1.187. selinux-policy

1.187.1. RHBA-2009:1495: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1495
Updated selinux-policy packages that fix a bug are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated packages fix the following bug:
* the cyrus-imapd daemon is compiled with net-snmp support and it attempts to register its snmp sub-agent during startup. This was not allowed by previous SELinux policy. These updated packages include updated policy that allows cyrus-imapd to register its snmp sub-agent during startup, as expected. (BZ#523548)
All users are advised to upgrade to these updated packages, which resolves these issue.

1.187.2. RHBA-2010:0013: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0013
Updated selinux-policy packages that fix several bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide fixes for the following bugs:
* the "setkey" utility from the ipsec-tools package manipulates and dumps the kernel's Security Policy Database (SPD) entries and Security Association Database (SAD) entries. The current selinux-policy did not allow users running under the "sysadm" role to use setkey. This update allows users running under the sysadm SELinux role to use the setkey utility from the ipsec-tools package. (BZ#538449)
* using the Openswan implementation of IPsec could have resulted in AVC (Access Vector Cache) denials causing the integrity check to fail, which in turn would cause the pluto key management daemon not to start. This update includes updated policy rules for IPsec which fix the AVC denials so that pluto is allowed to run as expected. Note that this is necessary for FIPS-140 compliance. (BZ#538452)
* SELinux denials caused by the ssh-keygen's "system_u:object_r:initrc_exec_t" context caused ssh-keygen to fail to generate public/private RSA key pairs. These updated SELinux policy rules allow ssh-keygen to successfully generate public/private RSA key pairs as expected. (BZ#538453)
* when the "ifup" script was run manually in order to activate the first IPsec interface, which then attempts to start racoon, racoon incorrectly ran under the "unconfined_t" context instead of under the expected "racoon_t", thus preventing it from starting. Note that this did not happen when the IPsec network interface configuration file contained an "ONBOOT=yes" parameter; racoon successfully started in this case. With this update, racoon possesses the correct context, "racoon_t", which allows it to run when started via the ifup network startup script. (BZ#538503)
All users are advised to upgrade to these updated packages, which resolve these issues.

1.187.3. RHBA-2010:0063: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0063
Updated selinux-policy packages that fix a regression that prevented postfix-driven systems from sending e-mail via sendmail are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide the fix for the following bug:
* selinux-policy errata update RHBA-2010:0013 introduced a regression which prevented postfix-driven systems from sending e-mail using sendmail if SELinux was in enforcing mode. With this update, postfix_postdrop can read and write sendmail unix_stream_sockets, correcting the regression and allowing e-mails to be sent using sendmail. (BZ#555793)
Note: a workaround involving the manual creation of a mypostfix.te was documented in BZ#553492 (see References below). Once this update is installed, the workaround and manually created file are no longer required.
All users should upgrade to these updated packages, which resolve this issue.

1.187.4. RHBA-2010:0182: bug fix update

Updated selinux-policy packages that fix numerous bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages contain the following changes to SELinux policy rules:
  • The coolkey library used by some Kerberos implementations caused an SELinux denial when credentials were sent to an NFS server, and during the creation of a cache directory. This package modifies SELinux policy so that the coolkey Kerberos library is excluded from being audited when performing this operation. (BZ#294651)
  • A leaked file descriptor in cupsd caused an SELinux error or denial. SELinux policy has been modified to allow this activity and not to cause a denial when this activity takes place. (BZ#483395)
  • The /root/.ssh directory contained incorrect SELinux permissions if it was deleted and re-created. This permission error caused the ssh-keygen command to fail when creating keys in this directory from an init script, as it was not labelled correctly. SELinux policy has been modified to enable the correct permissions on the /root/.ssh directory if it is removed and re-added. Having the correct permission on this directory results in ssh-keygen now being able to successfully generate keys as expected. (BZ#492519)
  • Hosts with SELinux in enforcing mode were not able to create a cluster with Red Hat Cluster Suite (RHCS) when running service cman start because aisexec could not allocate shared memory. Support has been added in SELinux policy for Cluster Suite, which resolves these issues. (BZ#503141)
  • An SELinux denial was triggered when the coolkey command integrated with samba to join an Active Directory service. SELinux policy has been modified to allow for proper coolkey cache management in the samba policy module. (BZ#507797)
  • SELinux policy has been modified to allow proper operation of the rsync command when it is used via the SSH protocol. (BZ#510748)
  • A problematic library file for the Oracle sqlplus command caused an SELinux denial. Policy has been modified to label this file correctly to allow for its unexpected behavior. The sqlplus command functions normally after applying this update. (BZ#512375)
  • Users operating in the sysadm SELinux role can now use the setkey utility from the ipsec-tools package. (BZ#513447)
  • A transition rule has been added to SELinux policy that allows vbetool the permissions it needs to operate normally. (BZ#515491)
  • When setkey was executed from a network startup script, an SELinux denial was triggered. An interface has been added to enable integration with temporary files when using setkey within the MLS SELinux policy. (BZ#515687)
  • The protection offered over the rsync command has changed. rsync is now protected only when started from inetd or xinetd. Other usages of rsync are considered client-side operations and are not protected any further than that of utilities such as cp or scp. (BZ#516780)
  • The sudo command was not properly launching an intermediary shell to authenticate users with correct sudo role privileges. This fix allows transitions to operate normally and allows users to execute commands as root via sudo, when configured to do so. (BZ#519017)
  • Launching an ipsec connection by using the service network restart command did not succeed. The ipsec connection did not start as it was started from the init_t domain. Policy for setkey has been modified so that it can now read temporary data from init scripts, and ipsec connections now start normally from the init_t domain. (BZ#519363)
  • Scripts for mod_fcgid, a CGI plugin for the Apache HTTP server caused SELinux permission errors when used. Policy has been modified to both allow mod_fcgid scripts the required permissions, and to allow CGI applications to use their own mail modules to send mail, instead of calling sendmail. (BZ#519369)
  • Instances of #!/usr/bin/env python have been removed from SELinux policy source code, as using this technique to call python in the top of an executable python file is being discontinued by Red Hat developers. (BZ#521284)
  • Support for Red Hat Cluster Suite has been added to SELinux policy. Please note that SELinux policy only provides coverage for the infrastructure components. Services directly managed by Cluster Suite will require their own policies and are not covered by this enhancement. (BZ#522158)
  • SELinux policy has been modified so that cyrus-imapd is now able to register its SNMP sub-agent by connecting to a socket upon startup. (BZ#523548)
  • An SELinux denial was triggered when configuring the SNMP daemon to listen on TCP or UDP ports for AgentX sub-agents. Policy has been modified so that this daemon can now bind TCP/UDP sockets to AgentX ports. (BZ#523773)
  • SELinux denials were caused when implementing user quotas over NFS (Network File System) shares. Policy has been modified to properly allow for the normal operation of quotas when using NFS shares. (BZ#525420)
  • Upon updating the udev daemon to the latest version and restarting it, the SELinux context for udev was changed from the default, causing errors. This update ensures that this context remains correct when restarting udev. (BZ#526640)
  • SELinux policy has been modified to not trigger an error when the virDomainSave() API is called from qemu-kvm. (BZ#530552)
  • procmail was causing an AVC denial when attempting to read files used by spamassassin. Rules have been added to policy so that these applications can communicate normally via pipes. (BZ#530750)
  • The ability to send and receive unlabeled packets was added to policy rules. (BZ#530809)
  • A bug prevented the installation of the selinux-policy-strict package because the requirements of aisexec were not properly met. The strict policy can now be installed as expected. (BZ#531196)
  • Real Time Kernel support was added to selinux-policy. (BZ#531230)
  • The e4fsck command was not properly labeled, causing execution to fail. Policy permissions have been fixed so that e4fsck is now correctly labeled. (BZ#532565)
  • Permissions were modified to allow pluto to write logs properly. (BZ#537106)
  • This update includes updated policy rules for IPsec, fixing the AVC denials that prevented pluto from running properly. After applying this update, pluto runs as expected. Note that this is necessary for FIPS-140 security compliance. (BZ#537133)
  • vhostmd is a daemon that provides a communication channel between a host and its hosted virtual machines. Implementing a vhostmd daemon caused AVC denial errors when launching it via service vhostmd start. SELinux policy rules have been added to protect the vhostmd daemon. The daemon starts and operates normally after applying the update. (BZ#543941)
  • SELinux AVC denial errors were triggered when using the sysadm SELinux user to connect to racoon using a UNIX domain stream socket. After applying this update, access functions as expected. (BZ#545369)
  • When using the MLS functionality, iptables can now start properly and has proper permissions to read configuration files. (BZ#546604)
  • Policy has been modified to give the smartd daemon the ability to read from and write to generic SCSI devices. (BZ#547387)
  • SELinux policy has been modified to fix a segfault error when using an iSCSI target with the bnx2i interface type. (BZ#548599)
  • The /var/vdsm directory was incorrectly labeled by SELinux, showing two different SELinux contexts. After applying this update, the directory is now correctly labeled with a single label. (BZ#549492)
  • When using the '-i' option to the lpadmin command to set an interface script for a printer, SELinux error messages are triggered. A new type, cupsd_interface_t, has been added to policy to allow cupsd to properly utilize a System V style interface script. (BZ#550015)
  • The postgresql regression tests include libraries that need to be dynamically loaded by the postgresql server. Some of these libraries were incorrectly labeled, which caused the regression tests to fail and SELinux errors to appear. This update applies the correct permissions to the libraries, and the postgresql regression tests now operate as expected. (BZ#551063)
  • prelink is a utility that can reduce the startup times of applications by linking to libraries and storing the linking in the executable. prelink is now allowed under SELinux policy to load and execute functions from shared libraries, with legacy support included for older libraries. (BZ#551664)
  • qemu-kvm caused SELinux errors when creating or starting a virtual machine when Transport Layer Security (TLS) is enabled in qemu.conf for an environment using a Public Key Infrastructure (PKI). This error occurred because qemu-kvm did not have sufficient permission to read from a random number generator (/dev/random and /dev/urandom) in order to gather its entropy. Permissions have been modified so that qemu-kvm can now read from these random number generators. (BZ#552763)
  • A regression error was discovered when installing new SELinux packages. The postfix_postdrop command was unable to use sockets. This resulted in emails not being sent. After applying this update, postfix is able to read and write sendmail unix_stream_sockets and emails can be sent using sendmail as expected. (BZ#553492)
  • The /etc/xen was incorrectly labeled. This caused errors when using automated scripts for staging Xen guest virtual machines. A fix was applied to correctly label the directory, which resolved the problem. Xen guests are now functioning as expected. (BZ#554777)
  • Restarting networking services using the service network restart command resulted in an AVC denial caused by dhcpc_t being unable to relabel to and from net_conf_t. This update allows this with the result that restarting networking succeeds without SELinux denials. (BZ#559355)
  • The iscsid daemon, which implements the control path of the iSCSI protocol along with management functions, could not create its log file due to an incorrect SELinux context. (BZ#562303)
  • The context for the named name server daemon, when running in a chrooted environment, was incorrect, and with this update is labeled correctly. (BZ#562833)
  • Attempting to save the firewall configuration with the service iptables save command triggered an AVC denial. This update changes the default context for the /sbin/iptables-save application to iptabels_exec_t so that the firewall configuration can be saved. (BZ#564376)
  • Attempting to run a CGI script from a cgi-bin directory mounted on an NFS share resulted in an AVC denial, whereas serving static pages from a public_html directory worked as expected. CGI scripts can now be run from NFS-mounted directories given the correct permissions. (BZ#566557)
  • When the SELinux boolean ftp_home_dir was enabled, the allow_ftpd_anon_write boolean did not take effect, and users could upload files to their home directories via anonymous FTP even though write access should have been restricted by the value of allow_ftpd_anon_write. With this update, the value of allow_ftpd_anon_write allows or permits anonymous FTP writes, as expected. (BZ#566975)
All users are advised to upgrade to these updated packages, which resolve these issues.