RHBA-2015:1375 - Bug Fix Advisory

Topic

Updated selinux-policy packages that fix several bugs and add one enhancement
are now available for Red Hat Enterprise Linux 6.

Description

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

This update fixes the following bugs:

• When the /etc/nsswitch.conf file was modified so that the SSSD service was

used for various lookups, certain services were not able to communicate with
SSSD due to insufficient SELinux policy rules. With this update, the SELinux
policy has been modified to allow the services to work as expected in this
situation. (BZ#1198047, BZ#1198057, BZ#1198060, BZ#1198064, BZ#1198071,
BZ#1198077, BZ#1198165, BZ#1202935, BZ#1203756, BZ#1207140, BZ#1212729)

• With this update, SELinux policy rules for the glusterd, ctdbd, samba, and

nagios services have been fixed to allow the Gluster layer product to work with
SELinux properly. (BZ#1198436, BZ#1215632, BZ#1228197, BZ#1228197, BZ#1219317,
BZ#1221929)

In addition, this update adds the following enhancement:

• When writing SELinux policy rules that allow random services to read or

execute general files located, for example, in the /etc/ or /usr/ directories,
policy writers had to add additional rules for each service. These updated
selinux-policy packages introduce the new "base_ro_file_type" and
"base_file_type" SELinux attributes, which policy writers can use to declare
global rules against a rule per service. (BZ#1153712)

Users of selinux-policy are advised to upgrade to these updated packages, which
fix these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 919518 - SELinux prevents dccproc from started dccifd
• BZ - 1013195 - When rhn_check initiates reboot, shutdown runs with incorrect SELinux context
• BZ - 1042838 - nm-dispatcher.action runs as initrc_t
• BZ - 1042864 - mirrormanager publiclist selinux policy
• BZ - 1060653 - SELinux errors with temporary files
• BZ - 1103439 - open_socket / permission dennied warnings
• BZ - 1106526 - SELinux silent denials of Nagios NRPE check_nagios
• BZ - 1126538 - SELinux blocks Munin plugin 'yum' from executing yum
• BZ - 1128838 - auditctl can not write to files
• BZ - 1131459 - SELinux prevents escd from writing to /var/run/pcscd.events directory
• BZ - 1134370 - SELinux prevents xguest from D-bus talking to avahi server
• BZ - 1136396 - selinux-policy prevents openafs-1.6 fileserver from starting
• BZ - 1142720 - SELinux prevents freeradius to perform OCSP check
• BZ - 1145662 - avc: denied { append } for pid=2762 comm="prelink" path="/dev/console" dev=devtmpfs ino=2464 scontext=unconfined_u:unconfined_r:prelink_mask_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
• BZ - 1148369 - AVC denial during chrooted sshd restart
• BZ - 1148572 - SELinux prevents zebra from communicating with sssd
• BZ - 1153333 - SELinux (still) prevents logrotate from reading /var/log/core directory
• BZ - 1154158 - New SELinux policy for bacula doesn't allow running (unconfined) "Run Before Job"
• BZ - 1154164 - New SELinux policy for bacula doesn't allow writing backup files to NFS/CIFS share
• BZ - 1154646 - New SELinux policy for bacula doesn't seem to support /usr/sbin/bacula-dir.sqlite
• BZ - 1158369 - SELinux policy for bacula doesn't allow writing to tape devices
• BZ - 1158653 - RFE: add policy for ownCloud (EPEL)
• BZ - 1158998 - RHEL6.5 AVC Denial during abrt processing of crash
• BZ - 1159386 - SELinux is preventing /usr/sbin/mcelog from write access on the chr_file /dev/pts/0.
• BZ - 1159391 - selinux policy prevents smartd from creating /dev/megaraid_sas_ioctl_node
• BZ - 1161331 - SELinux policy for bacula doesn't allow creating directory in /tmp (using tmpfs for /tmp)
• BZ - 1163884 - Bacula storage daemon on disk location
• BZ - 1164433 - selinux-policy-3.7.19-260.el6.noarch started confining collectd
• BZ - 1167277 - selinux prevents hosted engine to be deployed on RHEL 6.6 with iscsi support
• BZ - 1171275 - Qpid policy needs to be rewritten.
• BZ - 1172148 - SELinux prevents /usr/sbin/httpd from unlink access on the file /var/lib/roundcubemail/*
• BZ - 1178136 - SELinux prevents collectd from opening and reading /proc/%i/io
• BZ - 1178210 - php-fpm can't write into redis' socket
• BZ - 1178746 - /etc/init.d/htcacheclean should have httpd SELinux context
• BZ - 1179364 - AVCs for postdrop
• BZ - 1179968 - The setfiles utility is prevented from reading files of type admin_home_t
• BZ - 1187141 - dirsrv won't start after restorecon -R /dev
• BZ - 1187222 - Munin plugin diskstats can't monitor devices of type svirt_image_t
• BZ - 1193156 - antivirus_t unable to read files due to MCS separation
• BZ - 1194027 - Please backport the selinux-policy sssd changes from rhel-7
• BZ - 1194206 - Undefined context for /var/log/mariadb
• BZ - 1195733 - selinux blocks slapd access to cracklib
• BZ - 1196535 - avc in mod_passenger
• BZ - 1196569 - named-sdb runs as initrc_t
• BZ - 1196596 - AVC denials when running cluster tests
• BZ - 1197036 - No context defined for mongos binary and initscript
• BZ - 1197689 - SELinux is preventing /usr/bin/nsupdate from search access on the directory .
• BZ - 1198047 - SELinux prevents portreserve from communicating with sssd
• BZ - 1198436 - [SELinux] [Nagios] Selinux blocks gluster-nagios plugins in the nagios server - RHEL-6.7
• BZ - 1198462 - cyrus-imapd cannot bind to the csync port
• BZ - 1201413 - MariaDB auth_pam.so plugin or other auth plugins cannot be used
• BZ - 1203153 - SELinux prevents avahi from sending a D-bus message to pmwebd (a PCP service)
• BZ - 1203756 - SELinux prevents conman from communicating with sssd
• BZ - 1203994 - Undefined context for /etc/my.cnf.d/*cnf configuration files in mysql/mariadb
• BZ - 1206244 - Fence agent can't run mpathpersist
• BZ - 1207732 - Selinux policy for cachefilesd
• BZ - 1208015 - typo error in section which should make freeipmi_bmc_watchdog_t permissive
• BZ - 1208818 - [Hyper-V][RHEL6.7] There are many hypervkvpd related AVC logs after run Hyper-V Replica Failover and IP injection
• BZ - 1209854 - Update SELinux policy to allow NetworkManager to access and execute arping
• BZ - 1210320 - SELinux causes SSSD GPO feature to fail
• BZ - 1210421 - SELinux is preventing kadmind from unlink and write access on the file kadmin_0
• BZ - 1210598 - Please allow abrtd to read /dev/mem
• BZ - 1212436 - hplip printer and denials
• BZ - 1215632 - [SELinux] [RHGS] Update the labelling for all the executable hooks under /var/lib/glusterd/hooks/ on RHEL-6.7
• BZ - 1219317 - Update SELinux policies for Samba and CTDB in RHEL 6.6
• BZ - 1219644 - mysqld daemon cannot write log into the fifo file
• BZ - 1220691 - /usr/sbin/kpropd is labeled bin_t instead of kpropd_exec_t
• BZ - 1221929 - [SELinux] Update SELinux policies for samba (connect and read access)in RHEL6.6
• BZ - 1222845 - [SELinux] [nfs-ganesha]: Volume export fails when SELinux is in Enforcing mode - RHEL-6.7
• BZ - 1229605 - [SELinux] Change glusterd_t to enforcing domain from the current mode of permissive domain to make RHGS3.1 fully SELinux ready
• BZ - 1230370 - [SELinux]: [geo-rep]: SELinux policy updates required in RHEL-6.7 for geo-rep
• BZ - 1230371 - [SELinux]: [Snapshot]: SELinux policy updates required in RHEL-6.7 for gluster-snapshot

CVEs

(none)

References

(none)