RHBA-2009:0163 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix several bugs and add an
enhancement are now available.

Description

The selinux-policy packages contain the rules that govern how confined
processes run on the system.

These updated packages resolve several bugs in Security-Enhanced Linux
(SELinux) policy as shipped with Red Hat Enterprise Linux 5. The majority
of these bugs resulted in SELinux denying legitimate access.

The following is a non-exhaustive, brief list of bugs resolved by this
update:

• denials for "iscsid" and "iscsiadm".
• Common UNIX Printing System (CUPS) issues, such as print jobs failing

when using the Hewlett-Packard Linux Imaging and Printing (HPLIP) software.

• Simple Network Management Protocol (SNMP) issues, such as snmpd hanging

when querying for IPv6 attributes on systems with IPv6 disabled.

• various denials related to D-Bus, causing issues for certain

applications.

• due to incorrect labels, Kernel-based Virtual Machine (KVM) guests that

used virtio drivers failed to mount "/boot" during rc.sysinit.

• the "/boot/efi/" files on Itanium-based systems were labeled incorrectly.
• "/var/lib/iscsi" and "/var/lock/iscsi" were labeled incorrectly.
• denials in certain situations when upgrading from Red Hat Enterprise

Linux 5.1 to 5.2.

• when SNMP support was enabled for Squid, Squid failed to start.
• various denials when using Samba.
• denials when using DHCP.
• in clustered environments, errors occurred when using the Conga web

interface to view storage details. Also, luci may have reported an
incorrect service status.

• denials when using certain procmail scripts, as well as delivery problems

when using a combination of procmail and Dovecot.

• incorrect labeling, causing issues for "kadmind".
• FreeRADIUS was unable to communicate with Net-SNMP.
• corrections to the ftpd_selinux(8) manual page, with regards to using the

"semanage" tool for labeling.

• in Kerberos master and slave environments, replications from the master

to the slave may have caused denials. In this update, a policy has been
added for kpropd (so that it runs confined), which resolves this issue.

Also, in this update, a policy has been added for the IPsec Tools racoon
daemon (so that it runs confined).

This update resolves several bugs not listed here. A more complete list of
changes is available in the selinux-policy package changelog. To view this
information, run the following command after installing or updating the
selinux-policy package:

rpm -q --changelog selinux-policy

All users are advised to upgrade to these updated packages, which resolve
these issues and add this enhancement.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 247510 - There is no selinux module for ipsec-tools (racoon)
• BZ - 437722 - policygentool - missing python module dependency + wrong option
• BZ - 441750 - ia64 selinux: Properly install files and symlinks
• BZ - 442028 - SELinux preventing procmail recipe
• BZ - 447014 - SELinux policy needed for kpropd
• BZ - 447403 - selinux utilities report incorrect context for /var/lib/iscsi* objects
• BZ - 447854 - No SELinux labeling exists for infinibandeventfs
• BZ - 449420 - [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
• BZ - 450390 - "permission append is not defined for class chr_file" when using the macro dev_rw_null(domain)
• BZ - 451805 - RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper" message
• BZ - 452787 - squid ceased to work after upgrade to 5.2
• BZ - 454024 - selinux denies snmpd to read from /proc/pid/fd/*
• BZ - 455033 - kadmind is not able to write to /var/kerberos/krbkdc/principal.ok file
• BZ - 455697 - SELinux is preventing perl (logwatch_t) "getattr" to /root (user_home_dir_t)
• BZ - 455784 - AVC denies Conga from using storage in permissive mode
• BZ - 456674 - Selinux does not allow samba to change file owner
• BZ - 457307 - can't run dovecot's deliver from inside .procmailrc
• BZ - 457455 - SELinux is complaining about Novell GroupWise library
• BZ - 459390 - "permission ioctl is not defined for class sock_file" when using nscd_socket_use macro
• BZ - 459570 - SELinux policy needs to be changed to support hal-set-keymap
• BZ - 459888 - SELinux is preventing dhcdbd (dhcpc_t) "read" to /etc/dbus-1/system.d (dbusd_etc_t)
• BZ - 460398 - iscsid needs additional SELinux allow rule for interface binding
• BZ - 460733 - Cannot execute locally installed daemon (pysieved) from stunnel (permission denied)
• BZ - 461040 - Selinux policy prevents freeradius to communicate with net-snmp
• BZ - 461323 - SELinux AVCs when accessing mib .1.3.6.1.2.1.6
• BZ - 461326 - SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t)
• BZ - 461624 - auditd service won't start because of "Unable to open /sbin/audispd (Permission denied)"
• BZ - 461644 - SELinux is preventing snmpd (snmpd_t) "unlink" to master (var_t)
• BZ - 461645 - Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
• BZ - 461769 - luci reports incorrect service status with SELinux enforcing
• BZ - 461814 - avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
• BZ - 462739 - [NetApp-S 5.3 bug] Getting selinux errors when iscsid is shutdown
• BZ - 463267 - SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute_no_trans" to /lib/dbus-1/dbus-daemon-launch-helper (lib_t).
• BZ - 463480 - SELinux is preventing dbus-daemon (system_dbusd_t) "execute_no_trans" to /lib/dbus-1/dbus-daemon-launch-helper (system_dbusd_exec_t)
• BZ - 464079 - avc: denied { search / unlink } for comm="audispd"
• BZ - 464886 - denyhosts requires selinux policy changes to work without disabling other critical services like NFS
• BZ - 465219 - man page ftpd_selinux bugs
• BZ - 466470 - avc: denied { getsched } for pid=12121 comm="snmpd" ...
• BZ - 467369 - avc: denied { getattr } for comm="audispd" path="/sbin/audispd-zos-remote"
• BZ - 467995 - avc: denied { getattr } for comm="perl" path="/root"
• BZ - 470248 - Error installing selinux-policy-strict: libsepol.expand_terule_helper: conflicting TE rule for ...
• BZ - 470574 - SELinux mgetty runs unconfined_t if launched with a parameter in /etc/initttab
• BZ - 470621 - SELinux is preventing cups-deviced (cupsd_t) "signal"
• BZ - 470857 - SELinux policy prevents hplip_t type from reading cupsd_tmp_t files
• BZ - 471160 - RHTS test fails to run correctly - selinux messages only evidence
• BZ - 472373 - bind cannot access to /etc/krb5.keytab
• BZ - 472903 - [RHEL5.3] SELinux AVC Denied: Not allowing install of xen guest
• BZ - 475273 - missing policy

CVEs

(none)

References

(none)