1.136. selinux-policy
1.136.1. RHBA-2011:0026: selinux-policy bug fix and enhancement update
Updated selinux-policy packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated packages provide fixes for the following bugs:
- BZ#477103
- When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.
- BZ#514506
- Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to textrel_shlib_t, so that the library can now be loaded as expected.
- BZ#525859
- When a Samba server, smbd, attempted to access the content of the /var/lib/mysql/ directory, SELinux denied this access, and reported this event in the audit log. However, this access is not necessary for Samba to work properly. With this update, appropriate SELinux rules have been added to address this issue, and such access denials are no longer logged.
- BZ#533500
- Various SELinux policy issues were discovered by a customer during the configuration of Red Hat Enterprise Linux 5 hosts. These updated packages include several SELinux rules that resolve these issues.
- BZ#551380
- With SELinux running in the enforcing mode, the Prelude Manager was unable to connect to a MySQL server, and did not work properly. With this update, the SELinux rules have been updated to permit such connection, so that the Prelude Manager can access the server as expected.
- BZ#570481
- Previously, the httpd_can_network_connect_db boolean did not allow the httpd service to connect to Microsoft SQL Server (MSSQL). This error has been fixed, the boolean has been modified, and the relevant policy code has been added to define the mssql port.
- BZ#571319
- When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and the selinux-policy packages now contain updated SELinux rules, which permit the appropriate operations.
- BZ#575203
- When SELinux was enabled, an attempt to generate a key pair from an init script using the following command failed with an error:
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
These updated selinux-policy packages provide corrected SELinux rules that allow the ssh_keygen_t domain to search the content of the /root/.ssh/ directory, so that key pair creation no longer fails.
- BZ#576059
- Due to an incorrect SELinux policy, an attempt to connect to VPN from NetworkManager could fail. With this update, the relevant policy has been corrected, and such connections can now be established as expected.
- BZ#578187
- A new version of Berkeley Internet Name Domain (BIND) required various additional changes in the SELinux policy. These updated packages introduce the adjusted SELinux rules, and add the SELinux context for the /var/named/data/ and /var/named/slaves/ directories.
- BZ#579105
- When the httpd service was configured to use the mod_auth_pam module with winbind, users were denied access, even though the allow_httpd_mod_auth_pam and httpd_can_network_connect booleans were set to on. With this update, allow_httpd_mod_auth_pam has been corrected, and users are no longer denied access with this configuration.
- BZ#579497
- After upgrading to Red Hat Enterprise Linux 5.5, the Xen hypervisor was unable to auto-start domains linked to in the /etc/xen/auto/ directory. This was caused by the default Red Hat Enterprise Linux 5.5 SELinux policy preventing the xm daemon from reading symbolic links in the /etc/xen/auto/ directory, with the result that the xm daemon could not start virtual guests. These updated selinux-policy packages contain an updated SELinux policy that allows the xm daemon to correctly read the symbolic links in /etc/xen/auto/. The xm service is now able to auto-start virtual guests upon system startup.
- BZ#579547
- When SELinux was configured to run in the permissive mode, and the snmpd service attempted to access removable devices, this access was denied and relevant AVC messages were written to the audit log. Since this access is not necessary for snmpd to work properly, appropriate SELinux rules have been added to prevent these denials from being logged.
- BZ#582613
- Due to missing SELinux policy rules, sVirt, an integrated solution for securing Linux-based virtualization using SELinux, was not fully supported. With this update, relevant sVirt policy rules have been included in the selinux-policy packages to provide this support.
- BZ#584447
- Prior to this update, SELinux did not support Piranha, a set of miscellaneous tools to administer and configure the Linux Virtual Server, as well as heartbeating and failover components. Consequently, users of Piranha with SELinux running in the enforcing mode could encounter various issues. With this update, a new SELinux policy for these tools has been added, resolving these issues.
- BZ#588902
- Due to an error in the SELinux rules, when SELinux was running in the enforcing mode, a dead cluster node could not be fenced, rendering rgmanager unable to migrate a resource. To address this issue, relevant SELinux rules have been updated, and such a cluster node is now fenced as expected, allowing rgmanager to migrate the resource.
- BZ#591975
- During an Openswan connection, SELinux did not allow access to the socket, and relevant AVC messages were written to the audit log. With this update, a patch has been applied to add the required SELinux rules, so that SELinux no longer denies this access.
- BZ#592752
- Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.
- BZ#592805
- Due to an error in the SELinux rules, the vsftpd daemon may have been unable to write to a file or create a directory inside ~/public_html/, reporting the following error message:
550 Create directory operation failed.
This update fixes the SELinux rules, and vsftpd now works as expected.
- BZ#593139
- With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:
Starting system logger: Fatal: no entropy gathering module detected
With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
- BZ#598646
- When a system was configured to use winbind for authentication using the winbind refresh tickets = true configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
- BZ#612823
- When SELinux was running in the enforcing mode, the snmpd daemon was incorrectly denied access to the /var/net-snmp/snmpd.conf configuration file. With this update, the SELinux context for the /var/net-snmp/ directory has been corrected.
- BZ#613551
- Recently, the OpenAIS Standards-Based Cluster Framework, an open implementation of the Application Interface Specification (AIS), started using POSIX semaphores instead of the SysV semaphores. With this update, relevant SELinux rules have been adjusted to reflect this change.
- BZ#614796
- With SELinux running in the enforcing mode, an attempt to start the qpidd service when aisexec was already running failed, and the following error message was written to qpidd.log:
Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)
This was caused by SELinux incorrectly denying qpidd access to OpenAIS. This update corrects the SELinux policy, resolving this issue.
- BZ#616793
- Previously, the /etc/oddjobd.conf configuration file for the oddjobd service was not portable between different architectures. To resolve this issue, the proper SELinux context for the oddjob libraries has been added, so that the configuration file can be ported to different architectures as expected.
- BZ#617763
- Prior to this update, the xm_t domain was not allowed to search directories with the autofs_t security context. Consequently, virtual machines could not be stored on automatically mounted file systems. With this update, the SELinux rules have been adjusted to permit such searches, so that virtual machines can now be stored on an automatically mounted file system as expected.
- BZ#621057
- The SELinux policy for rpc.quotad has been adjusted in order to make it work properly.
- BZ#621885
- Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to textrel_shlib_t.
- BZ#625498
- The ftpd_selinux manual page describes how to allow FTP servers to read from and write to the /var/ftp/incoming/ directory. However, these instructions contained an error, and running the restorecon command with the recommended command line options did not produce the expected results. With this update, the manual page has been corrected, and no longer contains misleading information.
- BZ#626858
- The SELinux policy has been updated to reflect the latest changes in the hplip (Hewlett-Packard Linux Imaging and Printing Project) packages.
- BZ#633705
- With SELinux running in the enforcing mode, using the postfix set-permissions command failed with the following error message:
/etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied
With this update, the postfix_domtrans_master(unconfined_t) transition has been removed, and the above command no longer fails to run.
- BZ#633901
- Due to an incorrect SELinux policy, the aisexec service was unable to use shared memory segments as an unprivileged user. This error has been fixed, the relevant SELinux policy has been corrected, and aisexec now works as expected.
- BZ#637843
- Prior to this update, several messages were written to the audit log when Sendmail leaked file descriptors. To prevent this, the SELinux policy has been corrected, and these events are no longer logged.
- BZ#639259
- Due to an error in the SELinux policy, messages similar to the following could be written to the /var/log/messages log file:
restorecon: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/NetworkManager/dispatcher\.d(/.*).
These updated packages correct this error, and the above message no longer appears in the log.
- BZ#641872
- All selinux-policy subpackages now provide versioned selinux-policy-base.
- BZ#643824
- When using SELinux in the enforcing mode, the Postfix services were unable to retrieve information about the network state. With this update, the SELinux rules have been updated to allow the required access.
- BZ#644276
- With SELinux running in the enforcing mode, using a pass-through PCI device with sVirt rendered KVM (Kernel-based Virtual Machine) unable to start a virtual machine. With this update, the virt_use_sysfs boolean has been updated to resolve this issue, and virtual machines no longer fail to start.
- BZ#644333
- Under certain circumstances, SELinux could report that Internet Protocol Security (IPsec) management tools require read access to the content of a user's home directory. This error no longer occurs, and an appropriate SELinux rule has been added to resolve this issue.
- BZ#646731
- Due to an error in an SELinux policy, the system-config-printer utility could terminate unexpectedly with the following message written to the standard error:
ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings
To resolve this issue, relevant SELinux rules have been corrected, so that the system-config-printer utility no longer crashes.
- BZ#646801
- By setting the fail_action option to halt, the audisp-remote plug-in can be configured to shut down the system when an error is reported. However, due to an error in the SELinux rules, when a network connection failed, SELinux incorrectly denied the halt action. With this update, the SELinux rules have been corrected, and audisp-remote is now allowed to shut down the system as expected.
- BZ#649492
- With SELinux running in the enforcing mode, the smbcontrol utility was unable to ping Samba services such as smbd, nmbd, or winbindd. This error no longer occurs, and smbcontrol now works as expected.
- BZ#649691
- Prior to this update, performing certain iscsiadm actions could cause AVC messages to be written to the audit log. With this update, the SELinux rules have been corrected to address this issue.
- BZ#650141
- Previously, SELinux prevented the winbindd service from connecting to MS-RPC. This has been fixed, appropriate SELinux rules have been added, and winbindd is now allowed to establish a connection with MS-RPC as expected.
- BZ#652074
- Under certain circumstances, a system may have been unable to automatically load certain modules at boot time. When this happened, network interfaces may not have been started during boot, and had to be started manually. With this update, several rules have been added to the SELinux MLS (Multilevel Security) policy to allow the use of shared memory, resolving this issue.
- BZ#652199
- With SELinux enabled, the winbindd service was unable to connect to port 135. This error has been fixed, and relevant SELinux rules have been added to allow such connections.
- BZ#652644
- Due to an error in the SELinux policy, SELinux prevented the qemu-kvm command from accessing HugeTLBfs devices. This update corrects the SELinux rules to allow this access.
- BZ#652660
- Previously, running the sa1 command from the sysstat package caused various denial messages to be written to the audit log. This update addresses this issue, and the above command now works as expected.
- BZ#656255
- With SELinux enabled, an attempt to run the run_init command in single user mode failed with the following error message:
sh: /usr/sbin/run_init: permission denied
This update adds SELinux rules to address this issue, and the run_init command no longer fails to run.
- BZ#656290
- When SELinux was running in the enforcing mode, the SELinux MLS policy did not allow udevmonitor to create a socket. As a result, an attempt to run this command in single user mode failed with the following error message:
error getting socket: Permission denied
With this update, the SELinux policy has been fixed to permit the creation of such a socket, and udevmonitor can now be run as expected.
- BZ#656809
- Under certain circumstances, using SELinux with the MLS policy in the permissive mode could cause the following messages to appear at boot time:
/dev/mapper/control: open failed: Permission denied Failure to communicate with kernel device-mapper driver.
With this update, appropriate SELinux rules have been added to address this issue, and the system now boots without these errors.
- BZ#657262
- Previously, the SELinux MLS policy prevented the udevinfo command from producing the expected results. This update fixes the relevant policy, so that the command no longer fails.
- BZ#657268
- Due to the SELinux MLS policy, the udevcontrol command failed to run, and a denial message was written to the audit log. With this update, this issue has been resolved, and SELinux no longer prevents udevcontrol from running.
- BZ#657271
- With the SELinux MLS policy enabled, running the semodule command could cause various AVC messages to be written to the log. This error has been fixed, and semodule no longer causes such messages to appear.
- BZ#657365
- Due to an error in the SELinux MLS policy, running the run_init service cpuspeed start command in single user mode caused an AVC message to appear in the audit log. With this update, the SELinux MLS policy has been corrected, so that the above command works as expected.
- BZ#658145
- Due to an error in an SELinux policy, pre-installation and post-installation scripts in RPM packages were unable to write to a pipe. This has been fixed, and SELinux no longer prevents these scripts from performing their work.
- BZ#658436
- When the snmpd service attempted to change the user identifier (UID) or group identifier (GID), SELinux denied this action, and an appropriate message was written to the audit log. These updated selinux-policy packages provide corrected SELinux rules that permit this operation, and SELinux no longer prevents snmpd from changing the user and group identifiers.
- BZ#659372
- Previously, running the vbetool utility could cause AVC messages to be written to the audit log. With this update, the SELinux policy has been updated to address this issue, and such messages no longer appear.
- BZ#659777
- An updated SELinux rule for the consoletype command has been backported from Red Hat Enterprise Linux 6.
- BZ#661368
- Prior to this update, the SELinux MLS policy prevented modprobe from reading an SHM (shared memory) object. This update corrects the SELinux policy, and modprobe now works as expected.
In addition, these updated packages add the following enhancement:
- BZ#637182
- The httpd_setrlimit boolean has been added to allow the httpd service to change its maximum number of open file descriptors.
All users of selinux-policy are advised to upgrade to these updated packages, which resolve these issues, and add this enhancement.
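The restorecon warning quoted under BZ#639259 above is raised when a file_contexts file lists the same path specification more than once. As an added example, not taken from the advisory or from the selinux-policy package, the following POSIX shell function scans a file_contexts file for duplicated specifications; the sample file it builds is constructed for the demonstration and its entries and type names are illustrative only.

```shell
#!/bin/sh
# Added example (not from the advisory or the selinux-policy package):
# report path specifications that occur more than once in a file_contexts
# file, the condition behind restorecon's "Multiple same specifications"
# warning (BZ#639259 above).

# find_dup_fcontext FILE
# Prints "<count><TAB><spec>" for every duplicated specification and
# returns 1; returns 0 when every specification is unique.
find_dup_fcontext() {
    awk '
        /^[ \t]*#/ { next }   # comment line
        NF == 0    { next }   # blank line
        {
            # Field 1 is the path regex.  With three or more fields, field 2
            # is the file-type qualifier (--, -d, -s, ...) and is part of the
            # specification; with two fields, field 2 is the context itself.
            spec = $1
            if (NF >= 3) spec = spec " " $2
            seen[spec]++
        }
        END {
            dup = 0
            for (s in seen)
                if (seen[s] > 1) { printf "%d\t%s\n", seen[s], s; dup = 1 }
            exit dup
        }
    ' "$1"
}

# write_sample_fcontexts FILE
# Writes a small constructed file_contexts fragment.  The dispatcher.d entry
# is listed twice on purpose; the two /var/lib/mysql entries differ in their
# file-type qualifier and therefore count as distinct specifications.
write_sample_fcontexts() {
    cat > "$1" <<'EOF'
# constructed sample, not a real file_contexts file
/etc/NetworkManager/dispatcher\.d(/.*)?  system_u:object_r:NetworkManager_initrc_exec_t:s0
/var/named/data(/.*)?  system_u:object_r:named_cache_t:s0
/var/lib/mysql(/.*)?  system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?  -s  system_u:object_r:mysqld_var_run_t:s0
/etc/NetworkManager/dispatcher\.d(/.*)?  system_u:object_r:NetworkManager_initrc_exec_t:s0
/var/named/slaves(/.*)?  system_u:object_r:named_cache_t:s0
EOF
}

# Demonstration on the constructed sample.
SAMPLE=$(mktemp)
write_sample_fcontexts "$SAMPLE"
if find_dup_fcontext "$SAMPLE"; then
    echo "no duplicate specifications"
else
    echo "duplicate specifications found (listed above)"
fi
rm -f "$SAMPLE"
```

On a real system the function can be pointed at /etc/selinux/targeted/contexts/files/file_contexts or at a local customisation file before running restorecon.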
1.136.2. RHBA-2010:0832: bug fix update
Updated selinux-policy packages that resolve an issue are now available for Red Hat Enterprise Linux 5.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
This update fixes the following bug:
* Due to an incorrect SELinux policy, cmirror was unable to start properly, and as a result, cluster mirrors could not be started at all. This error has been fixed, and SELinux no longer prevents cluster mirrors from being started. (BZ#644821)
All users of selinux-policy are advised to upgrade to these updated packages, which resolve this issue.
1.136.3. RHBA-2010:0561: bug fix update
Updated selinux-policy packages that resolve an issue are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages fix the following bug:
* After upgrading to Red Hat Enterprise Linux 5.5, the Xen hypervisor was unable to auto-start domains linked to in the /etc/xen/auto/ directory. This was caused by the default Red Hat Enterprise Linux 5.5 SELinux policy preventing the xm daemon from reading the symlinks in the /etc/xen/auto directory, with the result that the xm daemon could not start the virtual guests. These updated selinux-policy packages contain an updated SELinux policy that allows the xm daemon to correctly read the symbolic links in /etc/xen/auto. The xm service is now able to auto-start virtual guests upon system startup. (BZ#617169)
All users of selinux-policy are advised to upgrade to these updated packages, which resolve this issue.