RHBA-2014:1205 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix several bugs are now available for Red
Hat Enterprise Linux 5.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

This update fixes the following bugs:

• Due to missing rules in the SELinux policy, the sssd_t domain could not

connect to port 464. With this update, the appropriate rules have been added to
the policy and sssd_t now connects to that port as expected. (BZ#959217)

• Previously, SELinux prevented the fence_xvm agent from fencing nodes even if

the fenced_can_network_connect Boolean was enabled. The SELinux policy has been
modified to fix this bug and SELinux no longer blocks fence_xvm in the described
scenario. (BZ#984453)

• Due to missing rules in the SELinux policy, SELinux did not allow the

dovecot_deliver_t process to send the SIGNULL signal. With this update, the
SELinux rules have been modified accordingly and SELinux no longer prevents
dovecot_deliver_t from sending SIGNULL. (BZ#997710)

• Previously, SELinux prevented the iptables_t process from using the inotify

utility to monitor file system activity. This update adds appropriate SELinux
rules and iptables_t can use inotify as expected. (BZ#1005589)

• When SELinux was in enforcing mode, the glibc library was unable to update the

/etc/localtime file. The SELinux policy has been modified to fix this bug and
glibc can now update the file as expected. (BZ#1008472)

• Due to missing SELinux rules, the automount utility could not read symbolic

links, which caused the AVC denial messages to return. With this update, the
SELinux policy has been modified and SELinux no longer prevents automount from
reading symbolic links. (BZ#1053050)

• Previously, the restorecon command failed to restore the SELinux context on a

file located in a symbolically linked directory. The underlying source code has
been modified to fix this bug and restorecon now works correctly in the
described scenario. (BZ#1078357)

• Previously, the smbd daemon service was unable to connect to the nmbd service

using a Unix stream socket, which caused AVC messages to be logged in the
/var/log/audit/audit.log file. To fix this bug, a set of new rules has been
added to the SELinux policy to allow smbd to connect to nmbd. (BZ#1083491)

• An attempt to start a clustered service with the postgres-8 resource script

failed due to a bug in the SELinux policy. With this update, the policy has been
modified and the service now starts as expected. (BZ#1089006)

• Due to missing rules in the SELinux policy, the radiusd daemon was unable to

write to the /tmp/ directory. Consequently, when radiusd was integrated with the
Kerberos network authentication system, an attempt to authenticate a user
failed. This update applies a new SELinux policy module so that radiusd works
correctly in the described scenario. (BZ#1096891)

• The zarafa-indexer package has been replaced with the zarafa-search package.

Previously, the zarafa-search utility was not labeled with the same SELinux
context as the zarafa-indexer utility. With this update, the appropriate SELinux
policy rules have been modified and zarafa-search now runs in the
zarafa_indexer_t domain as expected. (BZ#1098031)

Users of selinux-policy are advised to upgrade to these updated packages, which
fix these bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 959217 - SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket
• BZ - 984453 - fence_xvm not working when SELinux is enforcing (even though fenced_can_network_connect is on)
• BZ - 997710 - SELinux is preventing deliver (dovecot_deliver_t) "signull" to <Unknown> (dovecot_deliver_t).
• BZ - 1005589 - SELinux is preventing iptables (iptables_t) "read" to inotify (inotifyfs_t)
• BZ - 1083491 - Samba and strange avc
• BZ - 1096891 - radiusd cannot write to tmp
• BZ - 1098031 - zarafa-search runs as initrc_t (zarafa-search replaces zarafa-indexer)

CVEs

(none)

References

(none)