| Type: | BUG |
| Impact: | NA |
| Release Date: | 2018-11-06 |
[3.13.1-229.0.1]
- SELinux support for cgroup2 filesystem. [OraBug 28127822]
- refpolicy: Define getrlimit permission for class process [OraBug 28229492]
- Add vhost-scsi to be vhost_device_t type [OraBug 27774921]
- Obsolete docker-engine-selinux [OraBug 26439663]
- Fix container selinux policy [OraBug 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type.
[3.13.1-229]
- Allow neutron domain to read/write /var/run/utmp
Resolves: rhbz#1630318
[3.13.1-228]
- Allow tomcat_domain to read /dev/random
Resolves: rhbz#1631666
- Allow neutron_t domain to use pam
Resolves: rhbz#1630318
[3.13.1-227]
- Add interface apache_read_tmp_dirs()
- Allow dirsrvadmin_script_t domain to list httpd_tmp_t dirs
Resolves: rhbz#1622602
[3.13.1-226]
- Allow tomcat servers to manage usr_t files
Resolves: rhbz#1625678
- Dontaudit tomcat servers to append to /dev/random device
Resolves: rhbz#1625678
- Allow sys_nice capability to mysqld_t domain
- Allow dirsrvadmin_script_t domain to read httpd tmp files
Resolves: rhbz#1622602
- Allow syslogd_t domain to manage cert_t files
Resolves: rhbz#1615995
[3.13.1-225]
- Allow sbd_t domain to getattr of all char files in /dev and read sysfs_t files and dirs
Resolves: rhbz#1627114
- Expand virt_read_lib_files() interface to allow list dirs with label virt_var_lib_t
Resolves: rhbz#1567753
[3.13.1-224]
- Allow Tomcat to delete a temporary file used when compiling class files for JSPs.
Resolves: rhbz#1625678
- Allow chronyd_t domain to read virt_var_lib_t files
- Allow virtual machines to use dri devices. This allows the use of OpenCL GPU calculations. BZ(1337333)
Resolves: rhbz#1625613
- Allow tomcat services create link file in /tmp
Resolves: rhbz#1624289
- Add boolean: domain_can_mmap_files.
Resolves: rhbz#1460322
[3.13.1-223]
- Make working SELinux sandbox with Wayland.
Resolves: rhbz#1624308
- Allow svirt_t domain to mmap svirt_image_t block files
Resolves: rhbz#1624224
- Add caps dac_read_search and dac_override to pesign_t domain
- Allow iscsid_t domain to mmap userio chr files
Resolves: rhbz#1623589
- Add boolean: domain_can_mmap_files.
Resolves: rhbz#1460322
- Add execute_no_trans permission to mmap_exec_file_perms pattern
- Allow sudodomain to search caller domain proc info
- Allow xdm_t domain to mmap and read cert_t files
- Replace optional policy blocks to make dbus interfaces effective
Resolves: rhbz#1624414
- Add interface dev_map_userio_dev()
[3.13.1-222]
- Allow readhead_t domain to mmap own pid files
Resolves: rhbz#1614169
[3.13.1-221]
- Allow ovs-vswitchd labeled as openvswitch_t domain communicate with qemu-kvm via UNIX stream socket
- Allow httpd_t domain to mmap tmp files
Resolves: rhbz#1608355
- Update dirsrv_read_share() interface to allow caller domain to mmap dirsrv_share_t files
- Update dirsrvadmin_script_t policy to allow read httpd_tmp_t symlinks
- Label /dev/tpmrm[0-9]* as tpm_device_t
- Allow semanage_t domain mmap usr_t files
Resolves: rhbz#1622607
- Update dev_filetrans_all_named_dev() to allow create event22-30 character files with label event_device_t
[3.13.1-220]
- Allow nagios_script_t domain to mmap nagios_log_t files
Resolves: rhbz#1620013
- Allow nagios_script_t domain to mmap nagios_spool_t files
Resolves: rhbz#1620013
- Update userdom_security_admin() and userdom_security_admin_template() to allow use auditctl
Resolves: rhbz#1622197
- Update selinux_validate_context() interface to allow caller domain to mmap security_t files
Resolves: rhbz#1622061
[3.13.1-219]
- Allow virtd_t domain to create netlink_socket
- Allow rpm_t domain to write to audit
- Allow rpm domain to mmap rpm_var_lib_t files
Resolves: rhbz#1619785
- Allow nagios_script_t domain to mmap nagios_etc_t files
Resolves: rhbz#1620013
- Update nscd_socket_use() to allow caller domain to stream connect to nscd_t
Resolves: rhbz#1460715
- Allow secadm_t domain to mmap audit config and log files
- Allow insmod_t domain to read iptables pid files
- Allow systemd to mounton /etc
Resolves: rhbz#1619785
[3.13.1-218]
- Allow kdumpctl_t domain to getattr fixed disk device in mls
Resolves: rhbz#1615342
- Allow initrc_domain to mmap all binaries labeled as systemprocess_entry
Resolves: rhbz#1615342
[3.13.1-217]
- Allow virtlogd to execute itself
Resolves: rhbz#1598392
[3.13.1-216]
- Allow kdumpctl_t domain to manage kdumpctl_tmp_t fifo files
Resolves: rhbz#1615342
- Allow kdumpctl to write to files on all levels
Resolves: rhbz#1615342
- Fix typo in radius policy
Resolves: rhbz#1619197
- Allow httpd_t domain to mmap httpd_config_t files
Resolves: rhbz#1615894
- Add interface dbus_acquire_svc_system_dbusd()
- Allow sanlock_t domain to connectto to unix_stream_socket
Resolves: rhbz#1614965
- Update nfsd_t policy because of ganesha features
Resolves: rhbz#1511489
- Allow conman to getattr devpts_t
Resolves: rhbz#1377915
- Allow tomcat_domain to connect to smtp ports
Resolves: rhbz#1253502
- Allow tomcat_t domain to mmap tomcat_var_lib_t files
Resolves: rhbz#1618519
- Allow slapd_t domain to mmap slapd_var_run_t files
Resolves: rhbz#1615319
- Allow nagios_t domain to mmap nagios_log_t files
Resolves: rhbz#1618675
- Allow nagios to exec itself and mmap nagios spool files BZ(1559683)
- Allow nagios to mmap nagios config files BZ(1559683)
- Allow kpropd_t domain to mmap krb5kdc_principal_t files
Resolves: rhbz#1619252
- Update syslogd policy to make working elasticsearch
- Label tcp and udp ports 9200 as wap_wsp_port
- Allow few domains to rw inherited kdumpctl tmp pipes
Resolves: rhbz#1615342
[3.13.1-215]
- Allow systemd_dbusd_t domain read/write to nvme devices
Resolves: rhbz#1614236
- Allow mysqld_safe_t to execute itself
- Allow smbd_t domain to chat via dbus with avahi daemon
Resolves: rhbz#1600157
- cupsd_t domain will create /etc/cupsd/ppd as cupsd_etc_rw_t
Resolves: rhbz#1452595
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
Resolves: rhbz#1452444
- Update screen_role_template to allow caller domain to have screen_exec_t as entrypoint to new domain
Resolves: rhbz#1384769
- Add alias httpd__script_t to _script_t to make sepolicy generate working
Resolves: rhbz#1271324
- Allow kprop_t domain to read network state
Resolves: rhbz#1600705
- Allow sysadm_t domain to accept socket
Resolves: rhbz#1557299
- Allow sshd_t domain to mmap user_tmp_t files
Resolves: rhbz#1613437
[3.13.1-214]
- Allow sshd_t domain to mmap user_tmp_t files
Resolves: rhbz#1613437
[3.13.1-213]
- Allow kprop_t domain to read network state
Resolves: rhbz#1600705
[3.13.1-212]
- Allow kpropd domain to exec itself
Resolves: rhbz#1600705
- Allow ipmievd_t to mmap kernel modules BZ(1552535)
- Allow hsqldb_t domain to mmap own temp files
Resolves: rhbz#1612143
- Allow hsqldb_t domain to read cgroup files
Resolves: rhbz#1612143
- Allow rngd_t domain to read generic certs
Resolves: rhbz#1612456
- Allow innd_t domain to mmap own var_lib_t files
Resolves: rhbz#1600591
- Update screen_role_template interface
Resolves: rhbz#1384769
- Allow cupsd_t to create cupsd_etc_t dirs
Resolves: rhbz#1452595
- Allow chronyd_t domain to mmap own tmpfs files
Resolves: rhbz#1596563
- Allow cyrus domain to mmap own var_lib_t and var_run files
Resolves: rhbz#1610374
- Allow sysadm_t domain to create rawip sockets
Resolves: rhbz#1571591
- Allow sysadm_t domain to listen on socket
Resolves: rhbz#1557299
- Update sudo_role_template() to allow caller domain also setattr generic ptys
Resolves: rhbz#1564470
- Allow netutils_t domain to create bluetooth sockets
Resolves: rhbz#1600586
[3.13.1-211]
- Allow innd_t domain to mmap own var_lib_t files
Resolves: rhbz#1600591
- Update screen_role_template interface
Resolves: rhbz#1384769
- Allow cupsd_t to create cupsd_etc_t dirs
Resolves: rhbz#1452595
- Allow chronyd_t domain to mmap own tmpfs files
Resolves: rhbz#1596563
- Allow cyrus domain to mmap own var_lib_t and var_run files
Resolves: rhbz#1610374
- Allow sysadm_t domain to create rawip sockets
Resolves: rhbz#1571591
- Allow sysadm_t domain to listen on socket
Resolves: rhbz#1557299
- Update sudo_role_template() to allow caller domain also setattr generic ptys
Resolves: rhbz#1564470
- Allow netutils_t domain to create bluetooth sockets
Resolves: rhbz#1600586
[3.13.1-210]
- Allow virtlogd_t domain to chat via dbus with systemd_logind
Resolves: rhbz#1593740
[3.13.1-209]
- Allow sblim_sfcbd_t domain to mmap own tmpfs files
Resolves: rhbz#1609384
- Update logging_manage_all_logs() interface to allow caller domain map all logfiles
Resolves: rhbz#1592028
[3.13.1-208]
- Dontaudit oracleasm_t domain to request sys_admin capability
- Allow iscsid_t domain to load kernel module
Resolves: rhbz#1589295
- Update rhcs contexts to reflects the latest fenced changes
- Allow httpd_t domain to rw user_tmp_t files
Resolves: rhbz#1608355
- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
Resolves: rhbz#1521063
- Allow tangd_t dac_read_search
Resolves: rhbz#1607810
- Allow glusterd_t domain to mmap user_tmp_t files
- Allow mongodb_t domain to mmap own var_lib_t files
Resolves: rhbz#1607729
- Allow iscsid_t domain to mmap sysfs_t files
Resolves: rhbz#1602508
- Allow tomcat_domain to search cgroup dirs
Resolves: rhbz#1600188
- Allow httpd_t domain to mmap own cache files
Resolves: rhbz#1603505
- Allow cupsd_t domain to mmap cupsd_etc_t files
Resolves: rhbz#1599694
- Allow kadmind_t domain to mmap krb5kdc_principal_t
Resolves: rhbz#1601004
- Allow virtlogd_t domain to read virt_etc_t link files
Resolves: rhbz#1598593
- Allow dirsrv_t domain to read crack db
Resolves: rhbz#1599726
- Dontaudit pegasus_t to require sys_admin capability
Resolves: rhbz#1374570
- Allow mysqld_t domain to exec mysqld_exec_t binary files
- Allow abrt_t domain to read rhsmcertd lib files
Resolves: rhbz#1601389
- Allow winbind_t domain to request kernel module loads
Resolves: rhbz#1599236
- Allow gpsd_t domain to getsession and mmap own tmpfs files
Resolves: rhbz#1598388
- Allow smbd_t send to nmbd_t via dgram sockets BZ(1563791)
Resolves: rhbz#1600157
- Allow tomcat_domain to read cgroup_t files
Resolves: rhbz#1601151
- Allow varnishlog_t domain to mmap varnishd_var_lib_t files
Resolves: rhbz#1600704
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
Resolves: rhbz#1600692
- Fix ntp SELinux module
- Allow innd_t domain to mmap news_spool_t files
Resolves: rhbz#1600591
- Allow haproxy daemon to reexec itself. BZ(1447800)
Resolves: rhbz#1600578
- Label HOME_DIR/mozilla.pdf file as mozilla_home_t instead of user_home_t
Resolves: rhbz#1559859
- Allow pkcs_slotd_t domain to mmap own tmpfs files
Resolves: rhbz#1600434
- Allow fenced_t domain to reboot
Resolves: rhbz#1293384
- Allow bluetooth_t domain listen on bluetooth sockets BZ(1549247)
Resolves: rhbz#1557299
- Allow lircd to use nsswitch. BZ(1401375)
- Allow targetd_t domain mmap lvm config files
Resolves: rhbz#1546671
- Allow amanda_t domain to read network system state
Resolves: rhbz#1452444
- Allow abrt_t domain to read rhsmcertd logs
Resolves: rhbz#1492059
- Allow application_domain_type also mmap inherited user temp files BZ(1552765)
Resolves: rhbz#1608421
- Allow ipsec_t domain to read l2tpd pid files
Resolves: rhbz#1607994
- Allow systemd_tmpfiles_t to mmap system db files
- Improve domain_transition_pattern to allow mmap entrypoint bin file.
Resolves: rhbz#1460322
- Allow nsswitch_domain to mmap passwd_file_t files BZ(1518655)
Resolves: rhbz#1600528
- Dontaudit syslogd watching top level dirs when imfile module is enabled
Resolves: rhbz#1601928
- Allow ipsec_t can exec ipsec_exec_t
Resolves: rhbz#1600684
- Allow netutils_t domain to mmap usmmon device
Resolves: rhbz#1600586
- Allow netlabel_mgmt_t domain to read sssd public files, stream connect to sssd_t BZ(1483655)
- Allow userdomain sudo domains to use generic ptys
Resolves: rhbz#1564470
- Allow traceroute to create icmp packets
Resolves: rhbz#1548350
- Allow systemd domain to mmap lvm config files BZ(1594584)
- Add new interface lvm_map_config
- refpolicy: Update for kernel sctp support
Resolves: rhbz#1597111
Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16
[3.13.1-207]
- Update oddjob_domtrans_mkhomedir() interface to allow caller domain also mmap oddjob_mkhomedir_exec_t files
Resolves: rhbz#1596306
- Update rhcs_rw_cluster_tmpfs() interface to allow caller domain to mmap cluster_tmpfs_t files
Resolves: rhbz#1589257
- Allow radiusd_t domain to read network sysctls
Resolves: rhbz#1516233
- Allow chronyc_t domain to use nscd shm
Resolves: rhbz#1596563
- Label /var/lib/tomcats dir as tomcat_var_lib_t
Resolves: rhbz#1596367
- Allow lsmd_t domain to mmap lsmd_plugin_exec_t files
Resolves: rhbz#bea0c8174
- Label /usr/sbin/rhn_check-[0-9]+.[0-9]+ as rpm_exec_t
Resolves: rhbz#1596509
- Update seutil_exec_loadpolicy() interface to allow caller domain to mmap load_policy_exec_t files
Resolves: rhbz#1596072
- Allow xdm_t to read systemd hwdb
Resolves: rhbz#1596720
- Allow dhcpc_t domain to mmap files labeled as ping_exec_t
Resolves: rhbz#1596065
[3.13.1-206]
- Allow tangd_t domain to create tcp sockets
Resolves: rhbz#1595775
- Update postfix policy to allow postfix_master_t domain to mmap all postfix* binaries
Resolves: rhbz#1595328
- Allow amanda_t domain to have setgid capability
Resolves: rhbz#1452444
- Update usermanage_domtrans_useradd() to allow caller domain to mmap useradd_exec_t files
Resolves: rhbz#1595667
[3.13.1-205]
- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t
Resolves: rhbz#1591191
- Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label
Resolves: rhbz#1452595
- Allow abrt_t domain to write to rhsmcertd pid files
Resolves: rhbz#1492059
- Allow pegasus_t domain to exec lvm binaries and allow read/write access to lvm control
Resolves: rhbz#1463470
- Add vhostmd_t domain to read/write to svirt images
Resolves: rhbz#1465276
- Dontaudit action when abrt-hook-ccpp is writing to nscd sockets
Resolves: rhbz#1460715
- Update openvswitch policy
Resolves: rhbz#1594729
- Update kdump_manage_kdumpctl_tmp_files() interface to allow caller domain also mmap kdumpctl_tmp_t files
Resolves: rhbz#1583084
- Allow sssd_t and slapd_t domains to mmap generic certs
Resolves: rhbz#1592016
Resolves: rhbz#1592019
- Allow oddjob_t domain to mmap binary files as oddjob_mkhomedir_exec_t files
Resolves: rhbz#1592022
- Update dbus_system_domain() interface to allow system_dbusd_t domain to mmap binary file from second parameter
Resolves: rhbz#1583080
- Allow chronyc_t domain use inherited user ttys
Resolves: rhbz#1593267
- Allow stapserver_t domain to mmap own tmp files
Resolves: rhbz#1593122
- Allow sssd_t domain to mmap files labeled as sssd_selinux_manager_exec_t
Resolves: rhbz#1592026
- Update policy for ypserv_t domain
Resolves: rhbz#1592032
- Allow abrt_dump_oops_t domain to mmap all non security files
Resolves: rhbz#1593728
- Allow svirt_t domain mmap svirt_image_t files
Resolves: rhbz#1592688
- Allow virtlogd_t domain to write inhibit systemd pipes.
Resolves: rhbz#1593740
- Allow sysadm_t and staff_t domains to use sudo io logging
Resolves: rhbz#1564470
- Allow sysadm_t domain create sctp sockets
Resolves: rhbz#1571591
- Update mount_domtrans() interface to allow caller domain mmap mount_exec_t
Resolves: rhbz#1592025
- Allow dhcpc_t to mmap all binaries with label hostname_exec_t, ifconfig_exec_t and netutils_exec_t
Resolves: rhbz#1594661
[3.13.1-204]
- Fix typo in logwatch interface file
- Allow spamd_t to manage logwatch_cache_t files/dirs
- Allow dnsmasw_t domain to create own tmp files and manage mnt files
- Allow fail2ban_client_t to inherit rlimit information from parent process
Resolves: rhbz#1513100
- Allow nscd_t to read kernel sysctls
Resolves: rhbz#1512852
- Label /var/log/conman.d as conman_log_t
Resolves: rhbz#1538363
- Add dac_override capability to tor_t domain
Resolves: rhbz#1540711
- Allow certmonger_t to readwrite to user_tmp_t dirs
Resolves: rhbz#1543382
- Allow abrt_upload_watch_t domain to read general certs
Resolves: rhbz#1545098
- Update postfix_domtrans_master() interface to allow caller domain also mmap postfix_master_exec_t binary
Resolves: rhbz#1583087
- Allow postfix_domain to mmap postfix_qmgr_exec_t binaries
Resolves: rhbz#1583088
- Allow postfix_domain to mmap postfix_pickup_exec_t binaries
Resolves: rhbz#1583091
- Allow chronyd_t read phc2sys_t shared memory
Resolves: rhbz#1578883
- Allow virt_qemu_ga_t read utmp
Resolves: rhbz#1571202
- Add several allow rules for pesign policy:
Resolves: rhbz#1468744
  - Allow pesign domain to read /dev/random
  - Allow pesign domain to create netlink_kobject_uevent_t sockets
  - Allow pesign domain create own tmp files
- Add setgid and setuid capabilities to mysqld_safe_t domain
Resolves: rhbz#1474440
- Add tomcat_can_network_connect_db boolean
Resolves: rhbz#1477948
- Update virt_use_sanlock() boolean to read sanlock state
Resolves: rhbz#1448799
- Add sanlock_read_state() interface
- Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
Resolves: rhbz#1563423
- Update abrt_domtrans and abrt_exec() interfaces to allow caller domain to mmap binary file
Resolves: rhbz#1583080
- Update nscd_domtrans and nscd_exec interfaces to allow caller domain also mmap nscd binaries
Resolves: rhbz#1583086
- Update snapperd_domtrans() interface to allow caller domain to mmap snapperd_exec_t file
Resolves: rhbz#1583802
- Allow zoneminder_t to getattr of fs_t
Resolves: rhbz#1585328
- Fix denials during ipa-server-install process on F27+
Resolves: rhbz#1586029
- Allow ipa_dnskey_t to exec ipa_dnskey_exec_t files
Resolves: rhbz#1586033
- Allow rhsmcertd_t domain to send signull to postgresql_t domain
Resolves: rhbz#1588119
- Allow policykit_t domain to dbus chat with dhcpc_t
Resolves: rhbz#1364513
- Adding new boolean keepalived_connect_any()
Resolves: rhbz#1443473
- Allow amanda to create own amanda_tmpfs_t files
Resolves: rhbz#1452444
- Add amanda_tmpfs_t label. BZ(1243752)
- Allow gdomap_t domain to connect to qdomap_port_t
Resolves: rhbz#1551944
- Fix typos in sge
- Fix typo in openvswitch policy
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow sshd_keygen_t to execute plymouthd
Resolves: rhbz#1583531
- Update seutil_domtrans_setfiles() interface to allow caller domain to do mmap on setfiles_exec_t binary
Resolves: rhbz#1583090
- Allow systemd_networkd_t create and relabel tun sockets
Resolves: rhbz#1583830
- Allow map audisp_exec_t files for domains executing this binary
Resolves: rhbz#1586042
- Add new interface postgresql_signull()
- Add fs_read_xenfs_files() interface.
[3.13.1-203]
- /usr/libexec/bluetooth/obexd should have only obexd_exec_t instead of bluetoothd_exec_t type
- Allow dac override capability to mandb_t domain BZ(1529399)
Resolves: rhbz#1423361
- Allow inetd_child process to chat via dbus with abrt
Resolves: rhbz#1428805
- Allow zabbix_agent_t domain to connect to redis_port_t
Resolves: rhbz#1418860
- Allow rhsmcertd_t domain to read xenfs_t files
Resolves: rhbz#1405870
- Allow zabbix_agent_t to run zabbix scripts
Resolves: rhbz#1380697
- Allow rabbitmq_t domain to create own tmp files/dirs
Resolves: rhbz#1546897
- Allow policykit_t mmap policykit_auth_exec_t files
Resolves: rhbz#1583082
- Allow ipmievd_t domain to read general certs
Resolves: rhbz#1514591
- Add sys_ptrace capability to pcp_pmie_t domain
- Allow squid domain to exec ldconfig
Resolves: rhbz#1532017
- Make working gpg agent in gpg_agent_t domain
Resolves: rhbz#1535109
- Update gpg SELinux policy module
- Allow kexec to read kernel module files in /usr/lib/modules.
Resolves: rhbz#1536690
- Allow mailman_domain to read system network state
Resolves: rhbz#1413510
- Allow mailman_mail_t domain to search for apache configs
Resolves: rhbz#1413510
- Allow openvswitch_t domain to read neutron state and read/write fixed disk devices
Resolves: rhbz#1499208
- Allow antivirus_domain to read all domain system state
Resolves: rhbz#1560986
- Allow targetd_t domain to read gconf_home_t files/dirs
Resolves: rhbz#1546671
- Allow freeipmi domain to map sysfs_t files
Resolves: rhbz#1575918
- Label /usr/libexec/bluetooth/obexd as obexd_exec_t
Resolves: rhbz#1351750
- Update rhcs SELinux module
Resolves: rhbz#1589257
- Allow iscsid_t domain mmap kernel modules
Resolves: rhbz#1589295
- Allow iscsid_t domain mmap own tmp files
Resolves: rhbz#1589295
- Update iscsid_domtrans() interface to allow mmap iscsid_exec_t binary
Resolves: rhbz#1589295
- Update nscd_socket_use interface to allow caller domain also mmap nscd_var_run_t files.
Resolves: rhbz#1589271
- Allow nscd_t domain to mmap system_db_t files
Resolves: rhbz#1589271
- Add interface nagios_unconfined_signull()
- Allow lircd_t domain read sssd public files Add setgid capability to lircd_t domain
Resolves: rhbz#1550700
- Add missing requires
- Allow tomcat domain sends email
Resolves: rhbz#1585184
- Allow memcached_t domain nnp_transition because of systemd security features BZ(1514867)
Resolves: rhbz#1585714
- Allow kdump_t domain to map /boot files
Resolves: rhbz#1588884
- Fix typo in netutils policy
- Allow confined users get AFS tokens
Resolves: rhbz#1417671
- Allow sysadm_t domain to chat via dbus
Resolves: rhbz#1582146
- Associate sysctl_kernel_t type with filesystem attribute
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
Resolves: rhbz#1557299
- Allow user_t and staff_t domains create netlink tcpdiag sockets
Resolves: rhbz#1557281
- Add interface dev_map_sysfs
- Allow xdm_t domain to execute xdm_var_lib_t files
Resolves: rhbz#1589139
- Allow syslogd_t domain to send signull to nagios_unconfined_plugin_t
Resolves: rhbz#1569344
- Label /dev/vhost-vsock char device as vhost_device_t
- Add files_map_boot_files() interface
Resolves: rhbz#1588884
- Update traceroute_t domain to allow create dccp sockets
Resolves: rhbz#1548350
[3.13.1-202]
- Update ctdb domain to support gNFS setup
Resolves: rhbz#1576818
- Allow authconfig_t dbus chat with policykit
Resolves: rhbz#1551241
- Allow lircd_t domain to read passwd_file_t
Resolves: rhbz#1550700
- Allow lircd_t domain to read system state
Resolves: rhbz#1550700
- Allow smbcontrol_t to mmap samba_var_t files and allow winbind create sockets BZ(1559795)
Resolves: rhbz#1574521
- Allow tangd_t domain read certs
Resolves: rhbz#1509055
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
Resolves: rhbz#1579219
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
Resolves: rhbz#1574418
- Allow ctdb_t domain modify ctdb_exec_t files
Resolves: rhbz#1572584
- Allow chrome_sandbox_t to mmap tmp files
Resolves: rhbz#1574392
- Allow ulogd_t to create netlink_netfilter sockets.
Resolves: rhbz#1575924
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
Resolves: rhbz#1576555
- Allow freeipmi domain to read sysfs_t files
Resolves: rhbz#1575918
- Allow smbcontrol_t to create dirs with samba_var_t label
Resolves: rhbz#1574521
- Allow swnserve_t domain to stream connect to sasl domain
Resolves: rhbz#1574537
- Allow SELinux users (except guest and xguest) to using bluetooth sockets
Resolves: rhbz#1557299
- Allow confined users to use new socket classes for bluetooth, alg and tcpdiag sockets
Resolves: rhbz#1557299
- Fix broken sysadm SELinux module
Resolves: rhbz#1557311
- Allow user_t and staff_t domains create netlink tcpdiag sockets
Resolves: rhbz#1557281
- Update ssh_domtrans_keygen interface to allow mmap ssh_keygen_exec_t binary file
Resolves: rhbz#1583089
- Allow systemd_networkd_t to read/write tun tap devices
Resolves: rhbz#1583830
- Add bridge_socket, dccp_socket, ib_socket and mpls_socket to socket_class_set
Resolves: rhbz#1583771
- Allow audisp_t domain to mmap audisp_exec_t binary
Resolves: rhbz#1583551
- Fix duplicates in sysadm.te file
Resolves: rhbz#1307183
- Allow sysadm_u use xdm
Resolves: rhbz#1307183
- Fix typo in sysnetwork.if file
Resolves: rhbz#1581551
[3.13.1-201]
- Fix duplicates in sysadm.te file
Resolves: rhbz#1307183
[3.13.1-200]
- Allow sysadm_u use xdm
Resolves: rhbz#1307183
[3.13.1-199]
- Allow httpd_sys_script_t to connect to mongodb_port_t if boolean httpd_can_network_connect_db is turned on
Resolves: rhbz#1579219
- Allow chronyc_t to redirect output to /var/lib /var/log and /tmp
Resolves: rhbz#1574418
- Allow chrome_sandbox_t to mmap tmp files
Resolves: rhbz#1574392
- Allow ulogd_t to create netlink_netfilter sockets.
Resolves: rhbz#1575924
- Update ulogd SELinux security policy
- Allow rhsmcertd_t domain send signull to apache processes
Resolves: rhbz#1576555
- Allow freeipmi domain to read sysfs_t files
Resolves: rhbz#1575918
- Allow smbcontrol_t to create dirs with samba_var_t label
Resolves: rhbz#1574521
- Allow swnserve_t domain to stream connect to sasl domain
Resolves: rhbz#1574537
- Fix typo in sysnetwork.if file
Resolves: rhbz#1581551
[3.13.1-198]
- Fix typo in sysnetwork.if file
Resolves: rhbz#1581551
[3.13.1-197]
- Improve procmail_domtrans() to allow mmaping procmail_exec_t
- Allow hypervvssd_t domain to read fixed disk devices
Resolves: rhbz#1581225
- Improve modutils_domtrans_insmod() interface to mmap insmod_exec_t binaries
Resolves: rhbz#1581551
- Improve iptables_domtrans() interface to allow mmaping iptables_exec_t binary
Resolves: rhbz#1581551
- Improve auth_domtrans_login_program interface to allow also mmap login_exec_t binaries
Resolves: rhbz#1581551
- Improve auth_domtrans_chk_passwd() interface to allow also mmaping chkpwd_exec_t binaries.
Resolves: rhbz#1581551
- Allow mmap dhcpc_exec_t binaries in sysnet_domtrans_dhcpc interface
[3.13.1-196]
- Add dbus_stream_connect_system_dbusd() interface.
- Allow pegasus_t domain to mount tracefs_t filesystem
Resolves: rhbz#1374570
- Allow psad_t domain to read all domains state
Resolves: rhbz#1558439
- Add net_raw capability to named_t domain BZ(1545586)
- Allow tomcat_t domain to connect to mongod_t tcp port
Resolves: rhbz#1539748
- Allow dovecot and postfix to connect to systemd stream sockets
Resolves: rhbz#1368642
- Label /usr/libexec/bluetooth/obexd as bluetoothd_exec_t to run process as bluetooth_t
Resolves: rhbz#1351750
- Rename tang policy to tangd
- Add interface systemd_rfkill_domtrans()
- Allow users staff and sysadm to run wireshark on own domain
Resolves: rhbz#1546362
- Allow systemd-bootchart to create own tmpfs files
Resolves: rhbz#1510412
[3.13.1-195]
- Rename tang policy to tangd
- Allow virtd_t domain to relabel virt_var_lib_t files
Resolves: rhbz#1558121
- Allow logrotate_t domain to stop services via systemd
Resolves: rhbz#1527522
- Add tang policy
Resolves: rhbz#1509055
- Allow mozilla_plugin_t to create mozilla.pdf file in user homedir with label mozilla_home_t
Resolves: rhbz#1559859
- Improve snapperd SELinux policy
Resolves: rhbz#1365555
- Allow snapperd_t daemon to create unlabeled dirs.
Resolves: rhbz#1365555
- We have inconsistency in cgi templates with upstream, we use _content_t, but refpolicy use httpd__content_t. Created aliases to make it consistent
Resolves: rhbz#1271324
- Allow Openvswitch adding netdev bridge ovs 2.7.2.10 FDP
Resolves: rhbz#1503835
- Add new Boolean tomcat_use_execmem
Resolves: rhbz#1565226
- Allow domain transition from logrotate_t to chronyc_t
Resolves: rhbz#1568281
- Allow nfsd_t domain to read/write sysctl fs files
Resolves: rhbz#1516593
- Allow conman to read system state
Resolves: rhbz#1377915
- Allow lircd_t to exec shell and add capabilities dac_read_search and dac_override
Resolves: rhbz#1550700
- Allow usbmuxd to access /run/udev/data/+usb:*.
Resolves: rhbz#1521054
- Allow abrt_t domain to manage kdump crash files
Resolves: rhbz#1491585
- Allow systemd to use virtio console
Resolves: rhbz#1558121
- Allow transition from sysadm role into mdadm_t domain.
Resolves: rhbz#1551568
- Label /dev/op_panel and /dev/opal-prd as opal_device_t
Resolves: rhbz#1537618
- Label /run/ebtables.lock as iptables_var_run_t
Resolves: rhbz#1511437
- Allow udev_t domain to manage udev_rules_t char files.
Resolves: rhbz#1545094
- Allow nsswitch_domain to read virt_var_lib_t files, because of libvirt NSS plugin.
Resolves: rhbz#1567753
- Fix filesystem interface file, we don't have nsfs_fs_t type, just nsfs_t
Resolves: rhbz#1547700
- Allow iptables_t domain to create dirs in etc_t with system_conf_t labels
[3.13.1-194]
- Add new boolean redis_enable_notify()
Resolves: rhbz#1421326
- Label /var/log/shibboleth-www(/.*) as httpd_sys_rw_content_t
Resolves: rhbz#1549514
- Add new label for vmtools scripts and label it as vmtools_unconfined_t stored in /etc/vmware-tools/
Resolves: rhbz#1463593
- Remove labeling for /etc/vmware-tools to bin_t it should be vmtools_unconfined_exec_t
Resolves: rhbz#1463593
[3.13.1-193]
- Backport several changes for snapperd from Fedora Rawhide
Resolves: rhbz#1556798
- Allow snapperd_t to set priority for kernel processes
Resolves: rhbz#1556798
- Make ganesha nfs server.
Resolves: rhbz#1511489
- Allow vxfs filesystem to use SELinux labels
Resolves: rhbz#1482880
- Add map permission to selinux-policy
Resolves: rhbz#1460322
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team