1003177 – SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1003177 - SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket

Summary: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-31 14:04 UTC by Vladislav Grigoryev
Modified:	2015-04-02 02:44 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.12.1-74.18.fc19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-02-17 21:07:27 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Vladislav Grigoryev 2013-08-31 14:04:17 UTC

Description of problem:
SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/opendkim to bind to network port 29735
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 29735

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that opendkim should be allowed name_bind access on the  udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep opendkim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dkim_milter_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ udp_socket ]
Source                        opendkim
Source Path                   /usr/sbin/opendkim
Port                          29735
Host                          srv6.kola.fad.ru
Source RPM Packages           opendkim-2.8.4-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     srv6.kola.fad.ru
Platform                      Linux srv6.kola.fad.ru 3.10.9-200.fc19.x86_64 #1
                              SMP Wed Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   3200
First Seen                    2013-07-29 20:30:23 MSK
Last Seen                     2013-08-31 17:40:10 MSK
Local ID                      e858d3de-30c9-4dcd-ad2f-0b03946eb17c

Raw Audit Messages
type=AVC msg=audit(1377956410.532:347): avc:  denied  { name_bind } for  pid=1009 comm="opendkim" src=29735 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1377956410.532:347): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f8dfc2466d0 a2=1c a3=7f8dfbffe6c4 items=0 ppid=1 pid=1009 auid=4294967295 uid=987 gid=986 euid=987 suid=987 fsuid=987 egid=986 sgid=986 fsgid=986 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Hash: opendkim,dkim_milter_t,unreserved_port_t,udp_socket,name_bind

Version-Release number of selected component (if applicable):
opendkim-2.8.4-1.fc19.x86_64
selinux-policy-3.12.1-73.fc19.noarch

How reproducible:
Always.

Comment 1 Vladislav Grigoryev 2013-09-18 04:59:09 UTC

I suppose 'name_bind' access to 'unreserved_port_t' for 'dkim_milter_t' is required to allow DKIM TXT records lookup to verify incoming emails signatures.

Comment 2 Lukas Vrabec 2013-09-18 11:08:58 UTC

Could you update selinux-policy package and try if problem still persists?

$ audit2allow -i avc 


#============= dkim_milter_t ==============

#!!!! This avc is allowed in the current policy
allow dkim_milter_t unreserved_port_t:udp_socket name_bind;

$ rpm -q selinux-policy
selinux-policy-3.12.1-74.4.fc19.noarch

Comment 3 Vladislav Grigoryev 2013-09-19 06:00:45 UTC

I've done full yum update and reboot the server.

# cat avc 
allow dkim_milter_t unreserved_port_t:udp_socket name_bind;

# audit2allow -i avc
Nothing to do

# rpm -q selinux-policy opendkim
selinux-policy-3.12.1-74.3.fc19.noarch
opendkim-2.8.4-1.fc19.x86_64

But setroubleshoot is still flooding to the log.
Some of the latest records:
# grep SELinux /var/log/messages | tail -n3
Sep 19 09:28:50 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
Sep 19 09:31:26 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
Sep 19 09:42:51 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c

Sealert details:
# sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/opendkim to bind to network port 64803
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 64803

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that opendkim should be allowed name_bind access on the  udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep opendkim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dkim_milter_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ udp_socket ]
Source                        opendkim
Source Path                   /usr/sbin/opendkim
Port                          64803
Host                          srv6.kola.fad.ru
Source RPM Packages           opendkim-2.8.4-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.3.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     srv6.kola.fad.ru
Platform                      Linux srv6.kola.fad.ru 3.10.11-200.fc19.x86_64 #1
                              SMP Mon Sep 9 13:03:01 UTC 2013 x86_64 x86_64
Alert Count                   5332
First Seen                    2013-07-29 20:30:23 MSK
Last Seen                     2013-09-19 09:55:45 MSK
Local ID                      e858d3de-30c9-4dcd-ad2f-0b03946eb17c

Raw Audit Messages
type=AVC msg=audit(1379570145.913:1085): avc:  denied  { name_bind } for  pid=2182 comm="opendkim" src=64803 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1379570145.913:1085): arch=x86_64 syscall=bind success=yes exit=0 a0=e a1=7f9e2c2876b0 a2=10 a3=7f9e3378a6cc items=0 ppid=1 pid=2182 auid=4294967295 uid=987 gid=986 euid=987 suid=987 fsuid=987 egid=986 sgid=986 fsgid=986 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Hash: opendkim,dkim_milter_t,unreserved_port_t,udp_socket,name_bind

Comment 4 Vladislav Grigoryev 2013-09-19 06:24:46 UTC

(In reply to Lukas Vrabec from comment #2)
> $ rpm -q selinux-policy
> selinux-policy-3.12.1-74.4.fc19.noarch

Looks like I should enable updates-testing repo.
Please wait, I'll try it again.

Comment 5 Vladislav Grigoryev 2013-09-19 08:59:01 UTC

Finally I have:
# rpm -q selinux-policy 
selinux-policy-3.12.1-74.4.fc19.noarch

But result is the same:
# grep SELinux /var/log/messages | tail -n1
Sep 19 12:34:39 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c

Comment 6 Miroslav Grepl 2013-09-25 19:32:36 UTC

So are you getting exactly the same AVC msg?

Comment 7 Vladislav Grigoryev 2013-09-26 04:57:15 UTC

(In reply to Miroslav Grepl from comment #6)
> So are you getting exactly the same AVC msg?
Yes, excluding timestamp and other random unreserved UDP port.

# grep SELinux.*dkim /var/log/messages | tail -n3
Sep 26 07:58:14 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
Sep 26 08:12:12 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
Sep 26 08:25:08 srv6 setroubleshoot: SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket . For complete SELinux messages. run sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c

# sealert -l e858d3de-30c9-4dcd-ad2f-0b03946eb17c
SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/opendkim to bind to network port 23467
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 23467

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that opendkim should be allowed name_bind access on the  udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep opendkim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dkim_milter_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ udp_socket ]
Source                        opendkim
Source Path                   /usr/sbin/opendkim
Port                          23467
Host                          srv6.kola.fad.ru
Source RPM Packages           opendkim-2.8.4-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     srv6.kola.fad.ru
Platform                      Linux srv6.kola.fad.ru 3.10.11-200.fc19.x86_64 #1
                              SMP Mon Sep 9 13:03:01 UTC 2013 x86_64 x86_64
Alert Count                   6161
First Seen                    2013-07-29 20:30:23 MSK
Last Seen                     2013-09-26 08:40:10 MSK
Local ID                      e858d3de-30c9-4dcd-ad2f-0b03946eb17c

Raw Audit Messages
type=AVC msg=audit(1380170410.449:9862): avc:  denied  { name_bind } for  pid=1071 comm="opendkim" src=23467 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1380170410.449:9862): arch=x86_64 syscall=bind success=yes exit=0 a0=a a1=7f7b7c072a00 a2=1c a3=7f7b80c906c4 items=0 ppid=1 pid=1071 auid=4294967295 uid=987 gid=986 euid=987 suid=987 fsuid=987 egid=986 sgid=986 fsgid=986 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Hash: opendkim,dkim_milter_t,unreserved_port_t,udp_socket,name_bind

Comment 8 Fedora Update System 2013-09-26 09:42:04 UTC

selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19

Comment 9 Fedora Update System 2013-09-27 00:47:04 UTC

Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-09-30 00:34:26 UTC

selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Michael Cronenworth 2013-11-18 18:36:15 UTC

This is not fixed.

$ rpm -q selinux-policy
selinux-policy-3.12.1-74.12.fc19.noarch

type=AVC msg=audit(1384798087.49:43344): avc:  denied  { name_bind } for  pid=3373 comm="opendkim" src=64003 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:traceroute_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1384798087.49:43344): arch=x86_64 syscall=bind success=no exit=EACCES a0=12 a1=7fe54406df70 a2=10 a3=7fe5494c56dc items=0 ppid=1 pid=3373 auid=4294967295 uid=109 gid=108 euid=109 suid=109 fsuid=109 egid=108 sgid=108 fsgid=108 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)


type=AVC msg=audit(1384798087.49:43345): avc:  denied  { name_bind } for  pid=3373 comm="opendkim" src=12137 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1384798087.49:43345): arch=x86_64 syscall=bind success=no exit=EACCES a0=12 a1=7fe54406df70 a2=10 a3=7fe5494c56dc items=0 ppid=1 pid=3373 auid=4294967295 uid=109 gid=108 euid=109 suid=109 fsuid=109 egid=108 sgid=108 fsgid=108 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Comment 12 Edward Kuns 2013-11-21 22:59:27 UTC

I agree that this is not fixed:

$ rpm -q selinux-policy
selinux-policy-3.12.1-74.13.fc19.noarch

type=AVC msg=audit(1385074343.789:1229): avc:  denied  { name_bind } for  pid=3188 comm="opendkim" src=9369 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1385074343.789:1229): arch=x86_64 syscall=bind success=no exit=EACCES a0=d a1=7f922c064180 a2=10 a3=7f923304c6dc items=0 ppid=1 pid=3188 auid=4294967295 uid=977 gid=972 euid=977 suid=977 fsuid=977 egid=972 sgid=972 fsgid=972 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Hash: opendkim,dkim_milter_t,unreserved_port_t,udp_socket,name_bind

Comment 13 Vladislav Grigoryev 2013-11-22 04:07:29 UTC

(In reply to Edward Kuns from comment #12)
> I agree that this is not fixed:
Confirm.

# LANG=C sealert -l e2a7ea78-1c2c-4f72-b6fc-53f47af5a6e2
SELinux is preventing /usr/sbin/opendkim from name_bind access on the udp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/sbin/opendkim to bind to network port 17268
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 17268

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that opendkim should be allowed name_bind access on the  udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep opendkim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dkim_milter_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ udp_socket ]
Source                        opendkim
Source Path                   /usr/sbin/opendkim
Port                          17268
Host                          srv6.kola.fad.ru
Source RPM Packages           opendkim-2.8.4-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.13.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     srv6.kola.fad.ru
Platform                      Linux srv6.kola.fad.ru 3.11.8-200.fc19.x86_64 #1
                              SMP Wed Nov 13 16:29:59 UTC 2013 x86_64 x86_64
Alert Count                   6219
First Seen                    2013-10-04 08:45:18 MSK
Last Seen                     2013-11-22 07:36:43 MSK
Local ID                      e2a7ea78-1c2c-4f72-b6fc-53f47af5a6e2

Raw Audit Messages
type=AVC msg=audit(1385091403.722:996): avc:  denied  { name_bind } for  pid=1555 comm="opendkim" src=17268 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1385091403.722:996): arch=x86_64 syscall=bind success=yes exit=0 a0=d a1=7f9c5c2877f0 a2=1c a3=7f9c6098b6d4 items=0 ppid=1 pid=1555 auid=4294967295 uid=987 gid=986 euid=987 suid=987 fsuid=987 egid=986 sgid=986 fsgid=986 ses=4294967295 tty=(none) comm=opendkim exe=/usr/sbin/opendkim subj=system_u:system_r:dkim_milter_t:s0 key=(null)

Hash: opendkim,dkim_milter_t,unreserved_port_t,udp_socket,name_bind

Comment 14 Michael Cronenworth 2013-12-04 19:13:27 UTC

Any update on this?

Comment 15 Miroslav Grepl 2013-12-05 08:11:20 UTC

Does opendkim use random ports? Do you have NIS enabled?

Comment 16 Michael Cronenworth 2013-12-05 15:20:49 UTC

Miroslav, see comment #1. Yes, they would be random, but OpenDKIM is not listening on these ports. No, this has nothing to do with NIS. The note in sealert is a false positive.

Comment 17 Edward Kuns 2013-12-05 16:19:42 UTC

I also do not have NIS enabled.  The ports complained about appear to be outgoing ports (?), not ones it is listening on.  I have it listening on whatever the default is.  I have not changed that.

Comment 18 Daniel Walsh 2013-12-05 17:03:59 UTC

I would just allow it to bind to all udp ports.

Comment 19 Miroslav Grepl 2013-12-06 11:47:55 UTC

(In reply to Michael Cronenworth from comment #16)
> Miroslav, see comment #1. Yes, they would be random, but OpenDKIM is not
> listening on these ports. No, this has nothing to do with NIS. The note in
> sealert is a false positive.

Yeap, I overlooked it. Thx.

Comment 20 Edward Kuns 2014-01-18 19:28:26 UTC

What do we need to do to progress this?  Do we just need to figure out the correct change to selinux policy?

Comment 21 Matt Domsch 2014-01-20 04:38:03 UTC

On EL6, I found I also needed this change with opendkim-2.9.0-2.el6.i686:


module opendkim 1.0;

require {
        type dkim_milter_t;
        class process signull;
}

#============= dkim_milter_t ==============
# src="dkim_milter_t" tgt="dkim_milter_t" class="process", perms="signull"
# comm="opendkim" exe="" path=""
allow dkim_milter_t self:process signull;


due to these:
type=AVC msg=audit(1390189131.016:48625): avc:  denied  { signull } for  pid=17318 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=process
type=SYSCALL msg=audit(1390189131.016:48625): arch=40000003 syscall=270 success=no exit=-13 a0=43a6 a1=43ad a2=0 a3=b5800758 items=0 ppid=1 pid=17318 auid=500 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4301 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

Comment 22 Miroslav Grepl 2014-01-20 09:26:24 UTC

I added fixes.

Comment 23 Fedora Update System 2014-02-11 22:09:35 UTC

selinux-policy-3.12.1-74.18.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.18.fc19

Comment 24 Fedora Update System 2014-02-12 14:49:29 UTC

Package selinux-policy-3.12.1-74.18.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.18.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2409/selinux-policy-3.12.1-74.18.fc19
then log in and leave karma (feedback).

Comment 25 Fedora Update System 2014-02-17 21:07:27 UTC

selinux-policy-3.12.1-74.18.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Steve Jenkins 2015-03-30 15:24:26 UTC

This is a year old, and I'm assuming it's fixed, since there's been no more chatter.

Commenting here just to clear my needinfo = ? flag.

Comment 27 Matt Domsch 2015-04-01 20:26:39 UTC

It's not fixed on EL6, but it may be fixed in Fedora.

Comment 28 Steve Jenkins 2015-04-02 02:44:54 UTC

Thanks, Matt.

Since EOL for EL6 is still a ways out, do you think it's worth trying to nudge the SELinux guys into taking another crack at it (and I'm assuming it's no bueno for EL5, as well)?

Note You need to log in before you can comment on or make changes to this bug.