ELBA-2023-3846 Oracle Linux 8 selinux-policy bug fix update
Oracle Linux Bug Fix Advisory ELBA-2023-3846
http://linux.oracle.com/errata/ELBA-2023-3846.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
selinux-policy-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-devel-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-doc-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-minimum-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-mls-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-sandbox-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-targeted-3.14.3-117.0.1.el8_8.2.noarch.rpm
aarch64:
selinux-policy-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-devel-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-doc-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-minimum-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-mls-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-sandbox-3.14.3-117.0.1.el8_8.2.noarch.rpm
selinux-policy-targeted-3.14.3-117.0.1.el8_8.2.noarch.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates//selinux-policy-3.14.3-117.0.1.el8_8.2.src.rpm
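To confirm that a host already carries the build listed above, and to spot-check two of the file-context changes from the changelog that follows (/var/log/kdump.log labelled kdump_log_t, /run/fsck labelled fsadm_var_run_t), the following script can be used. It is an added example written for this page, not Oracle's tooling and not part of the advisory or the selinux-policy package. It assumes the version-release string 3.14.3-117.0.1.el8_8.2 taken from the rpm names above, implements only the rpmvercmp ordering rules that matter for these strings (the tilde and caret special cases are omitted), and queries rpm and matchpathcon only when they are present.

```shell
#!/bin/sh
# Added example, not part of the Oracle advisory or the selinux-policy package:
# check whether a host already carries the build shipped in ELBA-2023-3846 and,
# if so, spot-check two file contexts that its changelog introduces.

FIXED_VR="3.14.3-117.0.1.el8_8.2"   # version-release of every rpm in the advisory (all noarch)

# Split an RPM version-release string into rpmvercmp-style segments: runs of
# digits and runs of letters become separate words, everything else is a
# separator. "3.14.3-117.0.1.el8_8.2" -> "3 14 3 117 0 1 el 8 8 2"
tokens() {
  printf '%s\n' "$1" \
    | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
    | tr -c 'A-Za-z0-9\n' ' '
}

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Compare two version-release strings and print -1, 0 or 1 (a<b, a=b, a>b).
# Rules implemented (a subset of rpmvercmp, enough for selinux-policy builds):
# numeric segments compare numerically, alphabetic ones lexically, a numeric
# segment outranks an alphabetic one, and a longer string whose prefix matches
# is the newer one. Tilde/caret handling is deliberately not implemented.
vr_cmp() {
  local a b ta tb
  a=$(tokens "$1"); b=$(tokens "$2")
  set -- $a                       # positional params now hold a's segments
  for tb in $b; do
    ta=$1
    if [ -z "$ta" ]; then echo -1; return; fi     # a ran out first: older
    shift
    [ "$ta" = "$tb" ] && continue
    if is_num "$ta" && is_num "$tb"; then
      if [ "$ta" -lt "$tb" ]; then echo -1; else echo 1; fi
    elif is_num "$ta"; then echo 1
    elif is_num "$tb"; then echo -1
    elif expr "$ta" \< "$tb" >/dev/null; then echo -1
    else echo 1
    fi
    return
  done
  if [ $# -gt 0 ]; then echo 1; else echo 0; fi   # leftover a segments: newer
}

# Exit 0 when the given installed version-release is older than the fixed build.
needs_update() { [ "$(vr_cmp "$1" "$FIXED_VR")" = -1 ]; }

# Spot-check file contexts the changelog says this build introduces.
# matchpathcon reads the installed policy's file_contexts, so this verifies the
# policy itself; the on-disk label of an already-existing file can still lag
# until restorecon runs. Exit 0 only if every path matches.
check_labels() {
  local rc=0 pair path want got
  for pair in /var/log/kdump.log:kdump_log_t /run/fsck:fsadm_var_run_t; do
    path=${pair%%:*}; want=${pair##*:}
    got=$(matchpathcon -n "$path" 2>/dev/null | cut -d: -f3)
    if [ "$got" = "$want" ]; then
      echo "ok   $path -> $got"
    else
      echo "MISS $path -> ${got:-?} (expected $want)"; rc=1
    fi
  done
  return $rc
}

# Live check, skipped on hosts without rpm or without the package installed.
if command -v rpm >/dev/null 2>&1 && rpm -q selinux-policy-targeted >/dev/null 2>&1; then
  inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy-targeted)
  if needs_update "$inst"; then
    echo "selinux-policy-targeted $inst is older than $FIXED_VR: apply ELBA-2023-3846"
  else
    echo "selinux-policy-targeted $inst is at or above $FIXED_VR"
    if command -v matchpathcon >/dev/null 2>&1; then check_labels || true; fi
  fi
fi
```

The ordering rule worth knowing here is that Oracle's release 117.0.1.el8_8.2 sorts after the upstream-style 117.el8_8.2, because in rpmvercmp the numeric segment "0" outranks the alphabetic segment "el"; a naive string comparison would get that backwards. After installing the update, compare `ls -Z /var/log/kdump.log` with the matchpathcon result and run `restorecon -v` on the path if the on-disk label has not been refreshed.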
Description of changes:
[3.14.3-117.0.1.2]
- Label /var/log/kdump.log with kdump_log_t [Orabug: 32911792]
- Allow tuned_t to manage information from the debugging filesystem [Orabug: 34685730]
- Allow kdumpctl_t to execmem [Orabug: 34712872]
- Allow svirt_t domain to mmap svirt_image_t character files [Orabug: 34314421]
- Allow tuned_t to read the process state of all domains [Orabug: 33520684]
- Allow initrc_t to manage pid files used by chronyd [Orabug: 33520623]
- Make import-state work with mls policy [Orabug: 32636699]
- Add map permission to lvm_t on lvm_metadata_t. [Orabug: 31405325]
- Add comment for map on lvm_metadata_t. [Orabug: 31405325]
- Make iscsiadm work with mls policy [Orabug: 32725411]
- Make cloud-init work with mls policy [Orabug: 32430460]
- Allow systemd-pstore to transfer files from /sys/fs/pstore [Orabug: 31594666]
- Make smartd work with mls policy [Orabug: 32430379]
- Allow sysadm_t to mmap modules_object_t files [Orabug: 32411855]
- Allow tuned_t to execute systemd_systemctl_exec_t files [Orabug: 32355342]
- Make logrotate work with mls policy [Orabug: 32343731]
- Add interface kernel_relabelfrom_usermodehelper() [Orabug: 31396031]
- Allow systemd_tmpfiles_t domain to relabel from usermodehelper_t files [Orabug: 31396031]
- Make udev work with mls policy [Orabug: 31405299]
- Make tuned work with mls policy [Orabug: 31396024]
- Make lsmd, rngd, and kdumpctl work with mls policy [Orabug: 31405378]
- Allow virt_domain to mmap virt_content_t files [Orabug: 30932671]
- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection [Orabug: 30537515]
- Enable policykit and sssd policy modules with minimum policy [Orabug: 29744511]
- Allow udev_t to load modules [Orabug: 28260775]
- Add vhost-scsi to be vhost_device_t type [Orabug: 27774921]
- Fix container selinux policy [Orabug: 26427364]
- Allow ocfs2_dlmfs to be mounted with ocfs2_dlmfs_t type. [Orabug: 13333429]
[3.14.3-117.2]
- Add support for the systemd-pstore service
Resolves: rhbz#2188268
- Add fs_delete_pstore_files() interface
Resolves: rhbz#2188268
- Add fs_read_pstore_files() interface
Resolves: rhbz#2188268
- Label /run/fsck with fsadm_var_run_t
Resolves: rhbz#2212328
[3.14.3-117]
- Fix opencryptoki file names in /dev/shm
Resolves: rhbz#2028637
- Allow system_cronjob_t transition to rpm_script_t
Resolves: rhbz#2154242
- Revert "Allow system_cronjob_t domtrans to rpm_script_t"
Resolves: rhbz#2154242
- Allow httpd work with tokens in /dev/shm
Resolves: rhbz#2028637
- Allow keepalived to set resource limits
Resolves: rhbz#2168638
- Allow insights-client manage fsadm pid files
[3.14.3-116]
- Allow sysadm_t run initrc_t script and sysadm_r role access
Resolves: rhbz#2039662
- Allow insights-client manage fsadm pid files
Resolves: rhbz#2166802
- Add journalctl the sys_resource capability
Resolves: rhbz#2136189
[3.14.3-115]
- Fix syntax problem in redis.te
Resolves: rhbz#2112228
- Allow unconfined user filetransition for sudo log files
Resolves: rhbz#2164047
- Allow winbind-rpcd make a TCP connection to the ldap port
Resolves: rhbz#2152642
- Allow winbind-rpcd manage samba_share_t files and dirs
Resolves: rhbz#2152642
- Allow insights-client work with su and lpstat
Resolves: rhbz#2134125
- Allow insights-client read nvme devices
Resolves: rhbz#2143878
- Allow insights-client tcp connect to all ports
Resolves: rhbz#2143878
- Allow redis-sentinel execute a notification script
Resolves: rhbz#2112228
[3.14.3-114]
- Add interfaces in domain, files, and unconfined modules
Resolves: rhbz#2141311
- Allow sysadm_t read/write ipmi devices
Resolves: rhbz#2148561
- Allow sudodomain use sudo.log as a logfile
Resolves: rhbz#2143762
- Add insights additional capabilities
Resolves: rhbz#2158779
- Allow insights client work with gluster and pcp
Resolves: rhbz#2141311
- Allow prosody manage its runtime socket files
Resolves: rhbz#2157902
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111
[3.14.3-113]
- Allow systemd-socket-proxyd get attributes of cgroup filesystems
Resolves: rhbz#2088441
- Allow systemd-socket-proxyd get filesystems attributes
Resolves: rhbz#2088441
- Allow sysadm read ipmi devices
Resolves: rhbz#2148561
- Allow system mail service read inherited certmonger runtime files
Resolves: rhbz#2143337
- Add lpr_roles to system_r roles
Resolves: rhbz#2151111
- Allow insights-client tcp connect to various ports
Resolves: rhbz#2151111
- Allow insights-client work with pcp and manage user config files
Resolves: rhbz#2151111
- Allow insights-client dbus chat with various services
Resolves: rhbz#2152867
- Allow insights-client dbus chat with abrt
Resolves: rhbz#2152867
- Allow redis get user names
Resolves: rhbz#2112228
- Add winbind-rpcd to samba_enable_home_dirs boolean
Resolves: rhbz#2143696
[3.14.3-112]
- Allow ipsec_t only read tpm devices
Resolves: rhbz#2147380
- Allow ipsec_t read/write tpm devices
Resolves: rhbz#2147380
- Label udf tools with fsadm_exec_t
Resolves: rhbz#1972230
- Allow the spamd_update_t domain get generic filesystem attributes
Resolves: rhbz#2144501
- Allow cdcc mmap dcc-client-map files
Resolves: rhbz#2144505
- Allow insights client communicate with cupsd, mysqld, openvswitch, redis
Resolves: rhbz#2143878
- Allow insights client read raw memory devices
Resolves: rhbz#2143878
- Allow winbind-rpcd get attributes of device and pty filesystems
Resolves: rhbz#2107106
- Allow postfix/smtpd read kerberos key table
Resolves: rhbz#1983308
[3.14.3-111]
- Add domain_unix_read_all_semaphores() interface
Resolves: rhbz#2141311
- Allow iptables list cgroup directories
Resolves: rhbz#2134820
- Allow systemd-hostnamed dbus chat with init scripts
Resolves: rhbz#2111632
- Allow systemd to read symlinks in /var/lib
Resolves: rhbz#2118784
- Allow insights-client domain transition on semanage execution
Resolves: rhbz#2141311
- Allow insights-client create gluster log dir with a transition
Resolves: rhbz#2141311
- Allow insights-client manage generic locks
Resolves: rhbz#2141311
- Allow insights-client unix_read all domain semaphores
Resolves: rhbz#2141311
- Allow winbind-rpcd use the terminal multiplexor
Resolves: rhbz#2107106
- Allow mrtg send mails
Resolves: rhbz#2103675
- Allow sssd dbus chat with system cronjobs
Resolves: rhbz#2132922
- Allow postfix/smtp and postfix/virtual read kerberos key table
Resolves: rhbz#1983308
[3.14.3-110]
- Add the systemd_connectto_socket_proxyd_unix_sockets() interface
Resolves: rhbz#208441
- Add the dev_map_vhost() interface
Resolves: rhbz#2122920
- Allow init remount all file_type filesystems
Resolves: rhbz#2122239
- Added policy for systemd-socket-proxyd
Resolves: rhbz#2088441
- Allow virt_domain map vhost devices
Resolves: rhbz#2122920
- Allow virt domains to access xserver devices
Resolves: rhbz#2122920
- Allow rotatelogs read httpd_log_t symlinks
Resolves: rhbz#2030633
- Allow vlock search the contents of the /dev/pts directory
Resolves: rhbz#2122838
- Allow system cronjobs dbus chat with setroubleshoot
Resolves: rhbz#2125008
- Allow ptp4l_t name_bind ptp_event_port_t
Resolves: rhbz#2130168
- Allow pcp_domain execute its private memfd: objects
Resolves: rhbz#2090711
- Allow samba-dcerpcd use NSCD services over a unix stream socket
Resolves: rhbz#2121709
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230
[3.14.3-109]
- Add the files_map_read_etc_files() interface
Resolves: rhbz#2132230
- Allow insights-client manage samba var dirs
Resolves: rhbz#2132230
- Allow insights-client send null signal to rpm and system cronjob
Resolves: rhbz#2132230
- Update rhcd policy for executing additional commands 4
Resolves: rhbz#2132230
- Allow insights-client connect to postgresql with a unix socket
Resolves: rhbz#2132230
- Allow insights-client domtrans on unix_chkpwd execution
Resolves: rhbz#2132230
- Add file context entries for insights-client and rhc
Resolves: rhbz#2132230
- Allow snmpd_t domain to trace processes in user namespace
Resolves: rhbz#2121084
- Allow sbd the sys_ptrace capability
Resolves: rhbz#2124552
- Allow pulseaudio create gnome content (~/.config)
Resolves: rhbz#2124387
A selinux-policy bug fix update has been released for Oracle Linux 8.