ELBA-2023-2483
- ULN >
- Oracle Linux Errata repository >
- ELBA-2023-2483
ELBA-2023-2483 - selinux-policy bug fix and enhancement update
| Type: | BUG |
| Impact: | NA |
| Release Date: | 2023-05-15 |
Description
[38.1.11-2.0.1]
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition [Orabug: 35091334]
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files [Orabug: 35122619]
- Label /var/log/kdump.log with kdump_log_t [Orabug: 33810371]
- Allow rpm_t sys_admin capability [Orabug: 34250651]
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files [Orabug: 33841245]
- Allow nfsd_t to list exports_t dirs [Orabug: 33844301]
- Allow fsadm_t to get attributes of cgroup filesystems [Orabug: 33841268]
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t [Orabug: 33841205]
- Allow tuned_t to read the process state of all domains [Orabug: 33520684]
- Allow initrc_t to manage pid files used by chronyd [Orabug: 33520623]
- Make import-state work with mls policy [Orabug: 32636699]
- Add map permission to lvm_t on lvm_metadata_t. [Orabug: 31405325]
- Add comment for map on lvm_metadata_t. [Orabug: 31405325]
- Make iscsiadm work with mls policy [Orabug: 32725411]
- Make cloud-init work with mls policy [Orabug: 32430460]
- Allow systemd-pstore to transfer files from /sys/fs/pstore [Orabug: 31594666]
- Make smartd work with mls policy [Orabug: 32430379]
- Allow sysadm_t to mmap modules_object_t files [Orabug: 32411855]
- Allow tuned_t to execute systemd_systemctl_exec_t files [Orabug: 32355342]
- Make logrotate work with mls policy [Orabug: 32343731]
- Make udev work with mls policy [Orabug: 31405299]
- Make tuned work with mls policy [Orabug: 31396024]
- Make lsmd, rngd, and kdumpctl work with mls policy [Orabug: 31405378]
- Allow virt_domain to mmap virt_content_t files [Orabug: 30932671]
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection [Orabug: 30537515]
- Enable policykit and sssd policy modules with minimum policy [Orabug: 29744511]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type. [Orabug: 13333429]
[38.1.11-2]
- rebuilt
Resolves: rhbz#2172268
[38.1.11-1]
- Allow passt manage qemu pid sock files
Resolves: rhbz#2172268
- Exclude passt.if from selinux-policy-devel
Resolves: rhbz#2172268
[38.1.10-1]
- Add support for the passt_t domain
Resolves: rhbz#2172268
- Allow virtd_t and svirt_t work with passt
Resolves: rhbz#2172268
- Add new interfaces in the virt module
Resolves: rhbz#2172268
- Add passt interfaces defined conditionally
Resolves: rhbz#2172268
[38.1.9-1]
- Boolean: allow qemu-ga manage ssh home directory
Resolves: rhbz#2178612
- Allow wg load kernel modules, search debugfs dir
Resolves: rhbz#2176487
[38.1.8-1]
- Allow svirt to map svirt_image_t char files
Resolves: rhbz#2170482
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2166283
[38.1.7-1]
- Allow staff_t getattr init pid chr & blk files and read krb5
Resolves: rhbz#2112729
- Allow firewalld to rw z90crypt device
Resolves: rhbz#2166877
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2166283
[38.1.6-1]
- Allow modemmanager create hardware state information files
Resolves: rhbz#2149560
- Dontaudit ftpd the execmem permission
Resolves: rhbz#2164434
- Allow nm-dispatcher plugins read generic files in /proc
Resolves: rhbz#2164845
- Label systemd-journald feature LogNamespace
Resolves: rhbz#2124797
- Boolean: allow qemu-ga read ssh home directory
Resolves: rhbz#1917024
[38.1.5-1]
- Reuse tmpfs_t also for the ramfs filesystem
Resolves: rhbz#2160391
- Allow systemd-resolved watch tmpfs directories
Resolves: rhbz#2160391
- Allow hostname_t to read network sysctls.
Resolves: rhbz#2161958
- Allow ModemManager all permissions for netlink route socket
Resolves: rhbz#2149560
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2160388
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2160388
- Allow nm-cloud-setup dispatcher plugin restart nm services
Resolves: rhbz#2154414
- Allow wg to send msg to kernel, write to syslog and dbus connections
Resolves: rhbz#2149452
- Allow rshim bpf cap2 and read sssd public files
Resolves: rhbz#2080439
- Allow svirt request the kernel to load a module
Resolves: rhbz#2144735
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2014606
[38.1.4-1]
- Add lpr_roles to system_r roles
Resolves: rhbz#2152150
- Allow insights client work with gluster and pcp
Resolves: rhbz#2152150
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2152150
- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t
Resolves: rhbz#2152150
- Add insights additional capabilities
Resolves: rhbz#2152150
- Revert 'Allow insights-client run lpr and allow the proper role'
Resolves: rhbz#2152150
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157891
- Allow syslogd read network sysctls
Resolves: rhbz#2156068
- Allow NetworkManager and wpa_supplicant the bpf capability
Resolves: rhbz#2137085
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2158419
- Allow wireguard to create udp sockets and read net_conf
Resolves: rhbz#2149452
- Allow systemd-rfkill the bpf capability
Resolves: rhbz#2149390
- Allow load_policy_t write to unallocated ttys
Resolves: rhbz#2145181
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2150680
[38.1.3-1]
- Allow stalld to read /sys/kernel/security/lockdown file
Resolves: rhbz#2140673
- Allow syslog the setpcap capability
Resolves: rhbz#2151841
- Allow pulseaudio to write to session_dbusd tmp socket files
Resolves: rhbz#2132942
- Allow keepalived to set resource limits
Resolves: rhbz#2151212
- Add policy for mptcpd
Resolves: bz#1972222
- Add policy for rshim
Resolves: rhbz#2080439
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152166
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2152150
- Allow insights-client run lpr and allow the proper role
Resolves: rhbz#2152150
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2152150
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152150
- Allow journalctl relabel with var_log_t and syslogd_var_run_t files
Resolves: rhbz#2152823
[38.1.2-1]
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2124549
- Allow insights client read raw memory devices
Resolves: rhbz#2124549
- Allow networkmanager_dispatcher_plugin work with nscd
Resolves: rhbz#2149317
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Watch_sb all file type directories.
Resolves: rhbz#2139363
- Add watch and watch_sb dosfs interface
Resolves: rhbz#2139363
- Revert 'define lockdown class and access'
Resolves: rhbz#2145266
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#2145266
- Remove the lockdown class from the policy
Resolves: rhbz#2145266
- Remove label for /usr/sbin/bgpd
Resolves: rhbz#2145266
- Revert 'refpolicy: drop unused socket security classes'
Resolves: rhbz#2145266
[38.1.1-1]
- Rebase selinux-policy to the latest one in rawhide
Resolves: rhbz#2082524
[34.1.47-1]
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2123358
- Allow chronyd talk with unconfined user over unix domain dgram socket
Resolves: rhbz#2141255
- Allow unbound connectto unix_stream_socket
Resolves: rhbz#2141236
- added policy for systemd-socket-proxyd
Resolves: rhbz#2141606
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121729
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2123358
- Allow insights-client manage generic locks
Resolves: rhbz#2123358
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2123358
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2123358
- Disable rpm verification on interface_info
Resolves: rhbz#2134515
[34.1.46-1]
- new version
Resolves: rhbz#2134827
[34.1.45-1]
- Add watch_sb interfaces
Resolves: rhbz#2139363
- Add watch interfaces
Resolves: rhbz#2139363
- Allow dhcpd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow netutils and traceroute bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pkcs_slotd_t bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow xdm bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow pcscd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow lldpad bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow keepalived bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow ipsec bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow fprintd bpf capability to run bpf programs
Resolves: rhbz#2134827
- Allow iptables list cgroup directories
Resolves: rhbz#2134829
- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files
Resolves: rhbz#2042515
- Dontaudit dirsrv search filesystem sysctl directories
Resolves: rhbz#2134726
[34.1.44-1]
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2126091
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2126091
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2126091
- Allow insights-client manage samba var dirs
Resolves: rhbz#2126091
- Allow rhcd compute selinux access vector
Resolves: rhbz#2126091
- Add file context entries for insights-client and rhc
Resolves: rhbz#2126161
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2132942
- Allow rhsmcertd execute gpg
Resolves: rhbz#2130204
- Label ports 10161-10162 tcp/udp with snmp
Resolves: rhbz#2133221
- Allow lldpad send to unconfined_t over a unix dgram socket
Resolves: rhbz#2112044
- Label port 15354/tcp and 15354/udp with opendnssec
Resolves: rhbz#2057501
- Allow aide to connect to systemd_machined with a unix socket.
Resolves: bz#2062936
- Allow ftpd map ftpd_var_run files
Resolves: bz#2124943
- Allow ptp4l respond to pmc
Resolves: rhbz#2131689
- Allow radiusd connect to the radacct port
Resolves: rhbz#2132424
- Allow xdm execute gnome-atspi services
Resolves: rhbz#2132244
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130170
- Allow targetclid to manage tmp files
Resolves: rhbz#2127408
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124695
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 9 (aarch64) | selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_aarch64_appstream |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_aarch64_baseos_latest | |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_aarch64_distro_builder | |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_aarch64_u2_baseos_base | |
| selinux-policy-38.1.11-2.0.1.el9_2.noarch.rpm | 4a0277fd94a012f01a6a63dd202a7950a6b36cfb6e3e376498fd9ee6da195d43 | - | ol9_aarch64_baseos_latest | |
| selinux-policy-38.1.11-2.0.1.el9_2.noarch.rpm | 4a0277fd94a012f01a6a63dd202a7950a6b36cfb6e3e376498fd9ee6da195d43 | - | ol9_aarch64_u2_baseos_base | |
| selinux-policy-devel-38.1.11-2.0.1.el9_2.noarch.rpm | 531e457e06a6a491a0ee09cb6f0ac1422dc5cd0375277bf23745d4216b2601aa | - | ol9_aarch64_appstream | |
| selinux-policy-doc-38.1.11-2.0.1.el9_2.noarch.rpm | 815bff1644cd8e0d6d0b46d738a2f429a75edce1bdea19a28e1d8823ebda7b70 | - | ol9_aarch64_baseos_latest | |
| selinux-policy-doc-38.1.11-2.0.1.el9_2.noarch.rpm | 815bff1644cd8e0d6d0b46d738a2f429a75edce1bdea19a28e1d8823ebda7b70 | - | ol9_aarch64_u2_baseos_base | |
| selinux-policy-mls-38.1.11-2.0.1.el9_2.noarch.rpm | 8e2ec0fcd86e72a483ed2f78d2cd8208a4191c7104a58238f893c9ffa0868af5 | - | ol9_aarch64_baseos_latest | |
| selinux-policy-mls-38.1.11-2.0.1.el9_2.noarch.rpm | 8e2ec0fcd86e72a483ed2f78d2cd8208a4191c7104a58238f893c9ffa0868af5 | - | ol9_aarch64_u2_baseos_base | |
| selinux-policy-sandbox-38.1.11-2.0.1.el9_2.noarch.rpm | 42aae6940d26fd8215be89c3337ef050958d194beed14d71467cc5e7a1d5fd2e | - | ol9_aarch64_baseos_latest | |
| selinux-policy-sandbox-38.1.11-2.0.1.el9_2.noarch.rpm | 42aae6940d26fd8215be89c3337ef050958d194beed14d71467cc5e7a1d5fd2e | - | ol9_aarch64_u2_baseos_base | |
| selinux-policy-targeted-38.1.11-2.0.1.el9_2.noarch.rpm | 956cf994066f640d63fe8042e6278e0da0e80d527d40bf58ce76f6497e038a2c | - | ol9_aarch64_baseos_latest | |
| selinux-policy-targeted-38.1.11-2.0.1.el9_2.noarch.rpm | 956cf994066f640d63fe8042e6278e0da0e80d527d40bf58ce76f6497e038a2c | - | ol9_aarch64_u2_baseos_base | |
| Oracle Linux 9 (x86_64) | selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_x86_64_appstream |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_x86_64_baseos_latest | |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_x86_64_distro_builder | |
| selinux-policy-38.1.11-2.0.1.el9_2.src.rpm | 193669504622e3f747492ccdfdeafd28c4bc1898512cc58229afc6b7d6187613 | - | ol9_x86_64_u2_baseos_base | |
| selinux-policy-38.1.11-2.0.1.el9_2.noarch.rpm | 4a0277fd94a012f01a6a63dd202a7950a6b36cfb6e3e376498fd9ee6da195d43 | - | ol9_x86_64_baseos_latest | |
| selinux-policy-38.1.11-2.0.1.el9_2.noarch.rpm | 4a0277fd94a012f01a6a63dd202a7950a6b36cfb6e3e376498fd9ee6da195d43 | - | ol9_x86_64_u2_baseos_base | |
| selinux-policy-devel-38.1.11-2.0.1.el9_2.noarch.rpm | 531e457e06a6a491a0ee09cb6f0ac1422dc5cd0375277bf23745d4216b2601aa | - | ol9_x86_64_appstream | |
| selinux-policy-doc-38.1.11-2.0.1.el9_2.noarch.rpm | 815bff1644cd8e0d6d0b46d738a2f429a75edce1bdea19a28e1d8823ebda7b70 | - | ol9_x86_64_baseos_latest | |
| selinux-policy-doc-38.1.11-2.0.1.el9_2.noarch.rpm | 815bff1644cd8e0d6d0b46d738a2f429a75edce1bdea19a28e1d8823ebda7b70 | - | ol9_x86_64_u2_baseos_base | |
| selinux-policy-mls-38.1.11-2.0.1.el9_2.noarch.rpm | 8e2ec0fcd86e72a483ed2f78d2cd8208a4191c7104a58238f893c9ffa0868af5 | - | ol9_x86_64_baseos_latest | |
| selinux-policy-mls-38.1.11-2.0.1.el9_2.noarch.rpm | 8e2ec0fcd86e72a483ed2f78d2cd8208a4191c7104a58238f893c9ffa0868af5 | - | ol9_x86_64_u2_baseos_base | |
| selinux-policy-sandbox-38.1.11-2.0.1.el9_2.noarch.rpm | 42aae6940d26fd8215be89c3337ef050958d194beed14d71467cc5e7a1d5fd2e | - | ol9_x86_64_baseos_latest | |
| selinux-policy-sandbox-38.1.11-2.0.1.el9_2.noarch.rpm | 42aae6940d26fd8215be89c3337ef050958d194beed14d71467cc5e7a1d5fd2e | - | ol9_x86_64_u2_baseos_base | |
| selinux-policy-targeted-38.1.11-2.0.1.el9_2.noarch.rpm | 956cf994066f640d63fe8042e6278e0da0e80d527d40bf58ce76f6497e038a2c | - | ol9_x86_64_baseos_latest | |
| selinux-policy-targeted-38.1.11-2.0.1.el9_2.noarch.rpm | 956cf994066f640d63fe8042e6278e0da0e80d527d40bf58ce76f6497e038a2c | - | ol9_x86_64_u2_baseos_base | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
