RHBA-2011:0526 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix a number of bugs and add various
enhancements are now available.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.1 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/index.html

All users of SELinux are advised to upgrade to these updated packages, which
provide numerous bug fixes and enhancements.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 615731 - SELinux is preventing /usr/bin/wodim "setrlimit" access .
• BZ - 630827 - Guest OS customization cannot work with the current SELinux policy setting
• BZ - 631523 - Suspending VMware virtual machines is slow or fails when selinux is enabled.
• BZ - 631564 - remove boolean for corosync to remove potential for selinux avcs with enforcing mode
• BZ - 631952 - policy prevents qemu-kvm wrapper script
• BZ - 634084 - Start of tgtd service emits AVC denials
• BZ - 634089 - running cmirrord on boot generates AVC denial
• BZ - 634357 - fence_scsi fails to unfence with selinux AVC denials
• BZ - 634945 - smbcontrol doesn't work because selinux denies it access to pid files
• BZ - 636683 - unable to mount gfs2 filesystems that exist in fstab with selinux on
• BZ - 637109 - which context is correct for /root/.ssh directory ?
• BZ - 637135 - SELinux is preventing /usr/sbin/rpc.rquotad "quotamod" access
• BZ - 638661 - avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"
• BZ - 639074 - NetworkManager writing out resolv.conf with wrong context
• BZ - 639083 - SELinux prevents passwd from working in runlevel 1
• BZ - 639230 - SELinux is preventing /usr/lib/vte/gnome-pty-helper "open" access on wtmp
• BZ - 639233 - SELinux is preventing /usr/bin/ck-history "read" access on history
• BZ - 639266 - suspend/resume SELinux denials (dbus)
• BZ - 640642 - SELinux is preventing /usr/sbin/certmonger "search" access on /etc/httpd.
• BZ - 644799 - SELinux denies staff_u and user_u user to run ssh ProxyCommands
• BZ - 646365 - /etc/sysconfig/iptables.save vs. /etc/sysconfig/ip6tables.save context
• BZ - 650136 - copy&paste errors in 'semanage boolean -l' output
• BZ - 655206 - Need dirsrv and dirsrv-admin policy modules merged into base policy
• BZ - 655693 - udevadm settle takes 3 minutes to complete - 3mins is the default timeout value
• BZ - 657521 - selinux-policy-mls produce mount AVC during system startup
• BZ - 657568 - selinux MLS policy prevents executing of run_init in single user mode
• BZ - 658410 - SELinux denials with Cobbler on RHEL 6
• BZ - 658591 - certmonger cannot track 389-ds certificates
• BZ - 658599 - SELinux prevents node_bind for ns-slapd
• BZ - 663054 - user_ping boolean not working
• BZ - 663940 - avc: denied { read } for pid=... comm="shutdown" path="pipe:[32156]" ...
• BZ - 667071 - enforcing MLS: 'rpm -qa' displays nothing in single user mode
• BZ - 667076 - MLS: 'reboot' leads to AVCs in single-user mode
• BZ - 667370 - enforcing MLS -- security_validate_transition: denied for oldcontext=... newcontext=...
• BZ - 667622 - selinux doesn't allow samba utmp = yes
• BZ - 669045 - openssh need udp port for radius auth
• BZ - 669362 - enforcing MLS -- avc: denied { read } for ... comm="sh" path="/dev/kmsg" ...
• BZ - 669402 - Are iprinit, iprdump and iprupdate services supported in MLS policy ?
• BZ - 670774 - enforcing MLS: "crontab -l" does not work well
• BZ - 673112 - Multiple jabberd_t - related denials
• BZ - 675000 - cgrulesengd cannot be started from initscript with selinux target policy enabled
• BZ - 675782 - [SELinux AVC Alert] SELinux is preventing /usr/sbin/ns-slapd from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts
• BZ - 676664 - avc denied message when starting cmirrord
• BZ - 677802 - cluster daemons need access to dbus
• BZ - 677986 - /dev/tgt does not have SELinux label
• BZ - 677989 - /dev/dasd_eer does not have SELinux label
• BZ - 678044 - avc: denied { module_request } for pid=... comm="console-kit-dae" ...
• BZ - 680388 - MLS in single-user mode: /var/lock/lvm: setfscreatecon failed: Permission denied
• BZ - 680426 - MLS: lsusb works but AVCs appear
• BZ - 680428 - MLS: lsblk works but AVCs appear
• BZ - 680539 - dnsmasq supports enable-dbus, but selinux says no
• BZ - 681151 - MLS: udevadm works but AVCs appear
• BZ - 681887 - MLS -- AVCs appear when running: kpartx -v /dev/sda
• BZ - 682219 - MLS -- AVCs appear when running: rpm -Uvh ...
• BZ - 682416 - SELinux is preventing /usr/bin/spice-vdagent "write" access on spice-vdagent-sock
• BZ - 682974 - MLS: under root ssh-keygen creates .ssh and underlying files with bad context
• BZ - 682999 - SELinux is preventing /usr/libexec/gdm-session-worker "write" access on /root.
• BZ - 683367 - avc: denied { search } for ... comm="polkit-agent-he" name="faillock" ... scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
• BZ - 683377 - SELinux prevents pxe installation to work
• BZ - 683988 - MLS: USER_AVC ... denied { send_msg } for ... interface=net.reactivated.Fprint.Manager ...
• BZ - 684198 - /usr/bin/paster cannot work in /var/lib/luci/etc/ because of SELinux
• BZ - 684611 - SELinux prevents httpd from mounting autofs
• BZ - 685116 - mls: selinux blocks console login
• BZ - 687867 - SELinux is preventing /usr/bin/python "search" access on /root/.local.
• BZ - 689431 - selinux blocks rsyslogd from opening more file descriptors
• BZ - 689953 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit
• BZ - 690466 - SELinux is preventing /usr/kerberos/sbin/klogind "read" access on .k5login
• BZ - 691665 - AVCs appear when evince is running in sandbox
• BZ - 692296 - MLS policy roles are more separate than with RHEL5
• BZ - 692457 - MLS: under root ssh cannot create .ssh and underlying files
• BZ - 692571 - selinux policies do not allow cluster to run
• BZ - 692828 - MLS: under staff_u and user_u user ssh-keygen creates .ssh and underlying files with bad context
• BZ - 693420 - /dev/random inaccessible by ssh-keygen
• BZ - 693590 - Add selinux policy for matahari services
• BZ - 693792 - Please include selinux policy for foghorn
• BZ - 694551 - SSH login as sysadm_r is not allowed with ssh_sysadm_login SELinux boolean set in SELinux MLS policy
• BZ - 696092 - squid: denials for squid_kerb_auth when using kerberos authentication
• BZ - 696161 - Selinux alert for wpa_supplicant in CSB 6.1
• BZ - 697812 - sudo -r ... cannot read /etc/selinux/targeted/contexts/default_type
• BZ - 697924 - faillock avcs when booting with mls policy
• BZ - 698144 - AVCs appear when starting tgtd
• BZ - 699063 - netlabelctl can't be run by init
• BZ - 699449 - mislabelled files after boot
• BZ - 699699 - AVCs and USER_AVCs appear when somebody logs in as Guest via GDM
• BZ - 700330 - SELinux is preventing /bin/chown "write" access on /var/lib/sss/pipes/nss.

CVEs

(none)

References

• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/index.html