Scientific Linux Security Update : selinux-policy on SL6.x i386/x86_64

2012-08-01T00:00:00
ID SL_20110822_SELINUX_POLICY_ON_SL6_X.NASL
Type nessus
Reporter Tenable
Modified 2012-08-01T00:00:00

Description

This update fixes the following bug :

  • Prior to this update, the SELinux policy package did not allow the RHEV agent to execute. This update adds the policy for RHEV agents, so that they can be executed as expected.

  • Previously, several labels were incorrect and rules for creating new 389-ds instances were missing. As a result, access vector caches (AVC) appeared when a new 389-ds instance was created through the 389-console. This update fixes the labels and adds the missing rules. Now, new 389-ds instances are created without further errors.

  • Prior to this update, AVC error messages occurred in the audit.log file. With this update, the labels causing the error messages have been fixed, thus preventing this bug.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(61117);
  script_version("$Revision: 1.1 $");
  script_cvs_date("$Date: 2012/08/01 14:38:56 $");

  script_name(english:"Scientific Linux Security Update : selinux-policy on SL6.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update fixes the following bug :

  - Prior to this update, the SELinux policy package did not
    allow the RHEV agent to execute. This update adds the
    policy for RHEV agents, so that they can be executed as
    expected.

  - Previously, several labels were incorrect and rules for
    creating new 389-ds instances were missing. As a result,
    access vector caches (AVC) appeared when a new 389-ds
    instance was created through the 389-console. This
    update fixes the labels and adds the missing rules. Now,
    new 389-ds instances are created without further errors.

  - Prior to this update, AVC error messages occurred in the
    audit.log file. With this update, the labels causing the
    error messages have been fixed, thus preventing this
    bug."
  );
  # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1108&L=scientific-linux-errata&T=0&P=3178
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7e9ef357"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012 Tenable Network Security, Inc.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL6", reference:"selinux-policy-3.7.19-93.el6_1.7")) flag++;
if (rpm_check(release:"SL6", reference:"selinux-policy-doc-3.7.19-93.el6_1.7")) flag++;
if (rpm_check(release:"SL6", reference:"selinux-policy-minimum-3.7.19-93.el6_1.7")) flag++;
if (rpm_check(release:"SL6", reference:"selinux-policy-mls-3.7.19-93.el6_1.7")) flag++;
if (rpm_check(release:"SL6", reference:"selinux-policy-targeted-3.7.19-93.el6_1.7")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");