1.156. selinux-policy

Due to an incorrect SELinux policy, SELinux did not allow FreeRADIUS to disable storing core dump files upon a failure. This update applies a backported patch that addresses this issue, and FreeRADIUS can now be configured not to create core dumps as expected.

Previously, when a leaked file descriptor was detected during a system update, an Access Vector Cache (AVC) message was written to the audit log. With this update, the relevant SELinux policy has been added to prevent SELinux from reporting file descriptors leaked during a system update.

When running in enforcing mode, SELinux did not allow the clustat utility to bind to a reserved port. This update adapts the SELinux rules to permit such connection, so that clustat is now able to bind to the required port as expected.

Prior to this update, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the modprobe utility from sending the SIGNULL signal to all processes. With this update, the relevant policy has been fixed, and SELinux no longer prevents modprobe from sending SIGNULL to all processes.

When Samba is configured to run as a Windows Internet Name Server (WINS) that is integrated to a Name Service Switch (NSS), programs that resolve a NetBIOS name require access to the /var/cache/samba/unexpected.tdb file. Previously, SELinux incorrectly denied this access. This update adapts the relevant SELinux policy to allow this access, and programs resolving a NetBIOS name are now able to access this file as expected.

Previous versions of the seliux-policy packages did not provide a SELinux policy for the /var/spool/rsyslog/ directory. With this update, this policy has been added.

When the utmp option in the /etc/samba/smb.conf configuration file is set to yes, Samba records sessions in the utmp and wtmp files. Prior to this update, the SELinux policy did not allow the smbd daemon to write to the wtmp file. With this update, the SELinux policy has been corrected, so that Samba is now allowed to work as expected.

When running in enforcing mode, SELinux did not allow the net utility to create a Kerberos keytab file when the system was joined to a Windows 2003 Active Directory domain. This update corrects this error, and SELinux no longer prevents the net utility from creating a Kerberos keytab file.

Prior to this update, an attempt to use the System Security Services Daemon (SSSD) with an LDAP domain connected to an OpenLDAP server over the Transport Layer Security (TLS) protocol caused various AVC messages to be written to the audit log. This update applies a backported patch that resolves this issue, so that no unnecessary AVC messages are recorded.

The rsyslogd tool allows a user to change the maximum number of open file descriptors by adding the $MaxOpenFiles directive to the /etc/rsyslog.conf file. Previously, an attempt to use this directive to set a number that is larger than the default value failed, because SELinux prevented rsyslogd from accessing setrlimit. This update corrects the relevant policy to allow this access, so that the rsyslogd tool is now able to increase the maximum number of open file descriptors as expected.

In order to perform its job, the pyzor client requires access to certain files in users' home directories. Prior to this update, SELinux did not allow pyzor to access these files if the home directories were located on an NFS mount point. With this update, SELinux no longer denies pyzor access to NFS-mounted home directories, allowing it to work correctly.

Due to missing SELinux policies, various AVC messages may have been reported when attempting to start the pulse or ipvsadm service. This update adds the relevant policies to make sure these services can be started as expected.

For debugging purposes, Openswan allows a user to specify a directory in which to store a core dump file in case the pluto service crashes. Prior to this update, running SELinux in enforcing mode rendered Openswan unable to create such a core dump. With this update, the relevant policy has been corrected, and SELinux no longer prevents Openswan from creating core dump files.

The sshd service, ssh client, and other SSH-aware utilities need to read data from the /dev/random and /dev/urandom devices. Prior to this update, SELinux may have incorrectly prevented these programs from accessing these devices. This update adapts the SELinux policy so that these utilities are able to read data from both /dev/random and /dev/urandom as expected.

Due to an incorrect SELinux policy, the Pyzor spam filtering system was incorrectly denied access to configuration files located in the /etc/ directory. This update corrects the SELinux policy to make sure Pyzor is no longer prevented from accessing its configuration files.

With SELinux running in enforcing mode, any communication via the Stream Control Transmission Protocol (SCTP) was denied. With this update, the relevant SELinux policy has been adapted to allow the SCTP communication.

Prior to this update, restarting the vsftpd service by using the service vsftpd restart command caused an AVC message to be written to the audit log. With this update, SELinux rules have been added to address this issue, and restarting the vsftpd service no longer produces AVC messages.

With SELinux enabled, running the named service in a chroot environment rendered it unable to update log files. This error has been fixed, and SELinux no longer prevents named from updating the log files.

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the lsusb command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the kpartx -x command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

Due to an incorrect SELinux policy, when the OpenAIS Standards-Based Cluster Framework was started, various AVC messages were written to the audit log, and the openais service was unable to use UDP port 5404. This error has been fixed, the relevant SELinux policy has been corrected, and the openais service now works as expected.

Previous versions of the selinux-policy packages were missing SELinux rules for the syslog-ng syslog server. With this update, these rules have been added.

Previously, using the arping utility on an IBM System z machine incorrectly caused an AVC message to be written to the audit log. This update corrects the relevant SELinux policy, and running arping no longer produces unnecessary AVC messages.

Prior to this update, SELinux incorrectly prevented the clamav-milter utility to from opening a socket, causing it to terminate with an error. With this update, this error has been fixed, and clamav-milter can now be used as expected.

With SELinux running in enforcing mode, the Apache HTTP Server may have been unable to use the worker Multi-Processing Module (MPM). This update applies a backported patch that adds the httpd_execmem boolean. As a result, SELinux no longer prevents the Apache HTTP Server from loading the worker MPM.

Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the user_u and staff_u SELinux users from running the ssh-keygen utility. This update fixes the relevant policy, and both user_u and staff_u users are now able to run ssh-keygen as expected.

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the crontab -l command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the iprinit, iprdump, and iprupdate services from working correctly. With this update, this error no longer occurs, and the aforementioned services are able to work as expected.

Due to an error in SELinux rules, running SELinux in enforcing mode rendered the clustat utility unable to connect to a cluster port. With this update, the SELinux rules have been updated to permit such connection, resolving this issue.

Prior to this update, the .k5login files in the users' home directories were labeled with a wrong security context, which caused SELinux to incorrectly prevent the krb5_child process from accessing these files. With this update, the security context of the .k5login files has been corrected so that krb5_child is no longer denied access to these files.

This update introduces the squid_selinux(8) manual page, which provides detailed documentation of the SELinux policy for the squid daemon.

This update adds a new security context for devices in the /dev/hpilo/ directory, which provide an interface to the HP Integrated Lights-Out (iLO) remote management functionality.