership on the system.
BZ#1097387
Due to the missing miscfiles_read_public_files Boolean, the user could not allow the sshd daemon to read public files used for file transfer services. The Boolean has been added to the SELinux policy, thus providing the user the ability to set sshd to read public files.
BZ#1111538
Due to a missing SELinux policy rule, the syslog daemon was unable to read the syslogd configuration files labeled with the syslog_conf_t SELinux context. With this update, the SELinux policy has been modified accordingly, and syslog now can read the syslog_conf_t files as expected.
BZ#1111581
Due to an insufficient SELinux policy rule, the thttpd daemon ran in the httpd_t domain. As a consequence, the daemon was unable to change file attributes of its log files. The SELinux policy has been modified to fix this bug, and SELinux no longer prevents thttpd from changing attributes of its log files.
BZ#1122866
Previously, SELinux did not allow the sssd daemon to write to the krb5 configuration file, thus the daemon was unable to make any changes in krb5. The SELinux policy has been changed with this update, and sssd can now write to krb5.
BZ#1127602
Due to a missing SELinux policy rule, the Samba daemons could not list the /tmp/ directory. The SELinux policy has been modified accordingly, and SELinux no longer prevents the Samba daemons from listing the /tmp/ directory.
In addition, this update adds the following

Enhancement

BZ#1069843
With this update, new SELinux policy rules have been added, and the following services now run in their own domains, not in the initrc_t domain:
thttpd
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.