Updated selinux-policy packages that fix several bugs and add an
enhancement are now available.
The selinux-policy packages contain the rules that govern how confined
processes run on the system.
These updated packages resolve several bugs in Security-Enhanced Linux
(SELinux) policy as shipped with Red Hat Enterprise Linux 5. The majority
of these bugs resulted in SELinux denying legitimate access.
The following is a non-exhaustive, brief list of bugs resolved by this
update:
* denials for "iscsid" and "iscsiadm".
* Common UNIX Printing System (CUPS) issues, such as print jobs failing
when using the Hewlett-Packard Linux Imaging and Printing (HPLIP) software.
* Simple Network Management Protocol (SNMP) issues, such as snmpd hanging
when querying for IPv6 attributes on systems with IPv6 disabled.
* various denials related to D-Bus, causing issues for certain
applications.
* due to incorrect labels, Kernel-based Virtual Machine (KVM) guests that
used virtio drivers failed to mount "/boot" during rc.sysinit.
* the "/boot/efi/" files on Itanium-based systems were labeled incorrectly.
* "/var/lib/iscsi" and "/var/lock/iscsi" were labeled incorrectly.
* denials in certain situations when upgrading from Red Hat Enterprise
Linux 5.1 to 5.2.
* when SNMP support was enabled for Squid, Squid failed to start.
* various denials when using Samba.
* denials when using DHCP.
* in clustered environments, errors occurred when using the Conga web
interface to view storage details. Also, luci may have reported an
incorrect service status.
* denials when using certain procmail scripts, as well as delivery problems
when using a combination of procmail and Dovecot.
* incorrect labeling, causing issues for "kadmind".
* FreeRADIUS was unable to communicate with Net-SNMP.
* corrections to the ftpd_selinux(8) manual page, with regard to using the
"semanage" tool for labeling.
* in Kerberos master and slave environments, replications from the master
to the slave may have caused denials. In this update, a policy has been
added for kpropd (so that it runs confined), which resolves this issue.
Also, in this update, a policy has been added for the IPsec Tools racoon
daemon (so that it runs confined).
This update resolves several bugs not listed here. A more complete list of
changes is available in the selinux-policy package changelog. To view this
information, run the following command after installing or updating the
selinux-policy package:
rpm -q --changelog selinux-policy
All users are advised to upgrade to these updated packages, which resolve
these issues and add this enhancement.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
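
To confirm after the update that the denials described above are gone, the remaining AVC records can be grouped by source domain, permission and target type. The script below is an added example, not part of the advisory or of any Red Hat tool; the function names are hypothetical, and the sample log is constructed (only the cupsd denial text is taken from bug 461814 in the list at the end of this page).

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as
#   "<count> <source_type> <perms> <target_type>:<class> comm=<comm>"
# Simplification: assumes comm values contain no spaces.
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") { inset = 0; continue }
            if (inset) { perms = (perms == "" ? $i : perms "," $i); continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "tclass") cls = val
            # A context is user:role:type:level; the type is field 3.
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        }
        seen[src " " perms " " tgt ":" cls " comm=" comm]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

# Number of denials whose source domain is $1 (0 once the fix is effective).
denials_from() {
    avc_summary | awk -v d="$1" '$2 == d { n += $1 } END { print n + 0 }'
}

# Constructed sample records (timestamps, pids and the logwatch line are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1226500000.101:41): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1226500000.101:41): arch=c000003e syscall=2 success=no exit=-13 comm="cupsd"
type=AVC msg=audit(1226500003.512:44): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1226500010.007:52): avc:  denied  { getattr search } for  pid=4711 comm="perl" path="/root" dev=dm-0 ino=2 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
EOF
}

sample_audit_log | avc_summary
```

On a live system, feed it the audit log instead of the sample, for example `avc_summary < /var/log/audit/audit.log`, and compare the output before and after installing the updated packages.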

Red Hat Enterprise Linux (v. 5 server)

| Architecture | Package | Checksum |
| --- | --- | --- |
| SRPMS | selinux-policy-2.4.6-203.el5.src.rpm | f91a59cee8f716f25d97b6812ecb6cc5 |
| IA-32, IA-64, PPC, s390x, x86_64 | selinux-policy-2.4.6-203.el5.noarch.rpm | 815d20c05484ae230eca3391b69eea2f |
| IA-32, IA-64, PPC, s390x, x86_64 | selinux-policy-devel-2.4.6-203.el5.noarch.rpm | 7ba722d1ec73958e7379430217ba70a8 |
| IA-32, IA-64, PPC, s390x, x86_64 | selinux-policy-mls-2.4.6-203.el5.noarch.rpm | e2212bc684843603697ac522d5b4e8ce |
| IA-32, IA-64, PPC, s390x, x86_64 | selinux-policy-strict-2.4.6-203.el5.noarch.rpm | 78974808f3306af4c264e70129770f73 |
| IA-32, IA-64, PPC, s390x, x86_64 | selinux-policy-targeted-2.4.6-203.el5.noarch.rpm | 7d8f158fa7b248d0eab2f808e43f5596 |

Red Hat Enterprise Linux Desktop (v. 5 client)

| Architecture | Package | Checksum |
| --- | --- | --- |
| SRPMS | selinux-policy-2.4.6-203.el5.src.rpm | f91a59cee8f716f25d97b6812ecb6cc5 |
| IA-32, x86_64 | selinux-policy-2.4.6-203.el5.noarch.rpm | 815d20c05484ae230eca3391b69eea2f |
| IA-32, x86_64 | selinux-policy-devel-2.4.6-203.el5.noarch.rpm | 7ba722d1ec73958e7379430217ba70a8 |
| IA-32, x86_64 | selinux-policy-mls-2.4.6-203.el5.noarch.rpm | e2212bc684843603697ac522d5b4e8ce |
| IA-32, x86_64 | selinux-policy-strict-2.4.6-203.el5.noarch.rpm | 78974808f3306af4c264e70129770f73 |
| IA-32, x86_64 | selinux-policy-targeted-2.4.6-203.el5.noarch.rpm | 7d8f158fa7b248d0eab2f808e43f5596 |

Every file listed above is marked "File outdated by: RHBA-2009:1495".

(The unlinked packages above are only available from the Red Hat Network)

247510 - There is no selinux module for ipsec-tools (racoon)
437722 - policygentool - missing python module dependency + wrong option
441750 - ia64 selinux: Properly install files and symlinks
442028 - SELinux preventing procmail recipe
447014 - SELinux policy needed for kpropd
447403 - selinux utilities report incorrect context for /var/lib/iscsi* objects
447854 - No SELinux labeling exists for infinibandeventfs
449420 - [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
450390 - "permission append is not defined for class chr_file" when using the macro dev_rw_null(domain)
451805 - RHEL5.2 |SELINUX: Restarting portmap service shows "not registered portmapper" message
452787 - squid ceased to work after upgrade to 5.2
454024 - selinux denies snmpd to read from /proc/pid/fd/*
455033 - kadmind is not able to write to /var/kerberos/krbkdc/principal.ok file
455697 - SELinux is preventing perl (logwatch_t) "getattr" to /root (user_home_dir_t)
455784 - AVC denies Conga from using storage in permissive mode
456674 - Selinux does not allow samba to change file owner
457307 - can't run dovecot's deliver from inside .procmailrc
457455 - SELinux is complaining about Novell GroupWise library
459390 - "permission ioctl is not defined for class sock_file" when using nscd_socket_use macro
459570 - SELinux policy needs to be changed to support hal-set-keymap
459888 - SELinux is preventing dhcdbd (dhcpc_t) "read" to /etc/dbus-1/system.d (dbusd_etc_t)
460398 - iscsid needs additional SELinux allow rule for interface binding
460733 - Cannot execute locally installed daemon (pysieved) from stunnel (permission denied)
461040 - Selinux policy prevents freeradius to communicate with net-snmp
461323 - SELinux AVCs when accessing mib .1.3.6.1.2.1.6
461326 - SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t)
461624 - auditd service won't start because of "Unable to open /sbin/audispd (Permission denied)"
461644 - SELinux is preventing snmpd (snmpd_t) "unlink" to master (var_t)
461645 - Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
461769 - luci reports incorrect service status with SELinux enforcing
461814 - avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
462739 - [NetApp-S 5.3 bug] Getting selinux errors when iscsid is shutdown
463267 - SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute_no_trans" to /lib/dbus-1/dbus-daemon-launch-helper (lib_t).
463480 - SELinux is preventing dbus-daemon (system_dbusd_t) "execute_no_trans" to /lib/dbus-1/dbus-daemon-launch-helper (system_dbusd_exec_t)
464079 - avc: denied { search / unlink } for comm="audispd"
464886 - denyhosts requires selinux policy changes to work without disabling other critical services like NFS
465219 - man page ftpd_selinux bugs
466470 - avc: denied { getsched } for pid=12121 comm="snmpd" ...
467369 - avc: denied { getattr } for comm="audispd" path="/sbin/audispd-zos-remote"
467995 - avc: denied { getattr } for comm="perl" path="/root"
470248 - Error installing selinux-policy-strict: libsepol.expand_terule_helper: conflicting TE rule for ...
470574 - SELinux mgetty runs unconfined_t if launched with a parameter in /etc/initttab
470621 - SELinux is preventing cups-deviced (cupsd_t) "signal"
470857 - SELinux policy prevents hplip_t type from reading cupsd_tmp_t files
471160 - RHTS test fails to run correctly - selinux messages only evidence
472373 - bind cannot access to /etc/krb5.keytab
472903 - [RHEL5.3] SELinux AVC Denied: Not allowing install of xen guest
475273 - missing policy