4.233. policycoreutils

Updated policycoreutils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The policycoreutils packages contain the core utilities that are required for the basic operation of a Security-Enhanced Linux (SELinux) system and its policies.

Bug Fixes

BZ#662064
Due to the wrong run_init pseudo terminal (pty) handling, it was not possible to start the sshd daemon properly with the run_init utility. With this update, the bug has been fixed so that run_init now works, as expected.
BZ#666861
If the "-D" option was used with the "semanage module" command, it resulted in a traceback. With this update, the functionality that allowed removal of every single policy module from a system has been removed from the semanage utility so that the bug is now fixed.
BZ#677541, BZ#677542
Previously, the semanage(8) man page did not describe certain options. This update corrects the man page so that these options are now described, as expected.
BZ#689153, BZ#695288, BZ#696809, BZ#735044
Previously, the SELinux graphical tools and the common SELinux tools did not work on systems with SELinux disabled. This bug has been fixed by allowing the SELinux graphical tools and the common SELinux tools to run on these systems.
BZ#690502
Previously, running the "sandbox -H /tmp/testuserhome ls ~" command resulted in a traceback. With this update, the command now works as expected.
BZ#702860
Previously, the gnome-python2-gtkhtml2 package was required by the policycoreutils-gui package. As a result, the Automatic Bug Reporting Tool (ABRT) utilities generated a traceback. With this update, the gnome-python2-gtkhtml2 package is no longer required by the policycoreutils-gui package, thus the bug is fixed.
BZ#705027
Previously, the sestatus(8) man page missed the description of the "-b" option. This update corrects the man page so that this option is now described, as expected.
BZ#715021
Previously, polyinstantiated directories had the wrong multilevel secure (MLS) range set for a user. As a result, the user was not able to create files in the /tmp/ directory, or, under certain circumstances, to log in. This update fixes the bug by correcting the namespace.init script.
BZ#734467
Previously, the rsync package was not required by any of the policycoreutils packages, although the "seunshare" command, which is provided by the policycoreutils-sandbox package, requires the rsync package to work properly. With this update, the rsync package is now required by the policycoreutils-sandbox package, thus the bug is fixed.
BZ#736153
Previously, it was possible to change the USER, ROLE, and MLS ranges on an object with the "restorecon" command even if the "-F" option was not specified. This update fixes the unintended behavior by disallowing "restorecon" to change the USER, ROLE or MLS ranges on the object unless the "-F" option is specified.
BZ#739587, BZ#740669
If the "restorecon" command was successful, the return code "1" was erroneously returned. This unintended behavior has been fixed with this update so that "restorecon" now returns the code "0", as expected.
BZ#750594
If booting with the "SELinux=disabled" option set in the /etc/selinux/config file (but without specifying the "selinux=0" option at the kernel prompt), dracut output the following error:
dracut: /sbin/load_policy: Can't load policy: No such file or directory
With this update, dracut no longer outputs this error.
All users of policycoreutils are advised to upgrade to these updated packages, which fix these bugs.
Updated policycoreutils packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The policycoreutils packages contain the core utilities that are required for the basic operation of a Security-Enhanced Linux (SELinux) system and its policies.

Bug Fixes

BZ#785678
The semanage utility did not produce correct audit messages in the Common Criteria certified environment. This update modifies semanage so that it now sends correct audit events when the user is assigned to or removed from a new role.
This update also modifies behavior of semanage concerning the user's SELinux Multi-Level Security (MLS) and Multi-Category Security (MCS) range. The utility now works with the user's default range of the MLS/MCS security level instead of the lowest.
In addition, the semange(8) manual page has been corrected to reflect the current semanage functionality.
BZ#787579
The missing exit(1) function call in the underlying code of the sepolgen-ifgen utility could cause the restorecond daemon to access already freed memory when retrieving user's information. This would cause restorecond to terminate unexpectedly with a segmentation fault. With this update, restorecond has been modified to check the return value of the getpwuid() function to avoid this situation.
BZ#787605
When installing packages on the system in Federal Information Processing Standard (FIPS) mode, parsing errors could occur and installation failed. This was caused by the "/usr/lib64/python2.7/site-packages/sepolgen/yacc.py" parser, which used MD5 checksums that are not supported in FIPS mode. This update modifies the parser to use SHA-256 checksums and installation process is now successful.
All users of policycoreutils are advised to upgrade to these updated packages, which fix these bugs.