
Bug Fix Advisory: selinux-policy bug fix update

Advisory: RHBA-2008:0465-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2008-05-21
Last updated on: 2008-05-21
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

Updated selinux-policy packages that resolve a number of issues are now
available.

The selinux-policy packages contain the rules that govern how confined
processes will run on the system.

These updated selinux-policy packages contain the following changes to
SELinux policy rules:

* Apache now prompts for the passphrase for encrypted private keys.
* DF now runs inside Logwatch.
* postfix now accesses NFS files with "use_nfs_home_dirs=1".
* snmpconf now generates the snmpd.conf configuration file with the correct
SELinux context.
* radiusd now works properly.
* ntpd (ntpd_t) now works properly.
* hald now has "getattr" access to device /dev/drbd0.
* automount now works properly.
* dovecot now performs Kerberos authentication.
* smbd now performs Kerberos authentication.
* nagios now works properly.
* clvmd can now create volume group nodes.
* vbetool can now "append" to /var/lib/hal/system-power-suspend-output.
* postcat now works properly.
* netplugd now has "signal" access to ifconfig_t.
* Mailman now works properly.
* yum-updatesd/puplet now work properly.
* httpd can now read and write http files when twiki pages are browsed.
* terminal output from lvm commands now works when using rlogin.
* vsftp login now works properly.
* rsync server now works properly.
* spamassassin can now access the home directory.
* postfix now uses dovecot's deliver LDA.
* moving files on or off an encrypted mount now works.
* integration of SpamAssassin with DCC now works.
* pyzor integration with SpamAssassin now works.
* mailman and postfix now interact.
* the oddjob_request "mkhomedirfor" command now works properly.
* hal-storage-mount now has "getattr" access to /swapfile.
* Files created in NFS-mounted home directories now have proper context on
server.
* iscsid can now execute setrlimit.
* support for Apache's mod_auth_shadow has been added.
* changing the samba password now works when configured to synchronize the UNIX® password.
* Xorg now has mmap_zero access.
* multipathd now works properly.
* procmail is now able to run spamc.
* vpnc now works properly.
* java-1.5.0-ibm now runs.
* temporary queued mails in postfix are now delivered.
* restart of nscd now works.
* hald now has "setsched" access to the kernel.
* vbetool now has "mmap_zero" access.
* genfs_context nfs_t is now applied to lustre and panfs.
* proper labeling has been applied to
/usr/local/matlab2007b/bin/glnxa64/MATLAB.
* tcpdump now works properly.
* hald_t now has read access to /dev/random.
* krb5kdc is able to start from the command line.

More information on all of the numerous changes is available in the package
changelog. To view this information, run the following command after the
package is installed:

rpm -q --changelog selinux-policy

All users of selinux-policy are advised to upgrade to these updated
packages, which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
selinux-policy-2.4.6-137.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: d42e61b675cfe14d3c584d68824aec31
 
IA-32:
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHSA-2008:0533
    MD5: 337fccdc81b126854492125342501499
 
x86_64:
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHSA-2008:0533
    MD5: 337fccdc81b126854492125342501499
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
selinux-policy-2.4.6-137.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: d42e61b675cfe14d3c584d68824aec31
 
IA-32:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 337fccdc81b126854492125342501499
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
IA-64:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 337fccdc81b126854492125342501499
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
PPC:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 337fccdc81b126854492125342501499
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
s390x:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 337fccdc81b126854492125342501499
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
x86_64:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-devel-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 337fccdc81b126854492125342501499
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
selinux-policy-2.4.6-137.el5.src.rpm
File outdated by:  RHSA-2008:0533
    MD5: d42e61b675cfe14d3c584d68824aec31
 
IA-32:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
x86_64:
selinux-policy-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 0a7162353e3c301d8d26bc625906f563
selinux-policy-mls-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: ad8f11b1ba544dfb8048ed34113dd345
selinux-policy-strict-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 2f6491f33247a33c4f5f2266838a5dba
selinux-policy-targeted-2.4.6-137.el5.noarch.rpm
File outdated by:  RHBA-2013:1312
    MD5: 35d8281db8ac98a58d9b46f5d4eee9d3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

230497 - Apache won't prompt for passphrase for encrypted private keys
238347 - SELinux policy blocks DF from running inside Logwatch
245605 - SELinux prevents postfix from accessing NFS files with use_nfs_home_dirs=1
247461 - snmpconf generates snmpd.conf file with wrong SELINUX context
248467 - radiusd not working with selinux
248838 - SELinux is preventing /usr/sbin/ntpd (ntpd_t) "read write" access to
250447 - SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
251712 - [rhts] selinux warnings with automount
251841 - selinux forbids dovecot perform gssapi authentications
253999 - selinux prevents smbd from kerberos authentication
266341 - nagios avc denials
288771 - SELinux "denied access" error attempting to execute SDK samples.
326631 - targeted policy prevents postcat from working
350511 - Mailman AVC messages when mailman runs in mailman_mail_t domain
351051 - yum-updatesd / puplet doesn't work
353781 - SELinux prevented httpd reading and writing access to http files when twiki pages are browsed.
359701 - RHEL5: The system doesn't boot after updating selinux policy to selinux-policy-2.4.6-106.el5
366461 - RHEL5 | SELinux: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "create"
374431 - selinux prevents terminal output from lvm commands when using rlogin
383191 - pam-0.99.6.2-3.26.el5 breaks vsftp login under selinux
383231 - Unable to build policy due to typo in /usr/share/selinux/devel/include/services/kerberos.if
386481 - avc messaged caused by autofs enhancements for RHEL 5 update 2
390771 - rsync server doesn't work
403241 - Targeted policy breaks rsync as daemon and rsyncd.log logging
410781 - Selinux-policy preventing spamassassin from accessing home directory
414891 - postfix cannot use dovecot's deliver LDA because of selinux
414951 - [RHEL5.2 - ecryptfs] cannot mv files on or off encrypted mount - AVC denial
416541 - DCC policy does not allow integration of SpamAssassin with DCC
416561 - pyzor module does not allow integration of SpamAssassin with pyzor
425806 - mailman and postfix cannot interact
426077 - avc: denied { transition } for comm="userhelper" path="/usr/share/system-config-display/system-config-display"
427517 - running `oddjob_request mkhomedirfor $user` causes AVC denial
429549 - SELinux is preventing /usr/libexec/hal-storage-mount (hald_t) "getattr" access to /swapfile (swapfile_t).
430577 - Files created in NFS mounted home directories have user_home_dir_t context on server
430639 - Stopping mailman causes Permission denied and AVC
430669 - avc: denied { setrlimit } for comm="iscsid"
430702 - selinux needs to support apache mod_auth_shadow
430969 - selinux prevent changing samba password when configured to synchronize unix password.
431023 - SELinux is preventing /usr/bin/Xorg (xdm_t) "mmap_zero" access to <Unknown> (xdm_t).
431240 - Postfix default SELinux policy generates SE alerts.
431413 - [regression] policygentool is broken
431689 - After update, multipathd does not start any more
431797 - selinux prevents procmail from running spamc
433237 - iscsid needs access to setrlimit (regression with 5.1)
433703 - update iscsi policy for isns
434843 - IMAP server "dovecot" policy fix
435112 - Temporary queued mails in postfix can't be delivered
435162 - selinux is preventing paranoia restart of nscd
435824 - ibm java plugin is blocked by selinux avc
435935 - SELinux is preventing vbetool (vbetool_t) "mmap_zero" to <Unknown> (vbetool_t).
437793 - RFE: please apply genfs_context nfs_t to lustre and panfs
437794 - [RHEL5 U2] SELinux AVC Denied message when opening a document
438234 - [RHEL5.2] selinux-policy Can no longer compile policies
438308 - changes in rhel5.2 gcc caused gdb.base/prelink.exp to FAIL
438453 - SELinux is preventing /usr/local/matlab2007b/bin/glnxa64/MATLAB from changing the access protection of memory on the heap.
438865 - SELinux denied access ntpd ntpd_t "read write" socket:[42433541] (unconfined_t)
439018 - tcpdump causes avc messages when running autofs regression tests
439748 - cannot print
439860 - wrong logfile name in clamav policy
440599 - Multiple SELinux denials for snapshot #4
440685 - AVC denial for RHTS test /kernel/filesystems/nfs/nfs4-krb5
443427 - krb5kdc fails to start from command-line with AVC
443950 - avc: denied { getattr } for comm="mdadm" path="/dev/.udev"



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/