- Issued:
- 2014-09-16
- Updated:
- 2014-09-16
RHBA-2014:1205 - selinux-policy bug fix update
Synopsis
selinux-policy bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated selinux-policy packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
Description
The selinux-policy packages contain the rules that govern how confined processes run on the system.
This update fixes the following bugs:
-
Due to missing rules in the SELinux policy, the sssd_t domain could not connect to port 464. With this update, the appropriate rules have been added to the policy and sssd_t now connects to that port as expected. (BZ#959217)
-
Previously, SELinux prevented the fence_xvm agent from fencing nodes even if the fenced_can_network_connect Boolean was enabled. The SELinux policy has been modified to fix this bug and SELinux no longer blocks fence_xvm in the described scenario. (BZ#984453)
-
Due to missing rules in the SELinux policy, SELinux did not allow the dovecot_deliver_t process to send the SIGNULL signal. With this update, the SELinux rules have been modified accordingly and SELinux no longer prevents dovecot_deliver_t from sending SIGNULL. (BZ#997710)
-
Previously, SELinux prevented the iptables_t process from using the inotify utility to monitor file system activity. This update adds appropriate SELinux rules and iptables_t can use inotify as expected. (BZ#1005589)
-
When SELinux was in enforcing mode, the glibc library was unable to update the /etc/localtime file. The SELinux policy has been modified to fix this bug and glibc can now update the file as expected. (BZ#1008472)
-
Due to missing SELinux rules, the automount utility could not read symbolic links, which caused the AVC denial messages to return. With this update, the SELinux policy has been modified and SELinux no longer prevents automount from reading symbolic links. (BZ#1053050)
-
Previously, the restorecon command failed to restore the SELinux context on a file located in a symbolically linked directory. The underlying source code has been modified to fix this bug and restorecon now works correctly in the described scenario. (BZ#1078357)
-
Previously, the smbd daemon service was unable to connect to the nmbd service using a Unix stream socket, which caused AVC messages to be logged in the /var/log/audit/audit.log file. To fix this bug, a set of new rules has been added to the SELinux policy to allow smbd to connect to nmbd. (BZ#1083491)
-
An attempt to start a clustered service with the postgres-8 resource script failed due to a bug in the SELinux policy. With this update, the policy has been modified and the service now starts as expected. (BZ#1089006)
-
Due to missing rules in the SELinux policy, the radiusd daemon was unable to write to the /tmp/ directory. Consequently, when radiusd was integrated with the Kerberos network authentication system, an attempt to authenticate a user failed. This update applies a new SELinux policy module so that radiusd works correctly in the described scenario. (BZ#1096891)
-
The zarafa-indexer package has been replaced with the zarafa-search package. Previously, the zarafa-search utility was not labeled with the same SELinux context as the zarafa-indexer utility. With this update, the appropriate SELinux policy rules have been modified and zarafa-search now runs in the zarafa_indexer_t domain as expected. (BZ#1098031)
Users of selinux-policy are advised to upgrade to these updated packages, which fix these bugs.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- selinux-policy-strict-2.4.6-351.el5.noarch.rpm
- selinux-policy-targeted-2.4.6-351.el5.noarch.rpm
- selinux-policy-2.4.6-351.el5.noarch.rpm
- selinux-policy-minimum-2.4.6-351.el5.noarch.rpm
- selinux-policy-2.4.6-351.el5.src.rpm
- selinux-policy-mls-2.4.6-351.el5.noarch.rpm
- selinux-policy-devel-2.4.6-351.el5.noarch.rpm
Fixes
- This content is not included.BZ - 959217
- This content is not included.BZ - 984453
- This content is not included.BZ - 997710
- This content is not included.BZ - 1005589
- This content is not included.BZ - 1083491
- This content is not included.BZ - 1096891
- This content is not included.BZ - 1098031
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.