Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES Manual page 250

Chapter 1. Package Updates
• Instances of #!/usr/bin/env python have been removed from SELinux policy source code, as
using this technique to call python at the top of an executable Python file is being discontinued by
Red Hat developers.
• Support for Red Hat Cluster Suite has been added to SELinux policy. Please note that SELinux
policy only provides coverage for the infrastructure components. Services directly managed
by Cluster Suite will require their own policies and are not covered by this enhancement.
(BZ#522158)
• SELinux policy has been modified so that cyrus-imapd is now able to register its SNMP sub-agent
by connecting to a socket upon startup.
• An SELinux denial was triggered when configuring the SNMP daemon to listen on TCP or UDP
ports for AgentX sub-agents. Policy has been modified so that this daemon can now bind TCP/UDP
sockets to AgentX ports.
• SELinux denials were caused when implementing user quotas over NFS (Network File System)
shares. Policy has been modified to properly allow for the normal operation of quotas when using
NFS shares.
(BZ#525420)
• Upon updating the udev daemon to the latest version and restarting it, the SELinux context for udev
was changed from the default, causing errors. This update ensures that this context remains correct
when restarting udev.
• SELinux policy has been modified to not trigger an error when the virDomainSave() API is called
from qemu-kvm.
(BZ#530552)
• procmail was causing an AVC denial when attempting to read files used by spamassassin.
Rules have been added to policy so that these applications can communicate normally via pipes.
(BZ#530750)
• The ability to send and receive unlabeled packets was added to policy rules.
• A bug prevented the installation of the selinux-policy-strict package because the requirements
of aisexec were not properly met. The strict policy can now be installed as expected.
(BZ#531196)
• Real Time Kernel support was added to selinux-policy.
• The e4fsck command was not properly labeled, causing execution to fail. Policy permissions have
been fixed so that e4fsck is now correctly labeled.
• Permissions were modified to allow pluto to write logs properly.
• This update includes updated policy rules for IPsec, fixing the AVC denials that prevented pluto
from running properly. After applying this update, pluto runs as expected. Note that this is necessary
for FIPS-140 security compliance.
• vhostmd is a daemon that provides a communication channel between a host and its hosted
virtual machines. Implementing a vhostmd daemon caused AVC denial errors when launching it
via service vhostmd start. SELinux policy rules have been added to protect the vhostmd
daemon. The daemon starts and operates normally after applying the update.
Other Bugzilla references listed on this page: BZ#521284, BZ#523548, BZ#523773, BZ#526640, BZ#537133, BZ#531230, BZ#532565, BZ#537106, BZ#530809, BZ#543941.
