
Bug Fix Advisory: selinux-policy bug fix and enhancement update

Advisory: RHBA-2011:1511-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-12-06
Last updated on: 2011-12-06
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated selinux-policy packages that fix several bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.2 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/selinux-policy.html#RHBA-2011-1511

All users of SELinux are advised to upgrade to these updated packages, which
provide numerous bug fixes and enhancements.


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
selinux-policy-3.7.19-126.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324

x86_64:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
selinux-policy-3.7.19-126.el6.src.rpm
File outdated by: RHBA-2014:0324

x86_64:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
selinux-policy-3.7.19-126.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324

PPC:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324

s390x:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324

x86_64:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
selinux-policy-3.7.19-126.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324

x86_64:
selinux-policy-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-126.el6.noarch.rpm
File outdated by: RHBA-2014:0324
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

665176 - There is no selinux man page for mysql
691828 - include sanlock
693810 - Targeted policy doesn't fit new drupal* installations
694031 - enforcing MLS: userdel -r USERNAME causes AVCs
694087 - AVC: load-policy: install IPA Server
694879 - [RFE] subscription-manager does not have it's own policy
694881 - Please add policy for corosync-notifyd
698923 - selinux prevents kadmin from setsched operation
700495 - xguest login produce USER_AVC denial { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.Compliance
701885 - typo errors in 'semanage boolean -l' output
702351 - ntpd produces an AVC when started from firstboot GUI
704191 - secadm_r doesn't have write permission to selinux_config_t
705277 - rsyslogd cannot search /var/spool/rsyslog and cannot read /dev/random
706448 - avc: denied when a NIS user is configured in /etc/cgrules.conf
707616 - MLS selinux mode: cannot register machine
710292 - setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module
712961 - SELinux policy missing access for /var/spool/rsyslogd
713218 - Add policy to allow kerberos kadmind to communicate with openldap via ldapi
715038 - AVCs when trying to create new 389-ds instance through 389-console
716973 - selinux prevents rsyslogd to send messages encrypted with TLS
718268 - [RHEL6.2] AVC denied comm="qmgr"
718390 - Shipped SELinux policy prevents Puppet 2.6/2.7 from working
719261 - SELinux policy forbidds resending of queued e-mails in Postfix mail queue
719738 - CTDB/Samba fails when selinux is enabled
719929 - httpd_selinux missing information
720463 - Zarafa needs a SELinux treatment to work (currently works only in the permissive mode)
720603 - SELinux avoids logrotate if /var/lib/logrotate.status is a symlink due to DRBD/drbdlinks
720939 - Various AVC denied for initrc_t:unix_stream_socket { read write }
722381 - selinux policy does not allow squeezeboxserver to start
722429 - Problem with SELinux and the script resource agent
722506 - some .te files cannot be compiled because interfaces contain errors
723258 - SELinux "targeted" policy blocks web access to files in directories named "logs"
723911 - some .pp files cannot be loaded because interfaces contain errors
723947 - pppoe-server runs as initrc_t
723958 - lldpad runs as initrc_t
723964 - fcoemon runs as initrc_t
723977 - cimserver runs as initrc_t
725414 - Targeted: add rule for ssh-keygen to be able to create .ssh folder with correct context
725767 - abrt-dump-oops runs as initrc_t
726031 - tomcat6 can not run successfully under mls policy
726324 - SELinux is preventing /usr/libexec/qemu-kvm from 'getattr' accesses on the filesystem /home.
726339 - denied sys_module for /sbin/ip capability
726696 - uuidd runs as initrc_t
726699 - gatherd and reposd run as initrc_t
727130 - SELinux is preventing /sbin/grubby "search" access to /boot/efi
727150 - selinux prevents rsyslogd to access snmpd_var_lib_t
727160 - SELinux is preventing /bin/bash from write access on the directory cluster.
727290 - SELinux is preventing /usr/sbin/lldpad from using the 'sys_module' capabilities.
728591 - selinux policy restricts rsyslog clients from connecting to port 6514
728699 - SELinux prevents hddtemp from listening on 'localhost'
728790 - fence_kdump agent bind to port causes AVC denial
729073 - SELinux prevents openvpn to set its process priority
729175 - [RHEL6.2] avc: denied { read } for pid=5541 comm="abrt-dump-oops"
729365 - qemu should be allowed to connect to libguestfs socket
729648 - In a chrooted sftp environment, selinux is preventing the users from uploading new files to their home directories.
730218 - selinux preventing procmail to execute hostname command
730837 - SELinux prevents puppet running as Passenger webapp
730852 - memcached requires CAP_SYS_RESOURCE if max connections is set to greater than 1024
731760 - SELinux is preventing /usr/sbin/wpa_supplicant from 'create' accesses on the netlink_socket Unknown.
732196 - SELinux module needed for ssh access to git
732757 - Authentication issues while using Kerberos and SELinux in enforcing mode
733002 - There is no selinux man page for squid
733039 - There is no selinux man page for ABRT
733337 - cluster tools cause AVCs
733869 - selinux policy for qmail service prevents qmail-inject/sendmail
734123 - SELinux is preventing /usr/bin/virsh from read access on the chr_file /dev/random
734568 - postdrop causing avc failure
734722 - avc messages on mailman downgrade test and binary completeness test
735198 - selinux-policy denies write for sulogin to /dev/pts/0 in single user mode
735729 - SELinux is preventing /bin/cp from relabelfrom operation on the file rng_update.lock
736300 - SELinux is preventing smbcontrol from read/write operation on /dev/console
736388 - SELinux is preventing /usr/sbin/pulse from executing /usr/sbin/fos
736623 - cgit does not work with default selinux policy
737495 - selinux prevets radiusd search on /tmp
737571 - SELinux is preventing dhcpd setgid/setuid access
737635 - AVC denial when starting luci
737790 - SELinux is preventing /usr/bin/spice-vdagent "write" access on spice-vdagent-sock
738156 - different contexts on configs / init scripts related to dhcpd / dhcpd6
738188 - SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock
738529 - SELinux prevents sanlock work
738994 - cyrus-imapd downgrade selinux test fail
739047 - Update against RHN Live-selinux Test fails
739065 - fence_scsi.key moved from /var/lib/cluster/ to /var/run/cluster/ but SELinux context did not follow
739618 - Chrome/Chromium cannot start due to text relocations
739628 - seinfo -r displays 12 roles and 1 type
739883 - SELinux is preventing /usr/sbin/abrtd from 'create' access on the lnk_file .lock
740180 - SELinux is preventing pwupdate from getattr operation on /bin/mailx
740514 - rsyslog not able to connect to smtp port
740925 - ns-slapd dirsrv_t netlink_route_socket denials
741271 - selinux-policy spice-vdagent rules need update because of new agent features
741967 - SE Linux policies for Clustered Samba commands
743245 - If secmark packets are rejected by SELinux, the calling app should get a eperm returned
744817 - /dev/bsr4096_* are labelled system_u:object_r:device_t:s0
745113 - matahari-net was renamed to matahari-network but SELinux context did not follow
745208 - 389-ds-base: PAM Pass through authentication fails when selinux mode is in "Enforcing".
745531 - Cloudform need SELinux policies support
746265 - sssd needs to be allowed to create, delete and read symlinks in /var/lib/sss/pipes/private
746348 - SELinux is preventing /usr/bin/Xorg from 'unix_read, unix_write' accesses on the shared memory Unknown.
746616 - ntpd_t and dhcpc_t generate AVC fails
746764 - piranha-gui: error opening or creating the lvs.cf configuration file
747321 - SELinux is preventing /usr/sbin/sshd from getattr operation on /root/.hushlogin file
748755 - SELinux is preventing /bin/bash (xdm_t) from write access on the directory /etc (etc_t)
749568 - finger cannot access /var/run/nslcd
749690 - dovecot denials
751892 - SSO: Selinux error prevent login to virtual terminal (CTRL+ALT+F2) with a smart card.
752376 - vhostmd service dies in enforcing mode


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/