Updated selinux-policy packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
- SELinux prevented the qemu-guest-agent process from executing the settimeofday() and hwclock() functions. Consequently, qemu-guest-agent was unable to set the system time. A new rule has been added to the SELinux policy and qemu-guest-agent can now set the time as expected.
- Previously, SELinux did not allow the dhcpd daemon to change file ownership on the system. As a consequence, the ownership of files that dhcpd created was changed from the required dhcpd:dhcpd to root:root. The appropriate SELinux policy has been changed, and dhcpd is now able to change the file ownership on the system.
- Due to the missing miscfiles_read_public_files Boolean, the user could not allow the sshd daemon to read public files used for file transfer services. The Boolean has been added to the SELinux policy, thus providing the user the ability to set sshd to read public files.
- Due to a missing SELinux policy rule, the syslog daemon was unable to read the syslogd configuration files labeled with the syslog_conf_t SELinux context. With this update, the SELinux policy has been modified accordingly, and syslog now can read the syslog_conf_t files as expected.
- Due to an insufficient SELinux policy rule, the thttpd daemon ran in the httpd_t domain. As a consequence, the daemon was unable to change file attributes of its log files. The SELinux policy has been modified to fix this bug, and SELinux no longer prevents thttpd from changing attributes of its log files.
- Previously, SELinux did not allow the sssd daemon to write to the krb5 configuration file, thus the daemon was unable to make any changes in krb5. The SELinux policy has been changed with this update, and sssd can now write to krb5.
- Due to a missing SELinux policy rule, the Samba daemons could not list the /tmp/ directory. The SELinux policy has been modified accordingly, and SELinux no longer prevents the Samba daemons from listing the /tmp/ directory.
In addition, this update adds the following
- With this update, new SELinux policy rules have been added, and the following services now run in their own domains, not in the initrc_t domain:thttpd
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.