Updated selinux-policy packages that fix numerous bugs are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
- When the SSH daemon (sshd) was configured using the rgmanager utility as a service for clustering, sshd incorrectly ran in the rgmanager_t SELinux domain instead of the sshd_t SELinux domain. With this update, the relevant SELinux policy has been fixed and sshd runs in the sshd_t domain as expected in the described scenario.
- With the SELinux strict policy enabled, when the user executed a locally developed application configured to use the atd daemon, the daemon ran in an incorrect SELinux domain due to the missing SELinux policy rules. Consequently, the following error message was logged in the
  Not allowed to set exec context
  With this update, the appropriate SELinux policy rules have been added so that atd runs in the correct domain and the error message is no longer returned.
- When SELinux was running in enforcing mode, it incorrectly prevented processes labeled with the pptp_t SELinux security context from accessing files labeled with the proc_net_t SELinux security context. This update fixes the relevant SELinux policy and pptp_t processes can access files with the proc_net_t context as expected.
- Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typographical errors. Some patterns matched the 32-bit path but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
- BZ#923428, BZ#926028
- Due to the incorrect SELinux policy rules, the ftpd daemons were not able to access link files on a FUSE (Filesystem in Userspace) file system when SELinux was running in enforcing mode. The appropriate SELinux policy rules have been fixed and the ftpd daemons are now able to access link files on the FUSE file systems as expected.
- When SELinux was running in enforcing mode, an attempt to fetch a file using the Squid proxy caching server along with Kerberos authentication caused AVC denials to be returned. The relevant SELinux policy has been changed to allow Squid to connect to the tcp/133 port and the AVC denials are no longer returned in the described scenario.
- BZ#958759, BZ#984583
- Previously, the mysqld_safe script was unable to execute the Bourne shell (/bin/sh) with the shell_exec_t SELinux security context. Consequently, the mysql55 and mariadb55 Software Collection packages were not working correctly. With this update, SELinux policy rules have been updated and these packages now work as expected.
- When a Network Information Service (NIS) master with two NIS slaves was configured, executing the yppasswdd --port 836 command proceeded up until it started rebuilding the passwd.byuid databases. The databases were rebuilt successfully but they were not pushed to the NIS slaves due to missing SELinux policy rules. With this update, the relevant SELinux rule has been added to fix this bug and the yppasswdd --port 836 command works as expected.
- Due to an incorrect SELinux policy, the openvpn service was not able to write or read the /var/log/openvpn file. Consequently, an attempt to start openvpn failed and AVC messages were logged to the /var/log/audit/audit.log file. With this update, the appropriate SELinux policy has been fixed so that the AVC messages are no longer returned and openvpn works as expected in the described scenario.
- When the php-cgi command-line interface was called by the httpd server, SELinux running in enforcing mode prevented access to the /usr/share/snmp/mibs/.index file. Consequently, the PHP SNMP (Simple Network Management Protocol) extension did not work correctly due to the missing Management Information Bases (MIBs). With this update, the relevant SELinux policy has been modified and SELinux no longer prevents access to MIBs in the described scenario.
- Previously, the snmpd_t SELinux domain was missing the chown capability. Consequently, the agentXperms directive in the snmpd.conf file did not work. This update provides an updated SELinux policy rule that allows processes running in the snmpd_t SELinux domain to use the chown capability, thus fixing this bug.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
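
The file_contexts bug described above (a pattern for the 32-bit path with no identical pattern for the 64-bit path) can be checked for mechanically. The following Python code is an added example, not part of this erratum or of the selinux-policy packages; the sample entries and function names are constructed, and it assumes the 64-bit twin of a pattern is the same pattern with a leading `/lib/` or `/usr/lib/` changed to `lib64` (patterns written as `lib(64)?` already cover both).

```python
import re
import sys

# Constructed sample in file_contexts syntax: pattern, optional file type, context.
SAMPLE = """\
# constructed entries, not taken from any shipped policy
/usr/lib(64)?/demo/helper     --  system_u:object_r:demo_exec_t:s0
/usr/lib/demo/plugins(/.*)?       system_u:object_r:demo_plugin_t:s0
/usr/lib/demo/bin/agent       --  system_u:object_r:demo_agent_exec_t:s0
/usr/lib64/demo/bin/agent     --  system_u:object_r:bin_t:s0
/usr/lib/demo/cache           -d  system_u:object_r:demo_cache_t:s0
/usr/lib64/demo/cache         -d  system_u:object_r:demo_cache_t:s0
"""

# Only real library roots; /var/lib/ and similar have no lib64 twin.
LIB32 = re.compile(r"^((?:/usr(?:/local)?)?/lib)/")

def parse(text):
    """Return {(pattern, file_type): context} for every entry line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:          # no file-type column
            entries[(fields[0], "")] = fields[1]
        elif len(fields) == 3:        # e.g. "--" regular file, "-d" directory
            entries[(fields[0], fields[1])] = fields[2]
    return entries

def lib64_gaps(text):
    """List 32-bit patterns whose 64-bit twin is missing or labeled differently."""
    entries = parse(text)
    findings = []
    for (pattern, ftype), ctx in sorted(entries.items()):
        if not LIB32.match(pattern):
            continue
        twin = LIB32.sub(r"\g<1>64/", pattern)
        twin_ctx = entries.get((twin, ftype))
        if twin_ctx is None:
            findings.append(("missing", twin, ftype, ctx))
        elif twin_ctx != ctx:
            findings.append(("mismatch", twin, ftype, f"{ctx} != {twin_ctx}"))
    return findings

if __name__ == "__main__":
    # Pass the file_contexts path as the first argument; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lib64_gaps(text):
        print(*finding, sep="\t")
```

A "missing" finding is only a candidate: the 64-bit path may still be labeled by a broader pattern, so confirm the effective label of each reported path with matchpathcon.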