RHBA-2009:1026 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix various bugs are now available.

Description

Security-enhanced Linux is a patch of the Linux® kernel and a number of
utilities with enhanced security functionality designed to add mandatory
access controls to Linux. The Security-enhanced Linux kernel contains new
architectural components originally developed to improve the security of
the Flask operating system. These architectural components provide general
support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement®,
Role-based Access Control, and Multi-level Security.

This package contains the SELinux example policy configuration along with
the Flask configuration information and the application configuration files.

These updated selinux-policy-targeted packages provide fixes for the
following bugs:

• virtio block devices on KVM guests did not properly label those devices

as "system_u:object_r:fixed_disk_device_t". This update properly labels
virtio block devices, which is necessary for virtio support.

• SquirrelMail's configtest failed when in SELinux Enforcing mode because

the httpd process was unable to read symbolic links in the /sbin directory,
which is required for configtest. This policy update allows httpd to read
from /sbin, thus resolving this Enforcing-mode access violation.

• SELinux prevented Samba's winbind from creating directories under the

/var/cache/samba/ directory, which was required in order for Samba to work
as part as an Active Directory Services (ADS) domain. This policy update
enables winbind to create directories under the /var/cache/samba/
directory, thus resolving the problem.

All users of selinux-policy-targeted are advised to upgrade to these
updated packages, which resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 201658 - Squirrelmail configuration problems.
• BZ - 479237 - RHEL4 kvm virtio: selinux-policy-targeted support for virtio block devices
• BZ - 487001 - selinux prevents winbind from creating its kerberos config file

CVEs

(none)

References

(none)