1.156. selinux-policy
1.156.1. RHBA-2011:1069: selinux-policy bug fix and enhancement update
Updated selinux-policy packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 5.
Important
This update was released as errata RHBA-2011:1069 — selinux-policy bug fix and enhancement update.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes:
- BZ#610812
- Due to an incorrect SELinux policy, SELinux did not allow FreeRADIUS to disable storing core dump files upon a failure. This update applies a backported patch that addresses this issue, and FreeRADIUS can now be configured not to create core dumps as expected.
- BZ#632573
- Previously, when a leaked file descriptor was detected during a system update, an Access Vector Cache (AVC) message was written to the audit log. With this update, the relevant SELinux policy has been added to prevent SELinux from reporting file descriptors leaked during a system update.
- BZ#651609
- When running in enforcing mode, SELinux did not allow the clustat utility to bind to a reserved port. This update adapts the SELinux rules to permit such a connection, so that clustat is now able to bind to the required port as expected.
- BZ#657571
- Prior to this update, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the modprobe utility from sending the SIGNULL signal to all processes. With this update, the relevant policy has been fixed, and SELinux no longer prevents modprobe from sending SIGNULL to all processes.
- BZ#662677
- When Samba is configured to run as a Windows Internet Name Server (WINS) that is integrated with the Name Service Switch (NSS), programs that resolve a NetBIOS name require access to the /var/cache/samba/unexpected.tdb file. Previously, SELinux incorrectly denied this access. This update adapts the relevant SELinux policy to allow this access, and programs resolving a NetBIOS name are now able to access this file as expected.
- BZ#666513
- Previous versions of the selinux-policy packages did not provide a SELinux policy for the /var/spool/rsyslog/ directory. With this update, this policy has been added.
- BZ#667692
- When the utmp option in the /etc/samba/smb.conf configuration file is set to yes, Samba records sessions in the utmp and wtmp files. Prior to this update, the SELinux policy did not allow the smbd daemon to write to the wtmp file. With this update, the SELinux policy has been corrected, so that Samba is now allowed to work as expected.
- BZ#672289
- When running in enforcing mode, SELinux did not allow the net utility to create a Kerberos keytab file when the system was joined to a Windows 2003 Active Directory domain. This update corrects this error, and SELinux no longer prevents the net utility from creating a Kerberos keytab file.
- Prior to this update, an attempt to use the System Security Services Daemon (SSSD) with an LDAP domain connected to an OpenLDAP server over the Transport Layer Security (TLS) protocol caused various AVC messages to be written to the audit log. This update applies a backported patch that resolves this issue, so that no unnecessary AVC messages are recorded.
- BZ#674452
- The rsyslogd tool allows a user to change the maximum number of open file descriptors by adding the $MaxOpenFiles directive to the /etc/rsyslog.conf file. Previously, an attempt to use this directive to set a number that is larger than the default value failed, because SELinux prevented rsyslogd from accessing setrlimit. This update corrects the relevant policy to allow this access, so that the rsyslogd tool is now able to increase the maximum number of open file descriptors as expected.
- BZ#674689
- In order to perform its job, the pyzor client requires access to certain files in users' home directories. Prior to this update, SELinux did not allow pyzor to access these files if the home directories were located on an NFS mount point. With this update, SELinux no longer denies pyzor access to NFS-mounted home directories, allowing it to work correctly.
- BZ#678496
- Due to missing SELinux policies, various AVC messages may have been reported when attempting to start the pulse or ipvsadm service. This update adds the relevant policies to make sure these services can be started as expected.
- BZ#689960
- For debugging purposes, Openswan allows a user to specify a directory in which to store a core dump file in case the pluto service crashes. Prior to this update, running SELinux in enforcing mode rendered Openswan unable to create such a core dump. With this update, the relevant policy has been corrected, and SELinux no longer prevents Openswan from creating core dump files.
- BZ#693723
- The sshd service, the ssh client, and other SSH-aware utilities need to read data from the /dev/random and /dev/urandom devices. Prior to this update, SELinux may have incorrectly prevented these programs from accessing these devices. This update adapts the SELinux policy so that these utilities are able to read data from both /dev/random and /dev/urandom as expected.
- BZ#694865
- Due to an incorrect SELinux policy, the Pyzor spam filtering system was incorrectly denied access to configuration files located in the /etc/ directory. This update corrects the SELinux policy to make sure Pyzor is no longer prevented from accessing its configuration files.
- BZ#697804
- With SELinux running in enforcing mode, any communication via the Stream Control Transmission Protocol (SCTP) was denied. With this update, the relevant SELinux policy has been adapted to allow the SCTP communication.
- BZ#698043
- Prior to this update, restarting the vsftpd service by using the service vsftpd restart command caused an AVC message to be written to the audit log. With this update, SELinux rules have been added to address this issue, and restarting the vsftpd service no longer produces AVC messages.
- BZ#698257
- With SELinux enabled, running the named service in a chroot environment rendered it unable to update log files. This error has been fixed, and SELinux no longer prevents named from updating the log files.
- BZ#703458
- Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the lsusb command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
- BZ#703482
- Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the kpartx -x command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
- BZ#703714
- Due to an incorrect SELinux policy, when the OpenAIS Standards-Based Cluster Framework was started, various AVC messages were written to the audit log, and the openais service was unable to use UDP port 5404. This error has been fixed, the relevant SELinux policy has been corrected, and the openais service now works as expected.
- BZ#704690
- Previous versions of the selinux-policy packages were missing SELinux rules for the syslog-ng syslog server. With this update, these rules have been added.
- BZ#705327
- Previously, using the arping utility on an IBM System z machine incorrectly caused an AVC message to be written to the audit log. This update corrects the relevant SELinux policy, and running arping no longer produces unnecessary AVC messages.
- BZ#707101
- Prior to this update, SELinux incorrectly prevented the clamav-milter utility from opening a socket, causing it to terminate with an error. With this update, this error has been fixed, and clamav-milter can now be used as expected.
- BZ#707139
- With SELinux running in enforcing mode, the Apache HTTP Server may have been unable to use the worker Multi-Processing Module (MPM). This update applies a backported patch that adds the httpd_execmem boolean. As a result, SELinux no longer prevents the Apache HTTP Server from loading the worker MPM.
- BZ#708986
- Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the user_u and staff_u SELinux users from running the ssh-keygen utility. This update fixes the relevant policy, and both user_u and staff_u users are now able to run ssh-keygen as expected.
- BZ#709045
- Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the crontab -l command from producing the expected results. This update corrects the relevant policy so that the command works as expected.
- BZ#711725
- Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the iprinit, iprdump, and iprupdate services from working correctly. With this update, this error no longer occurs, and the aforementioned services are able to work as expected.
- BZ#713797
- Due to an error in SELinux rules, running SELinux in enforcing mode rendered the clustat utility unable to connect to a cluster port. With this update, the SELinux rules have been updated to permit such a connection, resolving this issue.
- BZ#714960
- Prior to this update, the .k5login files in the users' home directories were labeled with a wrong security context, which caused SELinux to incorrectly prevent the krb5_child process from accessing these files. With this update, the security context of the .k5login files has been corrected so that krb5_child is no longer denied access to these files.
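Many of the fixes above are described in terms of AVC denial messages that appeared in the audit log (on Red Hat Enterprise Linux 5 with auditd running, /var/log/audit/audit.log). The following Python script is an added example, not part of the original errata text or of the selinux-policy packages: it parses AVC denial records in the format auditd writes and counts them by source domain, target type, object class and denied permissions, which is how an administrator would check whether denials still seen after the update correspond to one of the cases listed here (for instance smbd_t writing to wtmp_t, or httpd_t needing execmem). The two sample records embedded in the script are constructed for illustration; their PIDs, inode numbers and timestamps are invented.

```python
import re
from collections import Counter

# Constructed sample audit records in the auditd AVC format (illustrative only,
# not taken from the errata page). The SYSCALL record is included to show that
# non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309100000.123:101): avc:  denied  { write } for  pid=2345 comm="smbd" name="wtmp" dev=dm-0 ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1309100000.456:102): avc:  denied  { write } for  pid=2345 comm="smbd" name="wtmp" dev=dm-0 ino=4711 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1309100001.789:103): avc:  denied  { execmem } for  pid=3001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1309100001.789:103): arch=c000003e syscall=10 success=no exit=-13 comm="httpd"
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one audit record.

    Returns a dict with the denied permissions (sorted, space separated) and the
    key=value fields of an AVC denial, or None for records that are not AVC
    denials or that lack the source context, target context or object class.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if raw.startswith('"') else raw
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    fields['perms'] = ' '.join(sorted(m.group('perms').split()))
    return fields


def context_type(context):
    """Return the type component (user:role:TYPE[:level]) of an SELinux context.

    Splitting on ':' keeps working for MLS contexts such as
    system_u:system_r:smbd_t:s0-s0:c0.c1023, because the type is always third.
    """
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Count AVC denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']),
               rec['tclass'], rec['perms'])
        counts[key] += 1
    return counts


def format_summary(counts):
    """Render the summary as one line per distinct denial, most frequent first."""
    lines = []
    for (stype, ttype, tclass, perms), n in counts.most_common():
        lines.append('%5d  %s -> %s  %s { %s }' % (n, stype, ttype, tclass, perms))
    return '\n'.join(lines)


if __name__ == '__main__':
    import sys
    # With no argument the constructed sample is used; otherwise read the given audit log.
    text = SAMPLE_AUDIT_LOG if len(sys.argv) < 2 else open(sys.argv[1]).read()
    print(format_summary(summarize(text)))
```

Run with the path to an audit log as the only argument (reading /var/log/audit/audit.log requires root); with no argument the constructed sample is summarized. Only the type component of each context is used as the grouping key, so denials from the same domain against the same target type are merged regardless of MLS level, which is the granularity at which the policy rules in this update are written.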
Enhancements:
- BZ#662097
- This update introduces the squid_selinux(8) manual page, which provides detailed documentation of the SELinux policy for the squid daemon.
- BZ#671498
- This update adds a new security context for devices in the /dev/hpilo/ directory, which provide an interface to the HP Integrated Lights-Out (iLO) remote management functionality.
All users of SELinux are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.