Issued:: 2014-10-13
Updated:: 2014-10-13

RHBA-2014:1469 - libselinux bug fix update

Synopsis

libselinux bug fix update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated libselinux packages that fix several bugs are now available for Red Hat Enterprise Linux 6.

Description

The libselinux packages contain the core library of an SELinux system. The libselinux library provides an API for SELinux applications to get and set process and file security contexts, and to obtain security policy decisions. It is required for any applications that use the SELinux API, and used by all applications that are SELinux-aware.

This update fixes the following bugs:

When attempting to run the virt-manager utility over SSH X11 forwarding, SELinux prevented the D-Bus system from performing actions even if SELinux was in permissive mode. As a consequence, such attempts failed and an AVC denial message was logged. With this update, a patch has been provided to fix this bug, and SELinux in permissive mode no longer blocks D-Bus in the described scenario. (BZ#753675)
Prior to this update, the selinux(8) manual page contained outdated information. This manual page has been updated, and SELinux is now documented correctly. (BZ#1011109)
The Name Server Caching Daemon (nscd) uses SELinux permissions to check if a connecting user is allowed to query the cache. However, two permissions, NSCD__GETNETGRP and NSCD__SHMEMNETGRP, were missing from the SELinux list of permissions. Consequently, the netgroup caching worked only when SELinux was running in permissive mode. The missing permissions have been added to the list, and the netgroup caching now works as expected. (BZ#1025507)
Previously, the matchpathcon utility did not handle non-existent files or directories properly; the "matchpathcon -V" command verified the files of directories instead of specifying that they did not exist. The underlying source code has been modified to fix this bug, and matchpathcon now correctly recognizes non-existent files or directories. As a result, an error message is returned when a file or directory do not exist. (BZ#1091857)
It was not possible to add a new user inside a Docker container because SELinux in enforcing or permissive mode incorrectly blocked an attempt to modify the /etc/passwd file. With this update, when the /selinux/ or /sys/fs/selinux/ directories are mounted as read-only, the libselinux library acts as if SELinux is disabled. This behavior stops SELinux-aware applications from attempting to perform SELinux actions inside a container, and /etc/passwd can now be modified as expected. (BZ#1096816)

Users of libselinux are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Enterprise Linux for Scientific Computing	6	x86_64
Red Hat Enterprise Linux for Power, big endian	6	ppc64
Red Hat Enterprise Linux for IBM z Systems	6	s390x
Red Hat Enterprise Linux Workstation	6	x86_64
Red Hat Enterprise Linux Workstation	6	i386
Red Hat Enterprise Linux Server	6	x86_64
Red Hat Enterprise Linux Server	6	i386
Red Hat Enterprise Linux Server from RHUI	6	x86_64
Red Hat Enterprise Linux Server from RHUI	6	i386
Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support	6	x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support	6	x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support	6	i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension	6	x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension	6	i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems)	6	s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)	6	s390x
Red Hat Enterprise Linux Desktop	6	x86_64
Red Hat Enterprise Linux Desktop	6	i386

Updated Packages

libselinux-2.0.94-5.8.el6.i686.rpm
libselinux-devel-2.0.94-5.8.el6.ppc.rpm
libselinux-utils-2.0.94-5.8.el6.x86_64.rpm
libselinux-utils-2.0.94-5.8.el6.ppc64.rpm
libselinux-utils-2.0.94-5.8.el6.s390x.rpm
libselinux-static-2.0.94-5.8.el6.ppc64.rpm
libselinux-ruby-2.0.94-5.8.el6.x86_64.rpm
libselinux-debuginfo-2.0.94-5.8.el6.s390.rpm
libselinux-devel-2.0.94-5.8.el6.s390x.rpm
libselinux-python-2.0.94-5.8.el6.x86_64.rpm
libselinux-ruby-2.0.94-5.8.el6.s390x.rpm
libselinux-2.0.94-5.8.el6.ppc.rpm
libselinux-static-2.0.94-5.8.el6.s390x.rpm
libselinux-debuginfo-2.0.94-5.8.el6.s390x.rpm
libselinux-2.0.94-5.8.el6.ppc64.rpm
libselinux-devel-2.0.94-5.8.el6.s390.rpm
libselinux-2.0.94-5.8.el6.s390.rpm
libselinux-static-2.0.94-5.8.el6.x86_64.rpm
libselinux-devel-2.0.94-5.8.el6.x86_64.rpm
libselinux-2.0.94-5.8.el6.src.rpm
libselinux-debuginfo-2.0.94-5.8.el6.ppc.rpm
libselinux-ruby-2.0.94-5.8.el6.ppc64.rpm
libselinux-debuginfo-2.0.94-5.8.el6.x86_64.rpm
libselinux-python-2.0.94-5.8.el6.ppc64.rpm
libselinux-2.0.94-5.8.el6.s390x.rpm
libselinux-ruby-2.0.94-5.8.el6.i686.rpm
libselinux-devel-2.0.94-5.8.el6.ppc64.rpm
libselinux-debuginfo-2.0.94-5.8.el6.i686.rpm
libselinux-utils-2.0.94-5.8.el6.i686.rpm
libselinux-python-2.0.94-5.8.el6.s390x.rpm
libselinux-2.0.94-5.8.el6.x86_64.rpm
libselinux-devel-2.0.94-5.8.el6.i686.rpm
libselinux-static-2.0.94-5.8.el6.i686.rpm
libselinux-python-2.0.94-5.8.el6.i686.rpm
libselinux-debuginfo-2.0.94-5.8.el6.ppc64.rpm

Fixes

CVEs

(none)

References

(none)

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.