RHBA-2018:3111 - Bug Fix Advisory

Topic

An update for selinux-policy is now available for Red Hat Enterprise Linux 7.

Description

The selinux-policy packages contain the rules that govern how confined processes run on the system.

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Users of selinux-policy are advised to upgrade to these updated packages.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux for ARM 64 7 aarch64
• Red Hat Enterprise Linux for Power 9 7 ppc64le
• Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

• BZ - 1271324 - sepolicy generate --cgi option makes unbuildable module
• BZ - 1275727 - homedir polyinstantiation (pam_namespace) doesn't work in mls
• BZ - 1293384 - watchdog.d and python script
• BZ - 1307183 - gridengine MPI jobs fail with SELinux denials
• BZ - 1347052 - SELinux prevents zabbix_agent from running sudo
• BZ - 1364513 - selinux denial when bringing interface up or down with dhcp
• BZ - 1365555 - Revert workaround for issues with snapper and btrfs subvolume labels
• BZ - 1368642 - When connecting the mail system to mariadb via socked, new rules are needed.
• BZ - 1373186 - SELinux prevents gnome-keyring-daemon from writing to user home directory
• BZ - 1380697 - selinux prevents executing scripts by zabbix-agent
• BZ - 1381234 - SELinux is preventing /usr/bin/perl from 'create' accesses on the directory .spamassassin.
• BZ - 1384769 - Selinux preventing /usr/bin/tmux as login shell
• BZ - 1405870 - Denials for rhsmcertd on Xen Dom0
• BZ - 1406470 - SELinux "preventing rpc.mountd from ioctl access on the blk_file /dev/rbd1" when sharing rbd device over NFS and mounting as v3 on a client
• BZ - 1415960 - cimserver is blocked by selinux with sblim-sfcb service
• BZ - 1418860 - SELinux does not allow zabbix agent to access redis tcp socket
• BZ - 1422424 - error creating output file /var/lib/logrotate.status.tmp: Permission denied
• BZ - 1423361 - /bin/bash: /etc/cron.hourly/man-db.cron: Permission denied
• BZ - 1427553 - RFE: NFS over AF_VSOCK support in SELinux
• BZ - 1428805 - abrt-cli can't used by check_mk
• BZ - 1443473 - SELinux prevents keepalived to connect to arbitrary ports
• BZ - 1446681 - avc: denied { write } for comm="rpc.nfsd" name="nlm_grace_period"
• BZ - 1448799 - SELinux is preventing /usr/libexec/qemu-kvm from search access on process directory of sanlock daemon
• BZ - 1452444 - SELinux prevents amanda 3.4.4 from using shared memory
• BZ - 1458538 - Typo in selinux config
• BZ - 1460481 - SELinux avoids writing to tlp-related /run/tlp/lock_tlp (via ethtool and iw)
• BZ - 1460715 - SELinux is preventing /usr/libexec/abrt-hook-ccpp from connectto access on the unix_stream_socket /run/nscd/socket.
• BZ - 1463593 - [ESXi][RHEL7.5]unknown delay on pre-freeze script via vm-tool
• BZ - 1465276 - vhostmd having no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest
• BZ - 1468431 - Zabbix agent fails to start due to being unable to disable coredumps
• BZ - 1468744 - selinux-policy preventing pesign from accessing necessary items
• BZ - 1474440 - selinux blocks starting of ocf:heartbeat:mysql pacemaker cluster resource
• BZ - 1477900 - SELinux is preventing samba with kerberos
• BZ - 1477948 - in bug 1451318, Tomcat was allowed to connect to PostgreSQL port, but there should be a boolean for that
• BZ - 1492137 - AVC denials with SBD in cluster
• BZ - 1499046 - Selinux policy prevents systemd-sysctl from changing user.max_user_namespaces
• BZ - 1503835 - Openvswitch crash loop when adding netdev bridge ovs 2.7.2.10 FDP and selinux enabled
• BZ - 1509055 - Tang needs an SELinux policy
• BZ - 1511437 - more specific file context pattern for /run/ebtables.lock is missing
• BZ - 1512852 - avc denied for nscd, avc: denied { read } comm="nscd" name="disable_ipv6" dev="proc"
• BZ - 1513100 - SELInux prevents fail2ban from setting resource limits
• BZ - 1514591 - Restarting ipmievd service results in avc denied errors.
• BZ - 1516233 - Freeradius produce avc: denied { search }
• BZ - 1516513 - SELinux is preventing /usr/bin/ps from using the sys_ptrace capability after installing pcp-zeroconf
• BZ - 1516593 - avc: denied { write } for comm="rpc.nfsd" name="nlm_grace_period" dev="proc" ino=54559 when setting lockd.conf
• BZ - 1516862 - Update selinux-policy rpm macros in dist-git.
• BZ - 1521063 - udisks2.service is not confined because the udisksd location has changed
• BZ - 1526012 - rsyslogd is not allowed to read IDM's Tomcat pki_log files
• BZ - 1527522 - Logrotate is not allowed to send kill signal
• BZ - 1532017 - SELinux prevents /usr/bin/bash (running as squid_t) from getattr+execute access on the file /usr/sbin/ldconfig
• BZ - 1536690 - SELinux denial of 'kexec' trying to read the vmlinuz file
• BZ - 1538363 - SELinux is preventing /usr/sbin/conmand from open access on the file /var/log/conman.d/pvr.
• BZ - 1539748 - selinux-policy is blocking the connection to mongodb on port 27017 from tomcat webapp.
• BZ - 1539938 - [Hyper-V] hypervvssd and selinux denials
• BZ - 1540711 - selinux policy stops tor from starting if configured to host a hidden service
• BZ - 1545098 - SELinux prevents abrt-handle-upload from searching in /etc/pki directory
• BZ - 1545230 - certmonger is not allowed to use local MTA
• BZ - 1545586 - unbound start causes avc denial
• BZ - 1546664 - selinux_modules_uninstall macro should modify the specified policy store
• BZ - 1546897 - RabbitMQ Selinux Allow dir create in tmp_t
• BZ - 1547700 - fs_rw_nsfs_files has requiring wrong nsfs_fs_t type
• BZ - 1548350 - SELinux prevents traceroute from using DCCP sockets
• BZ - 1549514 - /var/log/shibboleth-www(/.*) needs httpd_sys_content_rw_t
• BZ - 1551568 - Cannot execute mdadm when policy is MLS
• BZ - 1553303 - [Ganesha] Lots of Selinux AVC denied { search } for ganesha.nfsd process is been observed Post inservice upgrade from RHGS 3.3.1 [RHEL 7.4] to RHGS 3.3.1_Async [RHEL 7.5]
• BZ - 1556798 - SELinux is preventing /usr/sbin/snapperd from mounton access
• BZ - 1559859 - Print to file (PDF) does not work
• BZ - 1560986 - RFE: SELinux boolean to allow antivirus_t to read /proc
• BZ - 1561028 - SELinux is preventing snapperd from unmount access on the filesystem
• BZ - 1563423 - SELinux prevents Postfix/cleanup from accessing OpenDKIM UNIX socket
• BZ - 1565226 - Red Hat Certificate System (RHCS) gets execstack denial during startup
• BZ - 1567753 - SELinux is preventing chronyd from 'search' accesses on the directory /var/lib/libvirt.
• BZ - 1568281 - SELinux is preventing chronyc from 'write' accesses on the directory chrony.
• BZ - 1569344 - [Ganesha] Observing "Failed to open v4 recovery dir" message in ganesha.log when ganesha cluster goes to 90 seconds of GRACE period and selinux is in ENFORCING mode
• BZ - 1571202 - SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file
• BZ - 1571591 - sysadm_u cannot work with SCTP sockets
• BZ - 1572584 - (RHEL7) SELinux prevents ctdb from running commands to disable event scripts
• BZ - 1574383 - map AVCs for dhclient after selinux-policy update
• BZ - 1574392 - map AVCs for google-chrome after selinux-policy update
• BZ - 1574418 - Cannot redirect output of command chronyc to a file
• BZ - 1574537 - svnserve cannot contact saslauthd service
• BZ - 1576555 - /usr/libexec/rhsmcertd-worker (rhsmcertd_t) sends signull to httpd_t
• BZ - 1578883 - selinux issues with timemaster
• BZ - 1579219 - httpd/CGI scripts cannot connect to MongoDB database
• BZ - 1581225 - allow hypervvssd_t to perform stat() on devices
• BZ - 1581551 - RHEL 7.5: cannot ssh to host after updating selinux-policy and selinux-policy-targeted pkgs to version 3.13.1-193.el7 with kernel version 3.10.0-889.el7
• BZ - 1582205 - usbmuxd triggers SELinux violation, simply reading
• BZ - 1583080 - SELinux is preventing abrt-dbus from map access on the file /usr/sbin/abrt-dbus
• BZ - 1583082 - SELinux is preventing /usr/bin/pkla-check-authorization from map access on the file /usr/bin/pkla-check-authorization
• BZ - 1583084 - SELinux is preventing ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so
• BZ - 1583086 - SELinux is preventing /usr/sbin/nscd from map access on the file /usr/sbin/nscd
• BZ - 1583087 - SELinux is preventing /usr/sbin/postalias from map access on the file /usr/sbin/postalias
• BZ - 1583088 - SELinux is preventing /usr/libexec/postfix/qmgr from map access on the file /usr/libexec/postfix/qmgr
• BZ - 1583089 - SELinux is preventing /usr/bin/ssh-keygen from map access on the file /usr/bin/ssh-keygen
• BZ - 1583090 - SELinux is preventing /usr/sbin/setfiles from map access on the file /usr/sbin/setfiles
• BZ - 1583091 - SELinux is preventing /usr/libexec/postfix/pickup from map access on the file /usr/libexec/postfix/pickup
• BZ - 1583830 - SELinux prevents systemd-networkd from reading/writing tun tap device
• BZ - 1584011 - vhost-vsock cannot be labeled by libvirt
• BZ - 1585325 - x86, ppc64le: SSH Key Generation fails when run as systemd service on RHEL 7.6 VMs
• BZ - 1585328 - SELinux prevents zoneminder from connecting to remote mysql database
• BZ - 1586029 - SELinux is preventing /usr/sbin/named-pkcs11 from map access on the file /usr/share/GeoIP/GeoIPv6-initial.dat
• BZ - 1586031 - SELinux is preventing java from map access on the file /tmp/hsperfdata_pkiuser/25250
• BZ - 1586033 - SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/libexec/ipa/ipa-dnskeysync-replica
• BZ - 1586042 - SElinux troubleshooter is not started in enforcing mode
• BZ - 1588119 - /usr/libexec/rhsmcertd-worker (rhsmcertd_t) sends signull to postgresql_t
• BZ - 1589257 - SELinux map denials for dlm_controld
• BZ - 1589295 - SELinux map denials for iscsid
• BZ - 1591191 - several abrt related AVCs
• BZ - 1592016 - SELinux is preventing /usr/sbin/slapd from map access on the file /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
• BZ - 1592019 - SELinux is preventing /usr/libexec/sssd/sssd_be from map access on the file /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
• BZ - 1592022 - SELinux is preventing /usr/libexec/oddjob/mkhomedir from map access on the file /usr/libexec/oddjob/mkhomedir
• BZ - 1592025 - SELinux is preventing /usr/sbin/mount.nfs from map access on the file /usr/bin/umount
• BZ - 1592026 - SELinux is preventing /usr/libexec/sssd/selinux_child from map access on the file /usr/libexec/sssd/selinux_child
• BZ - 1592028 - SELinux is preventing systemd-journal from map access on the file /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal
• BZ - 1592032 - SELinux is preventing /usr/sbin/ypserv from map access on the file /var/yp/ipatest/group.byname
• BZ - 1592688 - SELinux is preventing /usr/libexec/qemu-kvm from map access
• BZ - 1593130 - SELinux is preventing /usr/sbin/glusterfsd from map access on the file under /var/tmp
• BZ - 1593728 - SELinux prevents abrt-hook-ccpp from mmap()-ing /usr/bin/strace file
• BZ - 1593740 - SELinux is preventing virtlogd from 'write' accesses on the fifo_file /run/systemd/inhibit/36.ref.
• BZ - 1594661 - [RHEL7.6] arping, ip, hostname, dhcp affected when selinux enabled
• BZ - 1594729 - New selinux-policy causes openvswitch_t/modules_object_t AVC denial
• BZ - 1595328 - various postfix* processes trigger SELinux denials with { map }
• BZ - 1595667 - allow user add for gnome-control-center
• BZ - 1596065 - SELinux is preventing ping from map access on the file /usr/bin/ping
• BZ - 1596072 - SELinux is preventing /usr/sbin/load_policy from map access on the file /usr/sbin/load_policy
• BZ - 1596141 - Selinux cause lsmcli list --type PLUGINS leads to TRANSPORT_COMMUNICATION(400)
• BZ - 1596367 - tomcat_var_lib_t needed on /var/lib/tomcats directory
• BZ - 1596509 - /usr/sbin/rhn_check* should have same context as /usr/sbin/rhn_check
• BZ - 1596563 - SELinux prevents chronyc from accessing nscd socket
• BZ - 1598388 - avc: denied { map } for comm="local" path="/usr/libexec/postfix/local
• BZ - 1598392 - virtlogd entered failed state with "Permission denied" error after reload
• BZ - 1598506 - SELinux prevents NetworkManager from mmap()-ing /usr/sbin/dnsmasq
• BZ - 1598593 - SELinux is preventing "virtlogd" from read access to virt_etc_t symlink
• BZ - 1599714 - denied { map } for pid=9121 comm="cleanup" path="/usr/libexec/postfix/cleanup"
• BZ - 1599720 - avc: denied { map } for pid=19056 comm="smtpd" path="/usr/libexec/postfix/smtpd"
• BZ - 1599726 - selinux blocks slapd access to cracklib
• BZ - 1600528 - SELinux is preventing /usr/sbin/nscd from map access on the file /etc/group
• BZ - 1600572 - SELinux interferes with the netlabel service
• BZ - 1600578 - SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy
• BZ - 1600597 - SELinux prevents ntpdate-wrapper from 'execute_no_trans' accesses on the file /usr/sbin/ntpdate
• BZ - 1600705 - SELinux prevents the kprop service from starting
• BZ - 1600997 - selinux blocks {map} from automount_t to fsadm_exec_t
• BZ - 1601004 - selinux blocks {map} from kadmind_t to krb5kdc_principal_t
• BZ - 1601151 - SELinux prevents /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-6.b04.el7.x86_64/jre/bin/java from searching under /sys/fs/cgroup/ directory
• BZ - 1601389 - SELinux is preventing abrt-action-ins from read access on the file /var/lib/rhsm/repo_server_val/redhat.repo
• BZ - 1601863 - /etc/selinux/targeted/contexts/customizable_types not including 'container_file_t'
• BZ - 1601975 - libreswan has started to produce avc: denied { execute_no_trans }
• BZ - 1603135 - AVC denials seen during install of ipa-server
• BZ - 1607994 - Cannot Connect To VPN After Update Due To SELinux
• BZ - 1608421 - avc: denied { map } for pid=8885 comm="eu-unstrip" path="/tmp/tmp.jEtebk00cB/suidedexecutable" dev="dm-0"
• BZ - 1608545 - avc failure reported while testing oracleasm
• BZ - 1612143 - the hsqldb service triggers SELinux denials
• BZ - 1612456 - [ALT-7.6][selinux-policy] avc: denied { search } for pid=3409 comm="rngd" name="pki" dev="dm-0"
• BZ - 1612984 - avc denied errors generated after restarting ipmi service
• BZ - 1613898 - mysqld_safe-scl-help is not able to exec mysqld_safe
• BZ - 1614236 - Selinux is preventing gnome-disk-utility from benchmarking the disk
• BZ - 1614965 - avc denied message when attempting to get stdout remotely from sanlock
• BZ - 1615995 - Need rsyslog policy for /var files, elasticsearch, kubernetes
• BZ - 1619252 - SELinux prevents kpropd from mmap()-ing /var/kerberos/krb5kdc/principal.ulog file
• BZ - 1622602 - SELinux prevents 389-admin from managing certificates
• BZ - 1622617 - /dev/tpmrm0 file has wrong SELinux file context
• BZ - 1623124 - /dev/mtd0 is a character device and should have a more specific label than device_t
• BZ - 1623589 - SELinux policy blocking iscsiuio from managing UIO interface to bnx2i/qedi drivers
• BZ - 1624224 - SELinux is preventing /usr/libexec/qemu-kvm from map access on the blk_file /dev/pmem0
• BZ - 1624289 - AVC denials noticed during test execution for SUB-CA test-suite in FIPS mode
• BZ - 1624351 - SELinux is preventing gsd-smartcard from 'map' accesses on the file /etc/pki/ca-trust/source/README.
• BZ - 1624810 - SELinux is preventing /opt/google/chrome/chrome from execute_no_trans access on the file /opt/google/chrome/chrome-sandbox
• BZ - 1625613 - SELinux is preventing /usr/libexec/qemu-kvm from ioctl/open/read/write/map/mem/execmem access on the chr_file /dev/dri/renderD128
• BZ - 1625678 - SELinux prevents remove_name for Tomcat
• BZ - 1627114 - sbd is unable to list watchdogs with selinux enabled
• BZ - 1629041 - SELinux is preventing mysqld from using the 'sys_nice' capabilities.
• BZ - 1631666 - AVC denial by tomcat, reading /dev/random

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index