ELBA-2024-2402 - selinux-policy bug fix and enhancement update

Type: BUG
Severity: NA
Release Date: 2024-05-03

Description

[38.1.35-2.0.1]
- Allow exim_t to read exim_log_t and manage exim_spool_t link files [Orabug: 36430005]
- Allow cgred_t to get attributes of cgroup filesystems [Orabug: 36176655]
- Allow kdumpctl_t to execmem [Orabug: 35381156]
- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition [Orabug: 35091334]
- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files [Orabug: 35122619]
- Label /var/log/kdump.log with kdump_log_t [Orabug: 33810371]
- Allow rpm_t sys_admin capability [Orabug: 34250651]
- Make systemd_tmpfiles_t MLS trusted for lowering the level of files [Orabug: 33841245]
- Allow nfsd_t to list exports_t dirs [Orabug: 33844301]
- Allow fsadm_t to get attributes of cgroup filesystems [Orabug: 33841268]
- Allow tuned_t to read the process state of all domains [Orabug: 33520684]
- Make import-state work with mls policy [Orabug: 32636699]
- Add map permission to lvm_t on lvm_metadata_t. [Orabug: 31405325]
- Add comment for map on lvm_metadata_t. [Orabug: 31405325]
- Make iscsiadm work with mls policy [Orabug: 32725411]
- Make cloud-init work with mls policy [Orabug: 32430460]
- Allow systemd-pstore to transfer files from /sys/fs/pstore [Orabug: 31594666]
- Make smartd work with mls policy [Orabug: 32430379]
- Allow sysadm_t to mmap modules_object_t files [Orabug: 32411855]
- Allow tuned_t to execute systemd_systemctl_exec_t files [Orabug: 32355342]
- Make udev work with mls policy [Orabug: 31405299]
- Make tuned work with mls policy [Orabug: 31396024]
- Make lsmd, rngd, and kdumpctl work with mls policy [Orabug: 31405378]
- Allow virt_domain to mmap virt_content_t files [Orabug: 30932671]
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection [Orabug: 30537515]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type. [Orabug: 13333429]

[38.1.35-2]
- Rebuild
Resolves: RHEL-26663

[38.1.35-1]
- Allow wdmd read hardware state information
Resolves: RHEL-26663

[38.1.34-1]
- Allow wdmd list the contents of the sysfs directories
Resolves: RHEL-26663
- Allow linuxptp configure phc2sys and chronyd over a unix domain socket
Resolves: RHEL-26660

[38.1.33-1]
- Allow thumb_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-26073
- Allow opafm create NFS files and directories
Resolves: RHEL-17820
- Label /tmp/libdnf.* with user_tmp_t
Resolves: RHEL-11250

[38.1.32-1]
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-21635
- Allow xdm_t to watch and watch_reads mount_var_run_t
Resolves: RHEL-24841
- Allow unix dgram sendto between exim processes
Resolves: RHEL-21902
- Allow utempter_t use ptmx
Resolves: RHEL-24946
- Only allow confined user domains to login locally without unconfined_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_confined_admin_users interface
Resolves: RHEL-1551
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
Resolves: RHEL-1551
- Add userdom_spec_domtrans_admin_users interface
Resolves: RHEL-1551
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
Resolves: RHEL-1551

[38.1.31-1]
- Allow chronyd-restricted read chronyd key files
Resolves: RHEL-18219
- Allow conntrackd_t to use bpf capability2
Resolves: RHEL-22277
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
Resolves: RHEL-14735
- Allow hypervkvp_t write access to NetworkManager_etc_rw_t
Resolves: RHEL-14505
- Add interface for write-only access to NetworkManager rw conf
Resolves: RHEL-14505
- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes
Resolves: RHEL-11792

[38.1.30-1]
- Allow sysadm execute traceroute in sysadm_t domain using sudo
Resolves: RHEL-14077
- Allow qatlib set attributes of vfio device files
Resolves: RHEL-19051
- Allow qatlib load kernel modules
Resolves: RHEL-19051
- Allow qatlib run lspci
Resolves: RHEL-19051
- Allow qatlib manage its private runtime socket files
Resolves: RHEL-19051
- Allow qatlib read/write vfio devices
Resolves: RHEL-19051
- Allow syslog to run unconfined scripts conditionally
Resolves: RHEL-11174
- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
Resolves: RHEL-11174
- Allow sendmail MTA connect to sendmail LDA
Resolves: RHEL-15175
- Allow sysadm execute tcpdump in sysadm_t domain using sudo
Resolves: RHEL-15432
- Allow opafm search nfs directories
Resolves: RHEL-17820
- Allow mdadm list stratisd data directories
Resolves: RHEL-19276
- Update cyrus_stream_connect() to use sockets in /run
Resolves: RHEL-19282
- Allow collectd connect to statsd port
Resolves: RHEL-21044
- Allow insights-client transition to sap unconfined domain
Resolves: RHEL-21452
- Create the sap module
Resolves: RHEL-21452

[38.1.29-1]
- Add init_explicit_domain() interface
Resolves: RHEL-18219
- Allow dovecot_auth_t connect to postgresql using UNIX socket
Resolves: RHEL-16850
- Allow keepalived_t to use sys_ptrace of cap_userns
Resolves: RHEL-17156
- Make bootc be install_exec_t
Resolves: RHEL-19199
- Add support for chronyd-restricted
Resolves: RHEL-18219
- Label /dev/vas with vas_device_t
Resolves: RHEL-17336
- Allow gpsd use /dev/gnss devices
Resolves: RHEL-16676
- Allow sendmail manage its runtime files
Resolves: RHEL-15175
- Add support for syslogd unconfined scripts
Resolves: RHEL-11174

[38.1.28-1]
- Create interface selinux_watch_config and add it to SELinux users
Resolves: RHEL-1555
- Allow winbind_rpcd_t processes access when samba_export_all_* is on
Resolves: RHEL-16273
- Allow samba-dcerpcd connect to systemd_machined over a unix socket
Resolves: RHEL-16273
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: RHEL-16273
- Allow sudodomain read var auth files
Resolves: RHEL-16708
- Allow auditd read all domains process state
Resolves: RHEL-14285
- Allow rsync read network sysctls
Resolves: RHEL-14638
- Add dhcpcd bpf capability to run bpf programs
Resolves: RHEL-15326
- Allow systemd-localed create Xserver config dirs
Resolves: RHEL-16716
- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t
Resolves: RHEL-1553
- Update sendmail policy module for opensmtpd
Resolves: RHEL-15175

[38.1.27-1]
- Remove glusterd module
Resolves: RHEL-1548
- Improve default file context(None) of /var/lib/authselect/backups
Resolves: RHEL-15220
- Set default file context of /var/lib/authselect/backups to <<none>>
Resolves: RHEL-15220
- Create policy for afterburn
Resolves: RHEL-12591
- Allow unconfined_domain_type use io_uring cmd on domain
Resolves: RHEL-11792
- Add policy for coreos installer
Resolves: RHEL-5164
- Add policy for nvme-stas
Resolves: RHEL-1557
- Label /var/run/auditd.state as auditd_var_run_t
Resolves: RHEL-14374
- Allow ntp to bind and connect to ntske port.
Resolves: RHEL-15085
- Allow ip an explicit domain transition to other domains
Resolves: RHEL-14246
- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
Resolves: RHEL-14289
- Allow sssd domain transition on passkey_child execution conditionally
Resolves: RHEL-14014
- Allow sssd use usb devices conditionally
Resolves: RHEL-14014
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413

[38.1.26-1]
- Allow kdump create and use its memfd: objects
Resolves: RHEL-14413

[38.1.25-1]
- Add map_read map_write to kernel_prog_run_bpf
Resolves: RHEL-2653
- Allow sysadm_t read nsfs files
Resolves: RHEL-5146
- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
Resolves: RHEL-14029
- Allow system_mail_t manage exim spool files and dirs
Resolves: RHEL-14110
- Label /run/pcsd.socket with cluster_var_run_t
Resolves: RHEL-1664

[38.1.24-1]
- Allow cupsd_t to use bpf capability
Resolves: RHEL-3633
- Label /dev/gnss[0-9] with gnss_device_t
Resolves: RHEL-9936
- Dontaudit rhsmcertd write memory device
Resolves: RHEL-1547

Updated Packages

Release/Architecture     | Filename                                               | MD5sum                           | Superseded By Advisory | Channel Label
Oracle Linux 9 (aarch64) | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_aarch64_appstream
                         | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_aarch64_u4_baseos_base
                         | selinux-policy-38.1.35-2.0.1.el9_4.noarch.rpm          | 0717d9a3bcb25c7f0ac89b1e9438f6bc | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-38.1.35-2.0.1.el9_4.noarch.rpm          | 0717d9a3bcb25c7f0ac89b1e9438f6bc | -                      | ol9_aarch64_u4_baseos_base
                         | selinux-policy-devel-38.1.35-2.0.1.el9_4.noarch.rpm    | d65d19018330c96836695bef4a847b66 | -                      | ol9_aarch64_appstream
                         | selinux-policy-doc-38.1.35-2.0.1.el9_4.noarch.rpm      | 888959361616ff4c731883f158457b22 | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-doc-38.1.35-2.0.1.el9_4.noarch.rpm      | 888959361616ff4c731883f158457b22 | -                      | ol9_aarch64_u4_baseos_base
                         | selinux-policy-mls-38.1.35-2.0.1.el9_4.noarch.rpm      | abe158db4e7b12d948f872f538e15ecb | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-mls-38.1.35-2.0.1.el9_4.noarch.rpm      | abe158db4e7b12d948f872f538e15ecb | -                      | ol9_aarch64_u4_baseos_base
                         | selinux-policy-sandbox-38.1.35-2.0.1.el9_4.noarch.rpm  | bcf6cbc708879d066f2839ad64ce20db | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-sandbox-38.1.35-2.0.1.el9_4.noarch.rpm  | bcf6cbc708879d066f2839ad64ce20db | -                      | ol9_aarch64_u4_baseos_base
                         | selinux-policy-targeted-38.1.35-2.0.1.el9_4.noarch.rpm | f0d036cd2e09d902ac3440177df8319d | -                      | ol9_aarch64_baseos_latest
                         | selinux-policy-targeted-38.1.35-2.0.1.el9_4.noarch.rpm | f0d036cd2e09d902ac3440177df8319d | -                      | ol9_aarch64_u4_baseos_base
Oracle Linux 9 (x86_64)  | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_x86_64_appstream
                         | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-38.1.35-2.0.1.el9_4.src.rpm             | d644dddd85354b73e6ad73a1a31b779c | -                      | ol9_x86_64_u4_baseos_base
                         | selinux-policy-38.1.35-2.0.1.el9_4.noarch.rpm          | 0717d9a3bcb25c7f0ac89b1e9438f6bc | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-38.1.35-2.0.1.el9_4.noarch.rpm          | 0717d9a3bcb25c7f0ac89b1e9438f6bc | -                      | ol9_x86_64_u4_baseos_base
                         | selinux-policy-devel-38.1.35-2.0.1.el9_4.noarch.rpm    | d65d19018330c96836695bef4a847b66 | -                      | ol9_x86_64_appstream
                         | selinux-policy-doc-38.1.35-2.0.1.el9_4.noarch.rpm      | 888959361616ff4c731883f158457b22 | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-doc-38.1.35-2.0.1.el9_4.noarch.rpm      | 888959361616ff4c731883f158457b22 | -                      | ol9_x86_64_u4_baseos_base
                         | selinux-policy-mls-38.1.35-2.0.1.el9_4.noarch.rpm      | abe158db4e7b12d948f872f538e15ecb | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-mls-38.1.35-2.0.1.el9_4.noarch.rpm      | abe158db4e7b12d948f872f538e15ecb | -                      | ol9_x86_64_u4_baseos_base
                         | selinux-policy-sandbox-38.1.35-2.0.1.el9_4.noarch.rpm  | bcf6cbc708879d066f2839ad64ce20db | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-sandbox-38.1.35-2.0.1.el9_4.noarch.rpm  | bcf6cbc708879d066f2839ad64ce20db | -                      | ol9_x86_64_u4_baseos_base
                         | selinux-policy-targeted-38.1.35-2.0.1.el9_4.noarch.rpm | f0d036cd2e09d902ac3440177df8319d | -                      | ol9_x86_64_baseos_latest
                         | selinux-policy-targeted-38.1.35-2.0.1.el9_4.noarch.rpm | f0d036cd2e09d902ac3440177df8319d | -                      | ol9_x86_64_u4_baseos_base

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team.