RHBA-2008:0465 - Bug Fix Advisory

Topic

Updated selinux-policy packages that resolve a number of issues are now
available.

Description

The selinux-policy packages contain the rules that govern how confined
processes will run on the system.

These updated selinux-policy packages contain the following changes to
SELinux policy rules:

• Apache now prompts for the passphrase for encrypted private keys.
• DF now runs inside Logwatch
• postfix now accesses NFS files with "use_nfs_home_dirs=1".
• snmpconf now generates the snmpd.conf configuration file with the correct

SELINUX context.

• radiusd now works properly.
• ntpd (ntpd_t) now works properly.
• hald "getattr" access to device /dev/drbd0.
• automount now works properly.
• dovecot performs kerberos authentications.
• smbd now performs kerberos authentication.
• nagios now works properly.
• clvmd can now create volume group nodes.
• vbetool "append" to /var/lib/hal/system-power-suspend-output.
• postcat now works properly.
• netplugd "signal" access to ifconfig_t.
• Mailman now works properly.
• yum-updatesd/puplet now work properly.
• httpd is now reading and writing http files when twiki pages are browsed.
• terminal output from lvm commands when using rlogin.
• vsftp login now works properly.
• rsync server now works properly
• spamassassin can now access the home directory.
• postfix now uses dovecot's deliver LDA.
• moving files on or off encrypted mount.
• integration of SpamAssassin with DCC.
• pyzor integration with SpamAssassin.
• mailman and postfix now interact.
• the oddjob_request "mkhomedirfor" command now works properly.
• hal-storage-mount "getattr" now has access access to /swapfile.
• Files created in NFS-mounted home directories now have proper context on

server.

• iscsid now execute setrlimit.
• support for Apache's mod_auth_shadow.
• samba password when configured to synchronize UNIX(r) password.
• Xorg now has mmap_zero access.
• multipathd now works properly.
• procmail is now able to run spamc.
• vpnc now works properly.
• java-1.5.0-ibm now runs.
• temporary queued mails in postfix are now delivered.
• restart of nscd now works.
• hald "setsched" to kernel.
• vbetool "mmap_zero".
• genfs_context nfs_t to lustre and panfs.
• proper labeling has been applied to

/usr/local/matlab2007b/bin/glnxa64/MATLAB.

• tcpdump now works properly.
• hald_t now has read access to /dev/random.
• krb5kdc is able to start from the command line.

More information on all of the numerous changes is available in the package
changelog. To view this information, run the following command after the
package is installed:

rpm -q --changelog selinux-policy

All users of selinux-policy are advised to upgrade to these updated
packages, which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 230497 - Apache won't prompt for passphrase for encrypted private keys
• BZ - 238347 - SELinux policy blocks DF from running inside Logwatch
• BZ - 245605 - SELinux prevents postfix from accessing NFS files with use_nfs_home_dirs=1
• BZ - 247461 - snmpconf generates snmpd.conf file with wrong SELINUX context
• BZ - 248467 - radiusd not working with selinux
• BZ - 248838 - SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read write" access to
• BZ - 250447 - SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
• BZ - 251712 - [rhts] selinux warnings with automount
• BZ - 251841 - selinux forbids dovecot perform gssapi authentications
• BZ - 253999 - selinux prevents smbd from kerberos authenticationa
• BZ - 266341 - nagios avc denials
• BZ - 288771 - SELinux "denied access" error attempting to execute SDK samples.
• BZ - 326631 - targeted policy prevents postcat from working
• BZ - 350511 - Mailman AVC messages when mailman runs in mailman_mail_t domain
• BZ - 351051 - yum-updatesd / puplet doesn't work
• BZ - 353781 - SELinux prevented httpd reading and writing access to http files when twiki pages are browsed.
• BZ - 359701 - RHEL5: The system doesn't boot after updating selinux policy to selinux-policy-2.4.6-106.el5
• BZ - 366461 - RHEL5 | SELinux: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "create"
• BZ - 374431 - selinux prevents terminal output from lvm commands when using rlogin
• BZ - 383191 - pam-0.99.6.2-3.26.el5 breaks vsftp login under selinux
• BZ - 383231 - Unable to build policy due to typo in /usr/share/selinux/devel/include/services/kerberos.if
• BZ - 386481 - avc messaged caused by autofs enhancements for RHEL 5 update 2
• BZ - 390771 - rsync server doesn't work
• BZ - 403241 - Targeted policy breaks rsync as daemon and rsyncd.log logging
• BZ - 410781 - Selinux-policy preventing spamassassin from accessing home directory
• BZ - 414891 - postfix cannot use dovecot's deliver LDA because of selinux
• BZ - 414951 - [RHEL5.2 - ecryptfs] cannot mv files on or off encrypted mount - AVC denial
• BZ - 416541 - DCC policy does not allow integration of SpamAssassin with DCC
• BZ - 416561 - pyzor module does not allow integration of SpamAssassin with pyzor
• BZ - 425806 - mailman and postfix cannot interact
• BZ - 426077 - avc: denied { transition } for comm="userhelper" path="/usr/share/system-config-display/system-config-display"
• BZ - 427517 - running `oddjob_request mkhomedirfor $user` causes AVC denial
• BZ - 429549 - SELinux is preventing /usr/libexec/hal-storage-mount (hald_t) "getattr" access to /swapfile (swapfile_t).
• BZ - 430577 - Files created in NFS mounted home directories have user_home_dir_t context on server
• BZ - 430639 - Stopping mailman causes Permission denied and AVC
• BZ - 430669 - avc: denied { setrlimit } for comm="iscsid"
• BZ - 430702 - selinux needs to support apache mod_auth_shadow
• BZ - 430969 - selinux prevent changing samba password when configured to synchronize unix password.
• BZ - 431023 - SELinux is preventing /usr/bin/Xorg (xdm_t) "mmap_zero" access to <Unknown> (xdm_t).
• BZ - 431240 - Postfix default SELinux policy generates SE alerts.
• BZ - 431413 - [regression] policygentool is broken
• BZ - 431689 - After update, multipathd does not start any more
• BZ - 431797 - selinux prevents procmail from running spamc
• BZ - 433237 - iscsid needs access to setrlimit (regession with 5.1)
• BZ - 433703 - update iscsi policy for isns
• BZ - 434843 - IMAP server "dovecot" policy fix
• BZ - 435112 - Temporary queued mails in postfix can't be delivered
• BZ - 435162 - selinux is preventing paranoia restart of nscd
• BZ - 435824 - ibm java plugin is blocked by selinux avc
• BZ - 435935 - SELinux is preventing vbetool (vbetool_t) "mmap_zero" to <Unknown> (vbetool_t).
• BZ - 437793 - RFE: please apply genfs_context nfs_t to lustre and panfs
• BZ - 437794 - [RHEL5 U2] SELinux AVC Denied message when opening a document
• BZ - 438234 - [RHEL5.2] selinux-policy Can no longer compile policys
• BZ - 438308 - changes in rhel5.2 gcc caused gdb.base/prelink.exp to FAIL
• BZ - 438453 - SELinux is preventing /usr/local/matlab2007b/bin/glnxa64/MATLAB from changing the access protection of memory on the heap.
• BZ - 438865 - SELinux denied access ntpd ntpd_t "read write" socket:[42433541] (unconfined_t)
• BZ - 439018 - tcpdump causes avc messages when running autofs regression tests
• BZ - 439748 - cannot print
• BZ - 439860 - wrong logfile name in clamav policy
• BZ - 440599 - Multiple SELinux denials for snapshot #4
• BZ - 440685 - AVC denial for RHTS test /kernel/filesystems/nfs/nfs4-krb5
• BZ - 443427 - krb5kdc fails to start from command-line with AVC
• BZ - 443950 - avc: denied { getattr } for comm="mdadm" path="/dev/.udev"

CVEs

(none)

References

(none)