RHBA-2013:1608 - Bug Fix Advisory

Topic

Updated policycoreutils packages that fix several bugs and add one enhancement
are now available for Red Hat Enterprise Linux 6.

Description

The policycoreutils packages contain the core utilities that are required for
the basic operation of a Security-Enhanced Linux (SELinux) system and its
policies.

This update fixes the following bugs:

• Previously, several semanage command-line options did not work as expected.

With this update, these options have been corrected and now work proprerly.
(BZ#860506)

• With this update, the semanage man page has been updated to be consistent with

information contained in the semanage help page. (BZ#868218)

• Due to a bug in the policycoreutils package, installation of the

ipa-server-selinux package failed. This bug has been fixed and
ipa-server-selinux can now be installed without complications. (BZ#886059)

• Prior to this update, the sandbox utility did not accept symbolic links

specified in the /etc/sysconfig/sandbox file. Consequently, executing the
"sandbox -M" command failed with a "No such file or directory" message. The
underlying source code has been modified and symlinks can now be configured in
/etc/sysconfig/sandbox without complications. (BZ#913175)

• Previously, the fixfiles script did not recognize a change in the regular

expression describing the /sbin/ip6?tables-multi* files. Consequently, these
files were labeled incorrectly after updating the system with the yum update
command. With this update, fixfiles has been corrected to accept the change of
regular expression. (BZ#916727)

• Prior to this update, after executing the "semanage boolean -m" command, a

traceback was returned. This bug has been fixed and tracebacks are no longer
displayed in the aforementioned scenario. (BZ#918460)

• Previously, the semanage utility did not allow to set the "none" context on

directories and files. Consequently, the following message was displayed when
attempting to do so:

/usr/sbin/semanage: Type none is invalid, must be a file or device type

This bug has been fixed, and it is now possible to set the "none" context
without complications. (BZ#928320, BZ#947504)

• Prior to this update, the "-o" option of the audit2allow command overwrote the

contents of the output file instead of just appending the new content. This bug
has been fixed, and "audit2allow -o" now works as expected. (BZ#967728)

• After attempting to enable a SELinux boolean that did not exist, a brief error

message was generated. This update modifies this message to be more informative.
(BZ#984484)

• After attempting to permanently change a boolean that did not exist, an

incorrect error message was generated. This message has been modified to provide
correct information about the cause of the problem. (BZ#998974)

In addition, this update adds the following enhancement:

• This update adds a possibility to exclude selected files when running the

restorecon utility, which can significantly reduce execution times. (BZ#916734)

Users of policycoreutils are advised to upgrade to these updated packages, which
fix these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 868218 - semanage man page and help are inconsistent (role/roles)
• BZ - 916727 - yum update from el6.3 to el6.4 causes wrong labeling of /sbin/ip6?tables-multi.*
• BZ - 916734 - need a way to exclude dirs from restorecon
• BZ - 918460 - semanage boolean -m BOOLEAN_NAME tracebacks
• BZ - 928320 - semanage fails to set up <<none>> context on directories and files
• BZ - 947504 - [PATCH] 6.4 Regression: <<none>> no longer works
• BZ - 984484 - make setsebool error message saying boolean do not exist more user friendly
• BZ - 998974 - setsebool prints bad nonexisting-boolean error message, only once after permanent booleans change

CVEs

(none)

References

(none)