1.136. selinux-policy

1.136.1. RHBA-2011:0026: selinux-policy bug fix and enhancement update

Updated selinux-policy packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated packages provide fixes for the following bugs:
BZ#477103
When a user upgraded from Red Hat Enterprise Linux 4 Workstation to Red Hat Enterprise Linux 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux enabled. This was because the Red Hat Enterprise Linux build of OpenOffice.org uses a library whose SELinux file context was wrong, and as a result SELinux prevented the suite from loading any shared libraries, causing it to fail. With this update, the SELinux file context has been corrected, and OpenOffice.org no longer fails.
BZ#514506
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to textrel_shlib_t, so that the library can now be loaded as expected.
BZ#525859
When a Samba server (smbd) attempted to access the content of the /var/lib/mysql/ directory, SELinux denied the access and reported the denial in the audit log. This access is not necessary for Samba to work properly, so with this update the corresponding dontaudit rules have been added: the access remains denied, but the denial is no longer logged.
BZ#533500
Various SELinux policy issues were discovered by a customer during the configuration of Red Hat Enterprise Linux 5 hosts. These updated packages include several SELinux rules that resolve these issues.
BZ#551380
With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.
BZ#570481
Previously, the httpd_can_network_connect_db boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This has been fixed: the boolean has been extended, and the policy now defines the MSSQL port type, so that enabling the boolean also permits connections to that port.
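Booleans such as httpd_can_network_connect_db only work when the destination port is labeled with a port type the boolean's rules refer to, which is why this fix also had to define the MSSQL port. As an added example (not part of the errata or the selinux-policy package), the following shell functions show how an administrator would check which port type covers a database port before relying on the boolean. port_type_for parses the layout of semanage port -l (type, protocol, comma-separated ports and ranges); the sample output and the type names in it are constructed for the demonstration, and label_port_cmds is a hypothetical helper that prints the commands to run when a port turns out to be unlabeled.

```shell
#!/bin/sh
# Added example: resolve which SELinux port type covers a given port.
# Not code from the errata; it parses the output format of `semanage port -l`.

# port_type_for PROTO PORT: reads `semanage port -l` output on stdin, prints
# the owning port type and exits 0, or exits 1 if the port is unlabeled.
port_type_for() {
  awk -v proto="$1" -v port="$2" '
    BEGIN { port = port + 0 }
    $2 == proto {                          # header and blank lines never match
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)           # strip the trailing comma of each entry
        if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else                        { lo = p + 0;    hi = lo }
        if (port >= lo && port <= hi) { print $1; found = 1; exit }
      }
    }
    END { if (!found) exit 1 }'
}

# Constructed sample in the `semanage port -l` layout; the types and numbers
# are illustrative, not copied from a specific policy build.
sample_ports() {
  cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
mssql_port_t                   tcp      1433-1434
mysqld_port_t                  tcp      1186, 3306
EOF
}

# label_port_cmds TYPE PROTO PORT: hypothetical helper that prints what an
# admin would run for an unlabeled database port, then enables the boolean.
label_port_cmds() {
  printf '%s\n' "semanage port -a -t $1 -p $2 $3"
  printf '%s\n' "setsebool -P httpd_can_network_connect_db on"
}

# Stand-alone demonstration against the constructed sample.
sample_ports | port_type_for tcp 1434 || echo "tcp/1434 is not labeled"
sample_ports | port_type_for tcp 9999 || label_port_cmds mssql_port_t tcp 9999
```

On a live system, feed the real listing with semanage port -l | port_type_for tcp 1433. A port that maps to no type (or to the wrong one) is the usual reason a boolean that "should" permit a connection still produces a name_connect denial; labeling the port with semanage port is the narrow fix, whereas switching on httpd_can_network_connect opens every port and should be a last resort.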
BZ#571319
When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.
BZ#575203
When SELinux was enabled, an attempt to generate a key pair from an init script using the following command failed with an error:
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
These updated selinux-policy packages provide corrected SELinux rules that allow the ssh_keygen_t domain to search the content of the /root/.ssh/ directory, so that the key pair creation no longer fails.
BZ#576059
Due to an incorrect SELinux policy, an attempt to connect to VPN from NetworkManager could fail. With this update, the relevant policy has been corrected, and such connections can now be established as expected.
BZ#578187
A new version of Berkeley Internet Name Domain (BIND) required various additional changes in SELinux policy. These updated packages introduce the adjusted SELinux rules, and add the SELinux context for the /var/named/data/ and /var/named/slaves/ directories.
BZ#579105
When the httpd service was configured to use the mod_auth_pam module with winbind, users were denied access, even though the allow_httpd_mod_auth_pam and httpd_can_network_connect booleans were set to on. With this update, allow_httpd_mod_auth_pam has been corrected, and users are no longer denied access with this configuration.
BZ#579497
After upgrading to Red Hat Enterprise Linux 5.5, the Xen hypervisor was unable to auto-start domains linked to in the /etc/xen/auto/ directory. This was caused by the default Red Hat Enterprise Linux 5.5 SELinux policy preventing the xm daemon from reading symbolic links in the /etc/xen/auto/ directory, with the result that the xm daemon could not start virtual guests. These updated selinux-policy packages contain an updated SELinux policy that allows the xm daemon to correctly read the symbolic links in /etc/xen/auto/. The xm service is now able to auto-start virtual guests upon system startup.
BZ#579547
When SELinux was running in the permissive mode and the snmpd service attempted to access removable devices, AVC denial messages for this access were written to the audit log (in permissive mode the access itself is not blocked, only logged). Since this access is not necessary for snmpd to work properly, appropriate dontaudit rules have been added so that these denials are no longer logged.
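Several entries in this update (BZ#525859, BZ#571319, BZ#579547) are about AVC denials that were either granted with an allow rule or silenced with a dontaudit rule. The following shell functions, added here as an example and not taken from the errata or the selinux-policy package, show the triage an administrator does before choosing between the two: collapse the audit log into distinct (source type, target type, class, permissions) tuples with counts, then turn the tuples into candidate TE rules. The helper names are this example's own, and the audit records are constructed in the RHEL 5 audit.log layout with made-up pids, inodes and timestamps.

```shell
#!/bin/sh
# Added example: summarize AVC denials and turn them into candidate policy rules.
# Not code from the errata or the selinux-policy package.

# avc_summary: reads audit records on stdin, prints one line per distinct
# "<source type> <target type> <class> { perms }" prefixed by an occurrence count.
avc_summary() {
  awk '
    /avc: *denied/ {
      perms = ""
      if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n[s " " t " " c " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# avc_rules allow|dontaudit: converts avc_summary output into TE rules.
# A dontaudit rule only silences the log entry; the access stays denied.
avc_rules() {
  awk -v kind="$1" '{
    perms = $5; for (i = 6; i <= NF; i++) perms = perms " " $i
    print kind " " $2 " " $3 ":" $4 " " perms ";"
  }'
}

# Constructed sample records (pids, inodes and timestamps are made up).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1291378800.101:201): avc:  denied  { read } for  pid=2311 comm="snmpd" name="sda" dev=tmpfs ino=1024 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC msg=audit(1291378800.102:202): avc:  denied  { read } for  pid=2311 comm="snmpd" name="sdb" dev=tmpfs ino=1025 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
type=AVC msg=audit(1291378811.300:203): avc:  denied  { search } for  pid=2504 comm="smbd" name="mysql" dev=dm-0 ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1291378900.450:204): avc:  denied  { name_connect } for  pid=2610 comm="spamd" dest=783 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
EOF
}

demo_summary() { sample_avc | avc_summary; }
demo_rules()   { sample_avc | avc_summary | avc_rules dontaudit; }

demo_summary
demo_rules
```

The counts tell you which tuple is noise (the repeated snmpd read of a removable device, which the daemon does not need) and which is a real requirement (spamd connecting to its port). Write the noise as dontaudit and the requirement as allow; audit2allow -M local, fed the same records, wraps the rules in a policy module with the require block that semodule -i local.pp needs. Remember that a dontaudit rule hides the denial from future troubleshooting, so keep the list of what you silenced, and re-enable auditing of those rules (semodule -DB on releases whose semodule supports the -D flag) when a confined service misbehaves.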
BZ#582613
Due to missing SELinux policy rules, sVirt, an integrated solution for securing Linux-based virtualization using SELinux, was not fully supported. With this update, relevant sVirt policy rules have been included in the selinux-policy packages to provide this support.
BZ#584447
Prior to this update, SELinux had no policy for Piranha, a set of tools to administer and configure the Linux Virtual Server together with its heartbeat and failover components. Consequently, users of Piranha with SELinux running in the enforcing mode could encounter various issues. With this update, a new SELinux policy for these tools has been added, resolving these issues.
BZ#588902
Due to an error in the SELinux rules, when SELinux was running in the enforcing mode, a dead cluster node could not be fenced, leaving rgmanager unable to migrate a resource. The relevant SELinux rules have been updated; such a node is now fenced as expected, and rgmanager can migrate the resource.
BZ#591975
During an Openswan connection, SELinux denied access to a socket, and the corresponding AVC messages were written to the audit log. With this update, a patch has been applied that adds the required SELinux rules, so that SELinux no longer denies this access.
BZ#592752
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.
BZ#592805
Due to an error in SELinux rules, the vsftpd daemon may have been unable to write to a file or create a directory inside ~/public_html/, reporting the following error message:
550 Create directory operation failed.
This update fixes the SELinux rules, and vsftpd now works as expected.
BZ#593139
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:
Starting system logger: Fatal: no entropy gathering module detected
With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
BZ#598646
When a system was configured to use winbind for authentication using the winbind refresh tickets = true configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
BZ#612823
When SELinux was running in the enforcing mode, the snmpd daemon was incorrectly denied access to the /var/net-snmp/snmpd.conf configuration file. With this update, the SELinux context for the /var/net-snmp/ directory has been corrected.
BZ#613551
Recently, the OpenAIS Standards-Based Cluster Framework, an open implementation of the Application Interface Specification (AIS), started using POSIX semaphores instead of the SysV semaphores. With this update, relevant SELinux rules have been adjusted to reflect this change.
BZ#614796
With SELinux running in the enforcing mode, an attempt to start the qpidd service while aisexec was already running failed, and the following error message was written to qpidd.log:
Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)
This was caused by SELinux incorrectly denying qpidd access to OpenAIS. This update corrects the SELinux policy, resolving this issue.
BZ#616793
Previously, the /etc/oddjobd.conf configuration file for the oddjobd service could not be carried unchanged between architectures. To resolve this issue, the proper SELinux file context for the oddjob libraries has been added, so that the configuration file now works on every architecture as expected.
BZ#617763
Prior to this update, the xm_t domain was not allowed to search directories with the autofs_t security context. Consequent to this, virtual machines could not be stored on automatically mounted file systems. With this update, the SELinux rules have been adjusted to permit such search, so that the virtual machines can now be stored on an automatically mounted file system as expected.
BZ#621057
The SELinux policy for rpc.quotad has been adjusted in order to make it work properly.
BZ#621885
Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to textrel_shlib_t.
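Both BZ#514506 and BZ#621885 resolve the same class of denial: a shared library that still contains text relocations (it was not built position-independent) needs execmod on its own mapping, and the scoped way to grant that is the textrel_shlib_t file type rather than the global allow_execmod boolean. The shell functions below are added here as an example and are not code from the errata or the selinux-policy package; has_textrel reads readelf -d output, textrel_fix_cmds prints the semanage fcontext and restorecon commands for one library or for every .so under a directory, and check_and_fix is a hypothetical wrapper that combines the two on a real file. The readelf excerpts at the end are constructed so the example runs offline.

```shell
#!/bin/sh
# Added example: detect a shared library that needs text relocations and
# produce a scoped textrel_shlib_t labeling for it. Not code from the errata.

# has_textrel: reads `readelf -d LIB` output on stdin; exits 0 if the dynamic
# section carries a TEXTREL entry or the TEXTREL bit in its FLAGS entry.
has_textrel() {
  grep -q 'TEXTREL'
}

# textrel_fix_cmds PATH: print the semanage/restorecon commands that label one
# library (or every .so under a directory) textrel_shlib_t. Regex metacharacters
# in the path are escaped because semanage fcontext takes a regular expression.
textrel_fix_cmds() {
  path=$1
  esc=$(printf '%s' "$path" | sed 's/[.+]/\\&/g')
  if [ -d "$path" ]; then
    printf '%s\n' "semanage fcontext -a -t textrel_shlib_t '$esc/.*\\.so(\\.[0-9]+)*'"
  else
    printf '%s\n' "semanage fcontext -a -t textrel_shlib_t '$esc'"
  fi
  printf '%s\n' "restorecon -R -v '$path'"
}

# check_and_fix LIB: hypothetical wrapper for a real file when readelf is installed.
check_and_fix() {
  if readelf -d "$1" 2>/dev/null | has_textrel; then
    textrel_fix_cmds "$1"
  else
    printf '%s\n' "$1: no TEXTREL, keep the default lib_t label" >&2
    return 1
  fi
}

# Constructed `readelf -d` excerpts (offsets made up) for an offline demonstration.
sample_textrel()    { printf ' 0x%016x (TEXTREL)            0x0\n' 22; }
sample_no_textrel() { printf ' 0x%016x (NEEDED)             Shared library: [libc.so.6]\n' 1; }

sample_textrel | has_textrel && textrel_fix_cmds /usr/lib/libnnz11.so
```

Check the result with ls -Z on the library: it should show textrel_shlib_t, and the execmod denial for that file should stop without any change to allow_execmod. Treat the label as an exception that documents a vendor library you cannot rebuild; a library you do build yourself should be compiled with -fPIC instead, because a writable-then-executable mapping is exactly the primitive that the execmod check exists to deny.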
BZ#625498
The ftpd_selinux manual page describes how to allow FTP servers to read from and write to the /var/ftp/incoming/ directory. However, these instructions contained an error, and running the restorecon command with the recommended command line options did not produce the expected results. With this update, the manual page has been corrected, and no longer contains misleading information.
BZ#626858
The SELinux policy has been updated to reflect the latest changes in the hplip (Hewlett-Packard Linux Imaging and Printing Project) packages.
BZ#633705
With SELinux running in the enforcing mode, using the postfix set-permissions command failed with the following error message:
/etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied
With this update, the postfix_domtrans_master(unconfined_t) transition has been removed, and the above command no longer fails to run.
BZ#633901
Due to an incorrect SELinux policy, the aisexec service was unable to use shared memory segments as an unprivileged user. This error has been fixed, the relevant SELinux policy has been corrected, and aisexec now works as expected.
BZ#637843
Prior to this update, several AVC messages were written to the audit log when Sendmail leaked file descriptors (descriptors inherited across a domain transition). The SELinux policy has been corrected to stop auditing these leaks, and the events are no longer logged.
BZ#639259
Due to a duplicate file context specification in the SELinux policy, messages similar to the following could be written to the /var/log/messages log file:
restorecon: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/NetworkManager/dispatcher\.d(/.*).
These updated packages remove the duplicate entry, and the above message no longer appears in the log.
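The "Multiple same specifications" message is libselinux complaining that one regular expression appears twice in the compiled file_contexts with the same context; the same root cause on an administered system is usually a semanage fcontext -a that repeats a regex the base policy already ships. The shell function below, added here as an example and not part of the errata, finds such duplicates in any file in file_contexts format and also flags the worse case where the two entries disagree on the context. The sample lines are constructed, and the contexts in their last column are illustrative rather than a policy's actual labels.

```shell
#!/bin/sh
# Added example: find the duplicate entries behind restorecon's
# "Multiple same specifications" message. Not code from the errata.

# fc_duplicates: reads file_contexts-format lines on stdin (regex, optional
# -d/--/-l qualifier, context) and prints "same REGEX" when a regex occurs more
# than once with one context, "different REGEX" when the contexts disagree.
# The qualifier is ignored, so two entries that differ only in their qualifier
# are reported here even though libselinux accepts them.
fc_duplicates() {
  awk '
    !/^[[:space:]]*(#|$)/ {
      re = $1; ctx = $NF
      n[re]++
      if (!(re in first)) first[re] = ctx
      else if (first[re] != ctx) diff[re] = 1
    }
    END {
      for (re in n) if (n[re] > 1)
        print (re in diff ? "different" : "same"), re
    }' | sort
}

# Constructed sample; contexts are illustrative, not a policy's real labels.
sample_fc() {
  cat <<'EOF'
# constructed file_contexts excerpt
/etc/NetworkManager/dispatcher\.d(/.*)?  system_u:object_r:bin_t:s0
/var/named/data(/.*)?                    system_u:object_r:named_cache_t:s0
/etc/NetworkManager/dispatcher\.d(/.*)?  system_u:object_r:bin_t:s0
/usr/lib/libnnz11\.so                    system_u:object_r:lib_t:s0
/usr/lib/libnnz11\.so                    system_u:object_r:textrel_shlib_t:s0
EOF
}

demo_fc() { sample_fc | fc_duplicates; }

demo_fc
```

Run it as cat /etc/selinux/targeted/contexts/files/file_contexts /etc/selinux/targeted/contexts/files/file_contexts.local | fc_duplicates to see whether a local customization collides with the shipped policy; a "same" hit added locally is removed with semanage fcontext -d, and a "different" hit means two entries are racing for the same paths and restorecon's result depends on which one wins, so resolve it before relabeling.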
BZ#641872
All selinux-policy subpackages now provide versioned selinux-policy-base.
BZ#643824
When using SELinux in the enforcing mode, the Postfix services were unable to retrieve information about the network state. With this update, the SELinux rules have been updated to allow the required access.
BZ#644276
With SELinux running in the enforcing mode, using a pass-through PCI device with sVirt rendered KVM (Kernel-based Virtual Machine) unable to start a virtual machine. With this update, the virt_use_sysfs boolean has been updated to resolve this issue, and virtual machines no longer fail to start.
BZ#644333
Under certain circumstances, SELinux reported that the Internet Protocol Security (IPsec) management tools required read access to the content of a user's home directory. An appropriate SELinux rule has been added, and this denial no longer occurs.
BZ#646731
Due to an error in an SELinux policy, the system-config-printer utility could terminate unexpectedly with the following message written to the standard error:
ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings
To resolve this issue, relevant SELinux rules have been corrected, so that the system-config-printer utility no longer crashes.
BZ#646801
By setting the fail_action option to halt, the audisp-remote plug-in can be configured to shut down the system when an error is reported. However, consequent to an error in the SELinux rules, when a network connection failed, SELinux incorrectly denied the halt action. With this update, the SELinux rules have been corrected, and audisp-remote is now allowed to shut down the system as expected.
BZ#649492
With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
BZ#649691
Prior to this update, performing certain iscsiadm actions could cause AVC messages to be written to the audit log. With this update, the SELinux rules have been corrected to address this issue.
BZ#650141
Previously, SELinux prevented the winbindd service from connecting to MS-RPC. This has been fixed, appropriate SELinux rules have been added, and winbindd is now allowed to establish a connection with MS-RPC as expected.
BZ#652074
Under certain circumstances, a system may have been unable to automatically load certain kernel modules at boot time. When this happened, network interfaces were not brought up during boot and had to be started manually. With this update, several rules have been added to the SELinux MLS (Multilevel Security) policy to allow the use of shared memory, resolving this issue.
BZ#652199
With SELinux enabled, the winbindd service was unable to connect to TCP port 135 (the MS-RPC endpoint mapper). This has been fixed, and relevant SELinux rules have been added to allow such connections.
BZ#652644
Due to an error in the SELinux policy, SELinux prevented the qemu-kvm command from accessing HugeTLBfs devices. This update corrects the SELinux rules to allow this access.
BZ#652660
Previously, running the sa1 command from the sysstat package caused various denial messages to be written in the audit log. This update addresses this issue, and the above command now works as expected.
BZ#656255
With SELinux enabled, an attempt to run the run_init command in single user mode failed with the following error message:
sh: /usr/sbin/run_init: permission denied
This update adds SELinux rules to address this issue, and the run_init command no longer fails to run.
BZ#656290
When SELinux was running in the enforcing mode, the SELinux MLS policy did not allow udevmonitor to create a socket. As a result, an attempt to run this command in single user mode failed with the following error message:
error getting socket: Permission denied
With this update, the SELinux policy has been fixed to permit the creation of such socket, and udevmonitor can now be run as expected.
BZ#656809
Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at boot time:
/dev/mapper/control: open failed: Permission denied
Failure to communicate with kernel device-mapper driver.
With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
BZ#657262
Previously, the SELinux MLS policy prevented the udevinfo command from producing the expected results. This update fixes the relevant policy, so that the command no longer fails.
BZ#657268
Due to the SELinux MLS policy, the udevcontrol command failed to run, and a denial message was written to the audit log. With this update, this issue has been resolved, and SELinux no longer prevents udevcontrol from running.
BZ#657271
With the SELinux MLS policy enabled, running the semodule command could cause various AVC messages to be written to the log. This error has been fixed, and semodule no longer causes such messages to appear.
BZ#657365
Due to an error in the SELinux MLS policy, running the run_init service cpuspeed start command in single user mode caused an AVC message to appear in the audit log. With this update, the SELinux MLS policy has been corrected, so that the above command works as expected.
BZ#658145
Due to an error in an SELinux policy, pre-installation and post-installation scripts in RPM packages were unable to write to a pipe. This has been fixed, and SELinux no longer prevents these scripts from performing their work.
BZ#658436
When the snmpd service attempted to change the user identifier (UID) or group identifier (GID), SELinux denied this action, and an appropriate message was written to the audit log. These updated selinux-policy packages provide corrected SELinux rules that permit this operation, and SELinux no longer prevents snmpd from changing the user and group identifier.
BZ#659372
Previously, running the vbetool utility could cause AVC messages to be written to the audit log. With this update, the SELinux policy has been updated to address this issue, and such messages no longer appear.
BZ#659777
An updated SELinux rule for the consoletype command has been backported from Red Hat Enterprise Linux 6.
BZ#661368
Prior to this update, the SELinux MLS policy prevented modprobe from reading an SHM (shared memory) object. This update corrects the SELinux policy, and modprobe now works as expected.
In addition, these updated packages add the following enhancement:
BZ#637182
The httpd_setrlimit boolean has been added; when enabled, it allows the httpd service to change its own resource limits via setrlimit, in particular the maximum number of open file descriptors.
All users of selinux-policy are advised to upgrade to these updated packages, which resolve these issues, and add this enhancement.

1.136.2. RHBA-2010:0832: bug fix update

Updated selinux-policy packages that resolve an issue are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
This update fixes the following bug:
* Due to incorrect SELinux policy, cmirror was unable to start properly, and as a result, cluster mirrors could not be started at all. This error has been fixed, and SELinux no longer prevents cluster mirrors from being started. (BZ#644821)
All users of selinux-policy are advised to upgrade to these updated packages, which resolve this issue.

1.136.3. RHBA-2010:0561: bug fix update

Updated selinux-policy packages that resolve an issue are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages fix the following bug:
* After upgrading to Red Hat Enterprise Linux 5.5, the Xen hypervisor was unable to auto-start domains linked to in the /etc/xen/auto/ directory. This was caused by the default Red Hat Enterprise Linux 5.5 SELinux policy preventing the xm daemon from reading the symlinks in the /etc/xen/auto directory, with the result that the xm daemon could not start the virtual guests. These updated selinux-policy packages contain an updated SELinux policy that allows the xm daemon to correctly read the symbolic links in /etc/xen/auto. The xm service is now able to auto-start virtual guests upon system startup. (BZ#617169)
All users of selinux-policy are advised to upgrade to these updated packages, which resolve this issue.