[El-errata] ELBA-2017-1727 Oracle Linux 6 selinux-policy bug fix update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Jul 11 22:06:41 PDT 2017
Oracle Linux Bug Fix Advisory ELBA-2017-1727
http://linux.oracle.com/errata/ELBA-2017-1727.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
i386:
selinux-policy-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-doc-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-minimum-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-mls-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-targeted-3.7.19-307.0.1.el6_9.2.noarch.rpm
x86_64:
selinux-policy-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-doc-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-minimum-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-mls-3.7.19-307.0.1.el6_9.2.noarch.rpm
selinux-policy-targeted-3.7.19-307.0.1.el6_9.2.noarch.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/selinux-policy-3.7.19-307.0.1.el6_9.2.src.rpm
Description of changes:
[3.7.19-307.0.1.2]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type.
- Allow ocfs2 to be mounted with file_t type.
[3.7.19-307.2]
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t.
Resolves: rhbz#1466327
[3.7.19-307.1]
- Allow smbd_t domain generate debugging files under /var/run/gluster.
These files are created through the libgfapi.so library that provides
integration of a GlusterFS client in the Samba (vfs_glusterfs) process.
Resolves: rhbz#1462824
- Disable mysqld_safe_t secure mode environment cleansing.
Resolves: rhbz#1464145
[3.7.19-307]
- Allow glusterd_t send signals to userdomain. Label new glusterd
binaries as glusterd_exec_t
Resolves: rhbz#1404152
- Label /usr/bin/puppet* binaries as puppet_exec_t
Resolves: rhbz#1386181
[3.7.19-306]
- Allow hostname_t domain to manage cluster_tmp_t files
Resolves: rhbz#1400234
- Allow ipsec_mgmt_t domain use nsswitch
Resolves:rhbz#1401611
- Allow conman_t domain to list conman_uconfined_script_exec_t dirs.
Resolves:rhbz#1397117
[3.7.19-305]
- Fix typo bug sepgsql_contexts file
Resolves: rhbz#1397703
- Allow sssd_t domain to manage samba files and dirs.
Resolves: rhbz#1395403
- Create conman_unconfined_script_t type for conman script stored in
/use/share/conman/exec/
Resolves: rhbz#1397117
- Allow consolekit_t domain to manage consolekit_log_t dirs
Resolves: rhbz#1397802
[3.7.19-304]
- Allow _java_t domain to read systemd state.
Resolves:rhbz#1393938
- Allow kdumpgui to read/write to nvme filesystem.
Resolves:rhbz#1323293
[3.7.19-303]
- Dontaudit freeipmi_bmc_watchdog_t to write to /var/lock/kdump/
Resolves: rhbz#1288565
- Allow guest-set-user-passwd to set users password
Resolves: rhbz#1369699
[3.7.19-302]
- Label /var/lock/kdump as kdump_lock_t.
- Dontaudit freeipmi_bmc_watchdog_t to write to /var/lock/kdump/
Resolves: rhbz#1288565
[3.7.19-301]
- Allow hald_t to read nvme devices.
Resolves: rhbz#1389982
- Allow ftpdctl_t domain to manage own sockets
Resolves: rhbz#1392525
[3.7.19-300]
- Allow sblim_reposd_t domain to read cert_f files
Resolves:rhbz#1392382
- Allow running php7 in fpm mode. From selinux-policy side, we need to
allow httpd to read/write hugetlbfs.
Resolves: rhbz#1392406
[3.7.19-299]
- Support for InnoDB Tablespace Encryption.
Resolves: rhbz#1391525
[3.7.19-298]
- Allow isnsd_t to accept tcp connections
Resolves:rhbz#1365501
- Add label for alsa_var_lib_t dirs and files.
Resolves: rhbz#1340150
[3.7.19-297]
- Remove setgid and setuid capabilities from userdom_login_user_template
Resolves: rhbz#1378463
- Allow logrotate to read chronyd keys
Resolves: rhbz#1390657
- Allow fail2ban to domtrans to shorewall.
Resolves: rhbz#1390810
[3.7.19-296]
- Allow hypervvssd_t to read all dirs.
Resolves: rhbz#1335733
- Dontaudit abrt_t writing to cert_t files.
Resolves: rhbz#1334606
- Allow isns_t domain to connect on port 51954 labeled as isns_port_t.
Resolves: rhbz#1365501
- Fixed vsftpd can access nfs even if allow_ftpd_use_nfs is off under
specific conditions
Resolves: rhbz#1310077
- Allow asterisk domain to connect on port 5222 labeled as
jabber_client_port_t
Resolves:rhbz#1334756
- Label /etc/puppetlabs as puppet_etc_t.
Resolves:rhbz#1386181
- Allow mount to read nvme devices
Resolves: rhbz#1389982
- Allow roundup to use nsswitch.
Resolves: rhbz#1286994
- Backport domain transition from pegasus_t to rpm_t
- Allow pegasus to read all sysctls
- Allow pegasus to read raw memory.
Resolves:rhbz#980439
[3.7.19-295]
- Allow ipc_lock capability for glusterd.
Resolves: #1384487
[3.7.19-294]
- Added boolean: authlogin_yubikey
Resolves:rhbz#1362033
- Add new type: alsa_lock_t, Allow alsa_t domain creating files in
/var/lock labeled as alsa_lock_t.
Resolves:rhbz#1340150
- Allow bacula send signull itself.
Resolves: rhbz#1313382
- label /var/lib/pcsd/ as cluster_var_lib_t.
Resolves:rhbz#1326718
- Allow httpd also write to anon_inodefs files
Resolves: rhbz#1377644
- Allow lsmd to read localization. Allow lsmd plugins to exec ldconfig
Resolves: rhbz#1336590
- Allow auditctl_t domain read localization.
Resolves:rhbz#1316444
- Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t.
Resolves: rhbz#1318166
- Allow httpd_t domain to list inotify filesystem
Resolves:rhbz#1299552
- Allow dovecot_t send signull to dovecot_deliver_t
Resolves:rhbz#1320037
- Fix couple AVC to start roundup properly
Resolves: rhbz#1286994
- Allow netlabel_peer_t type to flow over netif_t and node_t, and only
be hindered by MLS, need back port to RHEL6
Resolves:rhbz#1299306
- Add sys_ptrace capability to pegasus domain
Resolves:rhbz#980439
- Allow sshd to set mcs process categories.
Resolves: rhbz#1322409
- Add setgid capability to winbind domain. Allow getcap for winbind
domain.
Resolves: rhbz#1336394
- Allow rebuild mdadm array with SELinux enabled in enforcing mode.
Resolves: rhbz#1343754
- Allow kpropd_t domain to use nsswitch.
Resolves: rhbz#1337895
[3.7.19-293]
- Add setgid capability to winbind domain.
- Allow getcap for winbind domain.
Resolves: rhbz#1336394
- Allow rebuild mdadm array with SELinux enabled in enforcing mode.
Resolves: rhbz#1343754
- Allow kpropd_t domain to use nsswitch.
Resolves: rhbz#1337895
- Allow glusterd to manage socket files labeled as glusterd_brick_t.
Resolves: rhbz#1331585