- Issued:
- 2010-11-10
- Updated:
- 2010-11-10
RHBA-2010:0845 - selinux-policy bug fix update
Synopsis
selinux-policy bug fix update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated selinux-policy packages that fix various bugs are now available.
Description
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages fix the following bugs:
-
Due to incorrect SELinux policy, attempting to use the guest operating system customization in vCenter failed. With this update, the relevant policy code has been added, and SELinux no longer prevents users from customizing guest operating systems. (BZ#637081)
-
When SELinux was enabled, suspending VMware virtual machines was either slowed down, or failed. With this update, the relevant policy has been corrected, and VMware virtual machines are now suspended as expected. (BZ#637082)
-
When the cluster was configured to use fence_scsi, running the cman startup script or using the "fence_node -U
" command failed. These updated selinux-policy packages contain updated SELinux rules and add the security file context for the /var/lib/cluster directory, which allows the cluster with fence_scsi enabled to work properly. (BZ#636489) -
Previously, the "allow_corosync_rw_tmpfs" boolean allowed third party applications to create, write and read generic tmpfs files. To prevent this, the boolean has been removed, and unless the unconfined policy is disabled, generic tmpfs files can now be managed using Corosync. (BZ#636488)
-
Due to SELinux policies, certmonger was not permitted to search through directories that contain certificates. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which allow certmonger to access these directories. (BZ#642607)
-
When SELinux was enabled, users were unable to mount GFS2 file systems listed in /etc/fstab. With this update, SELinux rules have been added to allow the mount process to communicate with gfs_controld, so that such file systems can now be mount as expected. (BZ#642609)
-
Due to incorrect SELinux policy, smbcontrol, a utility that sends messages to the smbd, nmbd, or winbindd service, did not work properly. This error has been fixed, the relevant policy code has been added, and SELinux no longer prevents smbcontrol from working. (BZ#644807)
-
With SELinux running in the enforcing mode, resuming the system from the Suspend mode failed, because the /etc/resolv.conf file did not have the correct security context. This was caused by NetworkManager, which was running under wrong SELinux domain, "devicekit_power_t". With this update, the proper SELinux domain transition from DeviceKit-power to NetworkManager has been added, and resuming from the Suspend mode now works as expected. (BZ#644808)
-
Prior to this update, running the passwd command in the single user mode (that is, runlevel 1) failed when SELinux was enabled. To address this issue, the SELinux rules have been updated, so that passwd can now access the console, as well as all terminals (TTYs) and pseudo terminals (PTYs). (BZ#644820)
-
Due to SELinux policy rules, certain iptables commands such as "iptables-save" or "iptables -L" were unable to write to files with output redirection. With this update, the SELinux domain transition from "unconfined_t" to the "iptables_t" domain has been removed, and such commands now work as expected. (BZ#645658)
All users of selinux-policy are advised to upgrade to these updated packages, which resolve these issues.
Solution
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- selinux-policy-3.7.19-54.el6_0.3.src.rpm
- selinux-policy-minimum-3.7.19-54.el6_0.3.noarch.rpm
- selinux-policy-3.7.19-54.el6_0.3.noarch.rpm
- selinux-policy-doc-3.7.19-54.el6_0.3.noarch.rpm
- selinux-policy-mls-3.7.19-54.el6_0.3.noarch.rpm
- selinux-policy-targeted-3.7.19-54.el6_0.3.noarch.rpm
Fixes
- This content is not included.BZ - 636488
- This content is not included.BZ - 636489
- This content is not included.BZ - 637081
- This content is not included.BZ - 637082
- This content is not included.BZ - 642607
- This content is not included.BZ - 642609
- This content is not included.BZ - 644807
- This content is not included.BZ - 644808
- This content is not included.BZ - 644820
- This content is not included.BZ - 645658
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.