RHBA-2013:1598 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix a number of bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes for
information on the most significant of these changes:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/selinux-policy.html#RHBA-2013-1598

Users of selinux-policy are advised to upgrade to these updated packages, which
fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 781556 - AVC denied for write for sendmail_t in dovecot_deliver_tmp_t
• BZ - 854963 - pand runs as initrc_t
• BZ - 859651 - 3.7.19-155.el6_3.4 seems to break git-shell
• BZ - 872542 - AWStats SELinux module lacks tunable for PurgeLogFile=1 setup
• BZ - 876334 - haproxy runs as initrc_t
• BZ - 878148 - cannot login to cobbler web-ui
• BZ - 881834 - watchdog runs as initrc_t
• BZ - 889120 - AVC denials for sanlock and fence_sanlock
• BZ - 890554 - SELinux issues with zabbix
• BZ - 890646 - SELinux don't allow postfix to connect MySQL database
• BZ - 890647 - SELinux don't allow postqueue to run under sysadm_t
• BZ - 891779 - lldpad runs as initrc_t
• BZ - 892024 - SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access on the directory /var/tmp
• BZ - 903316 - SELinux is preventing /usr/bin/bash from 'execute' accesses on the file /usr/sbin/mdadm.
• BZ - 903371 - Selinux blocks gdm/Xorg from starting x11vnc
• BZ - 906773 - SELinux drops an error after sendmail installation by yum-builddep
• BZ - 909857 - tgtd: it is not able to start or stop if it is configured to use iser with selinux
• BZ - 910430 - SELinux is preventing /usr/sbin/sshd from using the 'sys_admin' capabilities.
• BZ - 913669 - SELinux denied getattr to postdrop on pipe
• BZ - 913673 - cgrulesengd has "AVC" record in /var/log/audit/audit.log
• BZ - 915151 - Please create (working) policy for pacemaker
• BZ - 917157 - SELinux blocks Nagios/NRPE plugins which use sudo
• BZ - 917379 - SELinux prevents postfix spawn to execute_no_trans SPF perl script
• BZ - 919192 - Admin server restart from console denied by SELinux
• BZ - 919456 - context aliases for /var/lib/dspam/data ?
• BZ - 919893 - new selinux policy utterly breaks shorewall
• BZ - 919914 - Postfix with LDAP virtual alias maps has dontaudit denials
• BZ - 922028 - SELinux prevents snmptthandler from writing into /var/spool/snmptt/ directory
• BZ - 922135 - SELinux is preventing nagios_t to make changes within /var/spool/nagios/checkresults/ directory
• BZ - 922732 - SELinux prevents openvpn_t to write inside the /var/lib/openvpn directory
• BZ - 923246 - scsi fencing does not work in enforcing mode
• BZ - 924843 - Various AVC denieds related to corosync policy for heartbeat
• BZ - 926022 - SELinux prevents vsftpd (ftpd_t) access to glusterfs-fuse mount ('fusefs_t') provided by Red Hat Storage (RHS) server
• BZ - 927003 - avc: denied { name_connect } for yppush when called from yppasswdd on NIS master
• BZ - 927339 - SELinux is preventing /usr/bin/df from 'getattr' accesses on the blk_file /dev/dm-2.
• BZ - 928020 - SELinux forbids freshclam cronjob to notify Clamd instance for Amavisd-New
• BZ - 947772 - Allow sanlock-helper to use SIGKILL on any process registered to sanlock
• BZ - 949974 - Non-compilable interfaces in selinux-policy
• BZ - 950103 - selinux denies pegasus to access mount
• BZ - 952621 - sandbox and sandbox_net_t/sandbox_web_t types don't work
• BZ - 952827 - SELinux policy prevents mongod to bind to ports 27018, 27019, 28017, 28018 and 28019
• BZ - 953652 - cron job will generate avc denied message when selinux-policy-targeted-3.7.19-195.el6_4.1.noarch is installed on node.
• BZ - 953754 - Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t
• BZ - 955189 - SELinux prevents amavisd to execute 7za
• BZ - 955774 - [RFE] tftp booleans for NFS/CIFS access
• BZ - 956720 - File name transition rule for /etc/security/opasswd is missing
• BZ - 957023 - SELinux is preventing /usr/bin/svnserve from 'name_bind' accesses on the tcp_socket .
• BZ - 957525 - Policy for procmail_t overly restrictive for tmp files
• BZ - 963465 - openshift_cron_t needs to be able to read symlinks
• BZ - 966106 - AVC denials when using netns
• BZ - 966387 - wrong permissions for openvpn
• BZ - 966635 - Munin CGI graphs produce SELinux AVCs
• BZ - 968344 - pam_cgroup and pam_namespace AVC denials with Openshift Enterprise 1.2 Candidate
• BZ - 969485 - mcollective service contexts
• BZ - 971594 - AVC denial when attaching volume to RHOS 3 instance
• BZ - 971814 - automount cannot mount into public_content_t
• BZ - 972956 - More AVC denials when using netns
• BZ - 973156 - /etc/yaboot.conf (bootloader_t) is symlink pointing to file with type boot_t
• BZ - 974932 - selinux denies rsyslog to drop priviliges
• BZ - 974973 - success=yes AVC when running fail2ban service
• BZ - 977047 - feature request: add zfs to the list of xattr supported file systems
• BZ - 977415 - AVC denials when using openvswitch logrotate
• BZ - 979421 - SELinux complains about execution of bash related to 7z and amavisd-new
• BZ - 979432 - SELinux forbids iptables(1) calls from OpenVPN client-(dis)connect scripts
• BZ - 980509 - some *_use_nfs booleans don't contain rules for autofs_t access
• BZ - 983217 - SELinux prevents dovecot from using pam_oddjob_mkhomedir to create a new user's home directory
• BZ - 983551 - SELinux blocks OpenDMARC (<-> Postfix)
• BZ - 983601 - selinux: tgtd fails to start using pass-through with bs-type SG
• BZ - 983639 - R-Studio generated files are not accessible to samba because of default label they get stuck with
• BZ - 984903 - system-config-kdump needs write access to /boot/efi/EFI/redhat/grub.cfg
• BZ - 985452 - SELinux AVC denials for deferred messages in Postfix after restoring default context
• BZ - 986196 - different booleans which have the same description
• BZ - 986197 - libsepol "Duplicate declaration" error when installing selinux-policy-3.7.19-208.el6
• BZ - 986198 - *_selinux man pages files are owned by two rpms (selinux-policy, selinux-policy-doc)
• BZ - 986883 - strongswan file contexts should mirror the current ipsec contexts
• BZ - 991024 - SELinux is preventing /bin/df from read access on the directory var.
• BZ - 995434 - Cannot create virtual machine in VirtManager in enforcing after system update
• BZ - 996499 - SELinux is preventing /usr/lib64/valgrind/memcheck-amd64-linux from using the transition access on a process
• BZ - 998663 - Current selinux policy prevents running a VM with volumes under /var/run/vdsm/storage
• BZ - 999471 - AVC denials caused by amavisd-snmp service start/restart
• BZ - 1000521 - openhpid runs as initrc_t
• BZ - 1002593 - Antiviruses' policy comparison regarding the move to antivirus_t
• BZ - 1003571 - selinux: does not allow connection to tgtd when using iSNS
• BZ - 1006370 - The openstack-selinux policies need to be updated for the quantum -> neutron rename
• BZ - 1006952 - Unable to start a QEMU process due to selinux permission errors
• BZ - 1009977 - 60+ second delay when launching a LXC container in 6.4
• BZ - 1010324 - missing allow rule for symlinks labeled git_system_content_t
• BZ - 1011963 - selinux avc denial on cluster nodes
• BZ - 1011973 - Port 9000 needs to be http_port_t
• BZ - 1018306 - selinux policy causes pulse daemon not working properly
• BZ - 1021566 - iser: selinux does not allow login to the session

CVEs

(none)

References

• https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Technical_Notes/selinux-policy.html#RHBA-2013-1598