
1.204. selinux-policy

1.204.1. RHBA-2009:1242

The selinux-policy packages contain the rules that govern how confined processes run on the system.
The selinux-policy package has been updated, providing the following enhanced policy changes for SELinux:
  • samba previously could not directly change a user's password via the passwd program. (BZ#429726)
  • newer versions of the system RAID utilities were previously blocked from logging properly when running SELinux in Enforcing mode. (BZ#475562)
  • the postgrey utility can now operate properly over a network socket. (BZ#479819)
  • the installation of RPM files on the PowerPC architecture is no longer blocked. (BZ#480163)
  • NetworkManager is now permitted to discover the priority of related processes. (BZ#480943)
  • procmail is now permitted to operate with and call the spamassassin application. (BZ#481387)
  • hald is now permitted to send messages via dbus bi-directionally. (BZ#481628)
  • system signals are now permitted to be sent properly to the automount daemon. (BZ#481706)
  • the samba_enable_home_dirs Boolean now allows access to hidden files in home directories. (BZ#484146)
  • the default contexts for files related to the sysstat package have been corrected. (BZ#485078)
  • procmail is now permitted to execute anti-spam daemons. (BZ#485107)
  • samba can now access public_html directories. (BZ#485111)
  • the default label for the sa-learn binary used by spamassassin has been modified to the correct value. (BZ#486187)
  • the building of policies for a low-privileged user is now permitted when using selinux-policy-strict. (BZ#486354)
  • library files for the MATLAB environment are now correctly labelled. (BZ#486965)
  • samba is now permitted to properly rotate log files. (BZ#487021)
  • dbus is now permitted to read parts of the proc file system for its system messages. (BZ#489899)
  • the name service cache daemon no longer unexpectedly restarts due to a lack of search permissions. (BZ#490024)
  • the proc file system is now correctly labelled by the restorecon command. (BZ#492567)
  • search privileges are now granted to dnsmasq (when dnsmasq is launched using libvirt). (BZ#496867)
  • Openswan can now correctly access the Network Security Services libraries. (BZ#497168)
  • autofs now restarts normally when active mounts exist. (BZ#497273)
  • the amanda backup utility can now send all required signals to the system. (BZ#498596)
  • proper operation of xen guests via the virsh utility is now permitted. (BZ#499249)
  • HP printers now properly scan and operate over a network socket. (BZ#499691, BZ#504398)
  • spamd now restarts properly when a HUP signal is issued. (BZ#499701)
  • the clamav-milter binary was previously labeled with an incorrect context, preventing clamd from running in the correct domain. (BZ#500392)
  • setkey_t subjects can now read required files, such as those created by initscripts. (BZ#500395)
  • previously, an SELinux-related file in the selinux-policy-minimum package could not be properly installed. (BZ#502182)
  • the qemu_full_network Boolean is now enabled (qemu_full_network=1) by default. (BZ#504238)
  • TUN/TAP drivers are now given full network socket access. (BZ#504738)
  • the required TCP port has been added for the Cyrus IMAP Aggregator (mupdate). (BZ#504805)
  • Host-Guest File Systems under VMware can now be properly mounted. (BZ#504872)
  • iscsi-initiator can now run with full capability without causing denials. (BZ#506057)
  • previously, the procmail application may have caused an fsetid denial. (BZ#507712)
  • the connection created by the dblink_connect functionality of PostgreSQL is no longer blocked. (BZ#508348)
  • the Winbind subsystem can now modify Kerberos-related configuration files. (BZ#509174)
  • the attributes of the lsmod command have been updated, allowing lsmod to properly query the state of kernel modules. (BZ#510188)
  • the allow_unconfined_mmap_low Boolean setting was not properly applied to the unconfined_t domain: even when turned off, unconfined_t processes were still allowed to map low memory pages. Note: refer to Knowledgebase article DOC-18042 for more information about the handling of the low memory page mapping restriction on systems with SELinux. (BZ#511143)
  • this update allows objects and processes running in the ipsec_t domain to read files labeled as initrc_exec_t. This is required for the /etc/rc.d/init.d/ipsec file to be launched properly. (BZ#511359)
  • the automount subsystem can now use the winbind mechanism as specified in /etc/nsswitch.conf. (BZ#511927)
  • all files in the /var/vdsm directory now have the same SELinux file contexts. (BZ#512301, BZ#513208)
Additionally, minor typographical errors have been fixed in the httpd_selinux, kerberos_selinux, nfs_selinux and rsync_selinux man pages. (BZ#477123)
All users are advised to upgrade to these updated packages, which resolve these issues.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.