1.156. selinux-policy

1.156.1. RHBA-2011:1069: selinux-policy bug fix and enhancement update

Updated selinux-policy packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 5.

Important

This update was released as errata RHBA-2011:1069 — selinux-policy bug fix and enhancement update.
The selinux-policy packages contain the rules that govern how confined processes run on the system.

Bug Fixes:

BZ#610812
Due to an incorrect SELinux policy, SELinux did not allow FreeRADIUS to disable storing core dump files upon a failure. This update applies a backported patch that addresses this issue, and FreeRADIUS can now be configured not to create core dumps as expected.
BZ#632573
Previously, when a leaked file descriptor was detected during a system update, an Access Vector Cache (AVC) message was written to the audit log. With this update, the relevant SELinux policy has been added to prevent SELinux from reporting file descriptors leaked during a system update.
BZ#651609
When running in enforcing mode, SELinux did not allow the clustat utility to bind to a reserved port. This update adapts the SELinux rules to permit such a connection, so that clustat is now able to bind to the required port as expected.
BZ#657571
Prior to this update, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the modprobe utility from sending the SIGNULL signal to all processes. With this update, the relevant policy has been fixed, and SELinux no longer prevents modprobe from sending SIGNULL to all processes.
BZ#662677
When Samba is configured to run as a Windows Internet Name Server (WINS) that is integrated with a Name Service Switch (NSS), programs that resolve a NetBIOS name require access to the /var/cache/samba/unexpected.tdb file. Previously, SELinux incorrectly denied this access. This update adapts the relevant SELinux policy to allow this access, and programs resolving a NetBIOS name are now able to access this file as expected.
BZ#666513
Previous versions of the selinux-policy packages did not provide a SELinux policy for the /var/spool/rsyslog/ directory. With this update, this policy has been added.
BZ#667692
When the utmp option in the /etc/samba/smb.conf configuration file is set to yes, Samba records sessions in the utmp and wtmp files. Prior to this update, the SELinux policy did not allow the smbd daemon to write to the wtmp file. With this update, the SELinux policy has been corrected, so that Samba is now allowed to work as expected.
BZ#672289
When running in enforcing mode, SELinux did not allow the net utility to create a Kerberos keytab file when the system was joined to a Windows 2003 Active Directory domain. This update corrects this error, and SELinux no longer prevents the net utility from creating a Kerberos keytab file.
BZ#672540
Prior to this update, an attempt to use the System Security Services Daemon (SSSD) with an LDAP domain connected to an OpenLDAP server over the Transport Layer Security (TLS) protocol caused various AVC messages to be written to the audit log. This update applies a backported patch that resolves this issue, so that no unnecessary AVC messages are recorded.
BZ#674452
The rsyslogd tool allows a user to change the maximum number of open file descriptors by adding the $MaxOpenFiles directive to the /etc/rsyslog.conf file. Previously, an attempt to use this directive to set a number that is larger than the default value failed, because SELinux prevented rsyslogd from accessing setrlimit. This update corrects the relevant policy to allow this access, so that the rsyslogd tool is now able to increase the maximum number of open file descriptors as expected.
BZ#674689
In order to perform its job, the pyzor client requires access to certain files in users' home directories. Prior to this update, SELinux did not allow pyzor to access these files if the home directories were located on an NFS mount point. With this update, SELinux no longer denies pyzor access to NFS-mounted home directories, allowing it to work correctly.
BZ#678496
Due to missing SELinux policies, various AVC messages may have been reported when attempting to start the pulse or ipvsadm service. This update adds the relevant policies to make sure these services can be started as expected.
BZ#689960
For debugging purposes, Openswan allows a user to specify a directory in which to store a core dump file in case the pluto service crashes. Prior to this update, running SELinux in enforcing mode rendered Openswan unable to create such a core dump. With this update, the relevant policy has been corrected, and SELinux no longer prevents Openswan from creating core dump files.
BZ#693723
The sshd service, ssh client, and other SSH-aware utilities need to read data from the /dev/random and /dev/urandom devices. Prior to this update, SELinux may have incorrectly prevented these programs from accessing these devices. This update adapts the SELinux policy so that these utilities are able to read data from both /dev/random and /dev/urandom as expected.
BZ#694865
Due to an incorrect SELinux policy, the Pyzor spam filtering system was incorrectly denied access to configuration files located in the /etc/ directory. This update corrects the SELinux policy to make sure Pyzor is no longer prevented from accessing its configuration files.
BZ#697804
With SELinux running in enforcing mode, any communication via the Stream Control Transmission Protocol (SCTP) was denied. With this update, the relevant SELinux policy has been adapted to allow SCTP communication.
BZ#698043
Prior to this update, restarting the vsftpd service by using the service vsftpd restart command caused an AVC message to be written to the audit log. With this update, SELinux rules have been added to address this issue, and restarting the vsftpd service no longer produces AVC messages.
BZ#698257
With SELinux enabled, running the named service in a chroot environment rendered it unable to update log files. This error has been fixed, and SELinux no longer prevents named from updating the log files.
BZ#703458
Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the lsusb command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
BZ#703482
Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the kpartx -x command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
BZ#703714
Due to an incorrect SELinux policy, when the OpenAIS Standards-Based Cluster Framework was started, various AVC messages were written to the audit log, and the openais service was unable to use UDP port 5404. This error has been fixed, the relevant SELinux policy has been corrected, and the openais service now works as expected.
BZ#704690
Previous versions of the selinux-policy packages were missing SELinux rules for the syslog-ng syslog server. With this update, these rules have been added.
BZ#705327
Previously, using the arping utility on an IBM System z machine incorrectly caused an AVC message to be written to the audit log. This update corrects the relevant SELinux policy, and running arping no longer produces unnecessary AVC messages.
BZ#707101
Prior to this update, SELinux incorrectly prevented the clamav-milter utility from opening a socket, causing it to terminate with an error. With this update, this error has been fixed, and clamav-milter can now be used as expected.
BZ#707139
With SELinux running in enforcing mode, the Apache HTTP Server may have been unable to use the worker Multi-Processing Module (MPM). This update applies a backported patch that adds the httpd_execmem boolean. As a result, SELinux no longer prevents the Apache HTTP Server from loading the worker MPM.
BZ#708986
Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the user_u and staff_u SELinux users from running the ssh-keygen utility. This update fixes the relevant policy, and both user_u and staff_u users are now able to run ssh-keygen as expected.
BZ#709045
Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the crontab -l command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
BZ#711725
Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the iprinit, iprdump, and iprupdate services from working correctly. With this update, this error no longer occurs, and the aforementioned services are able to work as expected.
BZ#713797
Due to an error in SELinux rules, running SELinux in enforcing mode rendered the clustat utility unable to connect to a cluster port. With this update, the SELinux rules have been updated to permit such a connection, resolving this issue.
BZ#714960
Prior to this update, the .k5login files in the users' home directories were labeled with a wrong security context, which caused SELinux to incorrectly prevent the krb5_child process from accessing these files. With this update, the security context of the .k5login files has been corrected so that krb5_child is no longer denied access to these files.

Enhancements:

BZ#662097
This update introduces the squid_selinux(8) manual page, which provides detailed documentation of the SELinux policy for the squid daemon.
BZ#671498
This update adds a new security context for devices in the /dev/hpilo/ directory, which provide an interface to the HP Integrated Lights-Out (iLO) remote management functionality.

All users of SELinux are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.