Bug Fix Advisory: selinux-policy bug fix and enhancement update

Advisory: RHBA-2013:0314-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2013-02-20
Last updated on: 2013-02-20
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated selinux packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.

The selinux-policy packages contain the rules that govern how confined processes
run on the system.

These updated selinux-policy packages include numerous bug fixes and various
enhancements. Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes for
information on the most significant of these changes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/selinux-policy.html

All users of selinux-policy are advised to upgrade to these updated packages,
which fix these bugs and add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
selinux-policy-3.7.19-195.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32, x86_64:
selinux-policy-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
selinux-policy-3.7.19-195.el6.src.rpm
File outdated by: RHBA-2014:0324

x86_64:
selinux-policy-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
selinux-policy-3.7.19-195.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32, PPC, s390x, x86_64:
selinux-policy-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
selinux-policy-3.7.19-195.el6.src.rpm
File outdated by: RHBA-2014:0324

IA-32, x86_64:
selinux-policy-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-doc-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-minimum-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-mls-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324
selinux-policy-targeted-3.7.19-195.el6.noarch.rpm
File outdated by: RHBA-2014:0324

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

695698 - Wordpress needs a bit of SELinux love to run in the Enforcing mode
770065 - SELinux AVC denials for check_icmp
790967 - additional permissions for certmonger_t
801493 - Please create policy for pacemaker
807157 - numad runs as initrc_t
807678 - bcfg2-server runs as initrc_t
809877 - selinux-policy does not always have a correct label for files in /var/log/ which were processed by logrotate before
811304 - glusterd runs as initrc_t
811319 - fence_virtd runs as initrc_t
811361 - svnserve runs as initrc_t
816251 - SELinux blocks /bin/ping from read access to dhclient.suspend file on resume from hibernate
821483 - SpamAssassin needs write access to spamd_etc_t
821887 - RHEV Hypervisors are setting selinux context on /etc/mtab improperly.
823647 - typo errors and missing patterns in /etc/selinux/targeted/contexts/files/file_contexts
825221 - restorecon disregards custom rules for sym links
827389 - Gitolite3 policy missing
829274 - MLS: chkconfig SERVICE on/off doesn't work well for root:sysadm_r:sysadm_t
831068 - SELinux problem passwd
831908 - AVC denied errors on sanlock
833557 - No SELinux policies for xl2tpd
834994 - rhnsd runs as initrc_t
835269 - additional permissions for certmonger_t
835923 - OpenMPI problem with SELinux (Grid - parallel universe)
835936 - [selinux-policy] AVC when trying to start qemu-kvm domain (guest) on posix compliant file-system
836241 - selinux policy prevents dovecot domains access to mail_home_rw_t (Maildir)
836311 - New corosync SELinux policy makes heartbeat unusable by default
837815 - MLS user with category s8:c101 cannot ssh to the system
838260 - SELinux policy denies fsav(1) usage in amavisd-new
839250 - service amavisd-snmp restart produces AVCs
839831 - deny qemu guest agent read/write operations by default
840093 - staff_u cannot send mail
840667 - SELinux policy denies clamd(1) usage in amavisd-new
841329 - SELinux targeted policy prevents confined users from using gpgsm with gpg-agent
841950 - SELinux uselessly cripples sadc in root cron jobs
842818 - SELinux problem saslauthd cannot work with MECH=shadow
842905 - user_u crontab_t autofs .viminfo
842927 - selinux policy prevents procmail access to Maildir
842968 - dovecot can't access ~/Maildir
843455 - munin_stats broken after upgrade to 6.3
843543 - starting libvirt default network causes avc: denied { write } comm="dnsmasq" scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
843814 - Need update of selinux policy related to SSSD
844448 - munin exim selinux configurations missing
845033 - selinux policy for iucvtty
845201 - Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs
845417 - Add SELinux policy for openvswitch daemons
846340 - VMware virtual ethernet service fails to start on RHEL 6.3
848915 - slpd runs as initrc_t
848918 - sensord runs as initrc_t
849262 - SELinux is preventing /usr/sbin/snmpd (snmpd_t) from write access on the sock_file /var/run/cman_client (corosync_var_run_t)
849671 - SELinux doesn't allow /etc/init.d/clamd.amavisd to write PID file
849745 - SELinux prevents pppd from working in targeted mode when using L2TP IPSec mode
851113 - incorrect label on /var/run/cachefilesd.pid file
851128 - rpc.rstatd and rpc.rusersd run as initrc_t
851241 - cpglockd runs as initrc_t
851289 - unbound not able to bind to port 80, despite dns_port_t set correctly
851483 - spice-vdagent(d) is moving to syslog, needs selinux policy adjustment
852544 - SELinux targeted policy prevents confined users from using sandbox
852763 - root can't mount any file via loop device with enforcing mls policy
853453 - SELinux vs .forward script on nfs
853852 - SELinux Boolean for NFS failed to prevent nfs client access
853970 - RHCS cluster node does not auto-join cluster ring after power fencing due to corosync SELinux AVCs (avc: denied { name_bind } for pid=1516 comm="corosync" src=122[89] scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:*_port_t:s0...
854620 - AVCs when running lvmetad test with disabled unconfined and unlabelednet
854671 - selinux avcs when running openswan on a system with fips enabled
855286 - SELinux is preventing /usr/sbin/sanlock from getattr access on Posix Compliant FS storage type
855295 - AVCs when running rhsmcertd test with disabled unconfined and unlabelednet
855311 - AVCs when running tgtd test with disabled unconfined and unlabelednet
855314 - Saving ebtables is blocked when unconfined module is disabled
855889 - libselinux should support per-user login contexts
855895 - AVCs when running cyrus-imapd test with disabled unconfined and unlabelednet
856580 - nslcd - denied sys_nice
858235 - rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0
858406 - PostgreSQL PITR setup with SELinux feature request
858784 - pulse fails to start IPVS sync daemon
859231 - krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
860087 - Update SELinux policies for pppd
860858 - RHEL5/RHEL6 selinux-policy needs clamscan_can_scan_system tunable
861980 - selinux, afs, and readahead
863407 - SELinux policy doesn't allow freshclam to update through http proxy
864546 - SELinux prevents puppet master from running as passenger web app
865390 - SELinux denies getattr to perl strict.pm module
865567 - avc denials on fail2ban restart
865759 - Root can ssh when ssh_sysadm_login --> off in MLS
867001 - rsyslog cannot access krb5 ticket and keytab
867002 - SELinux is preventing /usr/sbin/sshd from read access on the file /var/lib/sss/mc/passwd
867628 - stale man pages (specifically ricci_selinux(8))
868959 - AVCs for cluster-cim w/ Pegasus server
869059 - SELinux blocks postfix <-> dspam
869304 - AVC while starting VMs hosted on RHS
871038 - SELinux prevents /sbin/cgrulesengd (cgred_t) from searching in /proc/irq (sysctl_irq_t)
871106 - [PATCH] Munin plugins can't run unconfined
871816 - rhel6.4 ipactl restart avc denials for various services
874843 - Zarafa webapp generates AVC when writing to /var/lib/zarafa-webapp/tmp/session/
875602 - SELinux prevents rsyslogd from writing to /var/lib/net-snmp/mib_indexes/0 file
875839 - Please ship the openshift SELinux policy with RHEL 6.4
878212 - Cannot log into 6.4 nightlies with fips mode + selinux in enforcing mode
880369 - Unable to create quota system on openshift_var_lib_t
880407 - incorrect SELinux file contexts on /etc/multipath*
881413 - SELinux errors when including domain-realm mapping directory
881445 - SELinux is preventing /usr/sbin/sshd "search" access on /var/lib/mysql
881993 - rsyncd fails to chdir with autofs mounted nfs directory
883143 - git-daemon and httpd can't serve the same dir
885432 - selinux prevents RHEV-M SSO plugin from accessing credentials channel created by ovirt/rhevm-guest-agent
885518 - PostgreSQL and .ssh context
886563 - selinux denies dovecot scripts
886619 - Passenger prespawn does not work
888164 - AVC reported by rpc.rusersd
888440 - Apcupsd SNMP monitoring blocked
889251 - SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket
890687 - rsyncd cannot append to tcontext=system_u:object_r:var_log_t
895220 - SELinux error managing certmonger certificates in rpm post script


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/