- Issued: 2024-11-12
- Updated: 2024-11-12
RHBA-2024:9337 - Bug Fix Advisory
Synopsis
selinux-policy bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
An update for selinux-policy is now available for Red Hat Enterprise Linux 9.
Description
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.5 Beta Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- RHEL-22960 - As a contributor, I want to be able to contribute fixes to selinux-policy
- RHEL-24346 - SELinux prevents NetworkManager from using the sys_ptrace capability in user namespaces
- RHEL-25978 - Selinux prevents systemd_timedated from checking timemaster status
- RHEL-30271 - postfix qmgr cannot delete mails in bounce/ directory
- RHEL-22172 - SELinux policy (daemons) changes required for package: rust-bootupd
- RHEL-22173 - Remove domains from permissive
- RHEL-28080 - [rhel-9] more specific label for /dev/mmcblk0rpmb device
- RHEL-31888 - Confined user cannot list/edit a crontab via sudo [rhel-9]
- RHEL-32296 - selinux prevents qemu-kvm from read access to max_map_count
- RHEL-33994 - SELinux is preventing /usr/bin/numad from sys_ptrace access on the cap_userns labeled numad_t
- RHEL-31211 - RHEL 9.3 release notes mention the addition of new boolean `virt_qemu_ga_run_unconfined` but it's only available on RHEL 8.9
- RHEL-32290 - SELinux blocks avahi dbus notifications to cronjob_t
- RHEL-34078 - SELinux prevents the setroubleshootd process from getattr on /proc/sys/vm/max_map_count file [rhel-9]
- RHEL-34135 - SELinux prevents the sendmail process from searching /proc/sys/net/ipv6/conf/all/disable_ipv6
- RHEL-36289 - SELinux prevents the bootupd daemon from getattr+search on /sys/firmware/efi/efivars/ [rhel-9]
- RHEL-37663 - New sap selinux policy requires unconfined policy module
- RHEL-38833 - rpcbind AVC occurs on s390x rhel9.5 when running socat test
- RHEL-36293 - SELinux prevents the collectd from using sys_ptrace in user namespaces
- RHEL-38905 - [ptp4l service]denied { module_request } tcontext=system_u:system_r:kernel_t:s0
- RHEL-39937 - [rhel-9] SELinux prevents systemd-coredump from reading the /proc/PID/ns/mnt file
- RHEL-40374 - [rhel-9] SELinux confined (staff_t) user's systemd-tmpfiles-setup.service fails to start
- RHEL-28777 - selinux policy doesn't allow timemaster to write to /sys
- RHEL-36587 - nodejs executables in /usr/lib/node_modules/npm/bin are not properly labeled
- RHEL-44680 - [rhel-9] SELinux prevents sbd from using sys_ptrace in cap_userns
- RHEL-33361 - [rhel9] various systemd programs want to access /dev/z90crypt
- RHEL-35782 - Ensure dbus communication is allowed bidirectionally
- RHEL-16104 - [rhel-9] AVCs when confined user tries to sudo while sudo-io is configured
- RHEL-25724 - Add support for samba-gpupdate [SELinux]
- RHEL-27141 - TCG VM can not use hugepages as "Permission denied"
- RHEL-38614 - coreos-installer hitting multiple denials during install tests
- RHEL-45245 - [RHEL-9.5] SELinux denials appear when sd-parse-elf is executed by systemd-coredump
- RHEL-26821 - SELinux prevents the reload_microcode process from creating the /sys/devices/system/cpu/microcode/reload file
- RHEL-45033 - SELinux prevents systemd-hostnamed from admin access to nscd
- RHEL-45528 - SELinux prevents systemd-pstore from writing to /dev/kmsg and systemd journal socket
- RHEL-46332 - [rhel-9] SELinux prevents Postfix from mapping LMDB databases
- RHEL-49735 - afterburn.service and user@afterburn-ssh-keys fail in CS9 (SCOS) with SELinux enabled
- RHEL-50922 - Need to label the /dev/sgx* devices.
- RHEL-6776 - postfix-pgsq can't connect to the database using sockets
- RHEL-17404 - passwd and chpasswd (passwd_exec_t) should always run confined as "passwd_t"
- RHEL-25514 - AVC "sendto" when executing systemd-notify from a service unit [rhel-9]
- RHEL-47033 - systemd-network-generator.service hitting AVC denials
CVEs
(none)
Note:
More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 9
SRPM | |
---|---|
selinux-policy-38.1.45-3.el9_5.src.rpm | SHA-256: 746f69f084a907fe8d3c6f5076b6677e209081e91a5c406f224750d268fd7807 |
x86_64 | |
selinux-policy-38.1.45-3.el9_5.noarch.rpm | SHA-256: 217d992f42cab6cae7b0236daeefe78d067f882481f20316198e0736f1325ab2 |
selinux-policy-devel-38.1.45-3.el9_5.noarch.rpm | SHA-256: e1429958ce13167c28a688b1cf5316930626d79ca8b68fd30431e04ca015d335 |
selinux-policy-doc-38.1.45-3.el9_5.noarch.rpm | SHA-256: 0134c5804a562df531322398c5127547e524bf8885389ee8f8ee4eecf19e5f4f |
selinux-policy-mls-38.1.45-3.el9_5.noarch.rpm | SHA-256: 3563efff0c71e44f30c13d5810463158707ccab57b27173f5282018a930a81bf |
selinux-policy-sandbox-38.1.45-3.el9_5.noarch.rpm | SHA-256: cd6cacc70b2a9649b88153b671eaa608e5a41636dd408b83acecb791f7321083 |
selinux-policy-targeted-38.1.45-3.el9_5.noarch.rpm | SHA-256: 575305a4fc873ef9b1fcaf6005a6f04be6d3ff4a5887d6db8ed97cef23c501c5 |
Red Hat Enterprise Linux for IBM z Systems 9
SRPM | |
---|---|
selinux-policy-38.1.45-3.el9_5.src.rpm | SHA-256: 746f69f084a907fe8d3c6f5076b6677e209081e91a5c406f224750d268fd7807 |
s390x | |
selinux-policy-38.1.45-3.el9_5.noarch.rpm | SHA-256: 217d992f42cab6cae7b0236daeefe78d067f882481f20316198e0736f1325ab2 |
selinux-policy-devel-38.1.45-3.el9_5.noarch.rpm | SHA-256: e1429958ce13167c28a688b1cf5316930626d79ca8b68fd30431e04ca015d335 |
selinux-policy-doc-38.1.45-3.el9_5.noarch.rpm | SHA-256: 0134c5804a562df531322398c5127547e524bf8885389ee8f8ee4eecf19e5f4f |
selinux-policy-mls-38.1.45-3.el9_5.noarch.rpm | SHA-256: 3563efff0c71e44f30c13d5810463158707ccab57b27173f5282018a930a81bf |
selinux-policy-sandbox-38.1.45-3.el9_5.noarch.rpm | SHA-256: cd6cacc70b2a9649b88153b671eaa608e5a41636dd408b83acecb791f7321083 |
selinux-policy-targeted-38.1.45-3.el9_5.noarch.rpm | SHA-256: 575305a4fc873ef9b1fcaf6005a6f04be6d3ff4a5887d6db8ed97cef23c501c5 |
Red Hat Enterprise Linux for Power, little endian 9
SRPM | |
---|---|
selinux-policy-38.1.45-3.el9_5.src.rpm | SHA-256: 746f69f084a907fe8d3c6f5076b6677e209081e91a5c406f224750d268fd7807 |
ppc64le | |
selinux-policy-38.1.45-3.el9_5.noarch.rpm | SHA-256: 217d992f42cab6cae7b0236daeefe78d067f882481f20316198e0736f1325ab2 |
selinux-policy-devel-38.1.45-3.el9_5.noarch.rpm | SHA-256: e1429958ce13167c28a688b1cf5316930626d79ca8b68fd30431e04ca015d335 |
selinux-policy-doc-38.1.45-3.el9_5.noarch.rpm | SHA-256: 0134c5804a562df531322398c5127547e524bf8885389ee8f8ee4eecf19e5f4f |
selinux-policy-mls-38.1.45-3.el9_5.noarch.rpm | SHA-256: 3563efff0c71e44f30c13d5810463158707ccab57b27173f5282018a930a81bf |
selinux-policy-sandbox-38.1.45-3.el9_5.noarch.rpm | SHA-256: cd6cacc70b2a9649b88153b671eaa608e5a41636dd408b83acecb791f7321083 |
selinux-policy-targeted-38.1.45-3.el9_5.noarch.rpm | SHA-256: 575305a4fc873ef9b1fcaf6005a6f04be6d3ff4a5887d6db8ed97cef23c501c5 |
Red Hat Enterprise Linux for ARM 64 9
SRPM | |
---|---|
selinux-policy-38.1.45-3.el9_5.src.rpm | SHA-256: 746f69f084a907fe8d3c6f5076b6677e209081e91a5c406f224750d268fd7807 |
aarch64 | |
selinux-policy-38.1.45-3.el9_5.noarch.rpm | SHA-256: 217d992f42cab6cae7b0236daeefe78d067f882481f20316198e0736f1325ab2 |
selinux-policy-devel-38.1.45-3.el9_5.noarch.rpm | SHA-256: e1429958ce13167c28a688b1cf5316930626d79ca8b68fd30431e04ca015d335 |
selinux-policy-doc-38.1.45-3.el9_5.noarch.rpm | SHA-256: 0134c5804a562df531322398c5127547e524bf8885389ee8f8ee4eecf19e5f4f |
selinux-policy-mls-38.1.45-3.el9_5.noarch.rpm | SHA-256: 3563efff0c71e44f30c13d5810463158707ccab57b27173f5282018a930a81bf |
selinux-policy-sandbox-38.1.45-3.el9_5.noarch.rpm | SHA-256: cd6cacc70b2a9649b88153b671eaa608e5a41636dd408b83acecb791f7321083 |
selinux-policy-targeted-38.1.45-3.el9_5.noarch.rpm | SHA-256: 575305a4fc873ef9b1fcaf6005a6f04be6d3ff4a5887d6db8ed97cef23c501c5 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.