4.98. selinux-policy

Updated selinux-policy packages that fix numerous bugs are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

BZ#746979
When the SSH daemon (sshd) was configured using the rgmanager utility as a service for clustering, sshd incorrectly ran in the rgmanager_t SELinux domain instead of the sshd_t SELinux domain. With this update, the relevant SELinux policy has been fixed and sshd runs in sshd_t as expected in the described scenario.
BZ#838702
With the SELinux strict policy enabled, when the user executed a locally developed application configured to use the atd daemon, the daemon ran in an incorrect SELinux domain because the required SELinux policy rules were missing. Consequently, the following error message was logged in the /var/log/messages file:
Not allowed to set exec context
With this update, the appropriate SELinux policy rules have been added so that atd runs in the correct domain and the error message is no longer returned.
BZ#906279
When SELinux was running in enforcing mode, it incorrectly prevented processes labeled with the pptp_t SELinux security context from accessing files labeled with the proc_net_t SELinux security context. This update fixes the relevant SELinux policy and pptp_t processes can access files with the proc_net_t context as expected.
BZ#921671
Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typographical errors. Some patterns matched the 32-bit path but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
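The defect described for BZ#921671 is easy to audit for: every pattern under a 32-bit library path should have a lib64 counterpart that maps to the same context. The script below is an added example, not part of the Red Hat errata or the selinux-policy package; it reads file_contexts lines from standard input and reports 32-bit patterns whose lib64 twin is missing or labeled differently. The file_contexts fragment it runs on is constructed for the demonstration (the labels in it are illustrative, not taken from a real policy build); on a live system you would feed it /etc/selinux/targeted/contexts/files/file_contexts instead.

```shell
#!/bin/sh
# Added example: check a file_contexts fragment for 32-bit library path
# patterns (/lib/..., /usr/lib/...) whose /lib64 counterpart is missing or
# carries a different security context, the class of mismatch BZ#921671
# describes. Reads file_contexts lines on stdin, prints one finding per line.
audit_lib64_parity() {
    awk '
    /^#/ || NF == 0 { next }                 # skip comments and blank lines
    {
        re = $1
        # file_contexts lines are: regex [type] context; the type field
        # (--, -d, -l, ...) is optional, so a 2-field line means "any type"
        if (NF >= 3) { ftype = $2; ctx = $3 } else { ftype = "any"; ctx = $2 }
        key = re SUBSEP ftype
        context[key] = ctx
        # remember 32-bit patterns in input order (lib64 paths do not match)
        if (re ~ /^\/(usr\/)?lib\//) { order[++n] = key }
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            split(key, parts, SUBSEP)
            re64 = parts[1]
            sub(/\/lib\//, "/lib64/", re64)   # derive the expected lib64 twin
            key64 = re64 SUBSEP parts[2]
            if (!(key64 in context))
                printf "MISSING %s %s %s\n", parts[1], parts[2], context[key]
            else if (context[key64] != context[key])
                printf "MISMATCH %s %s != %s\n", parts[1], context[key], context[key64]
        }
    }'
}

# Constructed file_contexts fragment for the demonstration (not from any
# shipped policy). Two pairs agree, one lib64 entry is missing, one differs.
audit_sample() {
    audit_lib64_parity <<'EOF'
# constructed sample, not a real policy file
/usr/lib/sendmail               --  system_u:object_r:sendmail_exec_t:s0
/usr/lib64/sendmail             --  system_u:object_r:sendmail_exec_t:s0
/usr/lib/cups/backend(/.*)?         system_u:object_r:cupsd_exec_t:s0
/usr/lib64/cups/backend(/.*)?       system_u:object_r:cupsd_exec_t:s0
/usr/lib/postfix/.*             --  system_u:object_r:postfix_master_exec_t:s0
/usr/lib/httpd/modules(/.*)?        system_u:object_r:httpd_modules_t:s0
/usr/lib64/httpd/modules(/.*)?      system_u:object_r:bin_t:s0
EOF
}

# Run on the constructed sample; for a live system use instead:
#   audit_lib64_parity < /etc/selinux/targeted/contexts/files/file_contexts
audit_sample
```

Findings of the MISMATCH kind are the ones that produce the symptom in the bug report, since restorecon and the kernel will label the 32-bit and 64-bit copies of the same program differently; MISSING findings fall back to whatever broader pattern matches the lib64 path, which may or may not be the intended label.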
BZ#923428, BZ#926028
Due to the incorrect SELinux policy rules for the httpd_use_fusefs and allow_ftpd_use_fusefs Booleans, the httpd and ftpd daemons were not able to access link files on a FUSE (Filesystem in Userspace) file system when SELinux was running in enforcing mode. The appropriate SELinux policy rules have been fixed and httpd and ftpd are now able to access link files on the FUSE file systems as expected.
BZ#953874
When SELinux was running in enforcing mode, an attempt to fetch a file using the Squid proxy caching server along with Kerberos authentication caused AVC denials to be returned. The relevant SELinux policy has been changed to allow Squid to connect to the tcp/133 port and the AVC denials are no longer returned in the described scenario.
BZ#958759, BZ#984583
Previously, the mysqld_safe script was unable to execute the Bourne shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
BZ#959171
When a Network Information Service (NIS) master with two NIS slaves was configured, executing the yppasswdd --port 836 command proceeded up until it started rebuilding the passwd.byname and passwd.byuid databases. The databases were rebuilt successfully but they were not pushed to the NIS slaves due to missing SELinux policy rules. With this update, the relevant SELinux rule has been added to fix this bug and the yppasswdd --port 836 command works as expected.
BZ#966929
Due to an incorrect SELinux policy, the openvpn service was not able to write or read the /var/log/openvpn file. Consequently, an attempt to start openvpn failed and AVC messages were logged to the /var/log/audit/audit.log file. With this update, the appropriate SELinux policy has been fixed so that the AVC messages are no longer returned and openvpn works as expected in the described scenario.
BZ#970707
When the php-cgi command-line interface was called by the httpd server, SELinux running in enforcing mode prevented access to the /usr/share/snmp/mibs/.index file. Consequently, the PHP SNMP (Simple Network Management Protocol) extension did not work correctly due to the missing Management Information Bases (MIBs). With this update, the relevant SELinux policy has been modified and SELinux no longer prevents access to MIBs in the described scenario.
BZ#978864
Previously, the snmpd_t SELinux domain was missing the chown capability. Consequently, the agentXperms directive in the snmpd.conf file did not work. This update provides an updated SELinux policy rule that allows processes running in the snmpd_t SELinux domain to use the chown capability, thus fixing this bug.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.