RHBA-2010:0845 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix various bugs are now available.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages fix the following bugs:

• Due to incorrect SELinux policy, attempting to use the guest operating system

customization in vCenter failed. With this update, the relevant policy code has
been added, and SELinux no longer prevents users from customizing guest
operating systems. (BZ#637081)

• When SELinux was enabled, suspending VMware virtual machines was either slowed

down, or failed. With this update, the relevant policy has been corrected, and
VMware virtual machines are now suspended as expected. (BZ#637082)

• When the cluster was configured to use fence_scsi, running the cman startup

script or using the "fence_node -U <nodename>" command failed. These updated
selinux-policy packages contain updated SELinux rules and add the security file
context for the /var/lib/cluster directory, which allows the cluster with
fence_scsi enabled to work properly. (BZ#636489)

• Previously, the "allow_corosync_rw_tmpfs" boolean allowed third party

applications to create, write and read generic tmpfs files. To prevent this, the
boolean has been removed, and unless the unconfined policy is disabled, generic
tmpfs files can now be managed using Corosync. (BZ#636488)

• Due to SELinux policies, certmonger was not permitted to search through

directories that contain certificates. This error has been fixed, and
selinux-policy packages now contain updated SELinux rules, which allow
certmonger to access these directories. (BZ#642607)

• When SELinux was enabled, users were unable to mount GFS2 file systems listed

in /etc/fstab. With this update, SELinux rules have been added to allow the
mount process to communicate with gfs_controld, so that such file systems can
now be mount as expected. (BZ#642609)

• Due to incorrect SELinux policy, smbcontrol, a utility that sends messages to

the smbd, nmbd, or winbindd service, did not work properly. This error has been
fixed, the relevant policy code has been added, and SELinux no longer prevents
smbcontrol from working. (BZ#644807)

• With SELinux running in the enforcing mode, resuming the system from the

Suspend mode failed, because the /etc/resolv.conf file did not have the correct
security context. This was caused by NetworkManager, which was running under
wrong SELinux domain, "devicekit_power_t". With this update, the proper SELinux
domain transition from DeviceKit-power to NetworkManager has been added, and
resuming from the Suspend mode now works as expected. (BZ#644808)

• Prior to this update, running the passwd command in the single user mode (that

is, runlevel 1) failed when SELinux was enabled. To address this issue, the
SELinux rules have been updated, so that passwd can now access the console, as
well as all terminals (TTYs) and pseudo terminals (PTYs). (BZ#644820)

• Due to SELinux policy rules, certain iptables commands such as "iptables-save"

or "iptables -L" were unable to write to files with output redirection. With
this update, the SELinux domain transition from "unconfined_t" to the
"iptables_t" domain has been removed, and such commands now work as expected.
(BZ#645658)

All users of selinux-policy are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 636488 - remove boolean for corosync to remove potential for selinux avcs with enforcing mode
• BZ - 636489 - fence_scsi fails to unfence with selinux AVC denials
• BZ - 637081 - Guest OS customization cannot work with the current SELinux policy setting
• BZ - 637082 - Suspending VMware virtual machines is slow or fails when selinux is enabled.
• BZ - 642607 - SELinux is preventing /usr/sbin/certmonger "search" access on /etc/httpd.
• BZ - 642609 - unable to mount gfs2 filesystems that exist in fstab with selinux on
• BZ - 644807 - smbcontrol doesn't work because selinux denies it access to pid files
• BZ - 644808 - NetworkManager writing out resolv.conf with wrong context
• BZ - 644820 - SELinux prevents passwd from working in runlevel 1
• BZ - 645658 - avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"

CVEs

(none)

References

(none)