RHBA-2011:1511 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix several bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.2 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/selinux-policy.html#RHBA-2011-1511

All users of SELinux are advised to upgrade to these updated packages, which
provide numerous bug fixes and enhancements.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 665176 - There is no selinux man page for mysql
• BZ - 691828 - include sanlock
• BZ - 693810 - Targeted policy doesn't fit new drupal* installations
• BZ - 694031 - enforcing MLS: userdel -r USERNAME causes AVCs
• BZ - 694087 - AVC: load-policy: install IPA Server
• BZ - 694879 - [RFE] subscription-manager does not have it's own policy
• BZ - 694881 - Please add policy for corosync-notifyd
• BZ - 698923 - selinux prevents kadmin from setsched operation
• BZ - 700495 - xguest login produce USER_AVC denial { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.Compliance
• BZ - 701885 - typo errors in 'semanage boolean -l' output
• BZ - 702351 - ntpd produces an AVC when started from firstboot GUI
• BZ - 704191 - secadm_r doesn't have write permission to selinux_config_t
• BZ - 705277 - rsyslogd cannot search /var/spool/rsyslog and cannot read /dev/random
• BZ - 706448 - avc: denied when a NIS user is configured in /etc/cgrules.conf
• BZ - 707616 - MLS selinux mode: cannot register machine
• BZ - 710292 - setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module
• BZ - 712961 - SELinux policy missing access for /var/spool/rsyslogd
• BZ - 713218 - Add policy to allow kerberos kadmind to communicate with openldap via ldapi
• BZ - 715038 - AVCs when trying to create new 389-ds instance through 389-console
• BZ - 716973 - selinux prevents rsyslogd to send messages encrypted with TLS
• BZ - 718268 - [RHEL6.2] AVC denied comm="qmgr"
• BZ - 718390 - Shipped SELinux policy prevents Puppet 2.6/2.7 from working
• BZ - 719261 - SELinux policy forbidds resending of queued e-mails in Postfix mail queue
• BZ - 719738 - CTDB/Samba fails when selinux is enabled
• BZ - 719929 - httpd_selinux missing information
• BZ - 720463 - Zarafa needs a SELinux treatment to work (currently works only in the permissive mode)
• BZ - 720603 - SELinux avoids logrotate if /var/lib/logrotate.status is a symlink due to DRBD/drbdlinks
• BZ - 720939 - Various AVC denied for initrc_t:unix_stream_socket { read write }
• BZ - 722381 - selinux policy does not allow squeezeboxserver to start
• BZ - 722429 - Problem with SELinux and the script resource agent
• BZ - 722506 - some .te files cannot be compiled because interfaces contain errors
• BZ - 723258 - SELinux "targeted" policy blocks web access to files in directories named "logs"
• BZ - 723911 - some .pp files cannot be loaded because interfaces contain errors
• BZ - 723947 - pppoe-server runs as initrc_t
• BZ - 723958 - lldpad runs as initrc_t
• BZ - 723964 - fcoemon runs as initrc_t
• BZ - 723977 - cimserver runs as initrc_t
• BZ - 725414 - Targeted: add rule for ssh-keygen to be able to create .ssh folder with correct context
• BZ - 725767 - abrt-dump-oops runs as initrc_t
• BZ - 726031 - tomcat6 can not run successfully under mls policy
• BZ - 726324 - SELinux is preventing /usr/libexec/qemu-kvm from 'getattr' accesses on the filesystem /home.
• BZ - 726339 - denied sys_module for /sbin/ip capability
• BZ - 726696 - uuidd runs as initrc_t
• BZ - 726699 - gatherd and reposd run as initrc_t
• BZ - 727130 - SELinux is preventing /sbin/grubby "search" access to /boot/efi
• BZ - 727150 - selinux prevents rsyslogd to access snmpd_var_lib_t
• BZ - 727160 - SELinux is preventing /bin/bash from write access on the directory cluster.
• BZ - 727290 - SELinux is preventing /usr/sbin/lldpad from using the 'sys_module' capabilities.
• BZ - 728591 - selinux policy restricts rsyslog clients from connecting to port 6514
• BZ - 728699 - SELinux prevents hddtemp from listening on 'localhost'
• BZ - 728790 - fence_kdump agent bind to port causes AVC denial
• BZ - 729073 - SELinux prevents openvpn to set its process priority
• BZ - 729175 - [RHEL6.2] avc: denied { read } for pid=5541 comm="abrt-dump-oops"
• BZ - 729365 - qemu should be allowed to connect to libguestfs socket
• BZ - 729648 - In a chrooted sftp environment, selinux is preventing the users from uploading new files to their home directories.
• BZ - 730218 - selinux preventing procmail to execute hostname command
• BZ - 730837 - SELinux prevents puppet running as Passenger webapp
• BZ - 730852 - memcached requires CAP_SYS_RESOURCE if max connections is set to greater than 1024
• BZ - 731760 - SELinux is preventing /usr/sbin/wpa_supplicant from 'create' accesses on the netlink_socket Unknown.
• BZ - 732196 - SELinux module needed for ssh access to git
• BZ - 732757 - Authentication issues while using Kerberos and SELinux in enforcing mode
• BZ - 733002 - There is no selinux man page for squid
• BZ - 733039 - There is no selinux man page for ABRT
• BZ - 733337 - cluster tools cause AVCs
• BZ - 733869 - selinux policy for qmail service prevents qmail-inject/sendmail
• BZ - 734123 - SELinux is preventing /usr/bin/virsh from read access on the chr_file /dev/random
• BZ - 734568 - postdrop causing avc failure
• BZ - 734722 - avc messages on mailman downgrade test and binary completeness test
• BZ - 735198 - selinux-policy denies write for sulogin to /dev/pts/0 in single user mode
• BZ - 735729 - SELinux is preventing /bin/cp from relabelfrom operation on the file rng_update.lock
• BZ - 736300 - SELinux is preventing smbcontrol from read/write operation on /dev/console
• BZ - 736388 - SELinux is preventing /usr/sbin/pulse from executing /usr/sbin/fos
• BZ - 736623 - cgit does not work with default selinux policy
• BZ - 737495 - selinux prevets radiusd search on /tmp
• BZ - 737571 - SELinux is preventing dhcpd setgid/setuid access
• BZ - 737635 - AVC denial when starting luci
• BZ - 737790 - SELinux is preventing /usr/bin/spice-vdagent "write" access on spice-vdagent-sock
• BZ - 738156 - different contexts on configs / init scripts related to dhcpd / dhcpd6
• BZ - 738188 - SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock
• BZ - 738529 - SELinux prevents sanlock work
• BZ - 738994 - cyrus-imapd downgrade selinux test fail
• BZ - 739047 - Update against RHN Live-selinux Test fails
• BZ - 739065 - fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow
• BZ - 739618 - Chrome/Chromium cannot start due to text relocations
• BZ - 739628 - seinfo -r displays 12 roles and 1 type
• BZ - 739883 - SELinux is preventing /usr/sbin/abrtd from 'create' access on the lnk_file .lock
• BZ - 740180 - SELinux is preventing pwupdate from getattr operation on /bin/mailx
• BZ - 740514 - rsyslog not able to connect to smtp port
• BZ - 740925 - ns-slapd dirsrv_t netlink_route_socket denials
• BZ - 741271 - selinux-policy spice-vdagent rules need update because of new agent features
• BZ - 741967 - SE Linux policies for Clustered Samba commands
• BZ - 743245 - If secmark packets are rejected by SELinux, the calling app should get a eperm returned
• BZ - 744817 - /dev/bsr4096_* are labelled system_u:object_r:device_t:s0
• BZ - 745113 - matahari-net was renamed to matahari-network but SELinux context did not follow
• BZ - 745208 - 389-ds-base: PAM Pass through authentication fails when selinux mode is in "Enforcing".
• BZ - 745531 - Cloudform need SELinux policies support
• BZ - 746265 - sssd needs to be allowed to create, delete and read symlinks in /var/lib/sss/pipes/private
• BZ - 746348 - SELinux is preventing /usr/bin/Xorg from 'unix_read, unix_write' accesses on the shared memory Unknown.
• BZ - 746616 - ntpd_t and dhcpc_t generate AVC fails
• BZ - 746764 - piranha-gui: error opening or creating the lvs.cf configuration file
• BZ - 747321 - SELinux is preventing /usr/sbin/sshd from getattr operation on /root/.hushlogin file
• BZ - 748755 - SELinux is preventing /bin/bash (xdm_t) from write access on the directory /etc (etc_t)
• BZ - 749568 - finger cannot access /var/run/nslcd
• BZ - 749690 - dovecot denials
• BZ - 751892 - SSO: Selinux error prevent login to virtual terminal (CTRL+ALT+F2) with a smart card.
• BZ - 752376 - vhostmd service dies in enforcing mode

CVEs

(none)

References

• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/selinux-policy.html#RHBA-2011-1511