Enhanced libsepol packages are now available for Red Hat Enterprise Linux 6.
The libsepol library provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform specific transformations on binary policies (for example, customizing policy boolean settings).
- Previously, the libsepol packages were compiled without the RELRO (read-only relocations) flag. As a consequence, programs provided by this package and also programs built against the libsepol libraries were vulnerable to various attacks based on overwriting the ELF section of a program. To increase the security of libsepol programs and libraries, the libsepol spec file has been modified to use the "-Wl,-z,relro" flags when compiling the packages. As a result, the libsepol packages are now provided with partial RELRO protection.
Users of libsepol are advised to upgrade to these updated packages, which add this enhancement.