Issued:
2009-12-09
Updated:
2010-03-30

RHBA-2009:1656 - system-config-securitylevel bug fix update


Synopsis

system-config-securitylevel bug fix update

Type/Severity

Bug Fix Advisory

Topic

Updated system-config-securitylevel packages that fix several bugs are now available.

Description

system-config-securitylevel is a graphical program for configuring firewall and SELinux settings.

These updated packages address the following bugs:

  • When a new port is added to a firewall via the Firewall Options > Other ports > Add dialog box, its service name is derived from the port number. Service names containing hyphens (e.g. iascontrol-oms, 1156/TCP, the Oracle Application Server control port) were incorrectly assumed to be port ranges. This caused them to be split, and the individual sections were then found to be invalid. Note: this validation failure did not prevent the port from being added to the firewall, as could be seen with the iptables-save command. The port was not listed in the "Other ports" list, however. With this update, service names with hyphens are treated correctly, the added port is validated correctly, and it is listed in "Other ports" as expected. (BZ#503588)

  • system-config-securitylevel-tui, the text-based equivalent to system-config-securitylevel, relies on the setenforce command but did not have an explicit dependency on libselinux, the package that provides the setenforce command. With this update, the system-config-securitylevel spec file has been updated to require libselinux, ensuring system-config-securitylevel-tui always has the setenforce command available as needed. (BZ#532947)

  • lokkit called setenforce without specifying its full path, /usr/sbin/setenforce. The default PATH for ordinary users on Red Hat Enterprise Linux does not include /usr/sbin/, however. If such users had sudo-based permission to run system-config-securitylevel-tui, attempting to run this application resulted in a "sh: setenforce: command not found" error. lokkit now references setenforce by its explicit path, and ordinary users with appropriate permissions can run system-config-securitylevel-tui as expected. Note: /usr/sbin is in the default PATH of the root user on Red Hat Enterprise Linux. If system-config-securitylevel-tui was only run by the root user, this error did not occur. (BZ#532948)

All users are advised to upgrade to these updated packages, which resolve these issues.
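
The hyphen handling described in BZ#503588 above, as an added example (not code from system-config-securitylevel): a simplified parser that treats every hyphen as a range separator, next to one that tries the whole token as a service name first. The function names and the small services table are assumptions made for illustration.

```python
# Constructed excerpt of a services table; a real tool would consult /etc/services.
SERVICES = {
    ("ssh", "tcp"): 22,
    ("netbios-ssn", "tcp"): 139,
    ("iascontrol-oms", "tcp"): 1156,  # the service named in the advisory
}


def _port(token, proto):
    """Resolve one token: a decimal port number or a known service name."""
    if token.isdigit():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %s" % token)
        return port
    if (token, proto) not in SERVICES:
        raise ValueError("unknown service: %s/%s" % (token, proto))
    return SERVICES[(token, proto)]


def parse_naive(spec, proto):
    """Simplified pre-fix behaviour: any hyphen is assumed to mark a range."""
    ports = [_port(part, proto) for part in spec.split("-")]
    return (ports[0], ports[-1])


def parse_fixed(spec, proto):
    """Try the whole token as a port or service name, then as a range."""
    try:
        port = _port(spec, proto)
        return (port, port)
    except ValueError:
        pass
    # Try each hyphen as the separator so hyphenated names can be range ends.
    for i, ch in enumerate(spec):
        if ch != "-":
            continue
        try:
            start, end = _port(spec[:i], proto), _port(spec[i + 1:], proto)
        except ValueError:
            continue
        if start <= end:
            return (start, end)
    raise ValueError("invalid port, service or range: %s" % spec)
```

A validator of this kind should also be the single source of truth for both the rule that is written and the list that is displayed, so that a validation failure cannot leave an open port that the configuration tool does not show.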

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Product                                           Version  Arch
Red Hat Enterprise Linux for Power, big endian    5        ppc
Red Hat Enterprise Linux for IBM z Systems        5        s390x
Red Hat Enterprise Linux Workstation              5        x86_64
Red Hat Enterprise Linux Workstation              5        i386
Red Hat Enterprise Linux Server                   5        x86_64
Red Hat Enterprise Linux Server                   5        ia64
Red Hat Enterprise Linux Server                   5        i386
Red Hat Enterprise Linux Server from RHUI         5        x86_64
Red Hat Enterprise Linux Server from RHUI         5        i386
Red Hat Enterprise Linux Desktop                  5        x86_64
Red Hat Enterprise Linux Desktop                  5        i386

Updated Packages

  • system-config-securitylevel-1.6.29.1-5.el5.src.rpm
  • system-config-securitylevel-tui-1.6.29.1-5.el5.x86_64.rpm
  • system-config-securitylevel-1.6.29.1-5.el5.ppc.rpm
  • system-config-securitylevel-tui-1.6.29.1-5.el5.ia64.rpm
  • system-config-securitylevel-1.6.29.1-5.el5.x86_64.rpm
  • system-config-securitylevel-tui-1.6.29.1-5.el5.ppc.rpm
  • system-config-securitylevel-1.6.29.1-5.el5.ia64.rpm
  • system-config-securitylevel-tui-1.6.29.1-5.el5.i386.rpm
  • system-config-securitylevel-1.6.29.1-5.el5.i386.rpm
  • system-config-securitylevel-tui-1.6.29.1-5.el5.s390x.rpm
  • system-config-securitylevel-1.6.29.1-5.el5.s390x.rpm

Fixes

CVEs

(none)

References

(none)

