RHBA-2012:0780 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix a number of bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/selinux-policy.html#RHBA-2012-0780

All users of SELinux are advised to upgrade to these updated packages, which fix
a number of bugs and add various enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 666332 - sshd service startup failing after destroy when guest install complete
• BZ - 708223 - SELinux httpd_can_network_connect_db denied messages are not logged
• BZ - 718273 - Need policy for gridengine mpi jobs
• BZ - 722896 - interface body is not consistent with interface header
• BZ - 727145 - /var/cfengine/output shouldn't be labelled as var_log_t
• BZ - 738628 - avc denial 'sys_rawio' for rpc.mountd
• BZ - 739886 - avc: denied { read } for pid=19050 comm="rndc" path="/proc/loadavg"
• BZ - 744291 - [RHEL6.2] AVC denied comm="hald-probe-stor" comm="hald-probe-volu"
• BZ - 746961 - ssh-keygen cannot create key outside of ~/.ssh directory
• BZ - 747239 - quota_nld runs as initrc_t
• BZ - 747993 - Re-confining of Firefox plugins
• BZ - 748190 - Missing SELinux rules block use of munins plugin selinux_avcstat
• BZ - 748971 - missing SELinux rules cause openswan labeled IPsec to fail
• BZ - 749200 - matahari-qmf-sysconfigd and matahari-qmf-sysconfig-consoled run as initrc_t
• BZ - 749311 - targeted selinux policy breaks nagios checks and event handlers
• BZ - 749501 - SELinux is preventing /opt/google/chrome/chrome from executing nacl_helper_bootstrap
• BZ - 750869 - sudo/newrole cannot validate logins
• BZ - 751555 - audit logs show crond_t requesting nlmsg_tty_audit
• BZ - 751558 - cannot view mail when unconfined is removed
• BZ - 751732 - SELinux is preventing /usr/libexec/rhsmd from read on /proc/2038/net/psched file
• BZ - 753184 - MLS policy doesn't allow running root created cron jobs
• BZ - 753396 - virsh iface-start and iface-destroy commands lead to a "very long wait" before finally succeeding
• BZ - 754455 - SELinux prevents rsyslog-5.8.6 from running
• BZ - 754646 - SELinux is preventing /usr/sbin/sanlock from search access on NFS directory
• BZ - 759403 - Selinux disallow creating ssh keys for OpenMPI job (sshd.sh script)
• BZ - 760537 - SELinux "targeted" policy blocks web access to files in directories named "logs"
• BZ - 761495 - Some munin plugins lack proper SELinux policies
• BZ - 767195 - SELinux is preventing httpd (namely Trac) from RO access on git files
• BZ - 767579 - selinux prevents quota from setting quota on homedirs
• BZ - 768055 - SELinux silent denials of Nagios NRPE check of /boot
• BZ - 768065 - Incorrect labeling on files from perl-Razor-Agent
• BZ - 768312 - Logging into CVS server causes AVC denial
• BZ - 769301 - SELinux is preventing /usr/sbin/sssd from using the sys_admin capability.
• BZ - 769352 - SELinux prevents qpidd (qpidd_t) from search operation on /sys (sysfs_t) directory
• BZ - 769819 - selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix
• BZ - 769859 - selinux-policy-* packages seem to be testing SELinux status incorrectly
• BZ - 772717 - selinux-policy in rhel-6.2 doesn't allow mcelogd to create pid file causing it not to start
• BZ - 773641 - SELinux prevents ssh-keygen write access to NFS home dirs
• BZ - 781556 - AVC denied for write for sendmail_t in dovecot_deliver_tmp_t
• BZ - 783592 - need SELinux policy for ipa_memcached service
• BZ - 784411 - restorecon uses wrong context for /etc/ssh/ssh_known_hosts or policy wonked
• BZ - 786467 - SELinux prevents clustered qpidd (qpidd_t) from name_connect (tcp_socket, amqp_port_t)
• BZ - 786597 - munin_mail_plugin_t is denied searching in /var/lib
• BZ - 788492 - SELinux is preventing /usr/sbin/matahari-qmf-hostd.#prelink#.TUumNu (deleted) from using the 'sys_ptrace' capabilities.
• BZ - 788601 - AVC denied for httpd_t on zarafa_var_lib_t if it's lnk_file
• BZ - 790980 - Google Chrome has problems with SELinux rules when home directory is in NFS
• BZ - 791294 - SELinux prevents clustered qpidd (qpidd_t) from name_connect (tcp_socket, amqp_port_t)
• BZ - 795474 - Request for rsync network filesystem (nfs/cifs) booleans
• BZ - 796351 - AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
• BZ - 796711 - selinux denial for mailx when used in cron (& screen)
• BZ - 799102 - selinux-policy updates break ldapi samba connection to 389ds (IPA)
• BZ - 799968 - Policy for SSSD should allow CAP_SYS_RESOURCE
• BZ - 801015 - matahari-qmf-rpcd runs as initrc_t
• BZ - 801163 - SELinux prevents chsh from working with Kerberos auth
• BZ - 801408 - SELinux is always hammered for lack of documentation, need to back port new man pages.
• BZ - 803422 - SELinux denies writing /sbin/quotacheck to nfs_t folder
• BZ - 804186 - AVCs when sending mail to root, using postfix + ~/Maildir
• BZ - 805217 - AVC when connecting to internal-sftp using unconfined user in targeted
• BZ - 805742 - SELINUX_ERR when using config tools to install packages
• BZ - 806220 - list of permissive domains is not empty after disabling permissivedomains module
• BZ - 807590 - virtual network looses network connection
• BZ - 807682 - [RFE] ssh_to_job for VM/Java/Sched/Local universe
• BZ - 807824 - cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
• BZ - 808451 - wrong(?) label on postgresql postmaster.pid file
• BZ - 808624 - dovecot lmtp exec access denied to sendmail.postfix
• BZ - 809356 - libvirt-qmf runs as initrc_t
• BZ - 809746 - SELinux prevents heartbeat service from starting
• BZ - 810273 - lvmetad runs as initrc_t
• BZ - 811532 - feature request: add zfs to the list of xattr supported file systems
• BZ - 812854 - package-cleanup fails to remove kernels when called from cron
• BZ - 813803 - /etc/zipl.conf must be labelled as boot_t
• BZ - 814091 - fence-agents are unable to run snmpwalk/snmpget
• BZ - 818082 - ssh-copy-id from root to guest_u account causes denial
• BZ - 818611 - X11 forwarding does not work for xguest_u
• BZ - 821004 - Cannot create crontabs for users under MLS

CVEs

(none)

References

• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/selinux-policy.html#RHBA-2012-0780