Issued:
2007-10-30
Updated:
2007-11-07

RHBA-2007:0544 - Bug Fix Advisory

Synopsis

selinux-policy bug fix update

Type/Severity

Bug Fix Advisory

Topic

An updated selinux-policy package that fixes several bugs is now available.

Description

The selinux-policy package contains the rules that govern how confined
processes will run on the system.

Bugs fixed in this release include:

  • removed extra quota file context specifications from MLS policy.
  • allow vsftpd local logins when system is enforcing MLS policy.
  • fixed a typo in the 'kerberos_selinux' man page.
  • change /var/log/messages to SystemHig for MLS policy.
  • "vgchange -a y" did not detect volume groups running rc.sysinit.
  • fix aide policy AVC denials and bad file context specifications.
  • fix policy so that userdom_admin_user_template and cron_per_role_template
    do not conflict.
  • allow logwatch to search httpd content.
  • allow login to console on s390 in MLS p.olicy
  • fix file context specification on ATI libGL.so.1.2.
  • fix SELinux policy for logwatch, ntp, useradd, netlabelctl, xen, nscd,
    dovecot, smartd, lvm, ppp, ypserv, samba, snmp, IBM Java, VMWare,
    tog-pegasus, dhcp, mtu, cupsd, NetLabel and IPsec management tools.
  • allow SELinux MLS administrator access to /boot/efi.
  • allow the setup of console login on first boot in MLS policy.

Users are advised to upgrade to these updated selinux-policy packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 213809 - Setup of tog-pegasus SDK fails rhel5 beta2
  • BZ - 219192 - LSPP: RHEL5 RC2 1201 MLS Policy Contains Mutiple Quota Fcontext Specs
  • BZ - 220085 - LSPP - vsftpd denies local logins when system is enforcing mls policy
  • BZ - 222363 - [LSPP] ia64 /boot/efi is unaccessible to sysadm_r
  • BZ - 222626 - yum upgrade produces lvm AVC Denial
  • BZ - 224441 - AVC while updating machine
  • BZ - 225443 - LSPP: No console login on first boot
  • BZ - 228448 - dangling symlink
  • BZ - 229318 - restorecon can't write to pipe of crond_t
  • BZ - 231021 - LSPP: amtu -n fails with MLS policy in enforcing mode
  • BZ - 231062 - [LSPP] cupsd is unable to increment pam_tally2's tallylog
  • BZ - 231656 - NetLabel and IPsec management tools fail to start at boot
  • BZ - 233112 - avc: denied { net_bind_service }
  • BZ - 233313 - LSPP: sysadm_r gets permission denied when using netlabelctl
  • BZ - 233641 - targeted policy is incomplete for net-snmp daemon
  • BZ - 234885 - [LSPP] aide policy causes denials
  • BZ - 234889 - [LSPP] querying cups jobs with sysadm_r does not override mls restrictions
  • BZ - 235023 - nscd now needs setcap permission
  • BZ - 235357 - selinux prevents ifup of eth1.
  • BZ - 235360 - SELinux prevents automatic addition of machine accounts in a Samba PDC
  • BZ - 235363 - ypserv not binding to a port <1024
  • BZ - 235725 - In LSPP configuration /var/log/messages is SystemLow
  • BZ - 236060 - LSPP: vgchange -a y does not detect vg's
  • BZ - 236479 - LSPP: bad aide fc regex
  • BZ - 236794 - ppp targeted policy denials
  • BZ - 237128 - Selinux policy prevents removal of volume groups
  • BZ - 237133 - [LSPP] userdom_admin_user_template and cron_per_role_template conflict during policy compile
  • BZ - 237617 - logwatch_t should be allowed to search httpd_sys_content_t
  • BZ - 237703 - LSPP: login as ealuser fails from s390 console
  • BZ - 238137 - SELinux blocks logwatch from access to clamav logs
  • BZ - 238189 - LSPP: Review audit labeling
  • BZ - 238347 - SELinux policy blocks DF from running inside Logwatch
  • BZ - 238360 - SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks.
  • BZ - 238748 - SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read" access to pipe:[9396] (firstboot_t).
  • BZ - 238751 - SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
  • BZ - 239079 - [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
  • BZ - 239460 - upgrading selinux overwrites contexts/users/root
  • BZ - 240228 - AVCs with netlabelctl
  • BZ - 240368 - "vgchange -an VolGroup01" pops a selinux violation.
  • BZ - 240383 - SELinux prevents smartd access to device /dev/twa0
  • BZ - 241039 - selinux policy breaks creating LVM snapshots
  • BZ - 241621 - ypserv cannot exec ypxfr on x86_64
  • BZ - 243693 - selinux blocks dovecot writing to nfs_t with use_nfs_home_dirs=1
  • BZ - 244435 - SELinux needs new rule to allow xenconsoled to log in /var/log/xen/console
  • BZ - 244489 - ATI libGL.so.1.2 avc: denied
  • BZ - 245268 - SELinux is preventing (postfix_smtpd_t) "getattr" to /home (home_root_t)
  • BZ - 245599 - service iptables status silently fails when selinux is enforcing
  • BZ - 246431 - Updated net-snmp package needs policy upgrade
  • BZ - 246795 - SELinux is preventing /usr/sbin/lvm (lvm_t) "write" to .cache (lvm_etc_t).
  • BZ - 249754 - File watches using audit fail on files located in user home dirs
  • BZ - 259781 - Multiple different specifications for /etc/asound\.state

CVEs

(none)

References

(none)

Red Hat Enterprise Linux Server 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
x86_64
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74
ia64
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74
i386
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

Red Hat Enterprise Linux Workstation 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
x86_64
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74
i386
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

Red Hat Enterprise Linux Desktop 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
x86_64
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74
i386
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
s390x
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

Red Hat Enterprise Linux for Power, big endian 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
ppc
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

Red Hat Enterprise Linux Server from RHUI 5

SRPM
selinux-policy-2.4.6-104.el5.src.rpm SHA-256: 43fb7e124ff5dac70b9131104912dbd1fb6be445edc7d8aa85cb7f7f40e14d2a
x86_64
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74
i386
selinux-policy-2.4.6-104.el5.noarch.rpm SHA-256: a5e9aac1323f75307449d7179f36c107e64a2145895a3f92d5910ae57a200cd2
selinux-policy-devel-2.4.6-104.el5.noarch.rpm SHA-256: c6ba80d50c2f658d8444710c61e379f528f7f2fdaa1301aebfa9b7bbc28f5916
selinux-policy-mls-2.4.6-104.el5.noarch.rpm SHA-256: efe2054603e9e9e50df3481bca7a77cfe1adf84b9d2a3022b0ed5e8390ed00a0
selinux-policy-strict-2.4.6-104.el5.noarch.rpm SHA-256: c44dca1e8476f24f063075fa0e1efcc79adaaf4d059e58dcb616ae7db1458fe0
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm SHA-256: af6f19e119cd33b1cac71b142f42487cb3bcd2eb2a9590d99092869313d88e74

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.