7.225. selinux-policy

Updated selinux-policy packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fix

BZ#912392
When multiple devices were added into the system, udev rules restarted ktune services for each new device, so there were several restarts in a short time interval. The multiple restarts triggered a race condition in the kernel which was not easily fixable. Currently, the tuned code is modified not to trigger more than one restart per 10 seconds and the race condition is avoided.
Users of selinux-policy are advised to upgrade to these updated packages, which fix this bug.

Updated selinux-policy packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes

BZ#837815
With the Multi-Level Security (MLS) SELinux policy enabled, a user created with an SELinux MLS level could not log in to the system through an SSH client. The SELinux policy rules have been updated to allow the user to log in to the system in the described scenario.
BZ#835923
When SELinux was in enforcing mode, an OpenMPI job, parallel universe in Red Hat Enterprise Linux MRG Grid, failed and was unable to access files in the /var/lib/condor/execute/ directory. New SELinux policy rules have been added for OpenMPI jobs to allow a job to access files in this directory.
BZ#857352
When SELinux was in enforcing mode, a migration from one host to another using the Red Hat Enterprise Virtualization Manager was denied. This update fixes relevant SELinux policy rules and the migration now completes as expected in the described scenario.
BZ#865759
Due to a regression, the root user was able to log in when the ssh_sysadm_login variable was set to OFF in MLS. To fix this bug, the ssh_sysadm_login SELinux boolean has been corrected to prevent the root user from logging in when this variable is set to OFF.
BZ#877108
When the user ran the system-config-kdump utility on the IBM System z architecture, the following error message was returned:
error opening /etc/zipl.conf for read: Permission denied
This error was caused by missing SELinux policy rules. With this update, the respective rules have been updated to allow system-config-kdump to access the /etc/zipl.conf file, and the error messages are no longer returned.
BZ#877932
Previously, cron daemon jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. The relevant policy rules have been modified and cron jobs now run in the user domain, thus fixing this bug.
BZ#880369
When the user added a mount point at /var/lib/openshift and executed the quotacheck -cmug /var/lib/openshift command, the process resulted in AVC messages being logged in the /var/log/audit/audit.log file. With this update, the quota system can manage openshift_var_lib_t directories, so the command works as expected.
BZ#867002
When the system was set up to use the SSSD system daemon to perform user authentication, the passwd utility was not allowed to read the /var/lib/sss/mc/ directory. This update fixes the security context for /var/lib/sss/mc/ to allow passwd to read this directory as expected.
BZ#878212
With SELinux in enforcing mode, during automatic testing of Red Hat Enterprise Linux in FIPS mode, PAM (Pluggable Authentication Modules) attempted to run prelink on the /sbin/unix_chkpwd file to verify its hash. Consequently, users could not log in to the system. The appropriate SELinux policy rules have been updated and a FIPS mode boolean has been added to resolve this bug.
BZ#887129
Previously, the system-config-kdump utility was unable to handle the kdump service when SELinux was in enforcing mode for 64-bit PowerPC. To fix this bug, the security context for the /usr/lib/yaboot/addnote binary file has been changed to the bin_t type. With this update, system-config-kdump handles kdump as expected.
BZ#869376
Due to a missing SELinux policy rule, certain services failed to start in enforcing mode. This update adds the allow mount_t unlabeled_t:filesystem relabelfrom; rule to make sure these services start as expected.
BZ#881413
Previously, if the user added the includedir /var/lib/sss/pubconf/krb5.include.d/ directive to a krb5.conf file in Identity Manager and installed a server in permissive mode, it generated numerous AVC messages because a number of processes were not able to read the contents of the included directory. This update adds rules to allow domains that can read the sssd_public_t type to also list this directory.
BZ#859231
When the krb5 package was upgraded to version 1.9-33.el6_3.3 and Identity Management or FreeIPA was used, an attempt to start the named daemon terminated unexpectedly in enforcing mode. This update adapts the relevant SELinux policy to make sure the named daemon can be started in the described scenario.
BZ#858235
Previously, the rhnsd daemon was handled by the rhsmcertd SELinux domain, which caused an AVC denial message to be returned. With this update, rhnsd has its own SELinux policy domain called rhnsd_t, thus preventing these messages.
BZ#831908
When the SANLOCKOPTS="-w 0" option was enabled in the /etc/sysconfig/sanlock configuration file, AVC denial messages were generated by the service sanlock restart command. The SELinux rules have been updated to allow the sanlock daemon to be restarted correctly without any AVC messages.
BZ#855889
Previously, the libselinux library did not support setting the context based on the contents of /etc/selinux/targeted/logins/$username/ directories. Consequently, central management of SELinux limits did not work properly. With this update, the /etc/selinux/targeted/logins/ directory is now handled by the selinux-policy packages as expected.
BZ#854671
With SELinux in enforcing mode, running the openswan service with FIPS enabled caused AVC denial messages to be logged to the /var/log/audit/audit.log file. This update fixes the relevant SELinux policy rules and openswan no longer produces AVC messages.
BZ#852763
With the SELinux MLS policy enabled, users could not mount a file via a loop device. This bug has been fixed, and users can mount a file via a loop device to the /mnt/ directory successfully.
BZ#835936
When SELinux was running in enforcing mode, it was impossible to start a virtual machine on a disk located on a POSIX file system, such as GlusterFS. The relevant SELinux policy has been fixed and virtual machines can now be started in the described scenario as expected.
BZ#843814
In its current version, the SSSD daemon writes SELinux configuration files into the /etc/selinux/<policy>/logins/ directory. The SELinux PAM module then uses this information to set the correct context for a remote user trying to log in. Due to a missing policy for this feature, SSSD could not write into this directory. With this update, a new security context for /etc/selinux/<policy>/logins/ has been added together with appropriate SELinux policy rules.
BZ#836311
Previously, the heartbeat subsystem was incorrectly treated by the corosync SELinux policy. Consequently, AVC messages were generated and heartbeat was unusable by default. To fix this bug, heartbeat is now handled by the rgmanager SELinux policy and AVC messages are no longer returned.
BZ#837138
With SELinux in enforcing mode, the clamscan utility did not work correctly as a backup server in the amavisd-new interface, which resulted in AVC messages being returned when clamscan could not access amavis spool files. This update corrects the SELinux policy to grant clamscan the necessary permission in the described scenario.
BZ#887892
Previously, SELinux prevented the ABRT (Automatic Bug Reporting Tool) utility from using the inotify subsystem on the /var/spool/abrt-upload/ directory. Consequently, when the user set up the WatchCrashdumpArchiveDir option in the ABRT utility, the abrtd daemon failed on restart. To fix this bug, an SELinux policy rule has been added to allow ABRT to use inotify on /var/spool/abrt-upload/, and the daemon now works correctly.
BZ#842818
With SELinux in enforcing mode, the saslauthd daemon process could not work properly if the MECH=shadow option was specified in the /etc/sysconfig/saslauthd file. This update fixes the relevant SELinux policy rules and allows saslauthd to use the MECH=shadow configuration option.
BZ#842905
Previously, when a process with the user_r SELinux role tried to use the crontab utility on an NFS (Network File System) home directory, AVC messages were written to the audit.log file. The relevant SELinux policy has been updated to allow user_r processes to run the crontab utility, thus fixing the bug.
BZ#842927, BZ#842968
When the MAILDIR=$HOME/Maildir option was enabled either in the /etc/procmailrc or in dovecot configuration files, the procmail and dovecot services were not able to access a Maildir directory located in the home directory. This update fixes relevant SELinux policy rules to allow the procmail/dovecot service to read the configured MAILDIR option in /etc/procmailrc.
BZ#886874
When the vsftpd daemon is being stopped, it terminates all child vsftpd processes by sending the SIGTERM signal to them. When the parent process dies, the child process gets the SIGTERM signal. Previously, this signal was blocked by SELinux. This update fixes the relevant SELinux policy rules to allow vsftpd to terminate its child processes properly.
BZ#885518
Previously, the /var/lib/pgsql/.ssh/ directory had an incorrect security context. With this update, the security context has been changed to the ssh_home_t label, which is required by the PostgreSQL system backup.
BZ#843543
Due to an incorrect SELinux policy, SELinux prevented the libvirtd daemon from starting the dnsmasq server with the --pid-file=/var/run/libvirt/network/default.pid option and AVC denial messages were returned. The updated SELinux rules allow the libvirtd daemon to start correctly with dnsmasq support.
BZ#843577
With the MLS SELinux policy enabled, an administrator in an SELinux domain, with the sysadm_t type at the s0-s15:c0.c1023 level, was not able to execute the tar --selinux -zcf wrk.tar.gz /wrk command. These updated SELinux rules allow administrators to run the command in the described scenario.
BZ#843732
Due to a missing fcontext for the /var/named/chroot/lib64/ directory, AVC messages could be returned when working with the named daemon. To fix this bug, the missing SELinux security context for /var/named/chroot/lib64/ has been added.
BZ#836241
Due to an incorrect SELinux policy, the dovecot-imap and dovecot-lda utilities were not allowed access to the Maildir files and directories with the mail_home_rw_t security context. These updated SELinux rules allow dovecot-imap and dovecot-lda to access Maildir home directories.
BZ#844045
With SELinux in enforcing mode, the automount utility erroneously returned the mount.nfs4: access denied by a server error message when instructed to perform a mount operation, which included a context= parameter. Mount operations in NFS v3 were not affected. Now, SELinux policy rules have been updated to allow automount to work correctly in the described scenario.
BZ#809716
Due to an incorrect SELinux policy, the smartd daemon was not able to create the megaraid_sas_ioctl_node device with the correct SELinux security context. Consequently, monitoring of some disks on a MegaRAID controller using smartd was prevented. This update provides SELinux rules that allow monitoring of disks on a MegaRAID controller using smartd.
BZ#845201
Previously, the incorrect default label on the /etc/openldap/cacerts/ and /etc/openldap/certs/ directories was provided by SELinux policy, which caused various unnecessary AVCs to be returned. To fix this bug, these directories have been labeled with the slapd_cert_t SELinux security label. Now, no redundant AVCs are returned.
BZ#882348, BZ#850774
Previously, with SELinux in enforcing mode and the internal-sftp subsystem configured together with the Chroot option, users with the unconfined_t SELinux type were unable to connect using the sftp utility. This update fixes the SELinux policy to allow users to utilize sftp successfully in the described scenario.
BZ#849262
Previously, the snmpd daemon service was unable to connect to the corosync service using a Unix stream socket, which resulted in AVC messages being logged in the /var/log/audit/audit.log file. To fix this bug, a set of new rules has been added to the SELinux policy to allow the snmpd daemon to connect to corosync.
BZ#849671
With SELinux in enforcing mode, the /var/run/amavisd/clamd.pid file was empty, thus any attempt to restart the clamd.amavisd daemon failed. Stopping the service failed because of the empty PID file and starting it failed because the socket was already in use or still being used. These updated SELinux rules allow clamd.amavisd to write to the PID file as expected.
BZ#851113
Due to an incorrect SELinux policy, there was an incorrect label on the /var/run/cachefilesd.pid file. With this update, SELinux policy rules and the security context have been fixed to get the cachefilesd_var_run_t label for the file.
BZ#881993
Due to missing SELinux policy rules, the rsync daemon, which served an automounted home NFS directory, was not able to write files in this directory. To fix this bug, the rsync daemon has been changed into a home manager to allow the needed access permissions.
BZ#851289
Previously, the 8953/tcp port used the port_t SELinux port type, which prevented the unbound service from working correctly. To fix this bug, the 8953/tcp port has been associated with the rndc_port_t SELinux port type.
BZ#851483
The spice-vdagent package was rebased to the latest upstream version (BZ#842355). A part of this rebased spice-vdagent was moved to the syslog() function instead of using its own logging code (BZ#747894). To reflect this change, the SELinux policy rules have been updated for the spice-vdagent policy to allow the use of syslog().
BZ#852731
Previously, when a user wanted to create a user home directory on a client which did not exist, they could do so on local volumes. However, this operation was blocked in enforcing mode when the pam_oddjob_mkhomedir.so module attempted to create a home directory on an NFS mounted volume. SELinux policy rules have been updated to allow pam_oddjob_mkhomedir to use NFS and user home directories can now be created in enforcing mode as well.
BZ#853453
When the .forward file was configured by the user on NFS, AVC messages were returned. Consequently, Postfix was not able to access the script in the aforementioned file. These updated SELinux rules allow .forward to be set up properly in the described scenario.
BZ#811319
Previously, the fence_virtd daemon was unconfined by SELinux, which caused the service to run in the initrc_t type SELinux domain. To fix this bug, the fenced_exec_t security context has been added for the fence_virtd daemon, and this service now runs in the fenced_t SELinux domain.
BZ#871038
Previously, with SELinux in enforcing mode, the setroubleshootd daemon was not able to read the /proc/irq file. Consequently, AVC messages were returned. This update provides SELinux rules, which allow setroubleshootd to read /proc/irq, and AVC messages are no longer returned.
BZ#833463
With SELinux running in enforcing mode, the fence_vmware_soap binary did not work correctly. Consequently, fencing failed, services did not failover, and AVC denial messages were written to the audit.log file. This update fixes the relevant policy to make the fence_vmware_soap binary work correctly.
BZ#832998
Prior to this update, a proper security context for the /usr/lib/mozilla/plugins/libflashplayer.so file was missing. Consequently, executing the mozilla-plugin-config -i command caused the following error to be returned:
*** NSPlugin Viewer  *** ERROR: /usr/lib/mozilla/plugins/libflashplayer.so: cannot restore segment prot after reloc: Permission denied
The security context has been updated, and the command now works as expected.
BZ#821887
A missing SELinux policy prevented the Red Hat Enterprise Virtualization Hypervisors from recreating the /etc/mtab file with a correct security context. To fix this bug, a new SELinux transition from the virtd_t to the mount_t SELinux domain has been added.
BZ#858406
Due to missing SELinux policy rules, Point-In-Time Recovery (PITR) implementation with the support for the SSH and RSync protocols failed to work with PostgreSQL. To resolve this bug, the postgresql_can_rsync SELinux boolean has been added to allow PostgreSQL to run the rsync utility and interact with SSH.
BZ#858784
With SELinux in enforcing mode, the pulse utility failed to start the Internet Protocol Video Security (IPVS) sync daemon at startup. SELinux policy rules have been updated to allow pulse to start the daemon as expected.
BZ#829274
Previously, the SELinux Multi-Level Security (MLS) policy did not allow the sysadm_r SELinux role to use the chkconfig SERVICE on/off commands to enable or disable a service on the system. This update fixes the relevant SELinux policy to allow the sysadm_r SELinux role to use these commands to enable or disable the service.
BZ#860666
Due to missing SELinux policy rules, the rebased krb5 package version 1.10 returned the following AVC message:
type=AVC msg=audit(1348602155.821:530): avc:  denied  { write } for  pid=23129 comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
With this update, the kadmind utility has been allowed to access anon_inode file descriptors to fix the AVC message.
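As an added example that is not part of this errata, the following Python code parses AVC records in the format of the kadmind denial quoted above into their fields (verdict, permissions, process, source and target contexts, object class) and collapses a batch of denials into the allow rules they imply, which is the same summary that audit2allow prints for an administrator deciding whether a policy change is warranted. The second sample line is constructed for contrast and is not from the page.

```python
import re

# Sample input: the first line is the kadmind denial quoted in BZ#860666 above;
# the second is a constructed "granted" record in the same format (not from the page).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1348602155.821:530): avc:  denied  { write } for  pid=23129 '
    'comm="kadmind" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3647 '
    'scontext=unconfined_u:system_r:kadmind_t:s0 '
    'tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file',
    'type=AVC msg=audit(1348602160.000:531): avc:  granted  { read } for  pid=100 '
    'comm="passwd" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir',
]

# Header of an AVC record: timestamp, serial, verdict, the permission set in braces,
# and everything after "for", which is a run of key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$'
)
# key=value where the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_context(ctx):
    """Split an SELinux context (user:role:type[:level]) into its components."""
    user, role, type_, *rest = ctx.split(':')
    # The MLS/MCS level itself may contain colons (e.g. s0-s0:c0.c1023).
    level = ':'.join(rest) if rest else None
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(line):
    """Parse one AVC audit record; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group('rest')):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'permissions': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize_denials(lines):
    """Collapse denied records into the allow rules that would silence them
    (source type, target type, class, permissions), counted by occurrence.
    Granted records and non-AVC lines are ignored."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['source']['type'], rec['target']['type'],
               rec['tclass'], tuple(rec['permissions']))
        counts[key] = counts.get(key, 0) + 1
    return {
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms)): n
        for (src, tgt, cls, perms), n in counts.items()
    }


if __name__ == '__main__':
    for rule, n in summarize_denials(SAMPLE_AUDIT_LINES).items():
        print('%d x %s' % (n, rule))
```

Running the block on the sample prints the single rule allow kadmind_t anon_inodefs_t:file { write };, which is exactly the access this errata grants to kadmind.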
BZ#868959
Previously, the cluster-cim package was allowed to be used in enforcing mode. However, AVC messages connected with access to the /var/run/clumond.sock and /var/run/cman_client Unix sockets were identified. To fix this bug, new SELinux policy rules have been provided to allow the cimprovag utility to connect to the cman_client socket.
BZ#861011, BZ#901565
Previously, the /var/nmbd/ directory was labeled as var_t, which caused issues with Samba services that needed to access this directory. The security context has been updated and Samba can now access this directory as expected. Furthermore, SELinux could prevent the nmbd service from writing into the /var/ directory, which caused problems with NetBIOS name resolution and led to SELinux AVC denial messages.
BZ#867001
In the previous update, the rsyslog-gssapi package allowed the rsyslog utility to use the Generic Security Services Application Program Interface (GSSAPI). However, AVC messages were returned as a consequence. This update fixes relevant SELinux policy rules to allow the rsyslog utility to use Kerberos tickets on the client side.
BZ#865567
With SELinux in enforcing mode, when the fail2ban service was restarted and fail2ban was not able to execute the ldconfig and iptables commands, SELinux AVC denial messages were returned. This update fixes the relevant SELinux policy rules to allow fail2ban to execute ldconfig and also fixes the security contexts for the iptables binaries.
BZ#841950
Due to an incorrect security context for the /opt/sartest file, data could not be written to this location by the sadc utility running from a root cron daemon job. The security context has been updated and now sadc running from a root cron job can write data to this location.
BZ#860858
Previously, when the clamdscan utility was called by a Sendmail filter, the clamd daemon was not able to scan all files on the system. This update adds the clamscan_can_scan_system variable to allow all antivirus programs to scan all files on the system.
BZ#825221
Due to missing SELinux policy rules, the restorecon utility disregarded custom rules for symbolic links. These updated SELinux rules allow restorecon to properly handle custom rules for symlinks.
BZ#863407
Due to missing SELinux policy rules, the freshclam utility was not able to update databases through the HTTP proxy daemon when run by the cron daemon. To fix this bug, the relevant SELinux policy rules have been updated. As a result, freshclam now updates databases as expected in the described scenario.
BZ#864546, BZ#886619
Previously, SELinux prevented the puppet master from running the Passenger web application. To fix this bug, the security context for the Passenger Apache module has been updated to reflect the latest Passenger paths to executables, so that all applications using Passenger run with the correct SELinux domain.
BZ#860087
When a user set up the Red Hat Enterprise Linux 6 system as a VPN server with the IPSec+L2TP VPN, SELinux prevented the pppd daemon from accessing some needed components after connecting to the VPN server with the following error message:
pppd needs to be allowed also to "read" and "write" operations on l2tpd_t:socket
This update adds the missing SELinux policy to make sure all pppd actions are enabled by SELinux.
BZ#823647
Previously, some patterns in the /etc/selinux/targeted/contexts/files/file_contexts file contained typo errors. Some patterns matched the 32-bit path, but the same pattern for the 64-bit path was missing. Consequently, different security contexts were assigned to these paths. With this update, the relevant file context specifications have been corrected so that there are no more differences between these paths.
BZ#831068
Previously, when a user tried to change a password in the GNOME user account dialog window, the attempt was blocked by SELinux in enforcing mode due to missing SELinux rules for the passwd_t SELinux domain. With this update, SELinux policy rules have been added to allow users to change their passwords in the GNOME user account dialog window.
BZ#871106, BZ#882850
Previously, there were problems hooking certain monitoring plug-ins to the munin plug-in domain with SELinux in enforcing mode. To fix this bug, the unconfined_munin_plugin_t SELinux type has been added to the SELinux policy to cover all unconfined munin plug-ins. As a result, munin plug-ins can now run unconfined.
BZ#871816
With SELinux in enforcing mode, the ipactl restart command caused AVC denial messages to be returned. This update fixes the relevant SELinux policy rules and the command no longer produces AVC messages.
BZ#855286
While installing an ISO image on a virtual machine (VM) from Red Hat Enterprise Virtualization Manager, AVC messages were generated. These AVC messages were returned because the sanlock utility could not access files and directories on the FUSE file system. To fix this bug, the sanlock_use_fusefs SELinux boolean variable has been added and installing from an ISO image on a VM now succeeds.
BZ#853970
Previously, a Red Hat Cluster Suite node did not auto-join a cluster ring after power fencing due to missing SELinux policy rules for the corosync utility. Consequently, corosync failed to reboot. To fix this bug, corosync has been allowed to use the 1229/udp and 1228/udp ports so that a node can auto-join a cluster ring after power fencing. As a result, a machine re-joins the cluster after fencing and reboots as expected.
BZ#853852
Previously, the SELinux boolean variable for NFS failed to prevent an NFS client from accessing a share. Consequently, the NFS client could mount an NFS share and read or write files. Because the NFS server runs as a kernel process, the nfs_export_all_rw boolean variable was no longer needed and has been removed from the policy, thus fixing the bug. NFS clients now cannot access shares in the described scenario.
BZ#879266
When the user was installing Red Hat Cluster Suite packages from Red Hat Network, the installation process became unresponsive and the cluster suite was not installed. With this update, the relevant policy has been added and Red Hat Cluster Suite packages from RHN can now be installed as expected.
BZ#880407
Previously, if the user ran the restorecon utility on /etc/multipath* directories and files, the security context was reset. This update fixes the relevant SELinux policy rules and adds an updated SELinux security context for these directories and files.
BZ#846069
Previously, the piranha-web utility was unable to connect to the winbind daemon using Unix stream sockets. Consequently, AVC messages were returned. To fix this bug, a set of new rules has been added to the SELinux policy to allow the piranha-web service to connect to winbind.
BZ#883143
Due to the incorrect git_read_generic_system_content_files() interface, the git-daemon and httpd daemons could not serve the same directory. To fix this bug, the git_read_generic_system_content_files() interface has been updated to allow git-daemon and httpd to serve the same directory.
BZ#809877
Previously, due to incorrect file context specifications, the policy did not always have a correct label for files in the /var/log/ directory which were processed by the logrotate utility. To fix this bug, the file context specifications have been updated and the files and directories processed by logrotate now have correct labels.
BZ#844448
Previously, the munin-node agent lacked the SELinux rules necessary for reading Exim log files. Consequently, multiple bundled exim plug-ins were prevented from working and munin-node terminated unexpectedly. This update fixes the relevant SELinux policy rules to allow munin-node to read exim log files, so that the exim Munin plug-ins work correctly.
BZ#843455
Previously, when the user tried to use the munin_stats Munin plug-in, it caused AVC messages to be returned. To fix this bug, updated SELinux policy rules have been provided and munin_stats now works as expected.
BZ#886563
If a user tried to use a post-login script in the dovecot utility, an AVC message was returned. This update fixes relevant SELinux policy rules and adds updated SELinux rules to allow dovecot to start the /bin/bash file. Now, AVC messages are no longer returned.
BZ#841329
Due to an incorrect SELinux policy, confined SELinux users could not decrypt S/MIME (Secure/Multipurpose Internet Mail Extensions) emails, because SELinux prevented the gpg-agent daemon from reading the /dev/random file. The claws-mail client using the smime utility was affected by this bug. Now, SELinux policy rules have been updated to allow SELinux confined users to decrypt S/MIME emails.
BZ#770065
Previously, when a user tried to use the check_icmp Munin plug-in, AVC messages were returned. With this update, a corrected SELinux policy has been provided for check_icmp, thus fixing the bug.
BZ#890687
When a user attempted to configure the rsync daemon to log directly to a specific file, missing SELinux policy rules let the user create the log file, but did not allow appending to it. With this update, SELinux policy rules have been added to allow rsync to append to a specific log file.
BZ#821483
With SELinux in enforcing mode, a spamd daemon process updating Razor configuration files had its permission denied and an AVC message was generated. This update fixes the relevant SELinux policy rules to allow spamd processes to update Razor configuration files in the described scenario.
BZ#869304
With SELinux in enforcing mode, on a Red Hat Enterprise Linux 6.3 hypervisor, SELinux prevented the QEMU-KVM getattr() function access when starting VMs from Red Hat Enterprise Virtualization Manager hosted on a Red Hat Storage (RHS) storage domain. This update fixes relevant SELinux policy rules to allow the QEMU-KVM getattr() access.
BZ#867628
Prior to this update, the manual pages did not reflect the actual state of the SELinux policy rules. To fix this bug, the actual policy has been included in the selinux-policy package. Furthermore, all auto-generated manual pages are now regenerated on the system using the sepolicy utility from Fedora to provide better SELinux manual pages for each SELinux domain.
BZ#887793
The wdmd watchdog daemon used the /etc/wdmd.d/checkquorum.wdmd script, both provided by the sanlock package, for checking the cluster state. With SELinux enabled, this detection failed, resulting in a self-resetting loop. To fix this bug, SELinux support for the watchdog script from the sanlock utility has been added, and the detection no longer fails.

Enhancements

BZ#739103
On Red Hat Enterprise Linux 6, root privileges are required to start a KVM guest with bridged networking. The libvirt library in turn launches a QEMU process as the unprivileged qemu user. New qemu:///session URIs introduced to libvirt attempted to allow the unprivileged user to start KVM guests and have the QEMU process execute as the same unprivileged user but failed since the CAP_NET_ADMIN capability is required to use TUN/TAP networking. To fix this bug from the SELinux perspective, a new SELinux policy has been added for a networking helper program that QEMU can invoke.
BZ#801493
This update provides a new SELinux policy for the pacemaker service.
BZ#807157
This update provides a new SELinux policy for the numad service.
BZ#807678
This update provides a new SELinux policy for the bcfg2-server service.
BZ#836034
This update provides a new SELinux policy for the OpenStack Essex cloud computing framework.
BZ#834994
This update provides a new SELinux policy for the rhnsd service.
BZ#839250, BZ#838260
A new SELinux antivirus policy module has been introduced in this release. This module contains the antivirus_db_t file type and the antivirus attribute to consolidate all anti-virus programs on the system. The module also allows managing files and directories labeled with the antivirus_db_t file type.
BZ#833557
This update provides a new SELinux policy for the xl2tpd service.
BZ#827389
This update adds SELinux support for the Gitolite v.3 utility, which allows users to set up hosting of Git repositories on a central server.
BZ#811361
This update provides a new SELinux policy for the svnserve service.
BZ#811304
This update provides a new SELinux policy for the glusterd daemon.
BZ#848915
This update provides a new SELinux policy for the slpd daemon.
BZ#845417
This update provides a new SELinux policy for the ovs-vswitchd and ovs-brcompatd Open vSwitch services.
BZ#845033
This update provides a new SELinux policy for the iucvtty application, which provides full-screen terminal access to a Linux instance running as a z/VM Inter-User Communication Vehicle (IUCV).
BZ#839831
The QEMU emulator now provides a new qemu-ga (guest agent) daemon. This daemon runs on the guest and executes commands on behalf of processes running on the host. This update provides a new SELinux policy for this daemon.
BZ#848918
This update provides a new SELinux policy for the sencord service.
BZ#851128, BZ#888164
SELinux support has been added for the rpc.rstatd and rpc.rusersd daemons to prevent them from running in the initrc_t SELinux domain. Now, these services run in the rpcd_t SELinux domain.
BZ#851241
This update provides a new SELinux policy for the cpglockd service.
BZ#885432
Support for the /usr/share/ovirt-guest-agent/ovirt-guest-agent.py file has been added to these updated packages.
BZ#875839
Support for OpenShift Enterprise Policy has been added to Red Hat Enterprise Linux 6.4.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.