RHBA-2023:2965 - Bug Fix Advisory

Topic

An update for selinux-policy is now available for Red Hat Enterprise Linux 8.

Description

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 8 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
• Red Hat Enterprise Linux for IBM z Systems 8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
• Red Hat Enterprise Linux for Power, little endian 8 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.8 x86_64
• Red Hat Enterprise Linux for ARM 64 8 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

• BZ - 1983308 - SELinux Blocking Postfix+PostgreSQL
• BZ - 2028637 - httpd fails to start with opencryptoki SW token
• BZ - 2030633 - httpd_rotatelogs_t cannot browse standard symlink /etc/httpd/logs
• BZ - 2088441 - /usr/lib/systemd/systemd-socket-proxyd is not labeled appropriately, making the tool unusable
• BZ - 2090711 - [RHEL8.6/PCP/Bug] SELinux AVC when pmda bcc is enabled
• BZ - 2101341 - AVC when executing "subscription-manager" as sudo'ed sysadm_t
• BZ - 2103675 - mrtg cannot send mails
• BZ - 2111632 - NM dispatcher scripts cannot use hostnamectl and dbus chat with hostnamed
• BZ - 2112228 - AVC denials causing redis service failure with mailx core dump
• BZ - 2118784 - AVC denied read init_t var_lib_t:lnk_file prevent using systemd StateDirectory
• BZ - 2120253 - Please add bfd_multi port in corenetwork
• BZ - 2121084 - SELinux is preventing snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.
• BZ - 2121709 - SELinux prevents the samba-bgpd from writing the /var/run/nscd/socket socket
• BZ - 2122239 - SELinux is preventing ostnamed from remounting container_ro_file_t filesystems
• BZ - 2122838 - SELinux prevents confined users (staff_u, sysadm_u) from successfully running vlock
• BZ - 2123445 - insights-client fails to execute additional services [rhel-8.8.0]
• BZ - 2123610 - insight-client selinux denial creating .unregistered file
• BZ - 2124387 - confined users staff_u are creating AVC errors when pulseaudio starts at GUI login
• BZ - 2124388 - confined users staff_u are creating AVC errors for dbus at GUI login
• BZ - 2124550 - insights-client triggers SELinux denials after selinux-policy update
• BZ - 2124552 - SELinux prevents the sbd processes from readlink syscall { sys_ptrace }
• BZ - 2124661 - RHEL87 - AVC denials journalctl when starting insights-client from timer
• BZ - 2125008 - [RHEL8.6/Insights/SELinux/Regression] SELinux Migration insights-client first from from cronjob and then from systemd not working
• BZ - 2127902 - Insights compliance service is run from cron instead of systemd which have different SELinux context and leads to AVCs
• BZ - 2132229 - [RHEL8.6/Insights/SELinux/Bug] SELinux AVC insights-client with podman containers running
• BZ - 2132230 - [RHEL8/Insights/Bug] SELinux violations insights client with Satellite 6.11
• BZ - 2132922 - system cronjobs can query sssd through but sssd cannot reply
• BZ - 2134125 - [RHEL8/Insights/Bug] SELinux violations insights client SAPHostAgent
• BZ - 2134820 - AVC Denial on iptables / ip6tables on Centos Stream 8
• BZ - 2136189 - Confined user sudo'ing with sysadm_r role sees journalctl AVCs
• BZ - 2141311 - Additional AVC denials for insights-client in RHEL 8.7
• BZ - 2143337 - certmonger emailed alerts incomplete due to local MTA unable to read /run/certmonger temp files
• BZ - 2143696 - [Regression] AVC reported when samba-dcerpcd tries to read Samba shares
• BZ - 2143762 - SELinux is preventing /usr/bin/sudo from open access on the file /var/log/sudo.log.
• BZ - 2143822 - insights-client-results selinux denials
• BZ - 2143878 - Frequent AVC denial messages in commands executed via insights-client
• BZ - 2144501 - SELinux is preventing systemctl from getattr access on the filesystem /.
• BZ - 2144505 - SELinux is preventing /usr/bin/cdcc from map access on the file /var/lib/dcc/map.
• BZ - 2148215 - SELinux prevents the subscription-manager facts program from mmap()-ing the /dev/mem
• BZ - 2148561 - SELinux is preventing /usr/bin/ipmitool from ioctl access on the chr_file /dev/ipmi0.
• BZ - 2151111 - [RHEL8.7/Insights/SELinux/Bug] Insights-client SELinux AVCs in Satellite 6.12
• BZ - 2152642 - AVC denied errors from samba-dcerpcd on Samba 4.16.4
• BZ - 2154242 - [Regression] Executing bash from a system cronjob ends up executing as rpm_script_t
• BZ - 2156204 - [RHEL8.6/Insights/SELinux/Bug] SELinux AVC with Oracle and SAPHostAgent
• BZ - 2157902 - SELinux prevents the prosody service from creating the /run/prosody/prosody.sock socket
• BZ - 2158605 - [RHEL8.6/Insights/SELinux/Bug] SELinux AVC insights-client with selinux-policy-3.14.3-95.el8_6.5
• BZ - 2158779 - [RHEL8.6/Insights/SELinux/Bug] SELinux AVC with SAPHostAgent with selinux-policy-3.14.3-95.el8_6.5
• BZ - 2164047 - new selinux-policy causes the /var/log/sudo.log to be created in different than expected fcontext
• BZ - 2166802 - [RHEL8.6/insights-compliance/SELinux/Bug] SELinux AVC denials while running insights-client compliance command

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index