RHBA-2009:1242 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix several bugs are now available.

Description

The selinux-policy packages contain the rules that govern how confined
processes run on the system.

These updated packages resolve several bugs in Security-Enhanced Linux
(SELinux) policy as shipped with Red Hat Enterprise Linux 5. The majority
of these bugs resulted in SELinux denying legitimate access.

Refer to the Red Hat Enterprise Linux 5.4 Technical Notes for detailed
documentation on the bug fixes applied by this update. A link to
the section for this selinux-policy update is in the "References" below.

All users are advised to upgrade to these updated packages, which resolve
these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 429726 - Allow samba to change unix passwords
• BZ - 475562 - SELinux is preventing perl (logwatch_t) "write" to ./services (etc_t).
• BZ - 477123 - Typo errors in man pages
• BZ - 479819 - postgrey avc: denied socket connection
• BZ - 480943 - SELinux is preventing nm-system-setti after update to 5.3
• BZ - 481387 - selinux prevents "getattr" and "execute"
• BZ - 481628 - AVCs for system_dbusd_t -> [ hal_t, unconfined_t
• BZ - 481706 - SELinux is preventing automount (automount_t) "signal" to <Unknown> (mount_t).
• BZ - 483173 - SELinux prevents nm-system-setti (system_dbusd_t) "getsched"
• BZ - 484146 - setsebool -P samba_enable_home_dirs=1 is not completely effective.
• BZ - 485078 - Wrong security context for sysstat package
• BZ - 485107 - Cannot execute spamc from procmail
• BZ - 485111 - samba not able to access users' public_html directory
• BZ - 486187 - RHEL-5.3 selinux-policy broke spamassassin
• BZ - 486354 - Cannot boot RHEL5.3 with strict enforcing selinux
• BZ - 486965 - cannot open matlab on redhat EL 5.3, unless I override / change selinux settings
• BZ - 487021 - Selinux prevents Samba from rotating log files.
• BZ - 489899 - selinux-policy: allow dbus to domain_read_all_domains_state [rhel-5.4]
• BZ - 490024 - nscd_t needs search permissions on sbin_t
• BZ - 492567 - restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too)
• BZ - 495010 - SELinux is preventing /sbin/restorecon (restorecon_t) "read" to inotify (inotifyfs_t).
• BZ - 496867 - SELinux issue causing libvirtd launched dnsmasq to fail
• BZ - 497168 - updated openswan package creating AVCs
• BZ - 497273 - Comming autofs update needs Selinux policy update
• BZ - 498596 - selinux-policy-targeted blocking amanda client operation
• BZ - 499249 - [RHEL5.4] selinux AVC: denials when trying to start a xen guest
• BZ - 499691 - SELinux is preventing hp (hplip_t) "read write" to socket (cupsd_t).
• BZ - 499701 - spamassassin spamd dies because of SElinux when it is HUP(ed)
• BZ - 499888 - selinux denials when migration tests over ssh is being done:
• BZ - 500392 - Problems with clamav-milter 0.95.1
• BZ - 500395 - selinux-policy: setkey executed from initrc_t from if{up,down}-ipsec fails to set policies
• BZ - 502182 - error installing selinux-policy-minimum: could not read file 'unconfined.pp'
• BZ - 504238 - kvm guest installations are failing with selinux-policy-targeted < 2.4.6-245.el5
• BZ - 504738 - Packets are lost when transfer from bridge to physical nic
• BZ - 504805 - selinux is denying cyrus-master from binding the mupdate port
• BZ - 504872 - SELinux targetted policy blocks VMWare-hgfsmounter from mounting shared disks.
• BZ - 506057 - iscsid generates lots of AVC messages
• BZ - 507712 - Selinux directed me to report this bug -- pasted Selinux information below
• BZ - 508348 - selinux policy blocks postgresql dblink_connect
• BZ - 511143 - selinux policy allows addr 0 mappings by default
• BZ - 511359 - avcs when running pluto with selinux in enforcing mode
• BZ - 511927 - SELinux: should automount have access to winbind pipe?
• BZ - 512301 - Multiple different specifications for /var/vdsm(/.*)?
• BZ - 513208 - VDSM selinux context errors

CVEs

(none)

References

• http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_Notes/selinux-policy.html