Debian DSA-1617-1 : refpolicy - incompatible policy
Medium Nessus Plugin ID 33737
SynopsisThe remote Debian host is missing a security-related update.
DescriptionIn DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447 ). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard 'domain' port (53). The incompatibility affects both the 'targeted' and 'strict' policy packages supplied by this version of refpolicy.
This update to the refpolicy packages grants the ability to bind to arbitrary UDP ports to named_t processes. When installed, the updated packages will attempt to update the bind policy module on systems where it had been previously loaded and where the previous version of refpolicy was 0.0.20061018-5 or below.
Because the Debian refpolicy packages are not yet designed with policy module upgradeability in mind, and because SELinux-enabled Debian systems often have some degree of site-specific policy customization, it is difficult to assure that the new bind policy can be successfully upgraded. To this end, the package upgrade will not abort if the bind policy update fails. The new policy module can be found at /usr/share/selinux/refpolicy-targeted/bind.pp after installation.
Administrators wishing to use the bind service policy can reconcile any policy incompatibilities and install the upgrade manually thereafter. A more detailed discussion of the corrective procedure may be found on https://wiki.debian.org/SELinux/Issues/BindPortRandomization.
SolutionUpgrade the refpolicy packages.
For the stable distribution (etch), this problem has been fixed in version 0.0.20061018-5.1+etch1.