B.86. selinux-policy

Updated selinux-policy packages that fix various bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
BZ#637081
Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems.
BZ#637082
When SELinux was enabled, suspending VMware virtual machines was either slowed down, or failed. With this update, the relevant policy has been corrected, and VMware virtual machines are now suspended as expected.
BZ#636489
When the cluster was configured to use fence_scsi, running the cman startup script or using the "fence_node -U <nodename>" command failed. These updated selinux-policy packages contain updated SELinux rules and add the security file context for the /var/lib/cluster directory, which allows the cluster with fence_scsi enabled to work properly.
BZ#636488
Previously, the "allow_corosync_rw_tmpfs" boolean allowed third party applications to create, write and read generic tmpfs files. To prevent this, the boolean has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using Corosync.
BZ#642607
Due to SELinux policies, certmonger was not permitted to search through directories that contain certificates. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which allow certmonger to access these directories.
BZ#642609
When SELinux was enabled, users were unable to mount GFS2 file systems listed in /etc/fstab. With this update, SELinux rules have been added to allow the mount process to communicate with gfs_controld, so that such file systems can now be mount as expected.
BZ#644807
Due to incorrect SELinux policy, smbcontrol, a utility that sends messages to the smbd, nmbd, or winbindd service, did not work properly. This error has been fixed, the relevant policy code has been added, and SELinux no longer prevents smbcontrol from working.
BZ#644808
With SELinux running in the enforcing mode, resuming the system from the Suspend mode failed, because the /etc/resolv.conf file did not have the correct security context. This was caused by NetworkManager, which was running under wrong SELinux domain, "devicekit_power_t". With this update, the proper SELinux domain transition from DeviceKit-power to NetworkManager has been added, and resuming from the Suspend mode now works as expected.
BZ#644820
Prior to this update, running the passwd command in the single user mode (that is, runlevel 1) failed when SELinux was enabled. To address this issue, the SELinux rules have been updated, so that passwd can now access the console, as well as all terminals (TTYs) and pseudo terminals (PTYs).
BZ#645658
Due to SELinux policy rules, certain iptables commands such as "iptables-save" or "iptables -L" were unable to write to files with output redirection. With this update, the SELinux domain transition from "unconfined_t" to the "iptables_t" domain has been removed, and such commands now work as expected.
All users of selinux-policy are advised to upgrade to these updated packages, which resolve these issues.