Skip to navigation

Bug Fix Advisory selinux-policy bug fix and enhancement update

Advisory: RHBA-2012:0780-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2012-06-20
Last updated on: 2012-06-20
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated selinux-policy packages that fix a number of bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for
information on the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.3_Technical_Notes/selinux-policy.html#RHBA-2012-0780

All users of SELinux are advised to upgrade to these updated packages, which fix
a number of bugs and add various enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
selinux-policy-3.7.19-154.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 5989f534943923db057cf6d82e368296
SHA-256: 3dacdcd53e197dc94f09340646c89cf75712ccb4a9846265f1345ecad027bd81
 
IA-32:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
x86_64:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
selinux-policy-3.7.19-154.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 5989f534943923db057cf6d82e368296
SHA-256: 3dacdcd53e197dc94f09340646c89cf75712ccb4a9846265f1345ecad027bd81
 
x86_64:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
selinux-policy-3.7.19-154.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 5989f534943923db057cf6d82e368296
SHA-256: 3dacdcd53e197dc94f09340646c89cf75712ccb4a9846265f1345ecad027bd81
 
IA-32:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
PPC:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
s390x:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
x86_64:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
selinux-policy-3.7.19-154.el6.src.rpm
File outdated by:  RHBA-2014:0324
    MD5: 5989f534943923db057cf6d82e368296
SHA-256: 3dacdcd53e197dc94f09340646c89cf75712ccb4a9846265f1345ecad027bd81
 
IA-32:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
x86_64:
selinux-policy-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ca20b72ff60f550a21837bd63fd7700c
SHA-256: 3686c366dc30cd1b5b02c7bda4eb276ccfda241136275a6e7e612383e84b5c8a
selinux-policy-doc-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: 8f12de6b9fde2ad95d27d35ba39fca6e
SHA-256: 12d0087b7f2b86a4cf0a33d2a5c0072c2442d7730be796a1fc4c8693ab340de4
selinux-policy-minimum-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: ab8f270451fe79518c6e70c3b428e81e
SHA-256: eff4f7070325b02533c7c94c6043529978bd33588519aa2d26d9e2ff6d9dbe90
selinux-policy-mls-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: e6bc6cedde5ef7d54f59fe1104cb45d6
SHA-256: 8f333e19541e5c8921a1a067527fc27993debe6f5460ee9b583e72d4701d03a2
selinux-policy-targeted-3.7.19-154.el6.noarch.rpm
File outdated by:  RHBA-2014:0324
    MD5: deb23cba0fb1035f3eb63bc1f5d5fabc
SHA-256: 5d841e267d91ecfbb32b6aa9b459fe567105e8bf4d5fb35fb4cc78ed65576288
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

666332 - sshd service startup failing after destroy when guest install complete
708223 - SELinux httpd_can_network_connect_db denied messages are not logged
718273 - Need policy for gridengine mpi jobs
722896 - interface body is not consistent with interface header
727145 - /var/cfengine/output shouldn't be labelled as var_log_t
738628 - avc denial 'sys_rawio' for rpc.mountd
739886 - avc: denied { read } for pid=19050 comm="rndc" path="/proc/loadavg"
744291 - [RHEL6.2] AVC denied comm="hald-probe-stor" comm="hald-probe-volu"
746961 - ssh-keygen cannot create key outside of ~/.ssh directory
747239 - quota_nld runs as initrc_t
747993 - Re-confining of Firefox plugins
748190 - Missing SELinux rules block use of munins plugin selinux_avcstat
748971 - missing SELinux rules cause openswan labeled IPsec to fail
749200 - matahari-qmf-sysconfigd and matahari-qmf-sysconfig-consoled run as initrc_t
749311 - targeted selinux policy breaks nagios checks and event handlers
749501 - SELinux is preventing /opt/google/chrome/chrome from executing nacl_helper_bootstrap
750869 - sudo/newrole cannot validate logins
751555 - audit logs show crond_t requesting nlmsg_tty_audit
751558 - cannot view mail when unconfined is removed
751732 - SELinux is preventing /usr/libexec/rhsmd from read on /proc/2038/net/psched file
753184 - MLS policy doesn't allow running root created cron jobs
753396 - virsh iface-start and iface-destroy commands lead to a "very long wait" before finally succeeding
754455 - SELinux prevents rsyslog-5.8.6 from running
754646 - SELinux is preventing /usr/sbin/sanlock from search access on NFS directory
759403 - Selinux disallow creating ssh keys for OpenMPI job (sshd.sh script)
760537 - SELinux "targeted" policy blocks web access to files in directories named "logs"
761495 - Some munin plugins lack proper SELinux policies
767195 - SELinux is preventing httpd (namely Trac) from RO access on git files
767579 - selinux prevents quota from setting quota on homedirs
768055 - SELinux silent denials of Nagios NRPE check of /boot
768065 - Incorrect labeling on files from perl-Razor-Agent
768312 - Logging into CVS server causes AVC denial
769301 - SELinux is preventing /usr/sbin/sssd from using the sys_admin capability.
769352 - SELinux prevents qpidd (qpidd_t) from search operation on /sys (sysfs_t) directory
769819 - selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix
769859 - selinux-policy-* packages seem to be testing SELinux status incorrectly
772717 - selinux-policy in rhel-6.2 doesn't allow mcelogd to create pid file causing it not to start
773641 - SELinux prevents ssh-keygen write access to NFS home dirs
781556 - AVC denied for write for sendmail_t in dovecot_deliver_tmp_t
783592 - need SELinux policy for ipa_memcached service
784411 - restorecon uses wrong context for /etc/ssh/ssh_known_hosts or policy wonked
786467 - SELinux prevents clustered qpidd (qpidd_t) from name_connect (tcp_socket, amqp_port_t)
786597 - munin_mail_plugin_t is denied searching in /var/lib
788492 - SELinux is preventing /usr/sbin/matahari-qmf-hostd.#prelink#.TUumNu (deleted) from using the 'sys_ptrace' capabilities.
788601 - AVC denied for httpd_t on zarafa_var_lib_t if it's lnk_file
790980 - Google Chrome has problems with SELinux rules when home directory is in NFS
791294 - SELinux prevents clustered qpidd (qpidd_t) from name_connect (tcp_socket, amqp_port_t)
795474 - Request for rsync network filesystem (nfs/cifs) booleans
796351 - AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
796711 - selinux denial for mailx when used in cron (& screen)
799102 - selinux-policy updates break ldapi samba connection to 389ds (IPA)
799968 - Policy for SSSD should allow CAP_SYS_RESOURCE
801015 - matahari-qmf-rpcd runs as initrc_t
801163 - SELinux prevents chsh from working with Kerberos auth
801408 - SELinux is always hammered for lack of documentation, need to back port new man pages.
803422 - SELinux denies writing /sbin/quotacheck to nfs_t folder
804186 - AVCs when sending mail to root, using postfix + ~/Maildir
805217 - AVC when connecting to internal-sftp using unconfined user in targeted
805742 - SELINUX_ERR when using config tools to install packages
806220 - list of permissive domains is not empty after disabling permissivedomains module
807590 - virtual network looses network connection
807682 - [RFE] ssh_to_job for VM/Java/Sched/Local universe
807824 - cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
808451 - wrong(?) label on postgresql postmaster.pid file
808624 - dovecot lmtp exec access denied to sendmail.postfix
809356 - libvirt-qmf runs as initrc_t
809746 - SELinux prevents heartbeat service from starting
810273 - lvmetad runs as initrc_t
811532 - feature request: add zfs to the list of xattr supported file systems
812854 - package-cleanup fails to remove kernels when called from cron
813803 - /etc/zipl.conf must be labelled as boot_t
814091 - fence-agents are unable to run snmpwalk/snmpget
818082 - ssh-copy-id from root to guest_u account causes denial
818611 - X11 forwarding does not work for xguest_u
821004 - Cannot create crontabs for users under MLS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/