ELBA-2015-1375 - selinux-policy bug fix and enhancement update

Type: BUG
Impact: NA
Release Date: 2015-07-28

Description

[3.7.19-278.0.1]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type.
- Allow ocfs2 to be mounted with file_t type.

[3.7.19-278]
- Allow logrotate to get attributes of all unallocated tty device nodes.
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins.
- Allow glusterd to connect to init.
Resolves:#1230371
- Allow gluster to dbus chat with domain running as initrc_t.

[3.7.19-277]
- Allow glusterd to interact with gluster tools running in a user domain
Resolves:#1229605

[3.7.19-276]
- Allow gluster to manage own log files.
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
- Label gluster python hooks also as bin_t.
- Allow samba_t net_admin capability to make CIFS mount working.
Resolves:#1229605
- Allow ssh_keygen_t to manage keys located in /var/lib/gluster.

[3.7.19-275]
- Allow glusterd to transition to insmod.
- Allow glusterd to use geo-replication gluster tool.
- Remove gluster from permissive domains.
Resolves:#1229605

[3.7.19-275]
- Allow glusterd to have mknod capability. It creates a special file using mknod in a brick.
- Update rules related to glusterd_brick_t.
- Allow glusterd to execute lvm tools in the lvm_t target domain.
- Allow glusterd to execute xfs_growfs in the target domain.
- Add support for /usr/sbin/xfs_growfs.
- Allow glusterd to create samba config files if it is started by service script and running with unconfined_u.
Resolves:#1228109
- Fix description for ftpd_use_passive_mode boolean.

[3.7.19-274]
- Don't ship pam_selinux to avoid a conflict with pam package
Resolves:#1220691

[3.7.19-273]
- Fix redis_stream_connect interface.
Resolves:#1220691
- Allow kadmind to bind to kprop port.
- Add new man pages for bacula

[3.7.19-272]
- Allow hypervkvp to read default SELinux contexts.
- Allow hypervkvp to write to /etc directories.
- Update all man pages for RHEL6.7 SELinux domains/roles using the latest sepolicy-manpage from RHEL7.
- Fix labeling for /var/lib/graphite-web
- Allow kpropd to connect to tcp/754 port.
Resolves:#1220691
- Allow php-fpm write access to /var/run/redis/redis.sock
- Update fs_rw_inherited_nfs_files() to allow search auto mountpoints.
- Dontaudit rpm leaks for prelink_mask_t.
- Allow sysctl to run under the hypervkvp_t domain.

[3.7.19-271]
- Remove ctdbd_manage_var_files() interface which is not used and is declared for the wrong type.
Resolves:#1221929

[3.7.19-270]
- Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket instead of afs_t.
- Allow smbd to access /var/lib/ctdb/persistent/secrets.tdb.0.
- Allow glusterd to execute consoletype.
- Glusterd wants to manage samba config files if they are setup together.
Resolves:#1221929

[3.7.19-269]
- Fix labeling for /var/tmp/kiprop_0 to kadmind_tmp_t.
- Allow postdrop running as postfix_postdrop_t to access /var/spool/postfix/public/pickup socket.
- Allow gluster hooks scripts to transition to ctdbd_t.
- Update policy rules for afs_fserver_t to allow connectto on unix_stream_socket.
- Allow gluster transition to smbd_t also using samba init script.
Resolves:#1221929

[3.7.19-268]
- Add labeling for /var/run/ctdb and allow samba domains to connect to ctdbd.
Resolves:#1221929
- Allow glusterd to read/write samba config files.
- Update mysqld rules related to mysqld log files.
- Add fixes for hypervkvp related to ifdown/ifup scripts.
- Update netlink_route_socket for ptp4l.
- Allow sosreport to dbus chat with NM.
- Allow glusterd to connect to /var/run/dbus/system_bus_socket.
- Allow glusterd to have sys_ptrace capability. Needed by gluster+samba configuration.
- Add new boolean samba_load_libgfapi to allow smbd load libgfapi from gluster. Allow smbd to read gluster config files by default.
- Allow gluster to transition to smbd. It is needed for smbd+gluster configuration.
- Allow glusterd to read /dev/random.
- Label all gluster hooks in /var/lib/gluster as bin_t. They are not created on the fly.
- Update nagios_run_sudo boolean to allow run chkpwd.
- Add labeling for /usr/sbin/kpropd.
- Add nagios_run_sudo boolean
- Allow ctdb to create rawip socket.

[3.7.19-267]
- Allow ctdb to create rawip socket.
- Allow nmbd_t to create nmbd_var_run_t dir under smbd_var_run_t.
- Make ctdbd as userdom_home_reader.
- Allow ctdbd to bind smbd port.
Resolves:#1219317

[3.7.19-266]
- Add audit_access permissions
- Allow cupsd_t access to files in /etc dir
- Allow hplip to dbus chat with all users.
- Allow sblim-gathered sys_ptrace capability.
- Allow sys_admin capability for gfs_controld
- Add more cobbler labels to /var/lib/tftpboot/
- Add new smbd_tmpfs_t type.
- Add more fixes related to timemaster+ntp+ptp4l.
- Fix cgdcbxd_admin() interface.
- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0.
- Dontaudit read access on admin_home_t for load_policy.

[3.7.19-265]
- Allow redis to create /var/run/redis/redis.sock
- Allow fence_mpathpersist to run mpathpersist which requires sys_admin capability.
Resolves:#1206244
- Allow rhn_check running as rpm to domtrans to shutdown domain
- openshift_cache_t does exist

[3.7.19-264]
- Allow qpidd to read own init script file.
- Allow passenger to accept connection
- Back port hypervkvp fixes from RHEL7
- Allow load_policy to list inotifyfs filesystem
- Allow cluster domain to execute ldconfig and update lvm_read_config() interface
- Allow sssd_t to connect to samba TCP port
- Allow NetworkManager to run arping
Resolves:#1209854
- Backport RHEL7 redis policy
- Add apache log and lib labels for roundcubemail

[3.7.19-263]
- Allow userdomain to manage pcscd pid fifo files.
- Allow prelink domain access to /dev/console
Resolves:#1145662
- Allow httpd search access on tomcat6 directory
- Allow apcupsd to get attributes of filesystems with xattrs
- Allow qemu-ga getattr access of all filesystems
- Allow abrt to read network state information
- Make collectd_t as unconfined domain.
- Make rpcbind as nsswitch domain.
- Back port labeling for /etc/my.cnf.d dir.
- Allow dhcpd kill capability.
- Allow cachefilesd to create cachefilesd_var_t
- cvs_home backport from RHEL7.
- Add support for new fence agent fence_mpath which is executed by fence_node
- Allow lsmd plugin to run with configured SSSD.
- Allow bacula access to tape devices
- Allow sblim-sfcb setuid.
- Allow sblim domain to read sysctls.
- Allow ntp to read localtime and allow timemaster send a signal to ntpd.
- Add cobblerd_t fixes
- Allow mysqld_t to use pam
- Dontaudit xguest_t communication with avahi_t via dbus
- Allow cobblerd_t to communicate with sssd
- Allow pmwebd to send and receive messages from avahi over dbus
- Allow conman_t to communicate with sssd
- Allow mysqld_t to send audit messages
- Allow load_policy rw access to inherited sssd pipes
- Update label for /etc/mcelog/.* files
- Allow bacula_t to connect to psql via tcp/unix socket
- Remove type to only match directories on /boot
- Add more labels for ownCloud
- Dontaudit net_admin capability for munin

[3.7.19-262]
- Allow lsmd_t getattr all exec.
Resolves:#1141719
- Update afs policy
Resolves:#1136396
- Add support for /usr/sbin/named-sdb.
- Add support for mongos service.
- Allow cyrus to use tcp/2005 port.
- More service wants to auth_use_nsswitch.
- Allow apps that need to read sysctl_vm_overcommit_t be able to read it.
- Update passenger rules from RHEL7.
- Allow smartd to manage generic devices if they are created with wrong label.
- Allow sblim-sfcb to execute itself.

[3.7.19-261]
- Allow sys_ptrace and dac_override caps for collectd.
- Add labeling for /etc/rc\.d/init\.d/htcacheclean.
- Allow /usr/sbin/sfcbd to send audit msgs.
- Allow postdrop to connect to master process over unix stream socket.
- Allow ssh_t to connect to all unreserved ports.
- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
- Don't relabel files under /dev/shm/
- Allow munin_disk_plugin_t getattr access on blk_file
- Allow xauth_t and sshd_t to search automount_tmp_t if use_nfs_home_dirs boolean.
- Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
- Allow antivirus domains to read all dirs/files regardless of their MCS category set.
- Add labeling for mariadb log/pid files/dirs.
- Allow rsyslogd to read /proc/sys/vm/overcommit_memory file.
- Allow slapd to read /usr/share/cracklib/pw_dict.hwm.
- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling.
- Add support for /usr/libexec/sssd/selinux_child and create sssd_selinux_manager_t domain for it.
- Allow qpidd to read network state and sysctls dirs
Resolves:#1171275
- Add labeling for /var/bacula directory.
- mcelog runs as a daemon domain
- Allow shutdown to r/w inherited rhev-agentd pipes.
- Allow sshd to send signull to itself.
- Add the 'base_ro_file_type' and 'base_file_type' attributes to RHEL6.
- Allow prelink_mask_t getattr on filesystems that support xattrs
- Allow radius to connect to apache ports to do OCSP check.
- remove transition from unconfined user to auditctl.
- Backport RHEL7 sblim-sfcb fixes.
- Add bacula fixes related to unconfined scripts based on ssekidde@redhat.com patch.
- Allow zebra to communicate with sssd
- Add interfaces fixes.
- Added some optional blocks from timemaster policy to chronyd.
- Added linuxptp policy
- Add interface to read mysql db link files
- Added cinder policy
- Make munin yum plugin as unconfined by default.
- Allow bitlbee connections to the system DBUS.
- Allow hv_vss_daemon to call ioctl(FIFREEZE) on /boot.
- Add rsync_server boolean to don't have a transition from initrc by default.
- Dontaudit to r/w inherited pipes from httpd because of certmonger unconfined scripts.
- Backport all capabilities for cvs from RHEL7.
- Allow dccproc to execute bash.
- Fix labeling for /usr/libexec/nm-dispatcher.action.
- Allow logrotate to manage virt_cache.
- Allow osad to execute rhn_check.
- Make osad_t as unconfined domain.
- Allow osad connect to jabber client port.
- Allow rhev-agentd to access /dev/.udev/db/block:sr0.
Updated Packages

Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label
Oracle Linux 6 (i386) | selinux-policy-3.7.19-279.0.1.el6.src.rpm | 1161f2c2d4e5fc2a6037d0fcd046fbad7355e01a16733c1168809216a6eabbda | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-3.7.19-279.0.1.el6.src.rpm | 1161f2c2d4e5fc2a6037d0fcd046fbad7355e01a16733c1168809216a6eabbda | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (i386) | selinux-policy-3.7.19-279.0.1.el6.noarch.rpm | e8b6427a8e044319eabcb977c4ab9f74682f07c2d62df71e63792939dfde4bcc | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-3.7.19-279.0.1.el6.noarch.rpm | e8b6427a8e044319eabcb977c4ab9f74682f07c2d62df71e63792939dfde4bcc | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (i386) | selinux-policy-doc-3.7.19-279.0.1.el6.noarch.rpm | c7291f385b5cceb3c426d596ae3a86e036dc5503d29fd0181142934d76fa1de1 | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-doc-3.7.19-279.0.1.el6.noarch.rpm | c7291f385b5cceb3c426d596ae3a86e036dc5503d29fd0181142934d76fa1de1 | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (i386) | selinux-policy-minimum-3.7.19-279.0.1.el6.noarch.rpm | 1633fa64da1721471c9c6f1cb4b3b552e5b206e6e0bd9053fa7110627fa777df | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-minimum-3.7.19-279.0.1.el6.noarch.rpm | 1633fa64da1721471c9c6f1cb4b3b552e5b206e6e0bd9053fa7110627fa777df | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (i386) | selinux-policy-mls-3.7.19-279.0.1.el6.noarch.rpm | 6214ec41e887f00d357a3aa6422da311a58e23d69a4be1603a2337255421f14f | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-mls-3.7.19-279.0.1.el6.noarch.rpm | 6214ec41e887f00d357a3aa6422da311a58e23d69a4be1603a2337255421f14f | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (i386) | selinux-policy-targeted-3.7.19-279.0.1.el6.noarch.rpm | 20294e98362f42243c199e80d1f113894b3dd07f2bdc82e7c8c7fbe7c6d326fd | ELBA-2018-1871 | ol6_i386_latest_archive
Oracle Linux 6 (i386) | selinux-policy-targeted-3.7.19-279.0.1.el6.noarch.rpm | 20294e98362f42243c199e80d1f113894b3dd07f2bdc82e7c8c7fbe7c6d326fd | ELBA-2018-1871 | ol6_u7_i386_base
Oracle Linux 6 (x86_64) | selinux-policy-3.7.19-279.0.1.el6.src.rpm | 1161f2c2d4e5fc2a6037d0fcd046fbad7355e01a16733c1168809216a6eabbda | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-3.7.19-279.0.1.el6.src.rpm | 1161f2c2d4e5fc2a6037d0fcd046fbad7355e01a16733c1168809216a6eabbda | ELBA-2018-1871 | ol6_x86_64_latest_archive
Oracle Linux 6 (x86_64) | selinux-policy-3.7.19-279.0.1.el6.noarch.rpm | e8b6427a8e044319eabcb977c4ab9f74682f07c2d62df71e63792939dfde4bcc | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-3.7.19-279.0.1.el6.noarch.rpm | e8b6427a8e044319eabcb977c4ab9f74682f07c2d62df71e63792939dfde4bcc | ELBA-2018-1871 | ol6_x86_64_latest_archive
Oracle Linux 6 (x86_64) | selinux-policy-doc-3.7.19-279.0.1.el6.noarch.rpm | c7291f385b5cceb3c426d596ae3a86e036dc5503d29fd0181142934d76fa1de1 | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-doc-3.7.19-279.0.1.el6.noarch.rpm | c7291f385b5cceb3c426d596ae3a86e036dc5503d29fd0181142934d76fa1de1 | ELBA-2018-1871 | ol6_x86_64_latest_archive
Oracle Linux 6 (x86_64) | selinux-policy-minimum-3.7.19-279.0.1.el6.noarch.rpm | 1633fa64da1721471c9c6f1cb4b3b552e5b206e6e0bd9053fa7110627fa777df | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-minimum-3.7.19-279.0.1.el6.noarch.rpm | 1633fa64da1721471c9c6f1cb4b3b552e5b206e6e0bd9053fa7110627fa777df | ELBA-2018-1871 | ol6_x86_64_latest_archive
Oracle Linux 6 (x86_64) | selinux-policy-mls-3.7.19-279.0.1.el6.noarch.rpm | 6214ec41e887f00d357a3aa6422da311a58e23d69a4be1603a2337255421f14f | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-mls-3.7.19-279.0.1.el6.noarch.rpm | 6214ec41e887f00d357a3aa6422da311a58e23d69a4be1603a2337255421f14f | ELBA-2018-1871 | ol6_x86_64_latest_archive
Oracle Linux 6 (x86_64) | selinux-policy-targeted-3.7.19-279.0.1.el6.noarch.rpm | 20294e98362f42243c199e80d1f113894b3dd07f2bdc82e7c8c7fbe7c6d326fd | ELBA-2018-1871 | ol6_u7_x86_64_base
Oracle Linux 6 (x86_64) | selinux-policy-targeted-3.7.19-279.0.1.el6.noarch.rpm | 20294e98362f42243c199e80d1f113894b3dd07f2bdc82e7c8c7fbe7c6d326fd | ELBA-2018-1871 | ol6_x86_64_latest_archive
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team