RHBA-2013:0314 - Bug Fix Advisory

Topic

Updated selinux packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and various
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes for
information on the most significant of these changes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/selinux-policy.html

All users of selinux-policy are advised to upgrade to these updated packages,
which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 695698 - Wordpress needs a bit of SELinux love to run in the Enforcing mode
• BZ - 770065 - SELinux AVC denials for check_icmp
• BZ - 790967 - additional permissions for certmonger_t
• BZ - 801493 - Please create policy for pacemaker
• BZ - 807157 - numad runs as initrc_t
• BZ - 807678 - bcfg2-server runs as initrc_t
• BZ - 809877 - selinux-policy does not always have a correct label for files in /var/log/ which were processed by logrotate before
• BZ - 811304 - glusterd runs as initrc_t
• BZ - 811319 - fence_virtd runs as initrc_t
• BZ - 811361 - svnserve runs as initrc_t
• BZ - 816251 - SELinux blocks /bin/ping from read access to dhclient.suspend file on resume from hibernate
• BZ - 821483 - SpamAssassin needs write access to spamd_etc_t
• BZ - 821887 - RHEV Hypervisors are setting selinux context on /etc/mtab improperly.
• BZ - 823647 - typo errors and missing patterns in /etc/selinux/targeted/contexts/files/file_contexts
• BZ - 825221 - restorecon disregards custom rules for sym links
• BZ - 827389 - Gitolite3 policy missing
• BZ - 829274 - MLS: chkconfig SERVICE on/off doesn't work well for root:sysadm_r:sysadm_t
• BZ - 831068 - SELinux problem passwd
• BZ - 831908 - AVC denied errors on sanlock
• BZ - 833557 - No SELinux policies for xl2tpd
• BZ - 834994 - rhnsd runs as initrc_t
• BZ - 835269 - additional permissions for certmonger_t
• BZ - 835923 - OpenMPI problem with SELinux (Grid - parallel universe)
• BZ - 835936 - [selinux-policy] AVC when trying to start qemu-kvm domain (guest) on posix compliant file-system
• BZ - 836241 - selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
• BZ - 836311 - New corosync SELinux policy makes heartbeat unusable by default
• BZ - 837815 - MLS user with category s8:c101 cannot ssh to the system
• BZ - 838260 - SELinux policy denies fsav(1) usage in amavisd-new
• BZ - 839250 - service amavisd-snmp restart produces AVCs
• BZ - 839831 - deny qemu guest agent read/write operations by default
• BZ - 840093 - staff_u cannot send mail
• BZ - 840667 - SELinux policy denies clamd(1) usage in amavisd-new
• BZ - 841329 - SELinux targeted policy prevents confined users from using gpgsm with gpg-agent
• BZ - 841950 - SELinux uselessly cripples sadc in root cron jobs
• BZ - 842818 - SELinux problem saslauthd cannot work with MECH=shadow
• BZ - 842905 - user_u crontab_t autofs .viminfo
• BZ - 842927 - selinux policy prevents procmail access to Maildir
• BZ - 842968 - dovecot can't access ~/Maildir
• BZ - 843455 - munin_stats broken after upgrade to 6.3
• BZ - 843543 - starting libvirt default network causes avc: denied { write } comm="dnsmasq" scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
• BZ - 843814 - Need update of selinux policy related to SSSD
• BZ - 844448 - munin exim selinux configurations missing
• BZ - 845033 - selinux policy for iucvtty
• BZ - 845201 - Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs
• BZ - 845417 - Add SELinux policy for openvswitch daemons
• BZ - 846340 - VMware virtual ethernet service fails to start on RHEL 6.3
• BZ - 848915 - slpd runs as initrc_t
• BZ - 848918 - sensord runs as initrc_t
• BZ - 849262 - SELinux is preventing /usr/sbin/snmpd (snmpd_t) from write access on the sock_file /var/run/cman_client (corosync_var_run_t)
• BZ - 849671 - SELinux doesn't allow /etc/init.d/clamd.amavisd to write PID file
• BZ - 849745 - SELinux prevents pppd from working in targeted mode when using L2TP IPSec mode
• BZ - 851113 - incorrect label on /var/run/cachefilesd.pid file
• BZ - 851128 - rpc.rstatd and rpc.rusersd run as initrc_t
• BZ - 851241 - cpglockd runs as initrc_t
• BZ - 851289 - unbound not able to bind to port 80, despite dns_port_t set correctly
• BZ - 851483 - spice-vdagent(d) is moving to syslog, needs selinux policy adjustment
• BZ - 852544 - SELinux targeted policy prevents confined users from using sandbox
• BZ - 852763 - root can't mount any file via loop device with enforcing mls policy
• BZ - 853453 - SELinux vs .forward script on nfs
• BZ - 853852 - SELinux Boolean for NFS failed to prevent nfs client access
• BZ - 853970 - RHCS cluster node does not auto-join cluster ring after power fencing due to corosync SELinux AVCs (avc: denied { name_bind } for pid=1516 comm="corosync" src=122[89] scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:*_port_t:s0...
• BZ - 854620 - AVCs when running lvmetad test with disabled unconfined and unlabelednet
• BZ - 854671 - selinux avcs when running openswan on a system with fips enabled
• BZ - 855286 - SELinux is preventing /usr/sbin/sanlock from getattr access on Posix Compliant FS storage type
• BZ - 855295 - AVCs when running rhsmcertd test with disabled unconfined and unlabelednet
• BZ - 855311 - AVCs when running tgtd test with disabled unconfined and unlabelednet
• BZ - 855314 - Saving ebtables is blocked when unconfined module is disabled
• BZ - 855889 - libselinux should support per-user login contexts
• BZ - 855895 - AVCs when running cyrus-imapd test with disabled unconfined and unlabelednet
• BZ - 856580 - nslcd - denied sys_nice
• BZ - 858235 - rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0
• BZ - 858406 - PostgreSQL PITR setup with SELinux feature request
• BZ - 858784 - pulse fails to start IPVS sync daemon
• BZ - 859231 - krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
• BZ - 860087 - Update SELinux policies for pppd
• BZ - 860858 - RHEL5/RHEL6 selinux-policy needs clamscan_can_scan_system tunable
• BZ - 861980 - selinux, afs, and readahead
• BZ - 863407 - SELinux policy doesn't allow freshclam to update through http proxy
• BZ - 864546 - SELinux prevents puppet master from running as passenger web app
• BZ - 865390 - SELinux denies getattr to perl strict.pm module
• BZ - 865567 - avc denials on fail2ban restart
• BZ - 865759 - Root can ssh when ssh_sysadm_login --> off in MLS
• BZ - 867001 - rsyslog cannot access krb5 ticket and keytab
• BZ - 867002 - SELinux is preventing /usr/sbin/sshd from read access on the file /var/lib/sss/mc/passwd
• BZ - 867628 - stale man pages (specifically ricci_selinux(8))
• BZ - 868959 - AVCs for cluster-cim w/ Pegasus server
• BZ - 869059 - SELinux blocks postfix <-> dspam
• BZ - 869304 - AVC while starting VMs hosted on RHS
• BZ - 871038 - SELinux prevents /sbin/cgrulesengd (cgred_t) from searching in /proc/irq (sysctl_irq_t)
• BZ - 871106 - [PATCH] Munin plugins can't run unconfined
• BZ - 871816 - rhel6.4 ipactl restart avc denials for various services
• BZ - 874843 - Zarafa webapp generates AVC when writing to /var/lib/zarafa-webapp/tmp/session/
• BZ - 875602 - SELinux prevents rsyslogd from writing to /var/lib/net-snmp/mib_indexes/0 file
• BZ - 875839 - Please ship the openshift SELinux policy with RHEL 6.4
• BZ - 878212 - Cannot log into 6.4 nightlies with fips mode + selinux in enforcing mode
• BZ - 880369 - Unable to create quota system on openshift_var_lib_t
• BZ - 880407 - incorrect SELinux file contexts on /etc/multipath*
• BZ - 881413 - SELinux errors when including domain-realm mapping directory
• BZ - 881445 - SELinux is preventing /usr/sbin/sshd "search" access on /var/lib/mysql
• BZ - 881993 - rsyncd fails to chdir with autofs mounted nfs directory
• BZ - 883143 - git-daemon and httpd can't serve the same dir
• BZ - 885432 - selinux prevents RHEV-M SSO plugin from accessing credentials channel created by ovirt/rhevm-guest-agent
• BZ - 885518 - PostgreSQL and .ssh context
• BZ - 886563 - selinux denies dovecot scripts
• BZ - 886619 - Passenger prespawn does not work
• BZ - 888164 - AVC reported by rpc.rusersd
• BZ - 888440 - Apcupsd SNMP monitoring blocked
• BZ - 889251 - SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket
• BZ - 890687 - rsyncd cannot append to tcontext=system_u:object_r:var_log_t
• BZ - 895220 - SELinux error managing certmonger certificates in rpm post script

CVEs

(none)

References

• https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/selinux-policy.html