Bug#859264: update Vcs control files
Package: bash Version: 4.4-4+b1 The specified Vcs fields do not link to the recent packaging version.
Bug#859263: maintain PIE enabled bash
Package: bash Version: 4.4-4+b1 Severity: important Due to #842037, bash is currently shipped without PIE[1] support. Please consider adding a package bash-pie, which Conflicts and Provides bash, or upload a PIE-enabled version to stretch-backports after release. [1] https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
Bug#859120: ausearch -i segfault
Package: auditd Version: 1:2.6.7-1 User: selinux-de...@lists.alioth.debian.org Usertags: selinux ausearch segfaults on the following input in interpret mode: /sbin/ausearch -i --input file type=AVC msg=audit(1490829425.686:121): avc: denied { bind } for pid=1034 comm="darkstat" scontext=system_u:system_r:darkstat_t:s0 tcontext=system_u:system_r:darkstat_t:s0 tclass=packet_socket permissive=0 type=SYSCALL msg=audit(1490829425.686:121): arch=c03e syscall=49 success=no exit=-13 a0=3 a1=7ffce52e04b0 a2=14 a3=373 items=0 ppid=1033 pid=1034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="darkstat" exe="/usr/sbin/darkstat" subj=system_u:system_r:darkstat_t:s0 key=(null) type=SOCKADDR msg=audit(1490829425.686:121): saddr=11030200 type=PROCTITLE msg=audit(1490829425.686:121): proctitle=2F7573722F7362696E2F6461726B73746174002D6900656E70307333002D2D6368726F6F74002F7661722F6C69622F6461726B73746174002D2D70696466696C65002F7661722F72756E2F6461726B737461742E706964002D2D696D706F7274006461726B737461742E6462002D2D6578706F7274006461726B737461742E64
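The report above feeds ausearch an audit record set that makes the interpreter crash. The following is an added example, not ausearch or auditd code, of how a parser for that raw record format can be written so that malformed hex (a proctitle cut off mid-byte, as can happen when a log is truncated) degrades to a best-effort decode instead of failing. The records in `SAMPLE_INPUT` are constructed for the example; field names follow the records quoted in the report.

```python
"""Tolerant parser for raw Linux audit records like those fed to ausearch -i.

Added example for this bug report; it is not ausearch/auditd code. It splits
a record into key=value fields, pulls the decision and permissions out of an
AVC record, and decodes hex-encoded fields (proctitle) so that truncated or
odd-length hex yields a best-effort prefix instead of an error.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# type=NAME msg=audit(SECONDS.MILLIS:SERIAL): <body>
_HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# key=value, where value is a double-quoted string, a (parenthesised) token, or a bare word
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def decode_hex_field(value: str) -> Tuple[str, bool]:
    """Decode an audit hex field; the second item is False if the input was malformed.

    Audit hex-encodes a field when it holds bytes a plain record cannot carry;
    proctitle separates argv entries with NUL, rendered as a space here.
    An odd-length or non-hex value yields the longest decodable prefix.
    """
    good = re.match(r'(?:[0-9A-Fa-f]{2})*', value).group(0)
    raw = bytes.fromhex(good)
    text = raw.replace(b"\x00", b" ").decode("utf-8", errors="replace")
    return text.rstrip(" "), good == value


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one raw record into a dict, or return None if the header is malformed."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    rec: Dict[str, object] = {"type": rtype, "time": f"{secs}.{millis}", "serial": int(serial)}
    for key, value in _FIELD_RE.findall(body):
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        rec[key] = value[1:-1] if quoted else value
        if rtype == "PROCTITLE" and key == "proctitle":
            # a quoted proctitle is plain text; an unquoted one is hex
            rec["proctitle_text"], rec["proctitle_complete"] = (
                (rec[key], True) if quoted else decode_hex_field(value))
    if rtype == "AVC":
        avc = _AVC_RE.search(body)
        if avc:
            rec["decision"] = avc.group(1)
            rec["permissions"] = avc.group(2).split()
    return rec


def parse_stream(lines: Iterable[str]) -> Dict[int, List[Dict[str, object]]]:
    """Group the parsable records of a log by audit serial (one event = one serial)."""
    events: Dict[int, List[Dict[str, object]]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)  # type: ignore[arg-type]
    return events


# Constructed sample: a bind denial on a packet socket, its syscall record,
# its proctitle, and a second proctitle whose hex was cut off mid-byte.
SAMPLE_INPUT = [
    'type=AVC msg=audit(1490829425.686:121): avc:  denied  { bind } for  pid=1034 '
    'comm="darkstat" scontext=system_u:system_r:darkstat_t:s0 '
    'tcontext=system_u:system_r:darkstat_t:s0 tclass=packet_socket permissive=0',
    'type=SYSCALL msg=audit(1490829425.686:121): arch=c000003e syscall=49 success=no '
    'exit=-13 a0=3 items=0 pid=1034 uid=0 comm="darkstat" exe="/usr/sbin/darkstat" '
    'subj=system_u:system_r:darkstat_t:s0 key=(null)',
    'type=PROCTITLE msg=audit(1490829425.686:121): '
    'proctitle=2F7573722F7362696E2F6461726B73746174002D6900656E70307333',
    'type=PROCTITLE msg=audit(1490829425.686:122): '
    'proctitle=2F7573722F7362696E2F6461726B73746174002D690',
    'this line is not an audit record',
]

if __name__ == "__main__":
    for serial, recs in sorted(parse_stream(SAMPLE_INPUT).items()):
        for rec in recs:
            print(serial, rec["type"], rec.get("permissions", ""), rec.get("proctitle_text", ""))
```

The decoder never raises on the hex it is given: it returns what it could decode plus a flag, so a caller can log "proctitle truncated" and carry on with the rest of the event rather than stopping at the first damaged field.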
Bug#858834: debhelper: make dh_install --list-missing the default
Package: debhelper Version: 10.2.5 Severity: wishlist Hi, personally, I like the --list-missing/--fail-missing options of dh_install. Any chance of --list-missing becoming the default, maybe for compat version 11? Best regards Christian Göttsche
Bug#858179: scan-view-4.0 fails to start due to missing Python module
The fixing patch has not been updated: https://sources.debian.net/src/llvm-toolchain-4.0/1:4.0-1/debian/patches/fix-scan-view-path.diff/?hl=9#L9
Bug#858050: /etc/ssh/moduli membership
Package: openssh-client Version: 1:7.4p1-6 Dear Maintainer, according to man:moduli(5) the file /etc/ssh/moduli is only used by sshd. Why is this file shipped with openssh-client and not openssh-server? Best regards, Christian Göttsche
Bug#858022: add systemd timer
Package: man-db Version: 2.7.6.1-2 Dear Maintainer, can you please add a systemd timer for the daily man-db cache regeneration. --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ man-db.timer2017-03-16 12:07:22.956516872 +0100 @@ -0,0 +1,11 @@ +[Unit] +Description=Daily man-db regeneration +Documentation=man:mandb(8) + +[Timer] +OnCalendar=daily +AccuracySec=12h +Persistent=true + +[Install] +WantedBy=timers.target --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ man-db.service 2017-03-16 12:07:08.316606820 +0100 @@ -0,0 +1,13 @@ +[Unit] +Description=Daily man-db regeneration +Documentation=man:mandb(8) +ConditionACPower=true + +[Service] +Type=oneshot +ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +ExecStart=/usr/bin/mandb +User=man +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 --- /etc/cron.daily/man-db.old 2017-03-17 12:52:23.223042394 +0100 +++ /etc/cron.daily/man-db 2017-03-15 20:14:55.851223244 +0100 @@ -4,6 +4,10 @@ set -e +# skip in favour of systemd timer +if [ -d /run/systemd/system ]; then + exit 0 +fi + iosched_idle= # Don't try to change I/O priority in a vserver or OpenVZ. if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \ --- /etc/cron.weekly/man-db.old 2017-03-17 12:53:18.442623547 +0100 +++ /etc/cron.weekly/man-db 2017-03-15 20:15:35.511005471 +0100 @@ -4,6 +4,10 @@ set -e +# skip in favour of systemd timer +if [ -d /run/systemd/system ]; then + exit 0 +fi + iosched_idle= # Don't try to change I/O priority in a vserver or OpenVZ. if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \ This will run man-db without the --no-purge option daily. But even on a raspberry pi this only takes 2,5s (vs 0,25s), which is negligible as a daily job. Best regards, Christian Göttsche
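Review bot: the guard added to both /etc/cron.daily/man-db and /etc/cron.weekly/man-db (`if [ -d /run/systemd/system ]; then exit 0; fi`) disables the cron path on every systemd-booted machine whether or not man-db.timer has actually been installed and enabled, so if the units ship without being enabled, or an administrator masks the timer, the cache is silently never regenerated again. Either have the package enable the timer unconditionally (dh_systemd_enable) or make the guard test the timer, e.g. `systemctl is-enabled --quiet man-db.timer`. In man-db.service, `ConditionACPower=true` combined with `Persistent=true` on the timer deserves a comment: a machine that is on battery whenever the timer fires runs the job on none of those days, and a failed condition is not a missed run that Persistent= would catch up on.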
Bug#858023: add systemd timer
Package: fake-hwclock Version: 0.11 Dear Maintainer, can you please add a systemd timer for the regular time save. --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ fake-hwclock-save.timer 2017-03-16 11:52:21.062121382 +0100 @@ -0,0 +1,11 @@ +[Unit] +Description=fake-hwclock: save time to disk +Documentation=man:fake-hwclock(8) +After=fake-hwclock.service + +[Timer] +OnBootSec=15m +OnUnitActiveSec=1h + +[Install] +WantedBy=fake-hwclock.service --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ fake-hwclock-save.service 2017-03-16 11:51:40.632378088 +0100 @@ -0,0 +1,9 @@ +[Unit] +Description=fake-hwclock: save time to disk +Documentation=man:fake-hwclock(8) +After=fake-hwclock.service +Requires=fake-hwclock.service + +[Service] +Type=oneshot +ExecStart=/sbin/fake-hwclock save --- fake-hwclock.old 2017-03-17 12:36:31.549158451 +0100 +++ fake-hwclock2017-03-15 19:39:40.915989015 +0100 @@ -3,6 +3,11 @@ # Simple cron script - save the current clock periodically in case of # a power failure or other crash +# skip in favour of systemd timer +if [ -d /run/systemd/system ]; then + exit 0 +fi + if (command -v fake-hwclock >/dev/null 2>&1) ; then fake-hwclock save fi Also the control file's Suggests field can be altered to: Suggests: cron | cron-daemon | systemd, ntp Best regards, Christian Göttsche
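Review bot: fake-hwclock-save.timer carries `WantedBy=fake-hwclock.service` in its [Install] section, so enabling it creates a fake-hwclock.service.wants/ symlink and the timer is only pulled in when that service is started; the conventional target for timers is `WantedBy=timers.target`, with the ordering kept on the save service, which already has `After=`/`Requires=fake-hwclock.service`. The same caveat as for the other timer patches applies to the cron hunk: `[ -d /run/systemd/system ]` silences the cron script on any systemd system even when the timer is not enabled, so the package must enable it unconditionally or the periodic save stops.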
Bug#858021: add systemd timer
Package: logrotate Version: 3.11.0-0.1 Dear Maintainer, can you please add a systemd timer for the daily log rotation. --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ logrotate.timer 2017-03-15 20:30:26.475786062 +0100 @@ -0,0 +1,11 @@ +[Unit] +Description=Daily rotation of log files +Documentation=man:logrotate(8) man:logrotate.conf(5) + +[Timer] +OnCalendar=daily +AccuracySec=12h +Persistent=true + +[Install] +WantedBy=timers.target --- /dev/null 2017-03-14 22:28:11.90999 +0100 +++ logrotate.service 2017-03-15 20:31:00.545579761 +0100 @@ -0,0 +1,11 @@ +[Unit] +Description=Rotate log files +Documentation=man:logrotate(8) man:logrotate.conf(5) +ConditionACPower=true + +[Service] +Type=oneshot +ExecStart=/usr/sbin/logrotate /etc/logrotate.conf +Nice=19 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 --- /etc/cron.daily/logrotate.old 2017-03-17 12:42:33.616945975 +0100 +++ /etc/cron.daily/logrotate 2017-03-15 20:23:22.108327255 +0100 @@ -1,4 +1,8 @@ #!/bin/sh +# skip in favour of systemd timer +if [ -d /run/systemd/system ]; then + exit 0 +fi + test -x /usr/sbin/logrotate || exit 0 /usr/sbin/logrotate /etc/logrotate.conf And change the control's Depends section to ..., cron | anacron | cron-daemon | systemd, ... Best regards, Christian Göttsche
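Review bot: in the /etc/cron.daily/logrotate hunk the new guard sits before `test -x /usr/sbin/logrotate || exit 0` and exits unconditionally on a systemd system, so if logrotate.timer is shipped but not enabled, rotation stops without any error; enable the timer from the package or have the guard check `systemctl is-enabled --quiet logrotate.timer`. The proposed `Depends: cron | anacron | cron-daemon | systemd` is satisfied whenever the systemd package is installed, even when another init is running; that case still works because /run/systemd/system is then absent and the cron script runs, but the dependency and the directory test have to stay consistent with each other, which is worth a comment in the rules or changelog.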
Bug#857863: add systemd service
Package: monit Version: 1:5.20.0-6 Hi, could you consider shipping a systemd service file? Best regards, Christian Göttsche

[Unit]
Description=Monit monitoring service
Documentation=man:monit(1)

[Service]
EnvironmentFile=-/etc/default/monit
Type=forking
KillMode=process
ExecStart=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS
ExecStop=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS quit
TimeoutStopSec=2s
ExecReload=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS reload
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
Bug#857861: add systemd service
Package: dphys-swapfile Version: 20100506-3 Hi, could you consider shipping a systemd service file? Best regards, Christian Göttsche

[Unit]
Description=dphys-swapfile - set up, mount/unmount, and delete a swap file
Documentation=man:dphys-swapfile(8)

[Service]
Type=oneshot
ExecStart=/sbin/dphys-swapfile setup
ExecStart=/sbin/dphys-swapfile swapon
ExecStop=/sbin/dphys-swapfile swapoff
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Bug#857678: use /run prefix in systemd socket unit
2017-03-13 23:11 GMT+01:00 Simon McVittie <s...@debian.org>: > On Mon, 13 Mar 2017 at 21:58:46 +0100, cgzones wrote: >> Since recently the reference policy defines the file contexts with >> /run prefixes [1] and only supports /var/run via a backward >> compatibility alias. > > Is that backwards compatibility alias available in the stretch version > of the reference policy? yes > How old is the first reference policy where the /run version works? > > How far in the future is the backwards compatibility alias expected to > go away? idk, there was/is some discussion at the refpolicy mailing list [1] >> Please alter the path from /var/run/dbus/system_bus_socket to >> /run/dbus/system_bus_socket in /usr/lib/systemd/system/dbus.socket to >> avoid wrong file contexts in the future. > > For better or worse, the canonical, interoperable path for the system > bus socket across multiple OS distributions is > /var/run/dbus/system_bus_socket (it has been that since long before > /run was widespread). If /var/run is equivalent to /run, then it shouldn't > matter either way. If /var/run is not equivalent to /run, then the version > we should probably prefer is /var/run. ok, I see also, I found the path /var/run/dbus/system_bus_socket in the official documentation [2] and a similar dbus bugreport [3]. For my part, this can be closed or marked as wont-fix then. Thanks for the quick response. [1] http://oss.tresys.com/pipermail/refpolicy/2017-March/009166.html [2] https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461 [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Bug#857660: SELinux: cannot send policyload notice
Hi list, I created a bug report against dbus 1.10 on Debian [1] because it fails to send policyload notices. Are there any objections or comments on the upstream patch [2]? The patch works for me: Mar 14 00:01:36 debianSE audit[441]: USER_AVC pid=441 uid=105 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?' Mar 14 00:01:36 debianSE dbus[441]: [system] Reloaded configuration Best regards, Christian Göttsche [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660 [2] https://cgit.freedesktop.org/dbus/dbus/commit/?id=a3a5935a0a038c3b44c61ce5719f0f7e647b96c6
Bug#857678: use /run prefix in systemd socket unit
Package: dbus Version: 1.10.16-1 User: selinux-de...@lists.alioth.debian.org Usertags: selinux Hi, dbus ships a systemd socket unit. On SELinux enabled systems systemd automatically sets the correct file context on creation according to the policy's configuration. Since recently the reference policy defines the file contexts with /run prefixes [1] and only supports /var/run via a backward compatibility alias. Please alter the path from /var/run/dbus/system_bus_socket to /run/dbus/system_bus_socket in /usr/lib/systemd/system/dbus.socket to avoid wrong file contexts in the future. Best regards, Christian Göttsche [1] https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dbus.fc#L16
Bug#857677: use /run in systemd-tmpfiles config
Package: openssh-server Version: 1:7.4p1-6 User: selinux-de...@lists.alioth.debian.org Usertags: selinux Hi, OpenSSH-server ships a systemd-tmpfiles configuration for creating a runtime directory. On SELinux enabled systems, systemd-tmpfiles automatically sets the correct file context on creation according to the policy's configuration. Since recently the reference policy defines the file contexts with /run prefixes [1] and only supports /var/run via a backward compatibility alias. Please alter the path from /var/run/sshd to /run/sshd in /usr/lib/tmpfiles.d/sshd.conf to avoid wrong file contexts in the future. Best regards, Christian Göttsche [1] https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.fc#L21
Bug#857662: cron broken in SELinux enforced mode due to system_u login mapping removal
Package: cron Version: 3.0pl1-128+b1 User: selinux-de...@lists.alioth.debian.org Usertags: selinux Hi, with the removal of the SELinux login entry for system_u [1], cron stops working. get_security_context [2] expects a NULL name when called for a system cronjob. But it is called with "system_u" [2]. It worked so far because getseuserbyname [3] still translated the incorrect name value "system_u" to the "system_u" seuser. Best regards, Christian Göttsche [1] https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511 [2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218 [3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51 --- user.c 2017-03-13 21:06:52.638905763 +0100 +++ user.c.fixed2017-03-13 21:07:48.654110814 +0100 @@ -215,7 +215,7 @@ if (is_selinux_enabled() > 0) { char *sname=uname; if (pw==NULL) { -sname="system_u"; +sname=NULL; } if (get_security_context(sname, crontab_fd, >scontext, tabname) != 0 ) {
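Review bot: passing NULL for a system crontab matches the contract the report describes for get_security_context(), but the hunk covers only this call site; before applying, check that get_security_context() and anything it hands the name to still accept NULL now that the getseuserbyname() fallback no longer papers over a bogus "system_u" string, and put a one-line comment at `sname=NULL;` saying that system jobs have no login name on purpose. Note that the hunk as extracted reads `>scontext`, presumably `&scontext` with the ampersand lost in extraction; verify against the real file.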
Bug#857660: SELinux: cannot send policyload notice
Package: dbus Version: 1.10.16-1 User: selinux-de...@lists.alioth.debian.org Usertags: selinux Hi, on SELinux enabled systems, dbus cannot send the policyload notification. There is already a thread over at redhat [1], and bug reports at redhat [2] and dbus [3]. Please, cherry-pick the fix from upstream [4]. Best regards, Christian Göttsche [1] https://www.redhat.com/archives/linux-audit/2015-November/msg2.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1278602 [3] https://bugs.freedesktop.org/show_bug.cgi?id=92832 [4] https://cgit.freedesktop.org/dbus/dbus/commit/?id=a3a5935a0a038c3b44c61ce5719f0f7e647b96c6
Bug#849636: apt-daily: do not use pidof
Any news on this? I currently use this patch: --- apt.systemd.daily.backup2017-02-13 16:32:21.288138322 +0100 +++ apt.systemd.daily 2017-02-13 16:32:51.717937100 +0100 @@ -1,5 +1,5 @@ #!/bin/sh -#set -e +set -e # # This file understands the following apt configuration variables: # Values here are the default. 
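Review bot: the first hunk changes `#set -e` into `set -e` for the whole of apt.systemd.daily, which is unrelated to the pidof problem and makes every non-zero exit status in the several hundred lines that follow fatal; split it into its own change (or drop it) so the dbus fix can be reviewed on its own merits.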
@@ -400,8 +400,8 @@ if check_stamp $UPDATE_STAMP $UpdateInterval; then if eval apt-get $XAPTOPT -y update $XSTDERR; then debug_echo "download updated metadata (success)." - if which dbus-send >/dev/null 2>&1 && pidof dbus-daemon >/dev/null 2>&1; then - if dbus-send --system / app.apt.dbus.updated boolean:true ; then + if which dbus-send >/dev/null 2>&1; then + if dbus-send --system / app.apt.dbus.updated boolean:true >/dev/null 2>&1; then debug_echo "send dbus signal (success)" else debug_echo "send dbus signal (error)" One could also check for the existence of /run/dbus/system_bus_socket via [ -S /run/dbus/system_bus_socket ] 2016-12-31 15:00 GMT+01:00 cgzones <cgzo...@googlemail.com>: > First I'd like to question if the dbus code is needed? A quick debian > codesearch shows no other usages: > https://codesearch.debian.net/search?q=app%5C.apt > > Do we need to check if dbus is running or is it sufficient to simply > try silently via: > > if which dbus-send >/dev/null 2>&1; then > if dbus-send --system / app.apt.dbus.updated boolean:true > > /dev/null 2>&1; then > > Kindly Regards, > Christian Göttsche > > 2016-12-30 21:43 GMT+01:00 David Kalnischkies <da...@kalnischkies.de>: >> Control: severity -1 wishlist >> >> On Thu, Dec 29, 2016 at 12:22:02PM +0100, cgzones wrote: >>> The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon' >>> to check whether dbus is running and whether to send a message. >>> With SELinux enabled this causes avc denials like: >> […] >>> I do not like to grant apt these permissions but I also want apt to >>> announce an update to dbus, >>> so can you rework the dbus check? >> >> Perhaps. Given you are the first person in 8 years to complain about >> this (#438803) perhaps you have also an idea how as I have neither >> a SELinux setup nor know what you would deem acceptable. 
>> >> (truth be told, I don't even use that cron job, so I am not going to be >> available for review above very trivial changes and even that…) >> >> I guess we could use (pseudo code) "if systemd; then systemctl is-active >> dbus; else pidof dbus; fi" but that would really need someone to verify >> that this has the intended result (and is available in your setup). >> >> >> Best regards >> >> David Kalnischkies
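Review bot: the second hunk (`if which dbus-send >/dev/null 2>&1; then` / `if dbus-send --system / app.apt.dbus.updated boolean:true >/dev/null 2>&1; then`) replaces the `pidof dbus-daemon` lookup, which needs the process-table access SELinux denies here, with an unconditional attempt; the only cost is a failed connection and a "send dbus signal (error)" debug line on systems where dbus is installed but not running, which is acceptable. If that message is unwanted, the `[ -S /run/dbus/system_bus_socket ]` test suggested above is the better gate: it checks the thing dbus-send actually needs and requires no /proc access. `command -v dbus-send` is also the portable spelling of the `which` check.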
Bug#855919: libwrap recommends tcpd
Package: libwrap0 Version: 7.6.q-26 libwrap0 recommends tcpd, and as recommended packages are installed by default, tcpd will be installed e.g. for the packages openssh-server or auditd. Could you consider lowering the bonding to Suggests?
Bug#855444: ntpd: odd SELinux audits
Package: ntp Version: 1:4.2.8p9+dfsg-2.1 User: selinux-de...@lists.alioth.debian.org Usertags: selinux On a SELinux enabled system, ntpd periodically generates some odd audits: type=PROCTITLE msg=audit(02/17/17 22:52:21.790:167) : proctitle=/usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:111 type=SYSCALL msg=audit(02/17/17 22:52:21.790:167) : arch=armeb syscall=socket per=PER_LINUX_32BIT success=no exit=EAFNOSUPPORT(Address family not supported by protocol) a0=unknown family(0x0) a1=SOCK_DGRAM a2=ip a3=0x48381b00 items=0 ppid=1 pid=540 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null) type=AVC msg=audit(02/17/17 22:52:21.790:167) : avc: denied { module_request } for pid=540 comm=ntpd kmod="net-pf-0" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 type=AVC msg=audit(02/17/17 22:52:21.790:167) : avc: denied { create } for pid=540 comm=ntpd scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=socket permissive=1 The system is a raspberry pi 3 with a 4.9.2 kernel from https://github.com/raspberrypi/linux/tree/rpi-4.9.y (Linux raspberrypi 4.9.2-v7+ #1 SMP Wed Jan 11 00:27:01 CET 2017 armv7l GNU/Linux)
Bug#852549: do not list /usr/lib/x86_64-linux-gnu/gio/modules
On a minimal non-graphical system without any gio modules installed, e.g. the packages glib-networking or dconf-gsettings-backend, the directory /usr/lib/x86_64-linux-gnu/gio/modules does not exist. Due to the entry in debian/libglib2.0-0.dirs, the path is contained on the system at /var/lib/dpkg/info/libglib2.0-0:amd.list. Cruft then complains about the nonexistence of the path. Maybe the directory could be shipped empty? On 15 Feb 2017 7:03 pm, "Michael Biebl" <bi...@debian.org> wrote: On Wed, 25 Jan 2017 13:42:29 +0100 cgzones <cgzo...@googlemail.com> wrote: > Package: libglib2.0-0 > Version: 2.50.2-2 > > cruft creates a report regarding this package: > > missing: dpkg >/usr/lib/x86_64-linux-gnu/gio >/usr/lib/x86_64-linux-gnu/gio/modules > > This is because libglib2.0-0 lists this directory and file but does not > ship it by default. > The postinst script contains the following comment: > > # The /usr/lib/gio/modules directory is no longer shipped by > # libglib2.0 itself so we need to check to avoid a warning from > # gio-querymodules Can you elaborate what is supposed to be the bug here? -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#854068: /usr/bin/scan-build-4.0-py: dead link
Package: clang-4.0 Version: 1:4.0~+rc1-1 The shipped file /usr/bin/scan-build-4.0-py is a dead link to a non-existent target ../share/clang/scan-build-4.0/bin/scan-build-py. Maybe the target should be ./share/clang/scan-build-py-4.0/bin/scan-build?
Bug#850531: noise on minimal vm with SElinux
Thanks a lot for your response and the fixes. I finally got some time and reran cruft at the new version: missing: dpkg /usr/lib/x86_64-linux-gnu/gio /usr/lib/x86_64-linux-gnu/gio/modules I reported it here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852549 unexplained: sys-fs-selinux /sys/fs/selinux /sys/fs/selinux/access /sys/fs/selinux/avc Could you ignore selinuxfs and tracefs, e.g. in /usr/lib/cruft/common_legacy.sh? unexplained: / /etc/apt/listchanges.conf apt-listchanges does not list this file, it creates it in its postinst script, can you 'explain' this file? broken symlinks: / /etc/mtab I think cruft reports this because the target ../proc/self/mounts is not indexed. Would it make sense to check before reporting if the target exists on the actual system? Best Regards, Christian Göttsche 2017-01-08 12:02 GMT+01:00 Alexandre Detiste: > control: tag -1 +pending > > Hi, > > Thank you very much for this bug report. > Sometimes I do install random packages in order to add support > for those in cruft, but I'm not really interested in trying out SElinux > myself. > > Most of your proposed changes are already implemented: > https://github.com/a-detiste/cruft/commits/master > > > >> policycoreutils.explain >> === >> #!/bin/sh >> echo /etc/selinux/config >> echo /usr/sbin/load_policy > > I tend to avoid extra simple "explain" scripts like this one > and instead use a filter. > Reason: avoid starting yet an extra sub-shell to run a two-line script. > > >> selinux-policy-default.explain >> === >> #!/usr/bin/env python3 > > I do tend to use Python3 as my language of choice; > but I inherited cruft from someone else and for now > the current dependencies are bash + perl and > I don't want to add other ones if possible.
> > >> print('/etc/selinux/default/contexts/files/file_contexts') >> print('/etc/selinux/default/contexts/files/file_contexts.bin') >> print('/etc/selinux/default/contexts/files/file_contexts.homedirs') >> print('/etc/selinux/default/contexts/files/file_contexts.homedirs.bin') >> print('/etc/selinux/default/seusers') > > I already translated all these print() lines into a filter. > > >> pattern = re.compile('^(\d+)\s+([a-z0-9_]+)\s+(pp|cil)\s*(disabled)?$') >> cp = subprocess.run(['/usr/sbin/semodule', '--list-modules=full', >> '--store', 'default'], stdout=subprocess.PIPE, >> stderr=subprocess.STDOUT, universal_newlines=True, check=True) >> for line in cp.stdout.splitlines(): > > Please rewrite this in bash or perl & I'll upload a new version. > > >> apt-listchanges.filter >> === >> /usr/share/apt-listchanges/__pycache__ >> /usr/share/apt-listchanges/__pycache__/*.pyc > > I never see these .pyc files because I don't use cruft that much anymore, > but my own cruft-ng rewrite; which has a special heuristic for those. > > https://github.com/a-detiste/cruft-ng/commit/789a2c26f9b9b2a8d46186be3981165be0154f74 > > Reason of rewrite: mostly everything runs in a single C++ process > instead of running hundreds of shell scripts => much faster. > (but not yet feature-complete versus old cruft) > > >> /var/lib/apt/listchanges.db > This was already there. > > https://github.com/a-detiste/cruft/blame/master/filters-unex/apt-listchanges > > >> missing: dpkg >> # i do not know why they are missing, reinstalling libglib2.0-0 >># gcc bugs? >> does not help >>/usr/lib/x86_64-linux-gnu/gio >>/usr/lib/x86_64-linux-gnu/gio/modules > > Sometimes packages have those weird bugs. > Sometimes I like to spend hours trying to figure out why... > sometimes not. > >> unexplained: / >> # i think these two are from the installation process?
>>/etc/apt/apt.conf.d/00CDMountPoint >>/etc/apt/apt.conf.d/00trustcdrom > > I guess most people would rather delete these files after seeing those > once in cruft report. Mine were from 2002. > >># my custom configuration files >>/etc/apt/apt.conf.d/01aptcacher >>/etc/apt/apt.conf.d/10periodic > You can also deploy those with a custom .deb across all your hosts, > then they don't come up anymore. > Example: https://github.com/a-detiste/detiste > >> # apt listchanges conf, should be handled by explain script? >>/etc/apt/listchanges.conf > It's already there too (?!) > Maybe cruft thinks apt-listchanges is not installed while it really is ?! > > >> # do not know what do to about these two >> >> /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8 >> >> /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8/tmp > > I'd just wholly ignore /tmp (& /run, & /home too). > That's what cruft-ng does. > >> # stamp file from apt.daily
Bug#852549: do not list /usr/lib/x86_64-linux-gnu/gio/modules
Package: libglib2.0-0 Version: 2.50.2-2 cruft creates a report regarding this package: missing: dpkg /usr/lib/x86_64-linux-gnu/gio /usr/lib/x86_64-linux-gnu/gio/modules This is because libglib2.0-0 lists this directory and file but does not ship it by default. The postinst script contains the following comment: # The /usr/lib/gio/modules directory is no longer shipped by # libglib2.0 itself so we need to check to avoid a warning from # gio-querymodules
Bug#852540: pam_selinux: add new option to select from default_contexts
Package: libpam-modules Version: 1.1.8-3.5 User: selinux-de...@lists.alioth.debian.org Usertags: selinux When an SELinux unaware login application, like sddm, tries to set up sessions via pam, it is not possible to set the new SELinux context accordingly. This patch adds an option to pam_selinux.so, so that via different pam configurations, like sddm does it https://github.com/sddm/sddm/blob/develop/src/helper/backend/PamBackend.cpp#L220, different contexts can be assigned. From: cgzones <cgzo...@googlemail.com> Date: Tue, 3 Jan 2017 12:04:20 +0100 Subject: [PATCH] pam_selinux: add select_default_context option --- modules/pam_selinux/README| 11 + modules/pam_selinux/pam_selinux.8 | 11 - modules/pam_selinux/pam_selinux.8.xml | 19 +++ modules/pam_selinux/pam_selinux.c | 46 ++- 4 files changed, 80 insertions(+), 7 deletions(-) diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README index fb4d449..b1b6be2 100644 --- a/modules/pam_selinux/README +++ b/modules/pam_selinux/README @@ -72,6 +72,17 @@ use_current_range instead of the default level. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment. +select_default_context= + +Select a specific context from the list of default contexts for the login +user returned by SELinux. By default the first entry is taken. +Valid values are 'last' or positiv numbers, to select a different context. +The list of available contexts can be viewed by 'compute_user src_context seuser'. + +Usage: +select_default_context=2 +select_default_context=last + EXAMPLES auth required pam_unix.so diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 index acd4f0d..d936cb9 100644 --- a/modules/pam_selinux/pam_selinux.8 +++ b/modules/pam_selinux/pam_selinux.8 
@@ -31,7 +31,7 @@ pam_selinux \- PAM module to set the default security context .SH "SYNOPSIS" .HP \w'\fBpam_selinux\&.so\fR\ 'u -\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range] +\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range] [select_default_context=\fIlast|context_number\fR] .SH "DESCRIPTION" .PP pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&. @@ -99,6 +99,15 @@ Attempt to obtain a custom security context role from PAM environment\&. If MLS .RS 4 Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&. .RE +.PP +\fBselect_default_context\fR +.RS 4 +Select a specific context from the list of default contexts for the login user returned by SELinux\&. By default the first entry is taken\&. Valid values are 'last' or positiv numbers, to select a different context\&. The list of a vailable contexts can be viewed by 'compute_user src_context seuser'\&. +.RS 2 +Usage: +.RS 2 +select_default_context=2 +.RE .SH "MODULE TYPES PROVIDED" .PP Only the diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 28d465f..210e262 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -45,6 +45,9 @@ use_current_range + +select_default_context=conf-file + 
@@ -188,6 +191,22 @@ + + + select_default_context=last|context_number + + + +Select a specific context from the list of default contexts for the login +user returned by SELinux. By default the first entry is taken. +Valid values are 'last' or positiv numbers, to select a different context. +The list of available contexts can be viewed by 'compute_user src_context seuser'. +Usage: + select_default_context=2 + select_default_context=last + + + diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index b96cc23..446b4fb 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -63,8 +63,6 @@ #include #include -#include -#include #include #include #include @@ -480,7 +478,8 @@ set_file_context(const pam_handle_t *pamh, security_context_t context, static int compute_exec_context(pam_handle_t *pamh, module_data_t *data, int select_context, int use_current_range, -int env_params, int debug) +int env_params, int debug, +const char *select_default_context) { const char *username;
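Review bot: the new option is documented three different ways across the hunks: the README and the pam_selinux.8.xml description say `select_default_context=` takes 'last' or a positive number, the pam_selinux.8 synopsis says `[select_default_context=\fIlast|context_number\fR]`, and the pam_selinux.8.xml synopsis hunk says `select_default_context=conf-file`, which looks copied from another option; make all four agree ('positiv' in the README and .8 text is also a typo, and the .8 hunk opens `.RS 2` blocks for the Usage text without matching `.RE` lines). The visible part of the pam_selinux.c hunk adds the `select_default_context` parameter to compute_exec_context() and drops two #include lines whose names were lost in extraction; the selection logic itself is beyond the extracted portion, so on the real patch check that a value of zero, a number larger than the list of contexts the module obtains, or a string other than 'last' is rejected with a logged error and the first entry used, rather than indexing past the end of the list.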
Bug#852539: dpkg: run maintainer scripts with SELinux user system_u
Package: dpkg Version: 1.18.18 User: selinux-de...@lists.alioth.debian.org Usertags: selinux Currently, dpkg runs its maintainer tasks in the SELinux type dpkg_script_t without changing the SELinux user or role. So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be run in unconfined_u:unconfined_r:dpkg_script_t. The problem is the postinst scripts: They create files and run binaries. Almost all the files created in this way do not have the correct file context system_u:object_r:*, which can break a UBAC-enabled system. e.g.: Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0 to system_u:object_r:usr_t:s0 Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to system_u:object_r:usr_t:s0 Would relabel /var/cache/man/pt/index.db from unconfined_u:object_r:man_cache_t:s0 to system_u:object_r:man_cache_t:s0 Also, for example, the exim4 post-install script does some work leading to exim running in system_mail_t, which is not allowed to run under the roles sysadm_r/unconfined_r. type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) : proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp -bV type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748 auid=christian uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4 exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null) type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) : op=security_compute_sid invalid_context=staff_u:sysadm_r:system_mail_t:s0 scontext=staff_u:sysadm_r:system_mail_t:s0 tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket This can cause issues when upgrading packages in enforced mode even as an unconfined user.
The following dpkg patch runs the maintainer tasks in the context system_u:system_r:dpkg_script_t (may be altered inside the SELinux policy): Note: The patch does not touch the SELinux detection in the build logic and the SELinux policy has to be updated beforehand. From: root Date: Mon, 9 Jan 2017 22:42:03 +0100 Subject: [PATCH] dpkg: fix maintainer SELinux context --- src/script.c | 95 +--- 1 file changed, 85 insertions(+), 10 deletions(-) diff --git a/src/script.c b/src/script.c index 2f252ae..72b92cf 100644 --- a/src/script.c +++ b/src/script.c @@ -32,6 +32,7 @@ #include #ifdef WITH_LIBSELINUX +#include // isspace #include #endif
@@ -141,23 +142,97 @@ maintscript_pre_exec(struct command *cmd) return cmd->filename + instdirlen; } +#ifdef WITH_LIBSELINUX +/* + * derived from get_init_context() + * https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/run_init/run_init.c + * + * Get the CONTEXT associated with the context for the dpkg maint scripts. + * + * in: nothing + * out: The CONTEXT associated with the context. + * return: 0 on success, -1 on failure. + */ +static int +get_dpkg_context(char **context) +{ + FILE *fp; + char buf[255], *bufp; + size_t buf_len; + char context_file[4096]; + snprintf(context_file, sizeof(context_file) - 1, "%s/%s", selinux_contexts_path(), "dpkg_context"); + fp = fopen(context_file, "r"); + if (!fp) { + ohshite(_("Could not open file %s\n"), context_file); + return -1; + } + + while (1) { /* loop until we find a non-empty line */ + + if (!fgets(buf, sizeof buf, fp)) { + break; + } + + buf_len = strlen(buf); + if (buf[buf_len - 1] == '\n') { +buf[buf_len - 1] = 0; + } + + bufp = buf; + while (*bufp && isspace(*bufp)) { +bufp++; + } + + if (*bufp) { + *context = strdup(bufp); + if (!(*context)) { + goto out; + } + fclose(fp); + return 0; + } + } + out: + fclose(fp); + ohshit(_("No context in file %s\n"), context_file); + return -1; +} +#endif + /** * Set a new security execution context for the maintainer script. - * - * Try to create a new execution context based on the current one and the - * specific maintainer script filename. If it's the same as the current - * one, use the given fallback. */ static int -maintscript_set_exec_context(struct command *cmd, const char *fallback) +maintscript_set_exec_context(void) { +#ifdef WITH_LIBSELINUX int rc = 0; + char *dpkg_context = NULL; -#ifdef WITH_LIBSELINUX - rc = setexecfilecon(cmd->filename, fallback); -#endif + if (is_selinux_enabled() < 1) { + return 0; +
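Review bot: in get_dpkg_context(), ohshite() and ohshit() are dpkg's fatal error calls and do not return, so the `return -1` after each is unreachable and the function can never report failure to its caller; if a missing or empty `dpkg_context` file is meant to fall back to the old behaviour, emit a non-fatal warning and let maintscript_set_exec_context() decide. Smaller points in the same hunk: `snprintf(context_file, sizeof(context_file) - 1, ...)` can pass the full sizeof, since snprintf already reserves room for the terminator; `char buf[255]` with fgets() splits any line longer than 254 bytes into two reads, and the tail would be accepted as a context; a strdup() failure jumps to `out` and is reported as "No context in file", which misleads; and the string read from the file is used without validation (libselinux provides security_check_context() for that). The hunk is cut off after the `is_selinux_enabled() < 1` early return, so what replaces the removed setexecfilecon(cmd->filename, fallback) call, and the callers that must change now that the function takes no arguments, are not visible here.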
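The relabel lines the report quotes are the symptom of the problem: files written by maintainer scripts carry the caller's SELinux user instead of system_u. As an added example (not dpkg or policy code), the following parses `restorecon -nv` style output of the form `Would relabel PATH from OLD to NEW`, as quoted in the report, and separates mismatches that differ only in the SELinux user (the UBAC case) from genuine type mismatches. Three sample lines are copied from the report; the fourth line and the noise line are constructed, and `example_var_lib_t` is a made-up type name.

```python
"""Sort SELinux relabel reports by which part of the context is wrong.

Added example for this bug report; it is not dpkg code. restorecon -nv
prints one line per mismatch in the form quoted in the report:
    Would relabel PATH from OLD to NEW
A context is seuser:role:type[:level]. Files a maintainer script created
under the caller's SELinux user differ from the policy only in the seuser
part; separating those from real type mismatches shows how much of a
relabel run is the UBAC problem the report describes.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

_RELABEL_RE = re.compile(r'^Would relabel (\S+) from (\S+) to (\S+)$')


class Context(NamedTuple):
    seuser: str
    role: str
    setype: str
    level: str  # "" when the policy carries no MLS/MCS range


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:level]; the level itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


class Relabel(NamedTuple):
    path: str
    old: Context
    new: Context

    def differing_fields(self) -> List[str]:
        return [f for f in Context._fields if getattr(self.old, f) != getattr(self.new, f)]


def parse_restorecon_output(lines: Iterable[str]) -> List[Relabel]:
    """Keep only 'Would relabel' lines; restorecon's other messages are ignored."""
    found = []
    for line in lines:
        m = _RELABEL_RE.match(line.strip())
        if m:
            path, old, new = m.groups()
            found.append(Relabel(path, parse_context(old), parse_context(new)))
    return found


def classify(relabels: Iterable[Relabel]) -> Dict[str, List[str]]:
    """Bucket paths: 'seuser_only' when only the SELinux user differs, else 'other'."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for r in relabels:
        key = "seuser_only" if r.differing_fields() == ["seuser"] else "other"
        buckets[key].append(r.path)
    return dict(buckets)


def foreign_users(relabels: Iterable[Relabel], expected: str = "system_u") -> Dict[str, int]:
    """Per on-disk SELinux user, how many files the policy wants moved to `expected`."""
    counts: Dict[str, int] = defaultdict(int)
    for r in relabels:
        if r.new.seuser == expected and r.old.seuser != expected:
            counts[r.old.seuser] += 1
    return dict(counts)


# Constructed sample: three lines from the report, one made-up type mismatch
# (example_var_lib_t is not a real type), and one non-relabel message.
SAMPLE_OUTPUT = [
    "Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0 to system_u:object_r:usr_t:s0",
    "Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to system_u:object_r:usr_t:s0",
    "Would relabel /var/cache/man/pt/index.db from unconfined_u:object_r:man_cache_t:s0 to system_u:object_r:man_cache_t:s0",
    "Would relabel /var/lib/example/state from system_u:object_r:var_lib_t:s0 to system_u:object_r:example_var_lib_t:s0",
    "restorecon: lstat(/nonexistent) failed: No such file or directory",
]

if __name__ == "__main__":
    rels = parse_restorecon_output(SAMPLE_OUTPUT)
    for bucket, paths in classify(rels).items():
        print(bucket, len(paths), paths)
    print("foreign users:", foreign_users(rels))
```

Run against real `restorecon -nv -R /` output, a large `seuser_only` bucket whose `foreign_users` are login users such as staff_u or unconfined_u is the signature of package installs performed in the administrator's SELinux user, which is what the patch in this report sets out to stop.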
Bug#850531: noise on minimal vm with SElinux
Package: cruft
Version: 0.9.29

Running cruft on a test vm with SELinux creates some noise. I created some filters and explain scripts under the guideline: filters contain paths which may be present on the system, and paths from the explain scripts must be present. In addition, I ignored the two kernel pseudo filesystems selinuxfs and tracefs in the common_legacy script.

policycoreutils.explain
===
#!/bin/sh
echo /etc/selinux/config
echo /usr/sbin/load_policy
===

selinux-policy-default.explain
===
#!/usr/bin/env python3
import re
import subprocess

print('/etc/selinux/default/contexts/files/file_contexts')
print('/etc/selinux/default/contexts/files/file_contexts.bin')
print('/etc/selinux/default/contexts/files/file_contexts.homedirs')
print('/etc/selinux/default/contexts/files/file_contexts.homedirs.bin')
print('/etc/selinux/default/seusers')
# strip the trailing newline of policyvers, otherwise the path gets a line break appended
with open('/sys/fs/selinux/policyvers', 'r') as f:
    print('/etc/selinux/default/policy/policy.' + f.readline().strip())

# semodule --list-modules=full prints: <priority> <module> <pp|cil> [disabled]
pattern = re.compile(r'^(\d+)\s+([a-z0-9_]+)\s+(pp|cil)\s*(disabled)?$')
cp = subprocess.run(['/usr/sbin/semodule', '--list-modules=full', '--store', 'default'],
                    stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                    universal_newlines=True, check=True)
for line in cp.stdout.splitlines():
    m = pattern.match(line)
    if m:
        priority = m.group(1)
        module = m.group(2)
        # group 4 is None when the module is not disabled
        disabled = m.group(4) == 'disabled'
        base = '/var/lib/selinux/default/active/modules/' + priority
        print(base)
        print(base + '/' + module)
        print(base + '/' + module + '/hll')
        print(base + '/' + module + '/cil')
        print(base + '/' + module + '/lang_ext')
        if disabled:
            print('/var/lib/selinux/default/active/modules/disabled/' + module)

print('/var/lib/selinux/default/active')
print('/var/lib/selinux/default/active/booleans.local')
print('/var/lib/selinux/default/active/commit_num')
print('/var/lib/selinux/default/active/file_contexts')
print('/var/lib/selinux/default/active/homedir_template')
print('/var/lib/selinux/default/active/modules')
print('/var/lib/selinux/default/active/modules/100')
print('/var/lib/selinux/default/active/modules/disabled')
print('/var/lib/selinux/default/active/policy.kern')
print('/var/lib/selinux/default/active/seusers')
print('/var/lib/selinux/default/active/seusers.local')
print('/var/lib/selinux/default/active/users_extra')
print('/var/lib/selinux/default/semanage.read.LOCK')
print('/var/lib/selinux/default/semanage.trans.LOCK')
===

selinux-policy-dev.explain
===
#!/bin/bash
echo /var/lib/sepolgen/interface_info
===

apt-listchanges.filter
===
/usr/share/apt-listchanges/__pycache__
/usr/share/apt-listchanges/__pycache__/*.pyc
/var/lib/apt/listchanges.db
===

auditd.filter
===
/etc/audit/audit.rules
/etc/audit/audit.rules.prev
/var/log/audit/audit.log*
===

policycoreutils.filter
===
/var/lib/selinux/final
/var/lib/selinux/tmp
===

selinux-basics.filter
===
/usr/share/selinux-basics/tests/__pycache__
/usr/share/selinux-basics/tests/__pycache__/*.pyc
===

With these changes the report looks like:

cruft report: Sat Jan 7 15:19:01 CET 2017

missing: dpkg
# i do not know why they are missing, reinstalling libglib2.0-0 does not help
        /usr/lib/x86_64-linux-gnu/gio
        /usr/lib/x86_64-linux-gnu/gio/modules

unexplained: /
# i think these two are from the installation process?
        /etc/apt/apt.conf.d/00CDMountPoint
        /etc/apt/apt.conf.d/00trustcdrom
# my custom configuration files
        /etc/apt/apt.conf.d/01aptcacher
        /etc/apt/apt.conf.d/10periodic
# apt listchanges conf, should be handled by explain script?
        /etc/apt/listchanges.conf
# custom configuration file
        /etc/tmpfiles.d/x11.conf
# do not know what to do about these two
        /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8
        /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8/tmp
# stamp file from apt.daily script, should be handled by filter?
        /var/lib/apt/periodic/clean-stamp

broken symlinks: /
# gcc bugs?
# root@debianSE:/etc/cruft/explain# ll /usr/share/man/man1/gcc*
Bug#849886: create /var/log/monit.log with correct SELinux context
Package: monit
Version: 1:5.20.0-4

On package installation, the log file /var/log/monit.log is created by the post install script monit.postinst. The SELinux context will not be correctly set up.

Can you please either add something like

    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon /var/log/monit.log
    fi

to restore the context, or install the file via

    install -o root -g adm -m 0640 /dev/null /var/log/monit.log

?

Kindly Regards,
Christian Göttsche
Bug#849858: split systemd tmpfile configuration files into respective packages
You're right, the default SELinux policy package for Debian, selinux-policy-default, ships the xserver module and loads it.
But it not only loads the xserver module by default, it loads all ~377 modules (that's an issue for the refpolicy package).
For a mix of performance, security, handsomeness and clarity I only load the modules needed for my system, and xserver is not one of them.

2017-01-01 16:35 GMT+01:00 Michael Biebl <bi...@debian.org>:
> On 01.01.2017 at 16:14 cgzones wrote:
>> I meant the x11-common Debian package.
>> The SELinux file contexts are defined in the xserver module:
>> https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/xserver.fc
>>
>> 2017-01-01 16:04 GMT+01:00 Michael Biebl <bi...@debian.org>:
>>> On 01.01.2017 at 16:00 cgzones wrote:
>>>> Oops,
>>>> I am sorry.
>>>> Seems I forgot to check the file affiliations beside the x11 one.
>>>>
>>>> So my question breaks down to whether the x11.conf file can be
>>>> distributed by the x11-common (or similar) package.
>>>
>>> Why exactly? I don't find x11 specific selinux policy files.
>
> I still don't understand why we would need to move the tmpfiles config
> file from systemd to x11-common. Mind you that I don't have any selinux
> knowledge.
> Afaics, in Debian we have selinux-policy-default which should contain
> the selinux policy for the X11 tmp directories.
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>
Bug#849858: split systemd tmpfile configuration files into respective packages
Oops,
I am sorry.
Seems I forgot to check the file affiliations beside the x11 one.

So my question breaks down to whether the x11.conf file can be distributed by the x11-common (or similar) package.

2017-01-01 15:41 GMT+01:00 Michael Biebl <bi...@debian.org>:
> On 01.01.2017 at 15:19 cgzones wrote:
>> Package: systemd
>> Version: 232-8
>>
>> Can the configuration files under /usr/lib/tmpfiles.d/ be distributed
>> by their respective packages.
>> Like:
>> Configuration file          Package
>> colord.conf                 colord
>
> $ apt-file search /usr/lib/tmpfiles.d/colord.conf
> colord: /usr/lib/tmpfiles.d/colord.conf
>
>> dbus.conf                   dbus
>
> $ apt-file search /usr/lib/tmpfiles.d/dbus.conf
> dbus: /usr/lib/tmpfiles.d/dbus.conf
>
>> gvfsd-fuse-tmpfiles.conf    gvfs or gvfs-common
>
> $ apt-file search /usr/lib/tmpfiles.d/gvfsd-fuse-tmpfiles.conf
> gvfs-common: /usr/lib/tmpfiles.d/gvfsd-fuse-tmpfiles.conf
>
>> lvm2.conf                   lvm2
>
> $ apt-file search /usr/lib/tmpfiles.d/lvm2.conf
> lvm2: /usr/lib/tmpfiles.d/lvm2.conf
>
>> man-db.conf                 man-db
>
> $ apt-file search /usr/lib/tmpfiles.d/man-db.conf
> man-db: /usr/lib/tmpfiles.d/man-db.conf
>
>> openvpn.conf                openvpn
>
> $ apt-file search /usr/lib/tmpfiles.d/openvpn.conf
> openvpn: /usr/lib/tmpfiles.d/openvpn.conf
>
>> sshd.conf                   openssh-server
>
> $ apt-file search /usr/lib/tmpfiles.d/sshd.conf
> openssh-server: /usr/lib/tmpfiles.d/sshd.conf
>
>> x11.conf                    x11-common
>
> $ apt-file search /usr/lib/tmpfiles.d/x11.conf
> systemd: /usr/lib/tmpfiles.d/x11.conf
>
>
> So, as you see, those are all distributed by the individual packages,
> the only exception being x11.conf.
>
> I'm not quite sure therefore, what exactly you are asking for.
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>
Bug#849858: split systemd tmpfile configuration files into respective packages
Package: systemd
Version: 232-8

Can the configuration files under /usr/lib/tmpfiles.d/ be distributed by their respective packages?
Like:

Configuration file          Package
colord.conf                 colord
dbus.conf                   dbus
gvfsd-fuse-tmpfiles.conf    gvfs or gvfs-common
lvm2.conf                   lvm2
man-db.conf                 man-db
openvpn.conf                openvpn
sshd.conf                   openssh-server
x11.conf                    x11-common

The reason why that's bothering me is, I am using SELinux on a headless debian, i.e. I have no xserver/x11 package installed. Therefore I have no SELinux modules for xserver/x11 loaded. But because systemd-tmpfiles creates the temporary files for x11 and I have no SELinux context for them, I get this output when relabeling the filesystem:

root@debianSE:/root/dtdnssync# restorecon -vv -R -n /
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix
Warning no default label for /tmp/.font-unix

It's not breaking anything but it's noisy.

Kindly Regards,
Christian Göttsche
Bug#849636: apt-daily: do not use pidof
First I'd like to question if the dbus code is needed?
A quick debian codesearch shows no other usages:
https://codesearch.debian.net/search?q=app%5C.apt

Do we need to check if dbus is running, or is it sufficient to simply try silently via:

    if which dbus-send >/dev/null 2>&1; then
        if dbus-send --system / app.apt.dbus.updated boolean:true > /dev/null 2>&1; then

Kindly Regards,
Christian Göttsche

2016-12-30 21:43 GMT+01:00 David Kalnischkies <da...@kalnischkies.de>:
> Control: severity -1 wishlist
>
> On Thu, Dec 29, 2016 at 12:22:02PM +0100, cgzones wrote:
>> The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
>> to check whether dbus is running and whether to send a message.
>> With SELinux enabled this causes avc denials like:
> […]
>> I do not like to grant apt these permissions but I also want apt to
>> announce an update to dbus,
>> so can you rework the dbus check?
>
> Perhaps. Given you are the first person in 8 years to complain about
> this (#438803) perhaps you have also an idea how as I have neither
> a SELinux setup nor know what you would deem acceptable.
>
> (truth be told, I don't even use that cron job, so I am not going to be
> available for review above very trivial changes and even that…)
>
> I guess we could use (pseudo code) "if systemd; then systemctl is-active
> dbus; else pidof dbus; fi" but that would really need someone to verify
> that this has the intended result (and is available in your setup).
>
>
> Best regards
>
> David Kalnischkies
Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context
Thanks again for your feedback.

The statement I was looking for is:

    genfscon debugfs /tracing gen_context(system_u:object_r:tracefs_t,s0)

I added the filecontexts:

    /sys/kernel/debug/.*             gen_context(system_u:object_r:debugfs_t,s0)
    /sys/kernel/debug/tracing(/.*)?  gen_context(system_u:object_r:tracefs_t,s0)

to avoid restorecon spamming me with messages like:

    restorecon: Warning no default label for /sys/kernel/debug/ieee80211
    restorecon: Warning no default label for /sys/kernel/debug/clk
    restorecon: Warning no default label for /sys/kernel/debug/clk/osc

Kindly Regards,
Christian Göttsche

2016-12-31 12:49 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On 12/31/2016 12:41 PM, Dominick Grift wrote:
>> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>>> On 12/31/2016 11:34 AM, cgzones wrote:
>>>> Wow!
>>>>
>>>> Thank you very much, I was completely unaware of this feature.
>>>> I did not read any documentation of it on selinuxproject.org or in The
>>>> SELinux Notebook v4 about it.
>>>>
>>>> I got it working via
>>>>
>>>> genfscon sysfs /devices/system/cpu/online
>>>> gen_context(system_u:object_r:cpu_online_t,s0)
>>>>
>>>> at
>>>> https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>>>
>>>> One small issue arises for me:
>>>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>>>> 'genfscon sysfs /kernel/debug/tracing
>>>> gen_context(system_u:object_r:tracefs_t,s0)'
>>>> but is it still labeled initially system_u:object_r:debugfs_t:s0 after
>>>> boot but seems to change on the first access?
>
> I misread, yes i think tracefs is mounted on demand. But this should not
> be problem because users of tracefs need to be able to traverse debugfs
> anyway.
>
>>>
>>> you need a genfscon for tracefs, it is mounted on the
>>> kernel/debug/tracing dir
>>>
>>> genfscon tracefs / gen_context()
>>
>> Also a word of advice: don't add any fc specs for anything under /sys
>>
>> The stuff in there are not files (its a pseudo fs like /proc and proc
>> also doesnt have fc specs)
>>
>>>
>>>>
>>>> Example pattern:
>>>>
>>>> [...] boot + ssh login
>>>> root@debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>> Would relabel /sys/kernel/debug/tracing from
>>>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>>>> root@debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>>
>>>> Why?
>>>>
>>>> I think otherwise this bug can be reassigned to refpolicy.
>>>>
>>>> Thanks again Dominick
>>>> Kindly Regards,
>>>> Christian Göttsche
>>>>
>>>> P.s.:
>>>> The kernel patch is over here:
>>>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>>>> (might be Linux 4.2? plenty enough for me)
>>>>
>>>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>>>> But isn't genfscon with subcontexts only available on the /proc
>>>>>> filesystem?
>>>>>
>>>>> If your kernel is not too old, then it also work for sysfs
>>>>>
>>>>>>
>>>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>>>>>> wrote:
>>>>>>>> reassign 849637 policycoreutils
>>>>>>>> thanks
>>>>>>>&
Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context
Wow!

Thank you very much, I was completely unaware of this feature.
I did not read any documentation of it on selinuxproject.org or in The SELinux Notebook v4 about it.

I got it working via

    genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

at
https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1

One small issue arises for me:
I tried to set up the directory '/sys/kernel/debug/tracing' via 'genfscon sysfs /kernel/debug/tracing gen_context(system_u:object_r:tracefs_t,s0)' but is it still labeled initially system_u:object_r:debugfs_t:s0 after boot but seems to change on the first access?

Example pattern:

[...] boot + ssh login
root@debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix
Would relabel /sys/kernel/debug/tracing from system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
root@debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix

Why?

I think otherwise this bug can be reassigned to refpolicy.

Thanks again Dominick
Kindly Regards,
Christian Göttsche

P.s.:
The kernel patch is over here:
https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
(might be Linux 4.2? plenty enough for me)

2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On 12/30/2016 10:51 PM, cgzones wrote:
>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>
> If your kernel is not too old, then it also work for sysfs
>
>>
>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>> wrote:
>>>> reassign 849637 policycoreutils
>>>> thanks
>>>>
>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>>>
>>>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>> > is mislabeled after boot:
>>>> >
>>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>> > Would relabel /sys/devices/system/cpu/online from
>>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>
>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>
>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>> initscript is explicitly relabeling it during boot.
>>>>
>>>> Under systemd, that initscript is masked by the
>>>> selinux-autorelabel.service.
>>>>
>>>> I was planning to add a tmpfiles for this, but apparently I forgot about
>>>> it.
>>>>
>>>> Reassigning to policycoreutils
>>>>
>>>> Laurent Bigonville
>>>
>>> you should be able to add a genfscon() in policy for this, provided that
>>> the kernel is not too old to support that feature
>>>
>>> I would avoid the alternative if possible
>>>>
>>>>
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>>
>>> ___
>>> SELinux-devel mailing list
>>> selinux-de...@lists.alioth.debian.org
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context
But isn't genfscon with subcontexts only available on the /proc filesystem?

2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
> wrote:
>> reassign 849637 policycoreutils
>> thanks
>>
>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>
>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>> > is mislabeled after boot:
>> >
>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>> > Would relabel /sys/devices/system/cpu/online from
>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>
>> Not sure why this is assigned to systemd as this is not created by systemd.
>>
>> It's working with sysvinit because the selinux-autorelabel LSB
>> initscript is explicitly relabeling it during boot.
>>
>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>
>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>
>> Reassigning to policycoreutils
>>
>> Laurent Bigonville
>
> you should be able to add a genfscon() in policy for this, provided that
> the kernel is not too old to support that feature
>
> I would avoid the alternative if possible
>>
>>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
>
> ___
> SELinux-devel mailing list
> selinux-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
Bug#849637: /sys/devices/system/cpu/online SELinux context
Hi,

thanks for your response. I assigned this bug to systemd, cause I did not know any better and thought the sysfs filesystem is managed by systemd, like /run.

Btw, /dev/pts/ptmx is also mislabeled:

root@debianSE:~# restorecon -vv -R -n /dev
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Would relabel /dev/pts/ptmx from system_u:object_r:devpts_t:s0 to system_u:object_r:ptmx_t:s0

Kindly Regards,
Christian Göttsche

2016-12-30 12:39 GMT+01:00 Laurent Bigonville <bi...@debian.org>:
> reassign 849637 policycoreutils
> thanks
>
> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>
>> When running a SELinux enabled system /sys/devices/system/cpu/online
>> is mislabeled after boot:
>>
>> root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>> Would relabel /sys/devices/system/cpu/online from
>> system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>
> Not sure why this is assigned to systemd as this is not created by systemd.
>
> It's working with sysvinit because the selinux-autorelabel LSB initscript is
> explicitly relabeling it during boot.
>
> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>
> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>
> Reassigning to policycoreutils
>
> Laurent Bigonville
Bug#849637: /sys/devices/system/cpu/online SELinux context
Package: systemd
Version: 232-8

When running a SELinux enabled system /sys/devices/system/cpu/online is mislabeled after boot:

root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
Would relabel /sys/devices/system/cpu/online from system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0

Kindly Regards,
Christian Göttsche
Bug#849636: apt-daily: do not use pidof
Package: apt
Version: 1.4~beta2

The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon' to check whether dbus is running and whether to send a message.
With SELinux enabled this causes avc denials like:

type=PROCTITLE msg=audit(12/29/16 07:43:22.385:42209) : proctitle=pidof dbus-daemon
type=PATH msg=audit(12/29/16 07:43:22.385:42209) : item=0 name=3/stat nametype=UNKNOWN
type=CWD msg=audit(12/29/16 07:43:22.385:42209) : cwd=/proc
type=SYSCALL msg=audit(12/29/16 07:43:22.385:42209) : arch=armeb syscall=open per=PER_LINUX_32BIT success=no exit=EACCES(Permission denied) a0=0x7ec069a4 a1=O_RDONLY|O_NOFOLLOW a2=0x1b6 a3=0x1b6 items=1 ppid=3661 pid=3797 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/sbin/killall5 subj=system_u:system_r:apt_t:s0 key=(null)
type=AVC msg=audit(12/29/16 07:43:22.385:42209) : avc: denied { search } for pid=3797 comm=pidof name=3 dev="proc" ino=6775 scontext=system_u:system_r:apt_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0

I do not like to grant apt these permissions but I also want apt to announce an update to dbus, so can you rework the dbus check?

Kindly Regards,
Christian Göttsche
Bug#849460: Ship list of module in base module package
Package: refpolicy Version: 2:2.20161023.1-3 Ship a list of modules build into the base module package. This might help with module management. --- debian/rules | 1 + debian/selinux-policy-default.install | 1 + debian/selinux-policy-mls.install | 1 + 3 files changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index 45e0187..d6fe74b 100755 --- a/debian/rules +++ b/debian/rules @@ -122,6 +122,7 @@ install-%-policy: build-%-policy mkdir -p $(CURDIR)/debian/tmp/var/lib/selinux/$* # Create a list with the modules we are shipping (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; LC_ALL=C ls -1 | cut -d. -f1 > .modules) + (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; grep -P '^[a-z0-9_]+\s*=\s*base$$' $(CURDIR)/debian/build-$*/policy/modules.conf | cut -d= -f1 | awk '{$$1=$$1};1' | LC_ALL=C sort > .basemodules) touch $@ # The headers are based on the default policy diff --git a/debian/selinux-policy-default.install b/debian/selinux-policy-default.install index b736f14..2d792e9 100644 --- a/debian/selinux-policy-default.install +++ b/debian/selinux-policy-default.install @@ -1,4 +1,5 @@ etc/selinux/default/ +usr/share/selinux/default/.basemodules usr/share/selinux/default/.modules usr/share/selinux/default/*.pp var/lib/selinux/default/ diff --git a/debian/selinux-policy-mls.install b/debian/selinux-policy-mls.install index ef57ad0..8c0082c 100644 --- a/debian/selinux-policy-mls.install +++ b/debian/selinux-policy-mls.install @@ -1,4 +1,5 @@ etc/selinux/mls/ +usr/share/selinux/mls/.basemodules usr/share/selinux/mls/.modules usr/share/selinux/mls/*.pp var/lib/selinux/mls/ -- 2.8.1
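Review bot: the new `.basemodules` recipe line in debian/rules silently ships an empty file when the grep matches nothing, because the pipeline's exit status is that of the final `LC_ALL=C sort`, not of `grep -P`, so a renamed or differently formatted modules.conf would not fail the build. Consider verifying the result in the same recipe line (for instance `test -s .basemodules`), and `grep -E '^[a-z0-9_]+[[:space:]]*=[[:space:]]*base$$'` in place of `-P` with `\s` avoids depending on a PCRE-enabled grep.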
Bug#849463: domain_auto_trans is deprecated
Package: refpolicy Version: 2:2.20161023.1-3 The usage of the macro domain_auto_trans is deprecated. Use domain_auto_transition_pattern instead. --- debian/example/example.if | 2 +- debian/policygentool | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/example/example.if b/debian/example/example.if index e9308e5..de3c797 100644 --- a/debian/example/example.if +++ b/debian/example/example.if @@ -29,7 +29,7 @@ interface(`myapp_domtrans',` type myapp_t, myapp_exec_t; ') - domain_auto_trans($1,myapp_exec_t,myapp_t) + domain_auto_transition_pattern($1,myapp_exec_t,myapp_t) allow $1 myapp_t:fd use; allow myapp_t $1:fd use; diff --git a/debian/policygentool b/debian/policygentool index 47afdd5..1180459 100644 --- a/debian/policygentool +++ b/debian/policygentool @@ -42,7 +42,7 @@ interface(`TEMPLATETYPE_domtrans',` type TEMPLATETYPE_t, TEMPLATETYPE_exec_t; ') - domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t) + domain_auto_transition_pattern($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t) allow $1 TEMPLATETYPE_t:fd use; allow TEMPLATETYPE_t $1:fd use; -- 2.8.1
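Review bot: domain_auto_transition_pattern() is the correct replacement for the deprecated macro, but in both debian/example/example.if and debian/policygentool the interface then hand-writes the fd rules `allow $1 myapp_t:fd use;` and `allow myapp_t $1:fd use;`; refpolicy's `domtrans_pattern($1,myapp_exec_t,myapp_t)` bundles the transition with those fd rules plus the fifo_file and sigchld permissions a domain transition normally needs, so each interface body could be reduced to that single call.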
Bug#849461: Use dh_install --fail-missing
Package: refpolicy Version: 2:2.20161023.1-3 Use dh_install --fail-missing for hard build errors. --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index d6fe74b..d1f7e7c 100755 --- a/debian/rules +++ b/debian/rules @@ -23,7 +23,7 @@ endif override_dh_auto_configure: $(patsubst %, conf-%-policy, $(FLAVOURS)) conf-docs conf-src override_dh_install: - dh_install --list-missing + dh_install --fail-missing override_dh_fixperms: dh_fixperms -- 2.8.1
Bug#849459: fix gbp config warning
Package: refpolicy Version: 2:2.20161023.1-3 Git-buildpackage complains about an old config format. While on it, reintroduce signing tags --- debian/gbp.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/gbp.conf b/debian/gbp.conf index 6837223..557fbe8 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -3,6 +3,7 @@ debian-branch = debian upstream-branch = upstream pristine-tar = True -[git-buildpackage] +[buildpackage] +sign-tags = True tarball-dir = ../tarballs/ export-dir = ../build-area/ -- 2.8.1
Bug#848232: semanage login: no awareness of existing entries
Hi,

yes I am using libsepol1 2.6-2:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages policycoreutils-python-utils depends on:
ii  libc6              2.24-8
ii  libselinux1        2.6-3
ii  libsepol1          2.6-2
ii  policycoreutils    2.6-2
ii  python3-audit      1:2.6.7-1
ii  python3-ipy        1:0.83-1
ii  python3-selinux    2.6-3
ii  python3-semanage   2.6-1
ii  python3-sepolgen   2.6-3
ii  python3-sepolicy   2.6-2
pn  python3:any
ii  selinux-utils      2.6-3

policycoreutils-python-utils recommends no packages.

policycoreutils-python-utils suggests no packages.

-- no debconf information

Can I test the upstream version by running

    #sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap

from the git repo inside a vm, or do I have to make more preparations to really use only upstream dependencies?
I tried the upstream version without overwriting the system files, but that does not solve the issue. But I am not sure the upstream python modules were used, and probably the system's libsepol was used too.

Kindly Regards,
Christian Göttsche

2016-12-17 9:57 GMT+01:00 Laurent Bigonville <bi...@debian.org>:
> On 15/12/16 at 14:13, cgzones wrote:
>
> Hi,
>>
>> When working on SELinux login settings, it seems that semanage is not
>> aware of already existing entries.
>
> Could you please try with libsepol1 2.6-2. I think this is a duplicate of
> #846484
>
> Regards,
>
> Laurent Bigonville
Bug#848232: semanage login: no awareness of existing entries
Package: policycoreutils-python-utils
Version: 2.6-2

When working on SELinux login settings, it seems that semanage is not aware of already existing entries.

Example usage:

root@desktopdebian:/home/christian# semanage login -a -s unconfined_u christian
libsemanage.add_user: user system_u not in password file
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            unconfined_u         s0                   *
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

root@desktopdebian:/home/christian# semanage login -m -s user_u christian
ValueError: Login mapping for christian is not defined                 # error
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            unconfined_u         s0                   *      # not updated
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

root@desktopdebian:/home/christian# semanage login -a -s user_u christian
libsemanage.add_user: user system_u not in password file               # no error! although user existed
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            user_u               s0                   *      # updated!
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

root@desktopdebian:/home/christian# semanage login -d -s user_u christian
ValueError: Login mapping for christian is not defined                 # error
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            user_u               s0                   *      # not deleted
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Kindly regards,
Christian Göttsche
Bug#822987: seinfo: no types and attributes treated as types
Package: setools
Version: 3.3.8+20151215-3
Severity: normal

After the recent upgrades of the selinux userland libraries i noticed a bug in the seinfo tool.

Example output:

christian@debianSE:~$ seinfo

Statistics for policy file: /etc/selinux/default/policy/policy.30
Policy Version & Type: v.30 (binary, mls)

   Classes:            93    Permissions:       254
   Sensitivities:       1    Categories:       1024
   Types:               0    Attributes:
   Users:               6    Roles:              14
   Booleans:          234    Cond. Expr.:       265
   Allow:          107477    Neverallow:          0
   Auditallow:         26    Dontaudit:       17448
   Type_trans:       8930    Type_change:        72
   Type_member:        16    Role allow:         28
   Role_trans:        454    Range_trans:        38
   Constraints:       161    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           89    Portcon:           458
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2

# notice 0 types

christian@debianSE:~$ seinfo -tinit_t -x
christian@debianSE:~$ seinfo -ainit_t -x
   init_t
      init_t
      dbusd_unconfined
      dbusd_system_bus_client
      sepgsql_unconfined_type
      x_domain
      xserver_unconfined_type
christian@debianSE:~$ seinfo -t
Types: 0
christian@debianSE:~$ seinfo -a
...
# lists hundreds of types
...
   samba_log_t
   services_munin_plugin_tmpfs_t
   spamd_port_t
   transproxy_initrc_exec_t
   tripwire_report_t
   wireshark_input_xevent_t

Maybe this https://bugzilla.redhat.com/show_bug.cgi?id=1291336 bugreport is related?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages setools depends on:
ii  libbz2-1.0     1.0.6-8
ii  libc6          2.22-7
ii  libgcc1        1:6.0.1-2
ii  libqpol1       3.3.8+20151215-3
ii  libselinux1    2.5-1
ii  libsqlite3-0   3.12.2-1
ii  libstdc++6     6.0.1-2
ii  libxml2        2.9.3+dfsg1-1

setools recommends no packages.

Versions of packages setools suggests:
pn  setools-gui

-- no debconf information
Bug#822679: Attempts to mount /proc as a regular user
I can confirm this bug. It seems this is already fixed upstream; can you please cherry-pick this patch? https://github.com/SELinuxProject/selinux/commit/5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
Bug#813604: newrole: pamd error
Package: newrole
Version: 2.4-4

When I try to use newrole on Debian testing with the upstream refpolicy (https://github.com/TresysTechnology/refpolicy) installed, I get the following error:

root@debianSe:~# newrole -r sysadm_r -t sysadm_t
Password:
newrole: incorrect password for root
Error sending audit message.

There is an error message in /var/log/auth.log:

Feb  3 16:58:53 debianSe newrole: PAM audit_log_acct_message() failed: Operation not permitted

The transition should be allowed by SELinux:

root@debianSe:~# semanage user -l

SELinux User         SELinux Roles

root                 staff_r sysadm_r
staff_u              staff_r sysadm_r
sysadm_u             sysadm_r
system_u             system_r
unconfined_u         unconfined_r
user_u               user_r

root@debianSe:~# id -Z
root:staff_r:staff_t

When I configure the seuser with 'semanage -m -R sysadm_r root', I can log in with the sysadm_r role.

root@debianSe:~# cat /etc/pam.d/newrole
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
session required pam_namespace.so unmnt_remnt no_unmount_on_close
Bug#707633: monit: backport 5.5
Package: monit
Version: 1:5.4-2
Severity: wishlist

Hi,

can you please backport monit 5.5 for Debian wheezy.

Best regards,
Christian Göttsche

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#691283: selinux-policy-default: monit policy package
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist

Hi,

can you include a policy package for monit. I wrote one which covers the monit daemon, the web interface, the process monitoring and the monit invocation from a root console. It does not cover connections to m/monit and file monitoring.

The only thing I could not include in the package is the port labeling, so I am doing it by hand with:

semanage port -a -t monit_port_t -p tcp 2812

Best regards,
Christian Göttsche

monit.fc:

/etc/monit(/.*)?                 gen_context(system_u:object_r:monit_etc_t,s0)
/etc/monit/monitrc               gen_context(system_u:object_r:monit_config_t,s0)
/etc/monit/conf.d(/.*)?          gen_context(system_u:object_r:monit_config_t,s0)
/etc/monit/monit-config(/.*)?    gen_context(system_u:object_r:monit_config_t,s0)
/usr/sbin/monit                  gen_context(system_u:object_r:monit_exec_t,s0)
/usr/bin/monit                   gen_context(system_u:object_r:monit_exec_t,s0)
/var/lib/monit(/.*)?             gen_context(system_u:object_r:monit_lib_t,s0)
/var/log/monit(/.*)?             gen_context(system_u:object_r:monit_log_t,s0)
/var/log/monit.*           --    gen_context(system_u:object_r:monit_log_t,s0)

monit.te:

## <summary></summary>
policy_module(monit,1.0.0)

# file/domain-types
type monit_t;
domain_type(monit_t)

type monit_exec_t;
files_type(monit_exec_t)

type monit_etc_t;
files_type(monit_etc_t)

type monit_config_t;
files_config_file(monit_config_t)

type monit_lib_t;
files_type(monit_lib_t)

type monit_port_t;
corenet_port(monit_port_t)

type monit_log_t;
logging_log_file(monit_log_t)
logging_log_filetrans(monit_t, monit_log_t, {file dir})

type monit_run_t;
files_pid_file(monit_run_t)
files_pid_filetrans(monit_t, monit_run_t, {file dir})

# monit_t
init_daemon_domain(monit_t, monit_exec_t)
init_domtrans_script(monit_t)

dontaudit direct_init monit_t:fd use;

allow monit_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow monit_t self:tcp_socket { write read connect shutdown getopt create bind setopt listen accept };
allow monit_t self:udp_socket { write read connect shutdown getopt create ioctl getattr };
allow monit_t self:sem { read write unix_write };
allow monit_t self:capability { net_raw sys_ptrace dac_read_search dac_override };
allow monit_t self:rawip_socket { write read create setopt shutdown };
allow monit_t self:process { signal getpgid };
allow monit_t self:fifo_file { ioctl getattr };

allow monit_t monit_etc_t:dir list_dir_perms;
allow monit_t monit_etc_t:file read_file_perms;
allow monit_t monit_config_t:dir list_dir_perms;
allow monit_t monit_config_t:file read_file_perms;
allow monit_t monit_config_t:lnk_file read_lnk_file_perms;
allow monit_t monit_lib_t:dir manage_dir_perms;
allow monit_t monit_lib_t:file manage_file_perms;
allow monit_t monit_log_t:file manage_file_perms;
allow monit_t monit_run_t:file manage_file_perms;
allow monit_t monit_port_t:tcp_socket name_bind;

corenet_tcp_bind_generic_node(monit_t)
corenet_tcp_connect_all_ports(monit_t)
corecmd_exec_bin(monit_t)
corecmd_exec_shell(monit_t)
miscfiles_read_localization(monit_t)
dev_read_urand(monit_t)
userdom_dontaudit_search_user_home_dirs(monit_t)
files_read_etc_files(monit_t)
files_read_all_pids(monit_t)
sysnet_read_config(monit_t)
files_search_var_lib(monit_t)
files_read_etc_runtime_files(monit_t)
dev_list_sysfs(monit_t)
kernel_read_system_state(monit_t)
storage_getattr_fixed_disk_dev(monit_t)
fs_getattr_xattr_fs(monit_t)
domain_read_all_domains_state(monit_t)
domain_getpgid_all_domains(monit_t)

## running monit from root console
domain_use_interactive_fds(monit_t)
userdom_use_user_ptys(monit_t)
Bug#691284: selinux-policy-default: allow_ptrace and deny_ptrace
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist

Hi,

can you unite the booleans allow_ptrace and deny_ptrace.

Best regards,
Christian Göttsche
Bug#690477: selinux-policy-default: multiple avc denies and su problem
Package: selinux-policy-default
Version: 2:2.20110726-11

I'm using smartmontools and the daemon needs to read and write into its lib directory /var/lib/smartmontools. This directory is not labeled, so I get the following denials:

Oct 14 19:29:27 debian kernel: [ 18.35] type=1400 audit(1350235767.006:11): avc: denied { read } for pid=2386 comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.56] type=1400 audit(1350235767.006:12): avc: denied { open } for pid=2386 comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.88] type=1400 audit(1350235767.006:13): avc: denied { getattr } for pid=2386 comm=smartd path=/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

I use the following .fc file:

/var/lib/smartmontools(/.*)?    gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)

and .te file:

type fsdaemon_var_lib_t;
files_type(fsdaemon_var_lib_t)

allow fsdaemon_t var_lib_t:dir search_dir_perms;
manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

to avoid this.
When relabeling manually with restorecond I get the following denials:

setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667177] type=1400 audit(1349451350.806:159): avc: denied { write } for pid=5240 comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667259] type=1400 audit(1349451350.806:160): avc: denied { nlmsg_relay } for pid=5240 comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667336] type=1400 audit(1349451350.806:161): avc: denied { audit_write } for pid=5240 comm=restorecon capability=29 scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667696] type=1400 audit(1349451350.806:162): avc: denied { read } for pid=5240 comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket

While booting I get these denials:

Oct 14 19:29:23 debian kernel: [    7.465566] type=1400 audit(1350235756.026:3): avc: denied { read write } for pid=581 comm=hostname name=tty1 dev=devtmpfs ino=1201 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [    8.116923] type=1400 audit(1350235756.678:4): avc: denied { read write } for pid=647 comm=swapon name=tty1 dev=devtmpfs ino=1201 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [   11.908177] type=1400 audit(1350235760.470:5): avc: denied { read write } for pid=1257 comm=swapon name=tty1 dev=devtmpfs ino=1201 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [   13.505206] type=1400 audit(1350235762.066:6): avc: denied { read write } for pid=1532 comm=ip name=tty1 dev=devtmpfs ino=1201 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

I'm not using users in the unconfined context, so my config is:

semanage user -l

                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range               SELinux Roles

root            sysadm     SystemLow    SystemLow-SystemHigh    staff_r sysadm_r system_r
staff_u         user       SystemLow    SystemLow-SystemHigh    staff_r sysadm_r
sysadm_u        sysadm     SystemLow    SystemLow-SystemHigh    sysadm_r
system_u        user       SystemLow    SystemLow-SystemHigh    system_r
unconfined_u    user       SystemLow    SystemLow               unconfined_r
user_u          user       SystemLow    SystemLow               user_r

semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          SystemLow
systemuser      staff_u         SystemLow-SystemHigh
root            staff_u         SystemLow-SystemHigh
system_u
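The denials quoted in this report illustrate two different situations: the smartd ones are a labeling problem (the target carries the generic var_lib_t label, which the .fc entry above fixes), while the restorecon and boot-time ones are missing allow rules. The script below is an added example, not code from this report or from any Debian or SELinux tool: it parses AVC denial lines the way one would before reaching for audit2allow, aggregates them per (source type, target type, class) into candidate allow rules, and flags denials whose target type is generic as "relabel, don't allow". The sample input is copied from the report above as constructed test data, and the set of generic target types is this example's own heuristic, not something the report states.

```python
import re
from collections import defaultdict

# Sample AVC denials, copied from the smartd, restorecon and boot messages in
# the report above. Constructed test input for this example, not live audit
# output; the script itself is an added example, not audit2allow.
SAMPLE_LOG = """\
Oct 14 19:29:27 debian kernel: [ 18.35] type=1400 audit(1350235767.006:11): avc: denied { read } for pid=2386 comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.56] type=1400 audit(1350235767.006:12): avc: denied { open } for pid=2386 comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.88] type=1400 audit(1350235767.006:13): avc: denied { getattr } for pid=2386 comm=smartd path=/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 5 17:35:50 debian kernel: [ 2826.667336] type=1400 audit(1349451350.806:161): avc: denied { audit_write } for pid=5240 comm=restorecon capability=29 scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
Oct 14 19:29:23 debian kernel: [7.465566] type=1400 audit(1350235756.026:3): avc: denied { read write } for pid=581 comm=hostname name=tty1 dev=devtmpfs ino=1201 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)

# Heuristic of this example (an assumption, not stated in the report): a
# denial whose target carries one of these generic labels usually means the
# object is mislabeled and needs a file-context entry, not a new allow rule.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "var_log_t", "etc_t", "usr_t", "tmp_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one kernel/audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val.strip('"')
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "self": fields["scontext"] == fields["tcontext"],
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name"),
    }


def aggregate(lines):
    """Group denials into (source type, target type, class) -> set of permissions."""
    agg = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        # Same source and target context means a rule on "self".
        ttype = "self" if d["self"] else d["ttype"]
        agg[(d["stype"], ttype, d["tclass"])].update(d["perms"])
    return agg


def render_rules(agg):
    """Render aggregated denials as TE allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(agg.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def classify(agg):
    """Split aggregated denials into likely labeling bugs and genuine missing rules."""
    relabel, allow = [], []
    for key in sorted(agg):
        (relabel if key[1] in GENERIC_TARGET_TYPES else allow).append(key)
    return {"relabel": relabel, "allow": allow}


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOG.splitlines())
    for rule in render_rules(agg):
        print(rule)
    for stype, ttype, tclass in classify(agg)["relabel"]:
        print(f"# {stype} -> {ttype}:{tclass}: generic target label, add a file context instead of this rule")
```

Run against the sample, the three smartd denials collapse into a single `allow fsdaemon_t var_lib_t:file { getattr open read };` that is then flagged as a relabel case, which is the point of the .fc entry in the report: granting fsdaemon_t access to all of var_lib_t would be far broader than labeling /var/lib/smartmontools with its own type.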