Low: selinux-policy enhancement update

Date: Thu, 28 Feb 2013 16:15:34 -0600
Reply-To: Pat Riehecky
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Organization: Fermilab
Subject: Security ERRATA Low: selinux-policy enhancement update on SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Low: selinux-policy enhancement update
Issue date: 2013-02-21

This update adds the following enhancements:

* With the Multi-Level Security (MLS) SELinux policy enabled, a user created with an SELinux MLS level could not log in to the system through an SSH client. The SELinux policy rules have been updated to allow the user to log in to the system in the described scenario.

* When SELinux was in enforcing mode, an OpenMPI job (parallel universe in Red Hat Enterprise Linux MRG Grid) failed and was unable to access files in the /var/lib/condor/execute/ directory. New SELinux policy rules have been added for OpenMPI jobs to allow a job to access files in this directory.

* Due to a regression, the root user was able to log in when the ssh_sysadm_login variable was set to OFF in MLS. To fix this bug, the ssh_sysadm_login SELinux boolean has been corrected to prevent the root user from logging in when this variable is set to OFF.

* Previously, cron daemon jobs were set to run in the cronjob_t domain when the SELinux MLS policy was enabled. As a consequence, users could not run their cron jobs. The relevant policy rules have been modified and cron jobs now run in the user domain, thus fixing this bug.

* With SELinux in enforcing mode, during automatic testing of Red Hat Enterprise Linux in FIPS mode, PAM (Pluggable Authentication Modules) attempted to run prelink on the /sbin/unix_chkpwd file to verify its hash. Consequently, users could not log in to the system. The appropriate SELinux policy rules have been updated and a FIPS mode boolean has been added to resolve this bug.

* When the krb5 package was upgraded to version 1.9-33.el6_3.3 and Identity Management or FreeIPA was used, an attempt to start the named daemon terminated unexpectedly in enforcing mode. This update adapts the relevant SELinux policy to make sure the named daemon can be started in the described scenario.

* Previously, the libselinux library did not support setting the context based on the contents of /etc/selinux/targeted/logins/$username/ directories. Consequently, central management of SELinux limits did not work properly. With this update, the /etc/selinux/targeted/logins/ directory is now handled by the selinux-policy packages as expected.

* In its current version, the SSSD daemon writes SELinux configuration files into the /etc/selinux/ /logins/ directory. The SELinux PAM module then uses this information to set the correct context for a remote user trying to log in. Due to a missing policy for this feature, SSSD could not write into this directory. With this update, a new security context for /etc/selinux/
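A post-update audit for the ssh_sysadm_login, FIPS-boolean and cron fixes listed above, added here as an example and not part of the erratum or the selinux-policy package: it checks saved `getsebool -a` and `ps -eZ` output against the expected state, using constructed sample lines so it runs offline. The boolean name `fips_mode` is an assumption, since the erratum does not name the new FIPS boolean.

```shell
#!/bin/sh
# Audit helpers for the behaviours this erratum changes. They parse text in the
# format of `getsebool -a` ("name --> on|off") and `ps -eZ`, so they can be run
# against output captured from an SL6 MLS host. Sample data below is constructed.

# check_bool NAME EXPECTED GETSEBOOL_OUTPUT
#   prints ok/drift/missing; returns 0 on match, 1 on drift, 2 if absent
check_bool() {
    name=$1; expected=$2; out=$3
    actual=$(printf '%s\n' "$out" | awk -v n="$name" '$1 == n { print $3 }')
    if [ -z "$actual" ]; then
        echo "$name: missing (boolean not present; policy may predate this update)"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "$name: ok ($actual)"
        return 0
    fi
    echo "$name: drift (expected $expected, got $actual)"
    return 1
}

# count_cronjob_t PS_OUTPUT
#   number of processes still labelled cronjob_t; after this update, cron jobs
#   under the MLS policy are expected to run in the user's own domain instead
count_cronjob_t() {
    printf '%s\n' "$1" | awk '$1 ~ /:cronjob_t:/ { c++ } END { print c + 0 }'
}

# Constructed sample of `getsebool -a` output (fips_mode is an assumed name)
SAMPLE_BOOLS='fips_mode --> on
secure_mode_policyload --> off
ssh_sysadm_login --> off'

# Constructed sample of `ps -eZ` output
SAMPLE_PS='LABEL                                     PID TTY      TIME CMD
system_u:system_r:crond_t:s0-s0:c0.c1023  1234 ?    00:00:00 crond
staff_u:staff_r:staff_t:s0                1300 ?    00:00:00 backup.sh'

# Live use: check_bool ssh_sysadm_login off "$(getsebool -a)"
check_bool ssh_sysadm_login off "$SAMPLE_BOOLS"
check_bool fips_mode on "$SAMPLE_BOOLS"
echo "processes in cronjob_t: $(count_cronjob_t "$SAMPLE_PS")"
```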