Issued: 2009-01-20
Updated: 2009-01-20
RHBA-2009:0206 - Bug Fix Advisory
Synopsis
policycoreutils bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated policycoreutils packages that fix several bugs are now available.
Description
policycoreutils contains the policy core utilities that are required for
the basic operation of a Security-Enhanced Linux (SELinux) system. These
utilities include load_policy to load policies, setfiles to label file
systems, newrole to switch roles, and run_init to run "/etc/init.d/"
scripts in the proper context.
These updated packages fix the following bugs:
- after adding a user with a home directory in "/usr/local/", for example,
"useradd -d /usr/local/[username] [username]", running "genhomedircon"
added conflicting file-contexts to the SELinux file-context configuration.
This caused two entries, defining different contexts, for "/usr/local/".
Running "restorecon -R -v /usr/local/" at this point caused files to be
incorrectly labeled with the "user_home_t" type. This may have caused
denials. In this update, "genhomedircon" no longer adds conflicting
entries.
- it was not possible to use "semanage fcontext" to specify the "none"
type. Attempting this resulted in "libsepol.context_from_record" and
"libsemanage.validate_handler" errors. In this update, the "semanage
fcontext" command accepts the "none" type, which resolves this issue.
- depending on the structure of home directories, adding or removing
modules with the "semodule" command may have taken a long time, and caused
errors. Also, running the "genhomedircon" command may have caused errors.
For example, if home directories used a "/home/misc/[username]" structure,
running the "genhomedircon" command caused errors similar to the following:
[username] homedir /home/misc/[username] or its parent directory conflicts
with a defined context in
/etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account. If it is a system account
please make sure its login shell is /sbin/nologin.
This was caused by a regular expression in "genhomedircon" incorrectly
matching "home" in file-context configuration. In this update, the entire
path is searched for, which resolves this issue.
- turning on auditing for certain rules may result in "avc: granted"
messages being logged to "/var/log/audit/audit.log". "audit2allow" treated
such messages as if they were denied ("avc: denied"), and created rules
for the actions that were already being allowed. In this update,
"audit2allow" ignores "granted" messages, which resolves this issue.
- when using "system-config-selinux" to add a file context that contained
a regular expression, for example, "/test(/.*)?", the context was not added
to file-context configuration, and the following errors occurred:
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `{ semanage fcontext -a -t -r s0 -f 'all files'
/test(/.*)?; } 2>&1'
These errors were only seen when running "system-config-selinux" from the
command line. In this update, "system-config-selinux" supports adding file
contexts that contain regular expressions.
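The "system-config-selinux" failure above is a shell-quoting problem: the file spec reached "sh -c" unquoted, so "(" was parsed as shell syntax. The following is an added example, not code from policycoreutils. The command-building pattern, the "semanage" stand-in function and the "etc_t" type are assumptions made so it runs without SELinux tools.

```python
import shlex
import subprocess
import sys

SPEC = "/test(/.*)?"  # file spec from the advisory
# Stand-in for semanage (assumption, so this runs without SELinux tools):
# an sh function that prints the last argument it was given.
STUB = 'semanage() { for a in "$@"; do last=$a; done; printf "%s" "$last"; }; '
ARGS = "fcontext -a -t etc_t -r s0 -f 'all files' "  # etc_t is illustrative


def run_unquoted(spec):
    """Assumed pre-fix pattern: spec pasted into the shell string as-is."""
    cmd = STUB + "{ semanage " + ARGS + spec + "; } 2>&1"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def run_quoted(spec):
    """Spec quoted so sh passes it through as one literal word."""
    cmd = STUB + "{ semanage " + ARGS + shlex.quote(spec) + "; } 2>&1"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def run_argv(spec):
    """No shell at all: the spec is a single argv element."""
    echo_last = "import sys; sys.stdout.write(sys.argv[-1])"
    argv = [sys.executable, "-c", echo_last, "fcontext", "-a", spec]
    return subprocess.run(argv, capture_output=True, text=True)


if __name__ == "__main__":
    bad = run_unquoted(SPEC)
    print("unquoted:", bad.returncode, (bad.stdout + bad.stderr).strip())
    print("quoted:  ", run_quoted(SPEC).stdout)
    print("argv:    ", run_argv(SPEC).stdout)
```

The unquoted call fails in the shell's parser before the "2>&1" redirection takes effect, which is why the error surfaced on the terminal rather than in the captured command output.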
Users of policycoreutils are advised to upgrade to these updated packages,
which resolve these issues.
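The "audit2allow" item above can be seen with a small AVC parser. This is an added example, not audit2allow's own code; the log lines are constructed, and the include_granted switch is a hypothetical flag used only to reproduce the pre-fix behaviour next to the fixed one.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records in /var/log/audit/audit.log format.
SAMPLE_LOG = [
    'type=AVC msg=audit(1232450000.123:101): avc:  denied  { read write } for  '
    'pid=2101 comm="httpd" name="app.log" dev=dm-0 ino=4711 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1232450001.456:102): avc:  granted  { getattr } for  '
    'pid=2101 comm="httpd" name="hosts" dev=dm-0 ino=1201 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1232450002.789:103): avc:  denied  { getattr } for  '
    'pid=2101 comm="httpd" name="app.log" dev=dm-0 ino=4711 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1232450002.789:103): arch=c000003e syscall=4 '
    'success=no exit=-13 comm="httpd"',
]


def _type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def allow_rules(lines, include_granted=False):
    """Build allow rules from AVC records, merging permissions per triple."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record
        if m["verdict"] == "granted" and not include_granted:
            continue  # already allowed by policy: no rule needed
        key = (_type(m["scon"]), _type(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]
```

With include_granted=True the result gains a rule for etc_t, an access the loaded policy already permits, which is the redundant output the advisory describes.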
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 250989 - semanage fcontext rejects default type of <<none>>
- BZ - 412411 - selinux module changes take ages and give genhomedircon errors
- BZ - 433429 - genhomedircon creates duplicate entries
- BZ - 435140 - SELinux Administration utility doesn't handle file specifications correctly
- BZ - 441402 - audit2allow parses 'granted' audit entries like they were 'denied'
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
x86_64 | |
policycoreutils-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 7e39699f62989c903b787ae2cba74c1c8a6eb14be4e6dc7b35a308b2ab8aeeea |
policycoreutils-gui-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 15748e07b35c59c56aa57924e63e63d8b9cb5a607923c331bdbed099ccec4a4f |
policycoreutils-newrole-1.33.12-14.2.el5.x86_64.rpm | SHA-256: bd18089cf4184d3532422b6f8484bed7280de51021235032d59f4970a668560f |
ia64 | |
policycoreutils-1.33.12-14.2.el5.ia64.rpm | SHA-256: 32d7823a8f6b2cb109ce12a963cc81d9368eed949bad755075f5bd93d9f59d5e |
policycoreutils-gui-1.33.12-14.2.el5.ia64.rpm | SHA-256: d9889f7a28f9101551e886828b969bea282f3d24fb5d9d600c2664310e4192c4 |
policycoreutils-newrole-1.33.12-14.2.el5.ia64.rpm | SHA-256: d1900932feed35b94765d1e6097118aefb6f423b7790ba7d780e297b47aec4a2 |
i386 | |
policycoreutils-1.33.12-14.2.el5.i386.rpm | SHA-256: 95c1706a4d15a20629cb364786465038f168534573c424b9e9adcab838d77b73 |
policycoreutils-gui-1.33.12-14.2.el5.i386.rpm | SHA-256: 2b9880db5877a73bde7d170b80cc96a9ca93d4ca67e3350d508be64ccca7a431 |
policycoreutils-newrole-1.33.12-14.2.el5.i386.rpm | SHA-256: 4e48256e7040bf31b85ecde455cd503c2247a866ae5b2ac6b5939bc1fc49c048 |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
x86_64 | |
policycoreutils-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 7e39699f62989c903b787ae2cba74c1c8a6eb14be4e6dc7b35a308b2ab8aeeea |
policycoreutils-gui-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 15748e07b35c59c56aa57924e63e63d8b9cb5a607923c331bdbed099ccec4a4f |
policycoreutils-newrole-1.33.12-14.2.el5.x86_64.rpm | SHA-256: bd18089cf4184d3532422b6f8484bed7280de51021235032d59f4970a668560f |
i386 | |
policycoreutils-1.33.12-14.2.el5.i386.rpm | SHA-256: 95c1706a4d15a20629cb364786465038f168534573c424b9e9adcab838d77b73 |
policycoreutils-gui-1.33.12-14.2.el5.i386.rpm | SHA-256: 2b9880db5877a73bde7d170b80cc96a9ca93d4ca67e3350d508be64ccca7a431 |
policycoreutils-newrole-1.33.12-14.2.el5.i386.rpm | SHA-256: 4e48256e7040bf31b85ecde455cd503c2247a866ae5b2ac6b5939bc1fc49c048 |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
x86_64 | |
policycoreutils-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 7e39699f62989c903b787ae2cba74c1c8a6eb14be4e6dc7b35a308b2ab8aeeea |
policycoreutils-gui-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 15748e07b35c59c56aa57924e63e63d8b9cb5a607923c331bdbed099ccec4a4f |
policycoreutils-newrole-1.33.12-14.2.el5.x86_64.rpm | SHA-256: bd18089cf4184d3532422b6f8484bed7280de51021235032d59f4970a668560f |
i386 | |
policycoreutils-1.33.12-14.2.el5.i386.rpm | SHA-256: 95c1706a4d15a20629cb364786465038f168534573c424b9e9adcab838d77b73 |
policycoreutils-gui-1.33.12-14.2.el5.i386.rpm | SHA-256: 2b9880db5877a73bde7d170b80cc96a9ca93d4ca67e3350d508be64ccca7a431 |
policycoreutils-newrole-1.33.12-14.2.el5.i386.rpm | SHA-256: 4e48256e7040bf31b85ecde455cd503c2247a866ae5b2ac6b5939bc1fc49c048 |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
s390x | |
policycoreutils-1.33.12-14.2.el5.s390x.rpm | SHA-256: 29ddedf93135cf4bfc0fa07f2493286ff675815377e659b914c98a34c9bf4b57 |
policycoreutils-gui-1.33.12-14.2.el5.s390x.rpm | SHA-256: 0a09167bf9084df8ff60165a9bd8423a7752a158cdbec80113329574bafb4f4f |
policycoreutils-newrole-1.33.12-14.2.el5.s390x.rpm | SHA-256: 044c26a1d9e60a2449b4e9113ed1d27583b06ef74c4508f2343fe16ae8ff16f6 |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
ppc | |
policycoreutils-1.33.12-14.2.el5.ppc.rpm | SHA-256: 988529b109c8bc3e8d26a10755c4624550358ed8ed648dbcf893497104393d43 |
policycoreutils-gui-1.33.12-14.2.el5.ppc.rpm | SHA-256: 35b9cf381f622a1b1c298acbff8f52bc10b24653a45a55565351d11b90f0006a |
policycoreutils-newrole-1.33.12-14.2.el5.ppc.rpm | SHA-256: 500c5ae8fbce6d11a7e3781da03b433434687532f648b2b795f83f8e579c0f4b |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
policycoreutils-1.33.12-14.2.el5.src.rpm | SHA-256: e41a22da643fc6776791d259763280c1355dd6522fa43e125ed4e8218a8f4fdb |
x86_64 | |
policycoreutils-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 7e39699f62989c903b787ae2cba74c1c8a6eb14be4e6dc7b35a308b2ab8aeeea |
policycoreutils-gui-1.33.12-14.2.el5.x86_64.rpm | SHA-256: 15748e07b35c59c56aa57924e63e63d8b9cb5a607923c331bdbed099ccec4a4f |
policycoreutils-newrole-1.33.12-14.2.el5.x86_64.rpm | SHA-256: bd18089cf4184d3532422b6f8484bed7280de51021235032d59f4970a668560f |
i386 | |
policycoreutils-1.33.12-14.2.el5.i386.rpm | SHA-256: 95c1706a4d15a20629cb364786465038f168534573c424b9e9adcab838d77b73 |
policycoreutils-gui-1.33.12-14.2.el5.i386.rpm | SHA-256: 2b9880db5877a73bde7d170b80cc96a9ca93d4ca67e3350d508be64ccca7a431 |
policycoreutils-newrole-1.33.12-14.2.el5.i386.rpm | SHA-256: 4e48256e7040bf31b85ecde455cd503c2247a866ae5b2ac6b5939bc1fc49c048 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.