[El-errata] ELBA-2015-1552 Oracle Linux 7 selinux-policy bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Aug 5 21:20:30 PDT 2015


Oracle Linux Bug Fix Advisory ELBA-2015-1552

http://linux.oracle.com/errata/ELBA-2015-1552.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
selinux-policy-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-devel-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-doc-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-minimum-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-mls-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-sandbox-3.13.1-23.0.1.el7_1.13.noarch.rpm
selinux-policy-targeted-3.13.1-23.0.1.el7_1.13.noarch.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/selinux-policy-3.13.1-23.0.1.el7_1.13.src.rpm



Description of changes:

[3.13.1-23.0.1.el7_1.13]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type.

[3.13.1-23.el7_1.13]
- glusterd calls pcs utility which calls find for cib.* files and runs 
pstree under glusterd. Dontaudit access to security files and update 
gluster boolean to reflect these changes.
- Allow glusterd to communicate with cluster domains over stream socket.
Resolves:#1238963

[3.13.1-23.el7_1.12]
- Allow iptables to read ctdbd lib files.
Resolves:#1238965

[3.13.1-23.el7_1.11]
- Allow glusterd to manage nfsd and rpcd services.
- Allow samba_t net_admin capability to make CIFS mount working.
Resolves:#1238965
- Dontaudit smbd_t block_suspend capability.

[3.13.1-23.el7_1.10]
- Allow gluster to connect to all ports. It is required by random 
services executed by gluster.
- Allow glusterd to execute showmount in the showmount domain.
- Add samba_signull_unconfined_net()
- Add samba_signull_winbind()
Resolves:#1232755
- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow 
transition to nagios unconfined plugins.
Resolves:#1238963
- Label gluster python hooks also as bin_t.
Resolves:#1238965
- We allow can_exec() on ssh_keygen on gluster. But there is a 
transition defined by init_initrc_domain() because we need to allow 
execute unconfined services by glusterd. So ssh-keygen ends up with 
ssh_keygen_t and we need to allow to manage 
/var/lib/glusterd/geo-replication/secret.pem.

[3.13.1-23.el7_1.9]
- S30samba-start gluster hook wants to search audit logs. Dontaudit it.
- Allow glusterd to interact with gluster tools running in a user domain
- nrpe needs kill capability to make gluster monitored nodes working.
Resolves:#1238964
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to 
be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" 
permissions on nfs_t, cifs_t and fusefs_t SELinux types.
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process 
exists.




