RHBA-2005:251 - Bug Fix Advisory

Topic

Updated selinux-policy-targeted packages that fix several bugs for various
daemons are now available.

Description

Security-enhanced Linux is a patch of the Linux kernel and a number of
utilities with enhanced security functionality designed to add mandatory
access controls to Linux. The Security-enhanced Linux kernel contains new
architectural components originally developed to improve the security of
the Flask operating system. These architectural components provide general
support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement,
Role-based Access Control, and Multi-level Security.

This package contains the SELinux example policy configuration along with
the Flask configuration information and the application configuration files.

These updated packages address the following issues:

• - Apache
• Squirrelmail did not work properly while using either postfix or

sendmail. Fixed spell checking bugs, as well as bugs with sending and
attaching documents.

• Mailman did not work properly. Fixed bugs in regards to creating new

lists and adding multiple members at once.

• Fixed a bug with accessibility to postgres from Apache.
• Fixed a bug with accessibility to mysql from Apache.
• - Windbind
• Fixed a bug related to starting the service
• Fixed a bug related to the resolving of passwords
• - Postgres
• Fixed a bug related to starting and initializing of the postgres

database.

• - Mysql
• Fixed a bug related to starting and initializing of the mysql

database.

• - Squid
• Fixed a bug related to starting the squid daemon.
• - syslog
• Fixed a bug related to setting log processes to a different machine.
• Fixed incorrect labeling on /emul directory. Contexts on shared

libraries are now correct (shlib_t).

• - nscd
• Fixed a bug related to the starting of nscd while using certificates.

All users of selinux-policy-targetted should upgrade to these updated
packages, which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 138421 - httpd cannot connect to mysqld through socket /var/lib/mysql/mysql.sock
• BZ - 138911 - nscd breaks LDAP authentication
• BZ - 139895 - httpd cannot connect to postgresql database using sockets
• BZ - 140403 - Cannot use exec() with php and selinux
• BZ - 140962 - mv getting permission denied when relocating files to a mounted smb share
• BZ - 142812 - booleans files is not set to config(noreplace)
• BZ - 143454 - squid message queue avc denied
• BZ - 143561 - selinux, sendmail & TLS don't play nice (including suggested fix)
• BZ - 143564 - SElinux-targeted does not allow to start Winbind
• BZ - 143745 - policy wouldnt allow ldconfig to run
• BZ - 143957 - can't connect to /var/lib/mysql/mysql.sock from apache/php
• BZ - 143962 - programs launched from apache can't read system fonts
• BZ - 144208 - Target policy prevents reading ssl certificates with nscd enabled
• BZ - 144316 - policycoreutils should be a dependency of selinux-policy-targeted
• BZ - 144512 - RFE: Document Existing selinux types and how to make new ones
• BZ - 144731 - nscd denied access to system SSL certificates
• BZ - 144950 - Still need a couple selinux tweaks for PostgreSQL
• BZ - 145039 - Unchanged selinux install needing .rpmnew files, anyway
• BZ - 145139 - selinux starts shouting when launching squid
• BZ - 146208 - pg_dump is broken
• BZ - 146471 - httpd UserDir doesn't work
• BZ - 146844 - dhcpd won't start with ddns enabled
• BZ - 147183 - SELinux blocks normal winbindd operations
• BZ - 147466 - Policy for Mailman too strict about temporary files
• BZ - 147471 - selinux blocks advanced syslog.conf logging options

CVEs

(none)

References

(none)