RHBA-2014:1568 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix multiple bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

This update fixes the following bugs:

• SELinux prevented the qemu-guest-agent process from executing the

settimeofday() and hwclock() functions. Consequently, qemu-guest-agent was
unable to set the system time. A new rule has been added to the SELinux policy
and qemu-guest-agent can now set the time as expected. (BZ#1062384)

• Previously, SELinux did not allow the dhcpd daemon to change file ownership on

the system. As a consequence, the ownership of files that dhcpd created was
changed from the required dhcpd:dhcpd to root:root. The appropriate SELinux
policy has been changed, and dhcpd is now able to change the file ownership on
the system. (BZ#1082640)

• Due to the missing miscfiles_read_public_files Boolean, the user could not

allow the sshd daemon to read public files used for file transfer services. The
Boolean has been added to the SELinux policy, thus providing the user the
ability to set sshd to read public files. (BZ#1097387)

• Due to a missing SELinux policy rule, the syslog daemon was unable to read the

syslogd configuration files labeled with the syslog_conf_t SELinux context. With
this update, the SELinux policy has been modified accordingly, and syslog now
can read the syslog_conf_t files as expected. (BZ#1111538)

• Due to an insufficient SELinux policy rule, the thttpd daemon ran in the

httpd_t domain. As a consequence, the daemon was unable to change file
attributes of its log files. The SELinux policy has been modified to fix this
bug, and SELinux no longer prevents thttpd from changing attributes of its log
files. (BZ#1111581)

• Previously, SELinux did not allow the sssd daemon to write to the krb5

configuration file, thus the daemon was unable to make any changes in krb5. The
SELinux policy has been changed with this update, and sssd can now write to
krb5. (BZ#1122866)

• Due to a missing SELinux policy rule, the Samba daemons could not list the

/tmp/ directory. The SELinux policy has been modified accordingly, and SELinux
no longer prevents the Samba daemons from listing the /tmp/ directory.
(BZ#1127602)

In addition, this update adds the following enhancements:

• With this update, new SELinux policy rules have been added, and the following

services now run in their own domains, not in the initrc_t domain:

thttpd (BZ#1069843)
pcp (BZ#1089912)
certmonger (BZ#1117739)
haveged (BZ#1107580)
swift-proxy-server (BZ#1109803)
lsmd (BZ#1111619)
swift-object-expirer (BZ#1113146)
hv_vss_daemon (BZ#1116318)
bacula (BZ#1122545)
dhcrelay (BZ#1123338)
tgtd (BZ#1128221)
nginx (BZ#1045041)
glance-scrubber (BZ#1113271)

Users of selinux-policy are advised to upgrade to these updated packages, which
fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 811350 - isnsd runs as initrc_t
• BZ - 811355 - sfcbd runs as initrc_t
• BZ - 811366 - stap-serverd runs as initrc_t
• BZ - 841086 - Tomcat6 runs as unconfined_java_t
• BZ - 855774 - AVCs when running ncftool test with disabled unconfined and unlabelednet
• BZ - 891510 - rtas_errd runs as initrc_t
• BZ - 892137 - hypervkvpd daemon is not confined by SELinux (hv_kvp_daemon runs as initrc_t)
• BZ - 894387 - SELinux is preventing /usr/bin/icecast from name_bind access on the tcp_socket (when not using port 8000)
• BZ - 985331 - osad runs as initrc_t
• BZ - 1004762 - lsmd runs as initrc_t
• BZ - 1015708 - /usr/lib64/nagios/plugins/check_pgsql has no access to /tmp/.s.PGSQL.5432
• BZ - 1017107 - radiusd cannot write to tmp
• BZ - 1018211 - zabbix-proxy runs as initrc_t
• BZ - 1021984 - create a MLS policy for lldpad
• BZ - 1023202 - luci: started python process has "unconfined_u:system_r:initrc_t:s0" label
• BZ - 1023336 - system-config-kdump runs chkconfig which reads various initscript files
• BZ - 1024677 - SELinux prevents dspam from using port tcp/24
• BZ - 1024715 - collectd runs as initrc_t
• BZ - 1024855 - default label of /var/run/fence_sanlockd/fence_sanlockd.fifo is not correct
• BZ - 1026076 - SELinux prevents arpwatch from creating a netlink_socket
• BZ - 1026078 - SELinux prevents varnishd from searching in /sys/devices/system/cpu directory
• BZ - 1029940 - Allow /var/log/mcelog to be read by more processes
• BZ - 1030760 - SELinux is preventing /usr/bin/abrt-cli from 'read' accesses on the directory abrt.
• BZ - 1030762 - SELinux is preventing /bin/dmesg from 'use' accesses on the fd fd.
• BZ - 1032691 - [selinux policy] Zabbix agent monitoring access denied
• BZ - 1034076 - SELinux prevents zabbix_agentd from reading /sys/devices/system/cpu/online file
• BZ - 1034206 - AVC message is seen when mcolletive facts update cron job is running.
• BZ - 1035363 - incorrect selinux policy prevents smartd from accessing LSI Megaraid connected drives
• BZ - 1039089 - SELinux policy prevents console/gdm (local_login_t/xdm_t) from updating expired passwords
• BZ - 1039644 - SELinux is preventing /usr/sbin/clamd from name_bind access on the tcp_socket
• BZ - 1039851 - [selinux policy] Zabbix agent monitoring access denied
• BZ - 1042827 - conmand runs as initrc_t
• BZ - 1042832 - htcacheclean runs as initrc_t
• BZ - 1042846 - openwsmand runs as initrc_t
• BZ - 1042986 - ipmiseld runs as initrc_t
• BZ - 1042998 - ipmidetectd runs as initrc_t
• BZ - 1043000 - bmc-watchdog runs as initrc_t
• BZ - 1043008 - mip6d runs as initrc_t
• BZ - 1043211 - Cannot create file '/var/cache/ddclient/ddclient.cache'
• BZ - 1045041 - Support for nginx (runs as initrc_t)
• BZ - 1045418 - SELinux is preventing /usr/sbin/smbd from using the signull access on a process
• BZ - 1046100 - type=AVC msg=audit(1387816233.086:23656): avc: denied { read write } for pid=2264 comm="ip" path="/var/cache/chef/XXX.pid" dev=dm-1 ino=531721 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
• BZ - 1047865 - SElinux policy preventing creation of cgrulesengd template subgroup
• BZ - 1052206 - enable selinux for glusterfs server
• BZ - 1053205 - Support for zabbix 2.2
• BZ - 1055966 - rsyslog cannot access krb5 ticket file and gives error as: Credentials cache permissions incorrect
• BZ - 1057307 - SELinux prevents communication between postfix and cyrus-imapd deliver
• BZ - 1057732 - SELinux denies setroubleshootd_t to get oracleasmfs_t attributes
• BZ - 1057780 - RFE seboolean to enable OpenShift gears to read from NFS mounts
• BZ - 1060656 - Should procmail be allowed to run zarafa-dagent?
• BZ - 1061733 - [PATCH] varnish: Killing children upon cleanup is disallowed
• BZ - 1062384 - qemu-guest-agent lacks SELinux permission to execute settimeofday and hwclock
• BZ - 1062470 - SELinux is preventing /usr/sbin/certmonger from read access on the file *.pem in /var/lib/puppet/certs
• BZ - 1063890 - bacula daemons run as initrc_t
• BZ - 1064326 - SELinux prevents logrotate from reading /var/log/core directory
• BZ - 1064493 - Google Chrome on CSB causes SELinux alerts - shutdown called on socket
• BZ - 1065580 - lastlog_t not accessible by sysadm_t or staff_sudo_t
• BZ - 1065581 - crond_t cannot read/write lastlog_t without unconfined module
• BZ - 1069843 - Support thttpd (runs as initrc_t)
• BZ - 1071145 - httpd from httpd24 SCL can't run mod_passenger from ruby193 SCL
• BZ - 1072022 - Getattr AVC errors when running sudo
• BZ - 1073499 - selinux: iscsiuio logrotate fails when using cron
• BZ - 1073904 - tcp syslog ports in /etc/services and selinux not same
• BZ - 1078239 - snmpd_t needs to be able to getattr on disk device types
• BZ - 1082625 - Please backport OpenShift rsyslog7 policy additions to RHEL 6.5
• BZ - 1082640 - chown capability for dhcpd_t
• BZ - 1082974 - An AVC denial appears for klogind from time to time
• BZ - 1084177 - Utilizing winbind for authentication to AD. Receiving numerous avc:denied messages concerning winbindd when user logs into system
• BZ - 1086898 - Additional selinux policy changes for RHEL 6.5, OpenShift metrics support
• BZ - 1087530 - SELinux policy (daemons) changes required for package: hyperv-daemons
• BZ - 1089912 - SELinux policy (daemons) changes required for package: pcp
• BZ - 1092150 - Asterisk AGI script blocked by SELinux
• BZ - 1101530 - SELinux policy (daemons) changes required for package: preupgrade-assistant
• BZ - 1102346 - SELinux prevents squid runing in SMP mode
• BZ - 1102366 - Policy needed for ipa-server-smartproxy
• BZ - 1102464 - ssh fails to read $HOME/.ssh (nfs home area)
• BZ - 1103257 - SELinux is preventing /usr/sbin/mcelog from write access on the chr_file /dev/pts/0.
• BZ - 1104845 - RHEL6.5 avc denial for AD user passwd change
• BZ - 1105889 - clamav-milter selinux rules missing
• BZ - 1107580 - haveged runs as initrc_t
• BZ - 1108367 - Modify selinux policy to allow syslog to use inotify
• BZ - 1110397 - SELinux prevents /usr/sbin/rndc from reading /dev/urandom and /dev/random
• BZ - 1117685 - /var/run/tuned directory gets a wrong label because it is not a regular file
• BZ - 1117739 - Lots of avc denial messages while installing IPA Server
• BZ - 1121169 - missing interface definitions
• BZ - 1122024 - selinux doesn't allow read for /usr/sbin/nmbd and /usr/bin/ntlm_auth on /var/tmp /usr/tmp and /tmp
• BZ - 1122106 - conman initscripts AVC denials on rhel 6
• BZ - 1122866 - debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd startup
• BZ - 1123338 - dhcrelay runs as initrc_t
• BZ - 1127602 - SELinux prevents nmbd from reading /tmp
• BZ - 1130040 - SElinux: AVC denials on iSCSI target (tgtd)
• BZ - 1131195 - SELinux prevents plymouth-log-viewer from calling stat on /var/spool/plymouth/boot.log
• BZ - 1140614 - sblim-sfcb cimserver is blocked by selinux

CVEs

(none)

References

(none)