
Bug Fix Advisory: selinux-policy bug fix and enhancement update

Advisory: RHBA-2011:0526-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated selinux-policy packages that fix a number of bugs and add various
enhancements are now available.

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.1 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.1_Technical_Notes/index.html

All users of SELinux are advised to upgrade to these updated packages, which
provide numerous bug fixes and enhancements.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
selinux-policy-3.7.19-93.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 7586f3b95c4d5428329ee360cda49467
SHA-256: 5d67cba56208aca1fb06313a5ed3363fc5bee9c1f9ab1b9c885ff34c70525588
 
IA-32:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
x86_64:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
selinux-policy-3.7.19-93.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 7586f3b95c4d5428329ee360cda49467
SHA-256: 5d67cba56208aca1fb06313a5ed3363fc5bee9c1f9ab1b9c885ff34c70525588
 
x86_64:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
selinux-policy-3.7.19-93.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 7586f3b95c4d5428329ee360cda49467
SHA-256: 5d67cba56208aca1fb06313a5ed3363fc5bee9c1f9ab1b9c885ff34c70525588
 
IA-32:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
PPC:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
s390x:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
x86_64:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
selinux-policy-3.7.19-93.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 7586f3b95c4d5428329ee360cda49467
SHA-256: 5d67cba56208aca1fb06313a5ed3363fc5bee9c1f9ab1b9c885ff34c70525588
 
IA-32:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
x86_64:
selinux-policy-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 462a155924a4a021911937bbe9e16ae4
SHA-256: 64a097a2c445d61e1cfea73ea4a92d5f74ccbd5b55559a7b6db93169d4292299
selinux-policy-doc-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ba0d96a5d2da6e41ff249eb47ea583f1
SHA-256: bfd82e5fb627cf7ff83f4d24191941563613c0ec4321210fd6c29871fa8826e3
selinux-policy-minimum-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: f9a5497c34ef29c18125033cf2e49ac1
SHA-256: 6ad6decf43d5f3cf7dfef0d336c8110aa9795c692a28f6dceb45e8be867eaea7
selinux-policy-mls-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 0ba7b9daefb2533e8841b60b2fd86c74
SHA-256: 6498c957c49e62f29ab985801d8c40d243c0130ddea8c3f054f524f1b89c0f06
selinux-policy-targeted-3.7.19-93.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 6aa83f35f7dc4876ee11c47d2b25eadf
SHA-256: 17bcf321cb76b85d07f2ebd13e69e4a4e8a0fe3e28c166989d87c2ac76350665
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

615731 - SELinux is preventing /usr/bin/wodim "setrlimit" access .
630827 - Guest OS customization cannot work with the current SELinux policy setting
631523 - Suspending VMware virtual machines is slow or fails when selinux is enabled.
631564 - remove boolean for corosync to remove potential for selinux avcs with enforcing mode
631952 - policy prevents qemu-kvm wrapper script
634084 - Start of tgtd service emits AVC denials
634089 - running cmirrord on boot generates AVC denial
634357 - fence_scsi fails to unfence with selinux AVC denials
634945 - smbcontrol doesn't work because selinux denies it access to pid files
636683 - unable to mount gfs2 filesystems that exist in fstab with selinux on
637109 - which context is correct for /root/.ssh directory ?
637135 - SELinux is preventing /usr/sbin/rpc.rquotad "quotamod" access
638661 - avc: denied { write } for comm="iptables-save" path="/etc/sysconfig/iptables"
639074 - NetworkManager writing out resolv.conf with wrong context
639083 - SELinux prevents passwd from working in runlevel 1
639230 - SELinux is preventing /usr/lib/vte/gnome-pty-helper "open" access on wtmp
639233 - SELinux is preventing /usr/bin/ck-history "read" access on history
639266 - suspend/resume SELinux denials (dbus)
640642 - SELinux is preventing /usr/sbin/certmonger "search" access on /etc/httpd.
644799 - SELinux denies staff_u and user_u user to run ssh ProxyCommands
646365 - /etc/sysconfig/iptables.save vs. /etc/sysconfig/ip6tables.save context
650136 - copy&paste errors in 'semanage boolean -l' output
655206 - Need dirsrv and dirsrv-admin policy modules merged into base policy
655693 - udevadm settle takes 3 minutes to complete - 3mins is the default timeout value
657521 - selinux-policy-mls produce mount AVC during system startup
657568 - selinux MLS policy prevents executing of run_init in single user mode
658410 - SELinux denials with Cobbler on RHEL 6
658591 - certmonger cannot track 389-ds certificates
658599 - SELinux prevents node_bind for ns-slapd
663054 - user_ping boolean not working
663940 - avc: denied { read } for pid=... comm="shutdown" path="pipe:[32156]" ...
667071 - enforcing MLS: 'rpm -qa' displays nothing in single user mode
667076 - MLS: 'reboot' leads to AVCs in single-user mode
667370 - enforcing MLS -- security_validate_transition: denied for oldcontext=... newcontext=...
667622 - selinux doesn't allow samba utmp = yes
669045 - openssh need udp port for radius auth
669362 - enforcing MLS -- avc: denied { read } for ... comm="sh" path="/dev/kmsg" ...
669402 - Are iprinit, iprdump and iprupdate services supported in MLS policy ?
670774 - enforcing MLS: "crontab -l" does not work well
673112 - Multiple jabberd_t - related denials
675000 - cgrulesengd cannot be started from initscript with selinux target policy enabled
675782 - [SELinux AVC Alert] SELinux is preventing /usr/sbin/ns-slapd from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts
676664 - avc denied message when starting cmirrord
677802 - cluster daemons need access to dbus
677986 - /dev/tgt does not have SELinux label
677989 - /dev/dasd_eer does not have SELinux label
678044 - avc: denied { module_request } for pid=... comm="console-kit-dae" ...
680388 - MLS in single-user mode: /var/lock/lvm: setfscreatecon failed: Permission denied
680426 - MLS: lsusb works but AVCs appear
680428 - MLS: lsblk works but AVCs appear
680539 - dnsmasq supports enable-dbus, but selinux says no
681151 - MLS: udevadm works but AVCs appear
681887 - MLS -- AVCs appear when running: kpartx -v /dev/sda
682219 - MLS -- AVCs appear when running: rpm -Uvh ...
682416 - SELinux is preventing /usr/bin/spice-vdagent "write" access on spice-vdagent-sock
682974 - MLS: under root ssh-keygen creates .ssh and underlying files with bad context
682999 - SELinux is preventing /usr/libexec/gdm-session-worker "write" access on /root.
683367 - avc: denied { search } for ... comm="polkit-agent-he" name="faillock" ... scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
683377 - SELinux prevents pxe installation to work
683988 - MLS: USER_AVC ... denied { send_msg } for ... interface=net.reactivated.Fprint.Manager ...
684198 - /usr/bin/paster cannot work in /var/lib/luci/etc/ because of SELinux
684611 - SELinux prevents httpd from mounting autofs
685116 - mls: selinux blocks console login
687867 - SELinux is preventing /usr/bin/python "search" access on /root/.local.
689431 - selinux blocks rsyslogd from opening more file descriptors
689953 - openswan debugging facility which allows coredumps in case of problems is broken by selinux policy dontaudit
690466 - SELinux is preventing /usr/kerberos/sbin/klogind "read" access on .k5login
691665 - AVCs appear when evince is running in sandbox
692296 - MLS policy roles are more separate than with RHEL5
692457 - MLS: under root ssh cannot create .ssh and underlying files
692571 - selinux policies do not allow cluster to run
692828 - MLS: under staff_u and user_u user ssh-keygen creates .ssh and underlying files with bad context
693420 - /dev/random inaccessible by ssh-keygen
693590 - Add selinux policy for matahari services
693792 - Please include selinux policy for foghorn
694551 - SSH login as sysadm_r is not allowed with ssh_sysadm_login SELinux boolean set in SELinux MLS policy
696092 - squid: denials for squid_kerb_auth when using kerberos authentication
696161 - Selinux alert for wpa_supplicant in CSB 6.1
697812 - sudo -r ... cannot read /etc/selinux/targeted/contexts/default_type
697924 - faillock avcs when booting with mls policy
698144 - AVCs appear when starting tgtd
699063 - netlabelctl can't be run by init
699449 - mislabelled files after boot
699699 - AVCs and USER_AVCs appear when somebody logs in as Guest via GDM
700330 - SELinux is preventing /bin/chown "write" access on /var/lib/sss/pipes/nss.



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/