This article applies to BoKS Manager 6.7.0 and 6.7.1.

Description

A number of SELinux denials have been identified, some of which prevent BoKS from operating normally.


Resolution / Workaround

Apply hotfix HFBM-0098, available for download from the HelpSystems Community Portal.

This hotfix adds additional rules to the BoKS SELinux policy.

It improves BoKS 6.7.0 with hotfixes HFBM-0038 andHFBM-0061 installed in the following ways (see below for 6.7.1):

Module boks_ftpd.pp:

  • Improved support for SecurID.
  • Improved support for offline mode.

Module boks_kslog.pp:

  • Allow processes running in the initrc_t domain to be keystroke logged.
  • Improved support for sssd.
  • Improved support for Kerberos.
  • Various minor fixes.

Module boks_login.pp:

  • Improved support for SecurID.
  • Improved support for offline mode.
  • Various fixes to make the r-tools work more reliably.

Module boks_sshd.pp:

  • Improved support for SecurID.

Module boks_suexec.pp:

  • Allow processes running in the initrc_t domain to run suexec.
  • Improved support for SecurID.
  • Improved support for sssd.
  • Improved support for Kerberos.
  • Various minor fixes.

Module boks_xdm.pp:

  • Improved support for offline mode.

boks_clntd, offlinepsw:

  • Attempt to fix a difficult-to-reproduce problem with updating /etc/passwd and /etc/shadow when SELinux is disabled.

BoKS 6.7.1 already includes most of the above fixes, but this hotfix adds a couple:

boks_kslog.pp:

  • Allow processes running in initrc_t to be keystroke logged.
  • Improved support for Kerberos.

boks_suexec.pp:

  • Allow processes running in initrc_t to run suexec.
  • Improved support for Kerberos.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 25, 2018