Red Hat has issued an advisory today (April 10):
We don't actually support SELinux, so we probably don't need to update this for Mageia 6, but we should at least fix it in Cauldron.
Patch available from CentOS
Looking more closely, it looks like the easiest way to fix it would be to update to 2.8 (synced with Fedora).
Fixed in Cauldron and mga7.
Updated policycoreutils packages fix security vulnerability:
Context relabeling of filesystems is vulnerable to symbolic link attack,
allowing a local, unprivileged malicious entity to change the SELinux context
of an arbitrary file to a context with few restrictions. This only happens when
the relabeling process is done, usually when taking SELinux state from disabled
to enabled (permissive or enforcing) (CVE-2018-1063).
Updated packages in core/updates_testing:
Installed policycoreutils, and ran the GUIs without actually doing anything.
Used QA Repo to get the updated packages. No installation issues.
Ran the GUIs again, and they looked and acted the same as before the update.
Since we don't actively support SELinux, and this vulnerability was reported nearly three years ago, it's time to move this along. Validating with my simple test. Advisory in Comment 3.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.