- Issued:
- 2014-10-13
- Updated:
- 2014-10-13
RHBA-2014:1568 - selinux-policy bug fix and enhancement update
Synopsis
selinux-policy bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated selinux-policy packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Description
The selinux-policy packages contain the rules that govern how confined processes run on the system.
This update fixes the following bugs:
-
SELinux prevented the qemu-guest-agent process from executing the settimeofday() and hwclock() functions. Consequently, qemu-guest-agent was unable to set the system time. A new rule has been added to the SELinux policy and qemu-guest-agent can now set the time as expected. (BZ#1062384)
-
Previously, SELinux did not allow the dhcpd daemon to change file ownership on the system. As a consequence, the ownership of files that dhcpd created was changed from the required dhcpd:dhcpd to root:root. The appropriate SELinux policy has been changed, and dhcpd is now able to change the file ownership on the system. (BZ#1082640)
-
Due to the missing miscfiles_read_public_files Boolean, the user could not allow the sshd daemon to read public files used for file transfer services. The Boolean has been added to the SELinux policy, thus providing the user the ability to set sshd to read public files. (BZ#1097387)
-
Due to a missing SELinux policy rule, the syslog daemon was unable to read the syslogd configuration files labeled with the syslog_conf_t SELinux context. With this update, the SELinux policy has been modified accordingly, and syslog now can read the syslog_conf_t files as expected. (BZ#1111538)
-
Due to an insufficient SELinux policy rule, the thttpd daemon ran in the httpd_t domain. As a consequence, the daemon was unable to change file attributes of its log files. The SELinux policy has been modified to fix this bug, and SELinux no longer prevents thttpd from changing attributes of its log files. (BZ#1111581)
-
Previously, SELinux did not allow the sssd daemon to write to the krb5 configuration file, thus the daemon was unable to make any changes in krb5. The SELinux policy has been changed with this update, and sssd can now write to krb5. (BZ#1122866)
-
Due to a missing SELinux policy rule, the Samba daemons could not list the /tmp/ directory. The SELinux policy has been modified accordingly, and SELinux no longer prevents the Samba daemons from listing the /tmp/ directory. (BZ#1127602)
In addition, this update adds the following enhancements:
-
With this update, new SELinux policy rules have been added, and the following services now run in their own domains, not in the initrc_t domain:
thttpd (BZ#1069843) pcp (BZ#1089912) certmonger (BZ#1117739) haveged (BZ#1107580) swift-proxy-server (BZ#1109803) lsmd (BZ#1111619) swift-object-expirer (BZ#1113146) hv_vss_daemon (BZ#1116318) bacula (BZ#1122545) dhcrelay (BZ#1123338) tgtd (BZ#1128221) nginx (BZ#1045041) glance-scrubber (BZ#1113271)
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- selinux-policy-3.7.19-260.el6.src.rpm
- selinux-policy-minimum-3.7.19-260.el6.noarch.rpm
- selinux-policy-doc-3.7.19-260.el6.noarch.rpm
- selinux-policy-3.7.19-260.el6.noarch.rpm
- selinux-policy-mls-3.7.19-260.el6.noarch.rpm
- selinux-policy-targeted-3.7.19-260.el6.noarch.rpm
Fixes
- This content is not included.BZ - 811350
- This content is not included.BZ - 811355
- This content is not included.BZ - 811366
- This content is not included.BZ - 841086
- This content is not included.BZ - 855774
- This content is not included.BZ - 891510
- This content is not included.BZ - 892137
- This content is not included.BZ - 894387
- This content is not included.BZ - 985331
- This content is not included.BZ - 1004762
- This content is not included.BZ - 1015708
- This content is not included.BZ - 1017107
- This content is not included.BZ - 1018211
- This content is not included.BZ - 1021984
- This content is not included.BZ - 1023202
- This content is not included.BZ - 1023336
- This content is not included.BZ - 1024677
- This content is not included.BZ - 1024715
- This content is not included.BZ - 1024855
- This content is not included.BZ - 1026076
- This content is not included.BZ - 1026078
- This content is not included.BZ - 1029940
- This content is not included.BZ - 1030760
- This content is not included.BZ - 1030762
- This content is not included.BZ - 1032691
- This content is not included.BZ - 1034076
- This content is not included.BZ - 1034206
- This content is not included.BZ - 1035363
- This content is not included.BZ - 1039089
- This content is not included.BZ - 1039644
- This content is not included.BZ - 1039851
- This content is not included.BZ - 1042827
- This content is not included.BZ - 1042832
- This content is not included.BZ - 1042846
- This content is not included.BZ - 1042986
- This content is not included.BZ - 1042998
- This content is not included.BZ - 1043000
- This content is not included.BZ - 1043008
- This content is not included.BZ - 1043211
- This content is not included.BZ - 1045041
- This content is not included.BZ - 1045418
- This content is not included.BZ - 1046100
- This content is not included.BZ - 1047865
- This content is not included.BZ - 1052206
- This content is not included.BZ - 1053205
- This content is not included.BZ - 1055966
- This content is not included.BZ - 1057307
- This content is not included.BZ - 1057732
- This content is not included.BZ - 1057780
- This content is not included.BZ - 1060656
- This content is not included.BZ - 1061733
- This content is not included.BZ - 1062384
- This content is not included.BZ - 1062470
- This content is not included.BZ - 1063890
- This content is not included.BZ - 1064326
- This content is not included.BZ - 1064493
- This content is not included.BZ - 1065580
- This content is not included.BZ - 1065581
- This content is not included.BZ - 1069843
- This content is not included.BZ - 1071145
- This content is not included.BZ - 1072022
- This content is not included.BZ - 1073499
- This content is not included.BZ - 1073904
- This content is not included.BZ - 1078239
- This content is not included.BZ - 1082625
- This content is not included.BZ - 1082640
- This content is not included.BZ - 1082974
- This content is not included.BZ - 1084177
- This content is not included.BZ - 1086898
- This content is not included.BZ - 1087530
- This content is not included.BZ - 1089912
- This content is not included.BZ - 1092150
- This content is not included.BZ - 1101530
- This content is not included.BZ - 1102346
- This content is not included.BZ - 1102366
- This content is not included.BZ - 1102464
- This content is not included.BZ - 1103257
- This content is not included.BZ - 1104845
- This content is not included.BZ - 1105889
- This content is not included.BZ - 1107580
- This content is not included.BZ - 1108367
- This content is not included.BZ - 1110397
- This content is not included.BZ - 1117685
- This content is not included.BZ - 1117739
- This content is not included.BZ - 1121169
- This content is not included.BZ - 1122024
- This content is not included.BZ - 1122106
- This content is not included.BZ - 1122866
- This content is not included.BZ - 1123338
- This content is not included.BZ - 1127602
- This content is not included.BZ - 1130040
- This content is not included.BZ - 1131195
- This content is not included.BZ - 1140614
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.