RHBA-2007:0544 - Bug Fix Advisory

Topic

An updated selinux-policy package that fixes several bugs is now available.

Description

The selinux-policy package contains the rules that govern how confined
processes will run on the system.

Bugs fixed in this release include:

• removed extra quota file context specifications from MLS policy.
• allow vsftpd local logins when system is enforcing MLS policy.
• fixed a typo in the 'kerberos_selinux' man page.
• change /var/log/messages to SystemHig for MLS policy.
• "vgchange -a y" did not detect volume groups running rc.sysinit.
• fix aide policy AVC denials and bad file context specifications.
• fix policy so that userdom_admin_user_template and cron_per_role_template

do not conflict.

• allow logwatch to search httpd content.
• allow login to console on s390 in MLS p.olicy
• fix file context specification on ATI libGL.so.1.2.
• fix SELinux policy for logwatch, ntp, useradd, netlabelctl, xen, nscd,

dovecot, smartd, lvm, ppp, ypserv, samba, snmp, IBM Java, VMWare,
tog-pegasus, dhcp, mtu, cupsd, NetLabel and IPsec management tools.

• allow SELinux MLS administrator access to /boot/efi.
• allow the setup of console login on first boot in MLS policy.

Users are advised to upgrade to these updated selinux-policy packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 213809 - Setup of tog-pegasus SDK fails rhel5 beta2
• BZ - 219192 - LSPP: RHEL5 RC2 1201 MLS Policy Contains Mutiple Quota Fcontext Specs
• BZ - 220085 - LSPP - vsftpd denies local logins when system is enforcing mls policy
• BZ - 222363 - [LSPP] ia64 /boot/efi is unaccessible to sysadm_r
• BZ - 222626 - yum upgrade produces lvm AVC Denial
• BZ - 224441 - AVC while updating machine
• BZ - 225443 - LSPP: No console login on first boot
• BZ - 228448 - dangling symlink
• BZ - 229318 - restorecon can't write to pipe of crond_t
• BZ - 231021 - LSPP: amtu -n fails with MLS policy in enforcing mode
• BZ - 231062 - [LSPP] cupsd is unable to increment pam_tally2's tallylog
• BZ - 231656 - NetLabel and IPsec management tools fail to start at boot
• BZ - 233112 - avc: denied { net_bind_service }
• BZ - 233313 - LSPP: sysadm_r gets permission denied when using netlabelctl
• BZ - 233641 - targeted policy is incomplete for net-snmp daemon
• BZ - 234885 - [LSPP] aide policy causes denials
• BZ - 234889 - [LSPP] querying cups jobs with sysadm_r does not override mls restrictions
• BZ - 235023 - nscd now needs setcap permission
• BZ - 235357 - selinux prevents ifup of eth1.
• BZ - 235360 - SELinux prevents automatic addition of machine accounts in a Samba PDC
• BZ - 235363 - ypserv not binding to a port <1024
• BZ - 235725 - In LSPP configuration /var/log/messages is SystemLow
• BZ - 236060 - LSPP: vgchange -a y does not detect vg's
• BZ - 236479 - LSPP: bad aide fc regex
• BZ - 236794 - ppp targeted policy denials
• BZ - 237128 - Selinux policy prevents removal of volume groups
• BZ - 237133 - [LSPP] userdom_admin_user_template and cron_per_role_template conflict during policy compile
• BZ - 237617 - logwatch_t should be allowed to search httpd_sys_content_t
• BZ - 237703 - LSPP: login as ealuser fails from s390 console
• BZ - 238137 - SELinux blocks logwatch from access to clamav logs
• BZ - 238189 - LSPP: Review audit labeling
• BZ - 238347 - SELinux policy blocks DF from running inside Logwatch
• BZ - 238360 - SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks.
• BZ - 238748 - SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read" access to pipe:[9396] (firstboot_t).
• BZ - 238751 - SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
• BZ - 239079 - [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
• BZ - 239460 - upgrading selinux overwrites contexts/users/root
• BZ - 240228 - AVCs with netlabelctl
• BZ - 240368 - "vgchange -an VolGroup01" pops a selinux violation.
• BZ - 240383 - SELinux prevents smartd access to device /dev/twa0
• BZ - 241039 - selinux policy breaks creating LVM snapshots
• BZ - 241621 - ypserv cannot exec ypxfr on x86_64
• BZ - 243693 - selinux blocks dovecot writing to nfs_t with use_nfs_home_dirs=1
• BZ - 244435 - SELinux needs new rule to allow xenconsoled to log in /var/log/xen/console
• BZ - 244489 - ATI libGL.so.1.2 avc: denied
• BZ - 245268 - SELinux is preventing (postfix_smtpd_t) "getattr" to /home (home_root_t)
• BZ - 245599 - service iptables status silently fails when selinux is enforcing
• BZ - 246431 - Updated net-snmp package needs policy upgrade
• BZ - 246795 - SELinux is preventing /usr/sbin/lvm (lvm_t) "write" to .cache (lvm_etc_t).
• BZ - 249754 - File watches using audit fail on files located in user home dirs
• BZ - 259781 - Multiple different specifications for /etc/asound\.state

CVEs

(none)

References

(none)