1.187. selinux-policy
1.187.1. RHBA-2009:1495: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1495.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated packages fix the following bug:
* the cyrus-imapd daemon is compiled with net-snmp support and it attempts to register its snmp sub-agent during startup. This was not allowed by previous SELinux policy. These updated packages include updated policy that allows cyrus-imapd to register its snmp sub-agent during startup, as expected. (BZ#523548)
All users are advised to upgrade to these updated packages, which resolve this issue.
1.187.2. RHBA-2010:0013: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0013.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide fixes for the following bugs:
* the "setkey" utility from the ipsec-tools package manipulates and dumps the kernel's Security Policy Database (SPD) entries and Security Association Database (SAD) entries. The current selinux-policy did not allow users running under the "sysadm" role to use setkey. This update allows users running under the sysadm SELinux role to use the setkey utility from the ipsec-tools package. (BZ#538449)
* using the Openswan implementation of IPsec could have resulted in AVC (Access Vector Cache) denials causing the integrity check to fail, which in turn would cause the pluto key management daemon not to start. This update includes updated policy rules for IPsec which fix the AVC denials so that pluto is allowed to run as expected. Note that this is necessary for FIPS-140 compliance. (BZ#538452)
* SELinux denials caused by ssh-keygen's "system_u:object_r:initrc_exec_t" context caused ssh-keygen to fail to generate public/private RSA key pairs. These updated SELinux policy rules allow ssh-keygen to successfully generate public/private RSA key pairs as expected. (BZ#538453)
* when the "ifup" script was run manually in order to activate the first IPsec interface, which then attempts to start racoon, racoon incorrectly ran under the "unconfined_t" context instead of under the expected "racoon_t", thus preventing it from starting. Note that this did not happen when the IPsec network interface configuration file contained an "ONBOOT=yes" parameter; racoon successfully started in this case. With this update, racoon possesses the correct context, "racoon_t", which allows it to run when started via the ifup network startup script. (BZ#538503)
All users are advised to upgrade to these updated packages, which resolve these issues.
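Each of the fixes above corresponds to a concrete AVC denial that an administrator would first see in the audit log. The following is an added example, not part of the Red Hat errata text, of a small shell helper that summarises such denials into (source type, target type, object class, permission, command) tuples so they can be matched against a policy fix. The audit lines it runs on are constructed samples in audit.log format; their types mirror the errata above (ipsec_t/pluto, racoon_t, initrc_t/ssh-keygen) but the PIDs, inode numbers, timestamps and serial numbers are made up.

```shell
#!/bin/sh
# Added example, not from the errata: summarise SELinux AVC denials found in
# audit log records. CONSTRUCTED sample records follow; only the type names
# are modelled on the errata, every other value is invented.
SAMPLE_AVC='type=AVC msg=audit(1259000001.123:45): avc:  denied  { write } for  pid=2201 comm="pluto" name="pluto.log" dev=dm-0 ino=12345 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1259000002.456:46): avc:  denied  { connectto } for  pid=2310 comm="racoonctl" path="/var/racoon/racoon.sock" scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:racoon_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1259000003.789:47): avc:  denied  { create } for  pid=2412 comm="ssh-keygen" name="ssh_host_rsa_key" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1259000003.789:47): arch=c000003e syscall=2 success=no exit=-13 comm="ssh-keygen"'

# avc_summary: read audit records on stdin and print one sorted line per
# distinct "count source_type target_type class permissions comm" tuple.
# Non-AVC records (SYSCALL, PATH, ...) are ignored.
avc_summary() {
    awk '
    # user:role:type[:level] -> the third colon-separated field is the type
    function type_of(ctx,   parts, n) {
        n = split(ctx, parts, ":")
        return (n >= 3) ? parts[3] : ctx
    }
    /^type=AVC / && /avc: +denied/ {
        perm = "?"; src = "?"; tgt = "?"; cls = "?"; comm = "?"
        # the permission set sits between the braces, e.g. { read write }
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = type_of(kv[2])
            else if (kv[1] == "tcontext") tgt = type_of(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        }
        count[src " " tgt " " cls " " perm " " comm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a live system the same function can be fed with `ausearch -m AVC -ts today` output; the resulting tuples are what a policy change such as "allow the sysadm role to connect to racoon_t over a UNIX stream socket" has to cover, and a tuple that still appears after the update is installed is the one worth reporting.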
1.187.3. RHBA-2010:0063: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2010:0063.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide the fix for the following bug:
* selinux-policy errata update RHBA-2010:0013 introduced a regression which prevented postfix-driven systems from sending e-mail using sendmail if SELinux was in enforcing mode. With this update, postfix_postdrop can read and write sendmail unix_stream_sockets, correcting the regression and allowing e-mails to be sent using sendmail. (BZ#555793)
Note: a workaround involving the manual creation of a mypostfix.te was documented in BZ#553492 (see References below). Once this update is installed, the workaround and manually created file are no longer required.
All users should upgrade to these updated packages, which resolve this issue.
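The workaround mentioned above was a local SELinux policy module. As an added illustration, not the mypostfix.te from BZ#553492 (which is not reproduced on this page), the following shows the shape such a module takes for the access described in the fix. The type names postfix_postdrop_t and sendmail_t and the exact permission set are assumptions derived from the description above; a local allow rule should be kept as narrow as the denial it addresses, and once the fixed selinux-policy is installed the module is no longer needed.

```te
# Added illustration of a local policy module (.te file). This is NOT the
# mypostfix.te from BZ#553492; the type names and the permission set are
# assumptions based on the fix description (postdrop using a sendmail socket).
module mypostfix 1.0;

require {
    type postfix_postdrop_t;
    type sendmail_t;
    class unix_stream_socket { read write };
}

# Let the postdrop domain read and write the stream socket it inherits
# from the sendmail domain, which is the access the regression denied.
allow postfix_postdrop_t sendmail_t:unix_stream_socket { read write };
```

Such a module is compiled and loaded with `checkmodule -M -m -o mypostfix.mod mypostfix.te`, `semodule_package -o mypostfix.pp -m mypostfix.mod` and `semodule -i mypostfix.pp`; after the updated packages are installed, `semodule -r mypostfix` removes it so that only the shipped policy governs the access.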
1.187.4. RHBA-2010:0182: bug fix update
Updated selinux-policy packages that fix numerous bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages contain the following changes to SELinux policy rules:
- The coolkey library used by some Kerberos implementations caused an SELinux denial when credentials were sent to an NFS server, and during the creation of a cache directory. This package modifies SELinux policy so that the coolkey Kerberos library is excluded from being audited when performing this operation. (BZ#294651)
- A leaked file descriptor in cupsd caused an SELinux error or denial. SELinux policy has been modified to allow this activity and not to cause a denial when this activity takes place. (BZ#483395)
- The /root/.ssh directory contained incorrect SELinux permissions if it was deleted and re-created. This permission error caused the ssh-keygen command to fail when creating keys in this directory from an init script, as it was not labelled correctly. SELinux policy has been modified to enable the correct permissions on the /root/.ssh directory if it is removed and re-added. Having the correct permission on this directory results in ssh-keygen now being able to successfully generate keys as expected. (BZ#492519)
- Hosts with SELinux in enforcing mode were not able to create a cluster with Red Hat Cluster Suite (RHCS) when running "service cman start" because aisexec could not allocate shared memory. Support has been added in SELinux policy for Cluster Suite, which resolves these issues. (BZ#503141)
- An SELinux denial was triggered when the coolkey command integrated with samba to join an Active Directory service. SELinux policy has been modified to allow for proper coolkey cache management in the samba policy module. (BZ#507797)
- SELinux policy has been modified to allow proper operation of the rsync command when it is used via the SSH protocol. (BZ#510748)
- A problematic library file for the Oracle sqlplus command caused an SELinux denial. Policy has been modified to label this file correctly to allow for its unexpected behavior. The sqlplus command functions normally after applying this update. (BZ#512375)
- Users operating in the sysadm SELinux role can now use the setkey utility from the ipsec-tools package. (BZ#513447)
- A transition rule has been added to SELinux policy that allows vbetool the permissions it needs to operate normally. (BZ#515491)
- When setkey was executed from a network startup script, an SELinux denial was triggered. An interface has been added to enable integration with temporary files when using setkey within the MLS SELinux policy. (BZ#515687)
- The protection offered over the rsync command has changed. rsync is now protected only when started from inetd or xinetd. Other usages of rsync are considered client-side operations and are not protected any further than utilities such as cp or scp. (BZ#516780)
- The sudo command was not properly launching an intermediary shell to authenticate users with correct sudo role privileges. This fix allows transitions to operate normally and allows users to execute commands as root via sudo, when configured to do so. (BZ#519017)
- Launching an ipsec connection by using the "service network restart" command did not succeed. The ipsec connection did not start as it was started from the init_t domain. Policy for setkey has been modified so that it can now read temporary data from init scripts, and ipsec connections now start normally from the init_t domain. (BZ#519363)
- Scripts for mod_fcgid, a CGI plugin for the Apache HTTP server, caused SELinux permission errors when used. Policy has been modified both to allow mod_fcgid scripts the required permissions, and to allow CGI applications to use their own mail modules to send mail, instead of calling sendmail. (BZ#519369)
- Instances of "#!/usr/bin/env python" have been removed from SELinux policy source code, as using this technique to call python at the top of an executable python file is being discontinued by Red Hat developers. (BZ#521284)
- Support for Red Hat Cluster Suite has been added to SELinux policy. Please note that SELinux policy only provides coverage for the infrastructure components. Services directly managed by Cluster Suite will require their own policies and are not covered by this enhancement. (BZ#522158)
- SELinux policy has been modified so that cyrus-imapd is now able to register its SNMP sub-agent by connecting to a socket upon startup. (BZ#523548)
- An SELinux denial was triggered when configuring the SNMP daemon to listen on TCP or UDP ports for AgentX sub-agents. Policy has been modified so that this daemon can now bind TCP/UDP sockets to AgentX ports. (BZ#523773)
- SELinux denials were caused when implementing user quotas over NFS (Network File System) shares. Policy has been modified to properly allow for the normal operation of quotas when using NFS shares. (BZ#525420)
- Upon updating the udev daemon to the latest version and restarting it, the SELinux context for udev was changed from the default, causing errors. This update ensures that this context remains correct when restarting udev. (BZ#526640)
- SELinux policy has been modified to not trigger an error when the virDomainSave() API is called from qemu-kvm. (BZ#530552)
- procmail was causing an AVC denial when attempting to read files used by spamassassin. Rules have been added to policy so that these applications can communicate normally via pipes. (BZ#530750)
- The ability to send and receive unlabeled packets was added to policy rules. (BZ#530809)
- A bug prevented the installation of the selinux-policy-strict package because the requirements of aisexec were not properly met. The strict policy can now be installed as expected. (BZ#531196)
- Real Time Kernel support was added to selinux-policy. (BZ#531230)
- The e4fsck command was not properly labeled, causing execution to fail. Policy permissions have been fixed so that e4fsck is now correctly labeled. (BZ#532565)
- Permissions were modified to allow pluto to write logs properly. (BZ#537106)
- This update includes updated policy rules for IPsec, fixing the AVC denials that prevented pluto from running properly. After applying this update, pluto runs as expected. Note that this is necessary for FIPS-140 security compliance. (BZ#537133)
- vhostmd is a daemon that provides a communication channel between a host and its hosted virtual machines. Implementing a vhostmd daemon caused AVC denial errors when launching it via "service vhostmd start". SELinux policy rules have been added to protect the vhostmd daemon. The daemon starts and operates normally after applying the update. (BZ#543941)
- SELinux AVC denial errors were triggered when using the sysadm SELinux user to connect to racoon using a UNIX domain stream socket. After applying this update, access functions as expected. (BZ#545369)
- When using the MLS functionality, iptables can now start properly and has proper permissions to read configuration files. (BZ#546604)
- Policy has been modified to give the smartd daemon the ability to read from and write to generic SCSI devices. (BZ#547387)
- SELinux policy has been modified to fix a segfault error when using an iSCSI target with the bnx2i interface type. (BZ#548599)
- The /var/vdsm directory was incorrectly labeled by SELinux, showing two different SELinux contexts. After applying this update, the directory is now correctly labeled with a single label. (BZ#549492)
- When using the '-i' option to the lpadmin command to set an interface script for a printer, SELinux error messages were triggered. A new type, cupsd_interface_t, has been added to policy to allow cupsd to properly utilize a System V style interface script. (BZ#550015)
- The postgresql regression tests include libraries that need to be dynamically loaded by the postgresql server. Some of these libraries were incorrectly labeled, which caused the regression tests to fail and SELinux errors to appear. This update applies the correct permissions to the libraries, and the postgresql regression tests now operate as expected. (BZ#551063)
- prelink is a utility that can reduce the startup times of applications by linking to libraries and storing the linking in the executable. prelink is now allowed under SELinux policy to load and execute functions from shared libraries, with legacy support included for older libraries. (BZ#551664)
- qemu-kvm caused SELinux errors when creating or starting a virtual machine when Transport Layer Security (TLS) is enabled in qemu.conf for an environment using a Public Key Infrastructure (PKI). This error occurred because qemu-kvm did not have sufficient permission to read from a random number generator (/dev/random and /dev/urandom) in order to gather its entropy. Permissions have been modified so that qemu-kvm can now read from these random number generators. (BZ#552763)
- A regression error was discovered when installing new SELinux packages. The postfix_postdrop command was unable to use sockets. This resulted in emails not being sent. After applying this update, postfix is able to read and write sendmail unix_stream_sockets and emails can be sent using sendmail as expected. (BZ#553492)
- The /etc/xen directory was incorrectly labeled. This caused errors when using automated scripts for staging Xen guest virtual machines. A fix was applied to correctly label the directory, which resolved the problem. Xen guests are now functioning as expected. (BZ#554777)
- Restarting networking services using the "service network restart" command resulted in an AVC denial caused by dhcpc_t being unable to relabel to and from net_conf_t. This update allows that relabeling, with the result that restarting networking succeeds without SELinux denials. (BZ#559355)
- The iscsid daemon, which implements the control path of the iSCSI protocol along with management functions, could not create its log file due to an incorrect SELinux context. (BZ#562303)
- The context for the named name server daemon, when running in a chrooted environment, was incorrect, and with this update is labeled correctly. (BZ#562833)
- Attempting to save the firewall configuration with the "service iptables save" command triggered an AVC denial. This update changes the default context for the /sbin/iptables-save application to iptables_exec_t so that the firewall configuration can be saved. (BZ#564376)
- Attempting to run a CGI script from a cgi-bin directory mounted on an NFS share resulted in an AVC denial, whereas serving static pages from a public_html directory worked as expected. CGI scripts can now be run from NFS-mounted directories given the correct permissions. (BZ#566557)
- When the SELinux boolean ftp_home_dir was enabled, the allow_ftpd_anon_write boolean did not take effect, and users could upload files to their home directories via anonymous FTP even though write access should have been restricted by the value of allow_ftpd_anon_write. With this update, the value of allow_ftpd_anon_write permits or denies anonymous FTP writes, as expected. (BZ#566975)
All users are advised to upgrade to these updated packages, which resolve these issues.