4.159. selinux-policy

Updated selinux-policy packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

BZ#682856, BZ#841178
When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail transfer agent from re-sending queued email messages. This update adds a new security file context for the /var/spool/postfix/maildrop/ directory to make sure Postfix is allowed to re-send queued email messages in enforcing mode.
BZ#738995
Previously, the cyrus-master process could not run as an NNTP server because cyrus-master was unable to use the indd port. With this update, the SELinux policy rules have been updated, and the problem with cyrus-master running as an NNTP server no longer occurs.
BZ#751385
Previously, the condor_vm-gahp service running in the initrc_t SELinux domain returned AVC (Access Vector Cache) messages. This update labels condor_vm-gahp the virtd_exec_t SELinux security context, thus fixing this bug.
BZ#784197
When SELinux was running in enforcing mode, the cimserver command was unable to rename its own cimserver_current.conf file. This update fixes the relevant policy and cimserver program can now rename its configuration file as expected.
BZ#785076
When SELinux was running in enforcing mode and Kerberos+NSS was configured to use the coolkey module, AVC messages were returned. This update fixes the relevant SELinux policy so that the AVC messages are no longer returned in the described scenario.
BZ#803704
Previously, when a file was created by the /usr/bin/R command in user home directories, these directories got an incorrect SELinux security context because of missing SELinux policy rules. With this update, the relevant SELinux policy has been amended to ensure that correct SELinux security context is set in the described scenario.
BZ#807686
When OpenMPI (Open Message Passing Interface) was configured to use the parallel universe environment in the Condor server, a large number of AVC messages was returned when an OpenMPI job was submitted. Consequently, the job failed. This update fixes the appropriate SELinux policy and OpenMPI jobs now pass successfully and no longer cause AVC messages to be returned.
BZ#833843
With SELinux in enforcing mode, missing SELinux policy rules prevented the freeradius2 server to communicate with the postgresql database. With this update, appropriate SELinux rules have been added and freeradius2 is now able to communicate with the postgresql.
BZ#834621
SSSD (System Security Services Daemon) sometimes handles systems with more than four thousand processes running simultaneously. This requires the CAP_SYS_RESOURCE Linux capability to be set with a higher limit for open file descriptors but SELinux did not previously allow it. With this update, an appropriate SELinux rule has been added to prevent this bug.
BZ#838511
Previously, with SELinux in enforcing mode, the clamd command was unable to create its own PID file in the /var/run/amavis/ directory. With this update, the amavis_create_pid_files() SELinux policy interface has been fixed to allow this action.
BZ#843443
With SELinux running in enforcing mode, the snmpd daemon was unable to connect to the modcluster service over the Unix stream socket. This bug has been fixed and the updated SELinux policy rules now allow these operations.
BZ#844701
When SELinux was running in enforcing mode, the httpd daemon running in the piranha_web_t SELinux domain was unable to read from the random number generator device (/dev/random). This update adds appropriate SELinux rules to grant httpd running in the piranha_web_t domain access to /dev/random.
BZ#848693
Previously, security contexts for the sesh shell installed in different directories did not match. This update adds a SELinux security context for the /usr/libexec/sesh command to be the same as the context for the /usr/sbin/sesh command.
BZ#848727
Due to an error in a SELinux policy, SELinux incorrectly prevented the netplugd service from starting. Now, updated SELinux policy rules have been provided that allow netplugd execute the brctl command in the brctl SELinux domain, thus fixing this bug.
BZ#849155
Due to an incorrect file context specification, correct labeling for 64-bit Oracle libraries was missing from the SELinux policy. This bug has been fixed and the selinux-policy packages now provide this missing labeling.
BZ#833843
Previously, when the etc-pam-d-radiusd-uses-non-existent-password-auth test was run, the radiusd service was disallowed the ptrace system call, resulting in an AVC message being returned. This update adds an appropriate SELinux policy rule to allow radiusd this system call, thus fixing this bug.
BZ#851658
Previously, OCSP (Online Certificate Status Protocol) requests from the Kerberos KDC (Key Distribution Center) failed in enforcing mode. Consequently, attempts to obtain Kerberos credentials by running the kinit from a smart card were not successful. This update allows the krb5kdc utility to connect to the tcp/9180 port, thus fixing this problem.
BZ#854194
With SELinux in enforcing mode, the following scenario did not work and generated AVC messages to the /var/log/audit/audit.log file:
  1. append the following line to /etc/sysconfig/snmptrapd.options file:
    OPTIONS="-Lsd -x /var/agentx/master"
  2. append following line to /etc/snmp/snmpd.conf file:
    master agentx
  3. run the service snmpd restart and service snmptrapd restart commands.
With this update, an appropriate SELinux rule has been added and this scenario now succeeds.
BZ#855035
Due to incorrect SELinux policy rules, the nmbd service was unable to create the /var/nmbd/unexpected/ directory for its operation. Consequently, the following command failed:
nmblookup -U 127.0.0.1 MACHINE-nmb
Now, the SELinux policy rules have been updated and the problem with the above command no longer occurs.
BZ#855324
With SELinux in enforcing mode, when the openswan service was started and stopped in quick succession on a freshly-booted system, the AVC denial messages were logged to the /var/log/audit/audit.log file. With this update, SELinux policy has been amended to ensure that SELinux no longer logs AVC messages in the described scenario.
BZ#859338
When SELinux was running in enforcing mode, the pulse daemon failed to start the IPVS synchronization daemon at startup and a large number of AVC messages was logged to the /var/log/audit/audit.log file. This bug has been fixed and SELinux now allows IPVS to be started by pulse as expected.
BZ#863155
Due to an incorrect SELinux policy, the swat utility was unable to write into the unexpected samba socket. This update provides a new SELinux policy rule, which prevent this bug.

Enhancements

BZ#839608, BZ#849071
A new SELinux policy rule has been added to allow the CUPS back end to send D-Bus messages to the system bus, thus allowing the hplip3 package to work with SELinux running in enforcing mode.
BZ#843841
The rebased rsyslogd package in Red Hat Enterprise Linux 5.9 required additional SELinux policy updates to allow running the getschedule, setschedule, and sys_nice operations. These selinux-policy packages add the required policy.
BZ#810239
With this update, labels of all files that are processed by the logrotate utility are preserved.
BZ#845672
The zarafa SELinux policy has been updated by the zarafa SELinux policy from Red Hat Enterprise Linux 6.
BZ#772205
Support for the mod_ban module in the proftpd service has been added.
BZ#773042
A new fenced_selinux.8 man page has been added.
BZ#750588
A new virtd_selinux.8 man page has been added.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.