Scientific Linux Security Update : selinux-policy enhancement update on SL6.x i386/x86_64

2012-12-19T00:00:00
ID SL_20121218_SELINUX_POLICY_ENHANCEMENT_UPDATE_ON_SL6_X.NASL
Type nessus
Reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

This update adds the following bugfixes :

  • Due to a bug in the SELinux policy, it was not possible to run a cron job with a valid MLS (Multi Level Security) context for the sysadm_u SELinux user. This update fixes relevant SELinux policy rules and cron now works as expected in the described scenario.

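  • Previously, SELinux prevented 'rhevm-guest-agent-gdm-plugin' from connecting to the SO_PASSCRED UNIX domain socket. Consequently, Single Sign-On (SSO) did not work because access to the credential socket was blocked. This update fixes the relevant policy and SSO now works as expected in the described scenario.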

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

# Registration pass: when the plugin is loaded with `description` set, only
# this block runs. It declares the plugin's identity, advisory text and
# prerequisites, then exits before any of the check logic further down.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(63294);
  script_version("1.2");
  script_cvs_date("Date: 2018/12/31 11:35:01");

  script_name(english:"Scientific Linux Security Update : selinux-policy enhancement update on SL6.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  # Advisory text copied from the Scientific Linux erratum. It describes two
  # functional SELinux policy fixes (cron with an MLS context for sysadm_u,
  # and SSO through the credential socket); no CVE is referenced.
  script_set_attribute(
    attribute:"description", 
    value:
"This update adds the following bugfixes :

  - Due to a bug in the SELinux policy, it was not possible
    to run a cron job with a valid MLS (Multi Level
    Security) context for the sysadm_u SELinux user. This
    update fixes relevant SELinux policy rules and cron now
    works as expected in the described scenario.

  - Previously, SELinux prevented
    'rhevm-guest-agent-gdm-plugin' to connect to the
    SO_PASSCRED UNIX domain socket. Consequently, Single
    Sign-On (SSO) did not work because the access to the
    credential socket was blocked. This update fixes the
    relevant policy and SSO now works as expected in the
    described scenario.

This update has been placed in the security tree to avoid selinux
bugs."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1212&L=scientific-linux-errata&T=0&P=915
  # The commented URL above is presumably the target of the short link below
  # (the Scientific Linux errata list post) - verify before relying on it.
  # The short link itself is plain http.
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9a72fa43"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # NOTE(review): the advisory text lists only bugfixes and cites no CVE, yet
  # the finding is rated "High". Treat the rating as this plugin's
  # classification of a missing errata package and confirm actual exposure
  # before using it to prioritise remediation.
  script_set_attribute(attribute:"risk_factor", value:"High");

  # "local" plugin: the verdict is derived from data collected on the host
  # (see the required KB keys below), not from a network probe.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  # ssh_get_info.nasl must run first; presumably it populates the Host/* KB
  # entries listed below from an authenticated session - confirm against that
  # plugin. Without those keys this check cannot produce a result, so the
  # absence of a finding on an uncredentialed scan does not mean "patched".
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  # End of the registration pass.
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Preconditions. Each failed gate ends the run through audit() with a reason
# code instead of a finding, so an audit result here means "could not
# evaluate", not "host is patched".

# Gate 1: local (host-side) checks must have been enabled for this target.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Gate 2: the stored release string must identify Scientific Linux.
# `A >!< B` is true when string A does not occur inside string B.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release)
{
  audit(AUDIT_HOST_NOT, "running Scientific Linux");
}

# Gate 3: an installed-package list must be available to compare against.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Gate 4: only x86_64 and i386-i686 hosts are covered by this check.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
# The first test is a substring test (cpu searched for inside "x86_64"),
# the second a regex match on the whole value.
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
}


# Compare every selinux-policy package from the erratum against the fixed
# build. `flag` counts how many rpm_check() calls returned true.
# NOTE(review): rpm_check() lives in rpm.inc, outside this page; presumably it
# returns true only for an installed package older than the reference and
# records a line for rpm_report_get() - confirm there.
flag = 0;
sl6_fixed_refs = make_list(
  "selinux-policy-3.7.19-155.el6_3.13",
  "selinux-policy-doc-3.7.19-155.el6_3.13",
  "selinux-policy-minimum-3.7.19-155.el6_3.13",
  "selinux-policy-mls-3.7.19-155.el6_3.13",
  "selinux-policy-targeted-3.7.19-155.el6_3.13"
);
foreach sl6_fixed_ref (sl6_fixed_refs)
{
  if (rpm_check(release:"SL6", reference:sl6_fixed_ref)) flag++;
}

# Verdict: no package was flagged -> audit as "not affected"; otherwise raise
# the finding on port 0.
if (flag == 0)
{
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  if (report_verbosity > 0)
  {
    # Verbose reporting: attach the package details collected by the rpm checks.
    security_hole(port:0, extra:rpm_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}