1.261. selinux-policy

Updated selinux-policy packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
BZ#615731
Previously, an incorrect SELinux policy prevented the wodim CD and DVD authoring software from working correctly. This update corrects the SELinux policy, and wodim now works as expected.
BZ#630827
Due to an incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy has been added, and SELinux no longer prevents users from customizing guest operating systems.
BZ#631523
When SELinux was enabled, suspending VMware virtual machines either slowed down or failed. With this update, the relevant SELinux policy has been corrected, and VMware virtual machines now suspend as expected.
BZ#631564
Previously, the allow_corosync_rw_tmpfs Boolean value allowed third party applications to create, write and read generic tmpfs (temporary file system) files. To prevent this undesired behavior, the Boolean value has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using the Corosync Cluster Engine.
BZ#631952
When SELinux ran in enforcing mode, an incorrect SELinux policy prevented a custom qemu-kvm wrapper script, which is used to execute the qemu-kvm binary file, from running. With this update, the SELinux policy has been fixed so that the binary file can now be run as expected.
BZ#633959
Previously, the SELinux Multi-Level Security (MLS) policy prevented the virsh dominfo command from producing the expected results. This update fixes the relevant policy so that the command now works as expected.
BZ#634084
With SELinux running in enforcing mode, an attempt to run the tgtd service emitted Access Vector Cache (AVC) messages. With this update, the relevant policy rules have been modified to resolve this issue, and running the tgtd service no longer emits AVC messages.
BZ#634089
Due to an incorrect SELinux policy, running cmirror resulted in Access Vector Cache (AVC) messages. This bug has been fixed in this update so that cmirror now runs as expected.
BZ#634357
When a cluster was configured to use the fence_scsi I/O fencing agent, either running the cman startup script or using the fence_node -U [nodename] command resulted in failure. This update contains updated SELinux rules and adds the security file context for the /var/lib/cluster/ directory, which allows a cluster with fence_scsi enabled to work properly.
BZ#634945
Due to an incorrect SELinux policy, the smbcontrol utility that sends messages to the smbd, nmbd, or winbindd service did not work properly. This bug has been fixed, the relevant policy has been added, and SELinux no longer prevents smbcontrol from working properly.
BZ#636683
When SELinux was enabled, users were unable to mount GFS2 file systems listed in the /etc/fstab file. With this update, SELinux rules have been added to allow the mount process to communicate with the gfs_controld service so that GFS2 file systems can now be mounted as expected.
BZ#637109
Previously, the SELinux security context was declared erroneously for the /root/.ssh/ directory, which caused the restorecon command not to function properly. With this update, the relevant security context has been modified in order to fix this bug.
BZ#637135
The SELinux policy for the rpc.quotad service has been adjusted in order to make it work properly.
BZ#645658
Due to incorrect SELinux policy rules, certain iptables commands, such as iptables-save or iptables -L, were unable to write to files with output redirection. With this update, the SELinux domain transition from the unconfined_t domain to the iptables_t domain has been removed, and such commands now work as expected.
BZ#639074
With SELinux running in enforcing mode, resuming the operating system from suspend mode failed because the /etc/resolv.conf file did not have the correct security context. This was caused by NetworkManager, which ran under an incorrect SELinux domain (devicekit_power_t). With this update, the proper SELinux domain transition from DeviceKit-power to NetworkManager has been added, and resuming from suspend mode now works as expected.
BZ#639266
Due to incorrect SELinux policy rules, when a user tried to suspend or resume a laptop computer, Access Vector Cache (AVC) messages were displayed. This update fixes the relevant policy so that the suspend/resume actions no longer produce AVC messages.
BZ#639083
Previously, running the passwd command in single user mode failed when SELinux was enabled. With this update, the SELinux policy rules have been updated so that passwd can now access the system console as well as all terminals (TTYs) and pseudo-terminals (PTYs) on the operating system.
BZ#639230
Previously, the SELinux "xguest" user was trying to read login records. With this update, the SELinux policy rules have been updated, and the problem with the "xguest" user does not occur anymore.
BZ#639233
Previously, the SELinux "xguest" user was trying to read the ConsoleKit "history" log file. With this update, the SELinux rules have been updated so that the problem with the "xguest" user does not occur anymore.
BZ#640642
Due to incorrect SELinux policies, the certmonger service was not permitted to search through directories that contained certificates. This bug has been fixed by updating SELinux policy rules so that they now allow certmonger to access these directories.
BZ#644799
When a new user confined to SELinux was created and configured as the "staff_u" or "user_u" user, it was not possible to run the ssh command with a ProxyCommand option. With this update, the relevant SELinux policy has been corrected so that the ssh command with a ProxyCommand option works as expected.
BZ#646365
With this update, the SELinux security context for the /etc/sysconfig/ip6tables.save file has been corrected.
BZ#646856
Due to an incorrect SELinux policy, loading a kernel module that tried to create an entry in the /sys/kernel/debug/ directory was not possible. This error has been fixed so that the updated SELinux policy rules now allow mounting of the /sys/kernel/debug/ directory.
BZ#650136
The description of the allow_httpd_mod_auth_ntlm_winbind policy was fixed in this update.
BZ#651462
A new Pluggable Authentication Module (PAM) that replaces the pam_tally2 module was added. The new module uses the /var/run/faillock/ directory to store files that record recent login failures for individual users. Due to this change, a new SELinux security context was added for this directory.
BZ#655693
Due to incorrect SELinux policy rules, the udevadm settle command was very slow and took several minutes to complete. This update fixes the relevant policy so that the command now runs much faster.
BZ#657521
When the SELinux Multi-Level Security (MLS) policy was enabled, the mount command resulted in Access Vector Cache (AVC) messages during system startup. With this update, the relevant policy has been corrected and mount no longer produces AVC messages.
BZ#657568
Previously, the SELinux Multi-Level Security (MLS) policy prevented networking from starting successfully in runlevel 1. This update corrects the SELinux policy, and networking can now be started as expected.
BZ#658410
When SELinux ran in enforcing mode, the Cobbler server did not work correctly. With this update, the SELinux policy has been fixed to permit requested accesses and Cobbler now works correctly.
BZ#658591
The certmonger service was not able to track 389-ds certificates due to an incorrect SELinux policy. This update corrects the SELinux policy so that certmonger is now able to track these certificates.
BZ#649432
When a user attempted to run the slapi-nis Network Information Service (NIS) server plug-in, Access Vector Cache (AVC) messages were displayed. This update fixes the relevant SELinux policy so that AVC messages do not appear anymore.
BZ#663054
Due to an incorrect SELinux policy, users confined to SELinux were not allowed to run the ping command if the user_ping Boolean value was enabled. With this update, the relevant policy has been corrected, and users confined to SELinux can run ping as expected.
BZ#663940
Previously, an Access Vector Cache (AVC) message could have been displayed when rebooting in single user mode with the SELinux Multi-Level Security (MLS) policy enabled. This update corrects the SELinux policy, and the AVC message no longer appears.
BZ#667071
Previously, the SELinux Multi-Level Security (MLS) policy prevented the rpm -qa command from producing the expected results. This update fixes the relevant policy so that the command works as expected.
Enhancements
BZ#655206
With this update, the two SELinux policy modules used for the 389 Directory Server are distributed in fewer packages, so that the modules are no longer distributed separately.
BZ#669439
To enable polyinstantiation with the SELinux Multi-Level Security (MLS) policy, a new SELinux policy has been added for the namespace_init script.
BZ#682416
A new SELinux policy for the spice-vdagent command has been introduced in this update to enable the SPICE protocol features with SELinux.
All users of SELinux are advised to upgrade to these updated packages, which provide numerous bug fixes and enhancements.
Updated selinux-policy packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
Bug Fixes
BZ#719352
Prior to this update, the SELinux policy package did not allow the Red Hat Enterprise Virtualization agent to execute. This update adds the policy for Red Hat Enterprise Virtualization agents, so that they can be executed as expected.
BZ#727039
Previously, several labels were incorrect and rules for creating new 389-ds instances were missing. As a result, Access Vector Cache (AVC) messages appeared when a new 389-ds instance was created through the 389-console. This update fixes the labels and adds the missing rules. Now, new 389-ds instances are created without further errors.
BZ#727078
Prior to this update, AVC error messages appeared in the audit.log file. With this update, the labels causing the error messages have been fixed, thus preventing this bug.
All users of SELinux policy are advised to upgrade to these updated packages, which fix these bugs.
Updated selinux-policy packages that fix various bugs are now available for Red Hat Enterprise Linux 6.
Bug Fixes
BZ#712410
Due to a constraint violation, the xinetd daemon was unable to connect to localhost in the enforcing mode, causing the operation to fail. With this update, the xinetd daemon is now trusted to write outbound packets regardless of the network's or node's MLS (Multi-Level Security) range, and the bug no longer occurs.
BZ#712194
Previously, a secadm SELinux user was not allowed to modify SELinux configuration files. With this update, the relevant SELinux policy has been fixed, and the secadm SELinux user can now modify these configuration files.
BZ#717688
Previously, the rsyslogd daemon was unable to send messages encrypted with the TLS (Transport Layer Security) protocol. This bug has been fixed, and rsyslogd now sends these encrypted messages as expected.
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.