
Bug Fix Advisory selinux-policy bug fix update

Advisory: RHBA-2007:0544-14
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2007-10-30
Last updated on: 2007-11-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated selinux-policy package that fixes several bugs is now available.

The selinux-policy package contains the rules that govern how confined
processes will run on the system.

Bugs fixed in this release include:

* removed extra quota file context specifications from MLS policy.

* allow vsftpd local logins when system is enforcing MLS policy.

* fixed a typo in the 'kerberos_selinux' man page.

* change /var/log/messages to SystemHigh for MLS policy.

* "vgchange -a y" did not detect volume groups running rc.sysinit.

* fix aide policy AVC denials and bad file context specifications.

* fix policy so that userdom_admin_user_template and cron_per_role_template
do not conflict.

* allow logwatch to search httpd content.

* allow login to console on s390 in MLS policy.

* fix file context specification on ATI libGL.so.1.2.

* fix SELinux policy for logwatch, ntp, useradd, netlabelctl, xen, nscd,
dovecot, smartd, lvm, ppp, ypserv, samba, snmp, IBM Java, VMWare,
tog-pegasus, dhcp, mtu, cupsd, NetLabel and IPsec management tools.

* allow SELinux MLS administrator access to /boot/efi.

* allow the setup of console login on first boot in MLS policy.

Users are advised to upgrade to these updated selinux-policy packages,
which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
selinux-policy-2.4.6-104.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: 18e3dd505f858fb00758299111602eff
 
IA-32:
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHSA-2008:0533
    MD5: e67cd6eec0492c751808f6a57b67ccb0
 
x86_64:
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHSA-2008:0533
    MD5: e67cd6eec0492c751808f6a57b67ccb0
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
selinux-policy-2.4.6-104.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: 18e3dd505f858fb00758299111602eff
 
IA-32:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: e67cd6eec0492c751808f6a57b67ccb0
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
IA-64:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: e67cd6eec0492c751808f6a57b67ccb0
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
PPC:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: e67cd6eec0492c751808f6a57b67ccb0
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
s390x:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: e67cd6eec0492c751808f6a57b67ccb0
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
x86_64:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-devel-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: e67cd6eec0492c751808f6a57b67ccb0
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
selinux-policy-2.4.6-104.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: 18e3dd505f858fb00758299111602eff
 
IA-32:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
x86_64:
selinux-policy-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: fcfe8fb56662d2831d5cce8a5157db75
selinux-policy-mls-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 210d516e6d2f1f3ee9f3d25cfffeecb6
selinux-policy-strict-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 520917135d78cb9001b6defc7d9ab87b
selinux-policy-targeted-2.4.6-104.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 6fb5e821ac880a61d15ebd9e2c496b41
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

213809 - Setup of tog-pegasus SDK fails rhel5 beta2
219192 - LSPP: RHEL5 RC2 1201 MLS Policy Contains Multiple Quota Fcontext Specs
220085 - LSPP - vsftpd denies local logins when system is enforcing mls policy
222363 - [LSPP] ia64 /boot/efi is unaccessible to sysadm_r
222626 - yum upgrade produces lvm AVC Denial
224441 - AVC while updating machine
225443 - LSPP: No console login on first boot
228448 - dangling symlink
229318 - restorecon can't write to pipe of crond_t
231021 - LSPP: amtu -n fails with MLS policy in enforcing mode
231062 - [LSPP] cupsd is unable to increment pam_tally2's tallylog
231656 - NetLabel and IPsec management tools fail to start at boot
233112 - avc: denied { net_bind_service }
233313 - LSPP: sysadm_r gets permission denied when using netlabelctl
233641 - targeted policy is incomplete for net-snmp daemon
234885 - [LSPP] aide policy causes denials
234889 - [LSPP] querying cups jobs with sysadm_r does not override mls restrictions
235023 - nscd now needs setcap permission
235357 - selinux prevents ifup of eth1.
235360 - SELinux prevents automatic addition of machine accounts in a Samba PDC
235363 - ypserv not binding to a port <1024
235725 - In LSPP configuration /var/log/messages is SystemLow
236060 - LSPP: vgchange -a y does not detect vg's
236479 - LSPP: bad aide fc regex
236794 - ppp targeted policy denials
237128 - Selinux policy prevents removal of volume groups
237133 - [LSPP] userdom_admin_user_template and cron_per_role_template conflict during policy compile
237617 - logwatch_t should be allowed to search httpd_sys_content_t
237703 - LSPP: login as ealuser fails from s390 console
238137 - SELinux blocks logwatch from access to clamav logs
238189 - LSPP: Review audit labeling
238347 - SELinux policy blocks DF from running inside Logwatch
238360 - SELinux targeted policy blocks VMWare-hgfsmounter from mounting shared disks.
238748 - SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read" access to pipe:[9396] (firstboot_t).
238751 - SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
239079 - [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
239460 - upgrading selinux overwrites contexts/users/root
240228 - AVCs with netlabelctl
240368 - "vgchange -an VolGroup01" pops a selinux violation.
240383 - SELinux prevents smartd access to device /dev/twa0
241039 - selinux policy breaks creating LVM snapshots
241621 - ypserv cannot exec ypxfr on x86_64
243693 - selinux blocks dovecot writing to nfs_t with use_nfs_home_dirs=1
244435 - SELinux needs new rule to allow xenconsoled to log in /var/log/xen/console
244489 - ATI libGL.so.1.2 avc: denied
245268 - SELinux is preventing (postfix_smtpd_t) "getattr" to /home (home_root_t)
245599 - service iptables status silently fails when selinux is enforcing
246431 - Updated net-snmp package needs policy upgrade
246795 - SELinux is preventing /usr/sbin/lvm (lvm_t) "write" to .cache (lvm_etc_t).
249754 - File watches using audit fail on files located in user home dirs
259781 - Multiple different specifications for /etc/asound\.state



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/