Bug#859264: update Vcs control files

2017-04-01 Thread cgzones
Package: bash
Version: 4.4-4+b1

The specified Vcs fields do not link to the recent packaging version.



Bug#859263: maintain PIE enabled bash

2017-04-01 Thread cgzones
Package: bash
Version: 4.4-4+b1
Severity: important

Due to #842037, bash is currently shipped without PIE[1] support.
Please consider adding a package bash-pie, which Conflicts and
Provides bash, or upload a PIE-enabled version to stretch-backports
after release.

[1] https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29



Bug#859120: ausearch -i segfault

2017-03-30 Thread cgzones
Package: auditd
Version: 1:2.6.7-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

ausearch segfaults on the following input in interpret mode:

/sbin/ausearch -i --input file

type=AVC msg=audit(1490829425.686:121): avc:  denied  { bind } for
pid=1034 comm="darkstat" scontext=system_u:system_r:darkstat_t:s0
tcontext=system_u:system_r:darkstat_t:s0 tclass=packet_socket
permissive=0
type=SYSCALL msg=audit(1490829425.686:121): arch=c03e syscall=49
success=no exit=-13 a0=3 a1=7ffce52e04b0 a2=14 a3=373 items=0
ppid=1033 pid=1034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="darkstat"
exe="/usr/sbin/darkstat" subj=system_u:system_r:darkstat_t:s0
key=(null)
type=SOCKADDR msg=audit(1490829425.686:121):
saddr=11030200
type=PROCTITLE msg=audit(1490829425.686:121):
proctitle=2F7573722F7362696E2F6461726B73746174002D6900656E70307333002D2D6368726F6F74002F7661722F6C69622F6461726B73746174002D2D70696466696C65002F7661722F72756E2F6461726B737461742E706964002D2D696D706F7274006461726B737461742E6462002D2D6578706F7274006461726B737461742E64
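As an added illustration (not ausearch's code and not the reporter's), a small Python interpreter for the four records above that decodes the hex proctitle and saddr values defensively, reporting a malformed or too-short sockaddr instead of reading past its end. The family size table, the little-endian host assumption and the extra decoders are mine; the sample input is the report's records, joined back onto one line each.

```python
"""Defensive interpreter for the audit records in the report above: decodes
the hex proctitle/saddr values and annotates a malformed or short value."""
import ipaddress
import re
import struct

# Constructed sample: the four records from the report, each joined back onto
# one line the way auditd writes them.
SAMPLE = (
    'type=AVC msg=audit(1490829425.686:121): avc:  denied  { bind } for '
    'pid=1034 comm="darkstat" scontext=system_u:system_r:darkstat_t:s0 '
    'tcontext=system_u:system_r:darkstat_t:s0 tclass=packet_socket permissive=0\n'
    'type=SYSCALL msg=audit(1490829425.686:121): arch=c03e syscall=49 '
    'success=no exit=-13 a0=3 a1=7ffce52e04b0 a2=14 a3=373 items=0 ppid=1033 '
    'pid=1034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="darkstat" exe="/usr/sbin/darkstat" '
    'subj=system_u:system_r:darkstat_t:s0 key=(null)\n'
    'type=SOCKADDR msg=audit(1490829425.686:121): saddr=11030200\n'
    'type=PROCTITLE msg=audit(1490829425.686:121): proctitle='
    '2F7573722F7362696E2F6461726B73746174002D6900656E70307333002D2D6368726F6F74'
    '002F7661722F6C69622F6461726B73746174002D2D70696466696C65002F7661722F72756E'
    '2F6461726B737461742E706964002D2D696D706F7274006461726B737461742E6462002D2D'
    '6578706F7274006461726B737461742E64\n'
)

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([^)]*)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Known families -> (name, minimum byte size of the kernel sockaddr struct);
# the sizes are this example's assumption, not taken from the report.
FAMILIES = {1: ("AF_UNIX", 2), 2: ("AF_INET", 16), 10: ("AF_INET6", 28),
            16: ("AF_NETLINK", 12), 17: ("AF_PACKET", 20)}


def parse_record(line):
    """One audit line -> dict of key=value fields plus 'type' and 'event'."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, event, rest = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v)
              for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "event": event, **fields}


def hex_bytes(value):
    """Bytes of an audit hex field, or None for odd length / non-hex input."""
    if len(value) % 2 or not re.fullmatch(r'[0-9A-Fa-f]*', value):
        return None
    return bytes.fromhex(value)


def decode_proctitle(value):
    """proctitle= is the NUL-separated argv; return it as a list of strings."""
    raw = hex_bytes(value)
    if raw is None:
        return None
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def decode_sockaddr(value):
    """saddr=: first two bytes are the family in host order (little-endian
    assumed, matching the x86_64 record above). A value shorter than the
    family's structure is reported as truncated, never read past its end."""
    raw = hex_bytes(value)
    if raw is None:
        return {"error": "malformed hex"}
    if len(raw) < 2:
        return {"error": "truncated", "length": len(raw)}
    family = struct.unpack_from("<H", raw)[0]
    name, minlen = FAMILIES.get(family, ("unknown", 2))
    out = {"family": family, "name": name, "length": len(raw)}
    if len(raw) < minlen:
        out["error"] = "truncated"
    elif name == "AF_INET":
        out["port"] = struct.unpack_from("!H", raw, 2)[0]
        out["addr"] = str(ipaddress.IPv4Address(raw[4:8]))
    elif name == "AF_PACKET":  # sockaddr_ll: protocol network order, ifindex host order
        out["protocol"] = struct.unpack_from("!H", raw, 2)[0]
        out["ifindex"] = struct.unpack_from("<i", raw, 4)[0]
    return out


def interpret(text):
    """Parse all records of the event and attach decoded views; a bad hex
    value annotates its record instead of raising."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    for rec in records:
        if rec["type"] == "PROCTITLE":
            rec["argv"] = decode_proctitle(rec.get("proctitle", ""))
        elif rec["type"] == "SOCKADDR":
            rec["sockaddr"] = decode_sockaddr(rec.get("saddr", ""))
    return records


if __name__ == "__main__":
    for rec in interpret(SAMPLE):
        print(rec["type"], rec.get("argv") or rec.get("sockaddr") or rec.get("tclass"))
```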



Bug#858834: debhelper: make dh_install --list-missing the default

2017-03-27 Thread cgzones
Package: debhelper
Version: 10.2.5
Severity: wishlist

Hi,

personally, I like the --list-missing/--fail-missing options from dh_install.
Any chance --list-missing getting the default for maybe compat version 11?

Best regards
   Christian Göttsche



Bug#858179: scan-view-4.0 fails to start due to missing Python module

2017-03-26 Thread cgzones
the fixing patch is not updated:

https://sources.debian.net/src/llvm-toolchain-4.0/1:4.0-1/debian/patches/fix-scan-view-path.diff/?hl=9#L9



Bug#858050: /etc/ssh/moduli membership

2017-03-17 Thread cgzones
Package: openssh-client
Version: 1:7.4p1-6

Dear Maintainer,
according to man:moduli(5) the file /etc/ssh/moduli is only used by sshd.
Why is this file shipped with openssh-client and not openssh-server?

Best regards,
Christian Göttsche



Bug#858022: add systemd timer

2017-03-17 Thread cgzones
Package: man-db
Version: 2.7.6.1-2

Dear Maintainer,
can you please add a systemd timer for the daily man-db cache regeneration.

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ man-db.timer2017-03-16 12:07:22.956516872 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily man-db regeneration
+Documentation=man:mandb(8)
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ man-db.service  2017-03-16 12:07:08.316606820 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=Daily man-db regeneration
+Documentation=man:mandb(8)
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
+ExecStart=/usr/bin/mandb
+User=man
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
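Review bot: `ConditionACPower=true` makes a run triggered while on battery be skipped, and the timer still records that trigger, so `Persistent=true` on the timer does not retry it; a laptop that is rarely on mains keeps a stale man-db cache for days. Either drop the condition (the work is already niced and I/O-throttled by `Nice=19` and the `IOScheduling*` lines) or document the trade-off. The `+` prefix on the first `ExecStart=` (run as root before dropping to `User=man`) needs a systemd that understands that prefix, so state the minimum version in the package relationship.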

--- /etc/cron.daily/man-db.old  2017-03-17 12:52:23.223042394 +0100
+++ /etc/cron.daily/man-db  2017-03-15 20:14:55.851223244 +0100
@@ -4,6 +4,10 @@

set -e

+# skip in favour of systemd timer
+if [ -d /run/systemd/system ]; then
+   exit 0
+fi
+
iosched_idle=
# Don't try to change I/O priority in a vserver or OpenVZ.
if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \
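Review bot: `[ -d /run/systemd/system ]` only proves that systemd is PID 1, not that man-db.timer is installed and enabled, so on a systemd host where the timer is masked or not yet enabled the cron job now silently exits and the cache is never regenerated. Gate on the timer's state instead (for example `systemctl --quiet is-enabled man-db.timer`) or make postinst enable the timer unconditionally; placing the `exit 0` after `set -e` as done here is fine.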

--- /etc/cron.weekly/man-db.old  2017-03-17 12:53:18.442623547 +0100
+++ /etc/cron.weekly/man-db 2017-03-15 20:15:35.511005471 +0100
@@ -4,6 +4,10 @@

set -e

+# skip in favour of systemd timer
+if [ -d /run/systemd/system ]; then
+   exit 0
+fi
+
iosched_idle=
# Don't try to change I/O priority in a vserver or OpenVZ.
if ! egrep -q '(envID|VxID):.*[1-9]' /proc/self/status && \
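Review bot: same guard as in cron.daily, with the same gap: if the timer is masked, both the daily and the weekly run are disabled at once with no error. Since the weekly job is what used to do the purge, the changelog should say that the daily timer now covers it (the text below does), and the guard should check the timer's state rather than only the presence of `/run/systemd/system`.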


This will run man-db without the --no-purge option daily.
But even on a raspberry pi this only takes 2,5s (vs 0,25s), which is
negligible as a daily job.

Best regards,
Christian Göttsche



Bug#858023: add systemd timer

2017-03-17 Thread cgzones
Package: fake-hwclock
Version: 0.11

Dear Maintainer,
can you please add a systemd timer for the regular time save.

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ fake-hwclock-save.timer 2017-03-16 11:52:21.062121382 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=fake-hwclock: save time to disk
+Documentation=man:fake-hwclock(8)
+After=fake-hwclock.service
+
+[Timer]
+OnBootSec=15m
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=fake-hwclock.service
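Review bot: `WantedBy=fake-hwclock.service` in `[Install]` is unusual for a timer; the convention is `WantedBy=timers.target`. As written the timer is only pulled in when fake-hwclock.service itself is enabled, which may be the intent (no saves without the service), but say so in a comment. With `OnBootSec=15m` and `OnUnitActiveSec=1h` the save cadence is hourly, so a crash loses up to an hour of clock progress; confirm that matches the cron interval this replaces.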

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ fake-hwclock-save.service   2017-03-16 11:51:40.632378088 +0100
@@ -0,0 +1,9 @@
+[Unit]
+Description=fake-hwclock: save time to disk
+Documentation=man:fake-hwclock(8)
+After=fake-hwclock.service
+Requires=fake-hwclock.service
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/fake-hwclock save

--- fake-hwclock.old  2017-03-17 12:36:31.549158451 +0100
+++ fake-hwclock2017-03-15 19:39:40.915989015 +0100
@@ -3,6 +3,11 @@
# Simple cron script - save the current clock periodically in case of
# a power failure or other crash

+# skip in favour of systemd timer
+if [ -d /run/systemd/system ]; then
+   exit 0
+fi
+
if (command -v fake-hwclock >/dev/null 2>&1) ; then
  fake-hwclock save
fi
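Review bot: the guard exits before the `command -v fake-hwclock` check, so on any systemd host the cron script does nothing even when fake-hwclock-save.timer has not been enabled, and the clock file is then never refreshed. Check the timer's state (`systemctl --quiet is-active fake-hwclock-save.timer`) instead of only testing for `/run/systemd/system`, or have postinst enable the timer whenever it installs the units.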


Also the control's Suggests field can be altered to:
Suggests: cron | cron-daemon | systemd, ntp

Best regards,
 Christian Göttsche



Bug#858021: add systemd timer

2017-03-17 Thread cgzones
Package: logrotate
Version: 3.11.0-0.1

Dear Maintainer,
can you please add a systemd timer for the daily log rotation.

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ logrotate.timer 2017-03-15 20:30:26.475786062 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily rotation of log files
+Documentation=man:logrotate(8) man:logrotate.conf(5)
+
+[Timer]
+OnCalendar=daily
+AccuracySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

--- /dev/null   2017-03-14 22:28:11.90999 +0100
+++ logrotate.service   2017-03-15 20:31:00.545579761 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=Rotate log files
+Documentation=man:logrotate(8) man:logrotate.conf(5)
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/logrotate /etc/logrotate.conf
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
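Review bot: `ConditionACPower=true` is a poor default for log rotation: when it fails the run is skipped and, because the timer counts it as triggered, `Persistent=true` does not retry until the next day, so a battery-powered machine never rotates its logs and can fill the disk. That is worse than the short I/O burst logrotate causes, which `Nice=19` and the `IOScheduling*` settings here already dampen; drop the condition or document why it is needed.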

--- /etc/cron.daily/logrotate.old 2017-03-17 12:42:33.616945975 +0100
+++ /etc/cron.daily/logrotate   2017-03-15 20:23:22.108327255 +0100
@@ -1,4 +1,8 @@
#!/bin/sh

+# skip in favour of systemd timer
+if [ -d /run/systemd/system ]; then
+   exit 0
+fi
+
test -x /usr/sbin/logrotate || exit 0
/usr/sbin/logrotate /etc/logrotate.conf
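Review bot: the new guard runs before `test -x /usr/sbin/logrotate || exit 0`, which is fine, but it only tests that systemd is the init, not that logrotate.timer is enabled; with the timer masked, rotation stops entirely without any error. Check the timer's state instead, and make sure postinst enables the timer, otherwise the proposed `cron | anacron | cron-daemon | systemd` dependency alternative does not actually provide rotation on a systemd host.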


And change the control's Depends section to ..., cron | anacron |
cron-daemon | systemd, ...

Best regards,
Christian Göttsche



Bug#857863: add systemd service

2017-03-15 Thread cgzones
Package: monit
Version: 1:5.20.0-6

Hi,
could you consider shipping a systemd service file?

Best regards,
  Christian Göttsche



[Unit]
Description=Monit monitoring service
Documentation=man:monit(1)

[Service]
EnvironmentFile=-/etc/default/monit
Type=forking
KillMode=process
ExecStart=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS
ExecStop=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS quit
TimeoutStopSec=2s
ExecReload=/usr/bin/monit -c /etc/monit/monitrc $MONIT_OPTS reload
Restart=on-abnormal

[Install]
WantedBy=multi-user.target



Bug#857861: add systemd service

2017-03-15 Thread cgzones
Package: dphys-swapfile
Version: 20100506-3

Hi,
could you consider shipping a systemd service file?

Best regards,
 Christian Göttsche



[Unit]
Description=dphys-swapfile - set up, mount/unmount, and delete an swap file
Documentation=man:dphys-swapfile(8)

[Service]
Type=oneshot
ExecStart=/sbin/dphys-swapfile setup
ExecStart=/sbin/dphys-swapfile swapon
ExecStop=/sbin/dphys-swapfile swapoff
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target



Bug#857678: use /run prefix in systemd socket unit

2017-03-14 Thread cgzones
2017-03-13 23:11 GMT+01:00 Simon McVittie <s...@debian.org>:
> On Mon, 13 Mar 2017 at 21:58:46 +0100, cgzones wrote:
>> Since recently the reference policy defines the file contexts with
>> /run prefixes [1] and only supports /var/run via a backward
>> compatibility alias.
>
> Is that backwards compatibility alias available in the stretch version
> of the reference policy?

yes

> How old is the first reference policy where the /run version works?
>
> How far in the future is the backwards compatibility alias expected to
> go away?

idk, there was/is some discussion at the refpolicy mailing list [1]

>> Please alter the path from /var/run/dbus/system_bus_socket to
>> /run/dbus/system_bus_socket in /usr/lib/systemd/system/dbus.socket to
>> avoid wrong file contexts in the future.
>
> For better or worse, the canonical, interoperable path for the system
> bus socket across multiple OS distributions is
> /var/run/dbus/system_bus_socket (it has been that since long before
> /run was widespread). If /var/run is equivalent to /run, then it shouldn't
> matter either way. If /var/run is not equivalent to /run, then the version
> we should probably prefer is /var/run.

ok, I see
also, I found the path /var/run/dbus/system_bus_socket in the official
documentation [2]
and a similar dbus bugreport [3].

For my part, this can be closed or marked as wont-fix then.

Thanks for the quick response.

[1] http://oss.tresys.com/pipermail/refpolicy/2017-March/009166.html
[2] https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321



Bug#857660: SELinux: cannot sent policyload notice

2017-03-13 Thread cgzones
Hi list,
I created bug report against dbus 1.10 on Debian [1] due to failing to
send policyload notices.
Are there any objections or comments on the upstream patch[2]?
The patch works for me:

Mar 14 00:01:36 debianSE audit[441]: USER_AVC pid=441 uid=105
auid=4294967295 ses=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
received policyload notice (seqno=3)
 exe="/usr/bin/dbus-daemon"
sauid=105 hostname=? addr=? terminal=?'
Mar 14 00:01:36 debianSE dbus[441]: [system] Reloaded configuration

Best regards,
   Christian Göttsche


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660
[2] https://cgit.freedesktop.org/dbus/dbus/commit/?id=a3a5935a0a038c3b44c61ce5719f0f7e647b96c6



Bug#857678: use /run prefix in systemd socket unit

2017-03-13 Thread cgzones
Package: dbus
Version: 1.10.16-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
dbus ships a systemd socket unit.
On SELinux enabled systems systemd automatically sets the correct file
context on creation according to the policy's configuration.
Since recently the reference policy defines the file contexts with
/run prefixes [1] and only supports /var/run via a backward
compatibility alias.

Please alter the path from /var/run/dbus/system_bus_socket to
/run/dbus/system_bus_socket in /usr/lib/systemd/system/dbus.socket to
avoid wrong file contexts in the future.

Best regards,
 Christian Göttsche



[1] https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dbus.fc#L16



Bug#857677: use /run in systemd-tmpfiles config

2017-03-13 Thread cgzones
Package: openssh-server
Version: 1:7.4p1-6
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
OpenSSH-server ships a systemd-tmpfiles configuration for creating a
runtime directory.
On SELinux enabled systems, systemd-tmpfiles automatically sets the
correct file context on creation according to the policy's
configuration.
Since recently the reference policy defines the file contexts with
/run prefixes [1] and only supports /var/run via a backward
compatibility alias.
Please alter the path from /var/run/sshd to /run/sshd in
/usr/lib/tmpfiles.d/sshd.conf to avoid wrong file contexts in the
future.

Best regards,
Christian Göttsche


[1] https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.fc#L21



Bug#857662: cron broken in SELinux enforced mode due to system_u login mapping removal

2017-03-13 Thread cgzones
Package: cron
Version: 3.0pl1-128+b1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
with the removal of the SELinux login entry for system_u [1], cron
stops working.

get_security_context [2] expects a NULL name when called for a system cronjob.
But it is called with "system_u" [2].

It worked so far because getseuserbyname [3] still translated the incorrect
name value "system_u" to the "system_u" seuser.

Best regards,
  Christian Göttsche

[1] https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
[2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218
[3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51

--- user.c  2017-03-13 21:06:52.638905763 +0100
+++ user.c.fixed2017-03-13 21:07:48.654110814 +0100
@@ -215,7 +215,7 @@
if (is_selinux_enabled() > 0) {
char *sname=uname;
if (pw==NULL) {
-sname="system_u";
+sname=NULL;
}
if (get_security_context(sname, crontab_fd,
 >scontext, tabname) != 0 ) {
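Review bot: `sname=NULL` is the right value given that get_security_context() treats a NULL name as "system crontab", but the line deserves a comment explaining that the old literal depended on the now-removed system_u login mapping, otherwise the next reader will "fix" it back to the string. Also confirm there is no other call site passing the literal "system_u"; the report cites only this one.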



Bug#857660: SELinux: cannot sent policyload notice

2017-03-13 Thread cgzones
Package: dbus
Version: 1.10.16-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
on SELinux enabled systems, dbus cannot send the policyload notification.

There is already a thread over at redhat [1], and bug reports at
redhat [2] and dbus [3].
Please, cherry-pick the fix from upstream [4].

Best regards,
Christian Göttsche

[1] https://www.redhat.com/archives/linux-audit/2015-November/msg2.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1278602
[3] https://bugs.freedesktop.org/show_bug.cgi?id=92832
[4] https://cgit.freedesktop.org/dbus/dbus/commit/?id=a3a5935a0a038c3b44c61ce5719f0f7e647b96c6



Bug#849636: apt-daily: do not use pidof

2017-02-24 Thread cgzones
Any news on this?
I currently use this patch:

--- apt.systemd.daily.backup2017-02-13 16:32:21.288138322 +0100
+++ apt.systemd.daily   2017-02-13 16:32:51.717937100 +0100
@@ -1,5 +1,5 @@
#!/bin/sh
-#set -e
+set -e
#
# This file understands the following apt configuration variables:
# Values here are the default.
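Review bot: uncommenting `set -e` is an unrelated behaviour change for the whole script: any command that returns non-zero outside an `if` or `||` context now aborts the daily job. That needs its own audit of every command in the file and its own changelog entry rather than riding along with the dbus check fix.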
@@ -400,8 +400,8 @@
if check_stamp $UPDATE_STAMP $UpdateInterval; then
if eval apt-get $XAPTOPT -y update $XSTDERR; then
   debug_echo "download updated metadata (success)."
-   if which dbus-send >/dev/null 2>&1 && pidof dbus-daemon
>/dev/null 2>&1; then
-   if dbus-send --system / app.apt.dbus.updated boolean:true ; then
+   if which dbus-send >/dev/null 2>&1; then
+   if dbus-send --system / app.apt.dbus.updated boolean:true
>/dev/null 2>&1; then
   debug_echo "send dbus signal (success)"
   else
   debug_echo "send dbus signal (error)"
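Review bot: dropping the `pidof dbus-daemon` probe and simply attempting `dbus-send` is the right direction (it removes the need for the process-listing permission the report complains about), but the `>/dev/null 2>&1` added to the `dbus-send` line now hides why a send failed, so the "send dbus signal (error)" branch fires for both "no bus running" and genuine errors; keep stderr visible when debugging is on. Prefer `command -v dbus-send` over `which` in POSIX sh, and the `[ -S /run/dbus/system_bus_socket ]` pre-check mentioned in the text is a cheap way to avoid spawning dbus-send at all when no bus exists.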

One could also check for the existence of /run/dbus/system_bus_socket
via [ -S /run/dbus/system_bus_socket ]

2016-12-31 15:00 GMT+01:00 cgzones <cgzo...@googlemail.com>:
> First I'd like to question if the dbus code is needed? A quick debian
> codesearch shows no other usages:
> https://codesearch.debian.net/search?q=app%5C.apt
>
> Do we need to check if dbus is running or is it sufficient to simply
> try silently via:
>
> if which dbus-send >/dev/null 2>&1; then
> if dbus-send --system / app.apt.dbus.updated boolean:true >
> /dev/null 2>&1; then
>
> Kindly Regards,
> Christian Göttsche
>
> 2016-12-30 21:43 GMT+01:00 David Kalnischkies <da...@kalnischkies.de>:
>> Control: severity -1 wishlist
>>
>> On Thu, Dec 29, 2016 at 12:22:02PM +0100, cgzones wrote:
>>> The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
>>> to check whether dbus is running and whether to send a message.
>>> With SELinux enabled this causes avc denials like:
>> […]
>>> I do not like to grant apt these permissions but I also want apt to
>>> announce an update to dbus,
>>> so can you rework the dbus check?
>>
>> Perhaps. Given you are the first person in 8 years to complain about
>> this (#438803) perhaps you have also an idea how as I have neither
>> a SELinux setup nor know what you would deem acceptable.
>>
>> (truth be told, I don't even use that cron job, so I am not going to be
>> available for review above very trivial changes and even that…)
>>
>> I guess we could use (pseudo code) "if systemd; then systemctl is-active
>> dbus; else pidof dbus; fi" but that would really need someone to verify
>> that this has the intended result (and is available in your setup).
>>
>>
>> Best regards
>>
>> David Kalnischkies



Bug#855919: libwrap recommends tcpd

2017-02-23 Thread cgzones
Package: libwrap0
Version: 7.6.q-26

libwrap0 recommends tcpd and, as recommended packages are installed by
default, tcpd will be installed e.g. for the packages openssh-server
or auditd.
Could you consider lowering the bonding to Suggests?



Bug#855444: ntpd: odd SELinux audits

2017-02-18 Thread cgzones
Package: ntp
Version: 1:4.2.8p9+dfsg-2.1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

On a SELinux enabled system, ntpd periodically generates some odd audits:

type=PROCTITLE msg=audit(02/17/17 22:52:21.790:167) :
proctitle=/usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:111
type=SYSCALL msg=audit(02/17/17 22:52:21.790:167) : arch=armeb
syscall=socket per=PER_LINUX_32BIT success=no
exit=EAFNOSUPPORT(Address family not supported by protocol) a0=unknown
family(0x0) a1=SOCK_DGRAM a2=ip a3=0x48381b00 items=0 ppid=1 pid=540
auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp
sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(02/17/17 22:52:21.790:167) : avc:  denied  {
module_request } for  pid=540 comm=ntpd kmod="net-pf-0"
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(02/17/17 22:52:21.790:167) : avc:  denied  { create
} for  pid=540 comm=ntpd scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:system_r:ntpd_t:s0 tclass=socket permissive=1

The system is a raspberry pi 3 with a 4.9.2 kernel from
https://github.com/raspberrypi/linux/tree/rpi-4.9.y (Linux raspberrypi
4.9.2-v7+ #1 SMP Wed Jan 11 00:27:01 CET 2017 armv7l GNU/Linux)



Bug#852549: do not list /usr/lib/x86_64-linux-gnu/gio/modules

2017-02-15 Thread cgzones
On a minimal non graphical system without any gio modules installed, e.g.
the packages glib-networking or dconf-gsettings-backend, the directory
 /usr/lib/x86_64-linux-gnu/gio/modules does not exist.
Due to the entry in debian/libglib2.0-0.dirs, the path is contained on the
system at /var/lib/dpkg/info/libglib2.0-0:amd.list .
Cruft then complains about the nonexistence of the path.

Maybe the directory could be shipped empty?



On 15 Feb 2017 7:03 pm, "Michael Biebl" <bi...@debian.org> wrote:

On Wed, 25 Jan 2017 13:42:29 +0100 cgzones <cgzo...@googlemail.com> wrote:
> Package: libglib2.0-0
> Version: 2.50.2-2
>
> cruft creates a report regarding this package:
>
>  missing: dpkg 
>/usr/lib/x86_64-linux-gnu/gio
>/usr/lib/x86_64-linux-gnu/gio/modules
>
> This is due to libglib2.0-0 lists this directory and file but does not
> ship it by default.
> The postinst script contains the following comment:
>
> # The /usr/lib/gio/modules directory is no longer shipped by
> # libglib2.0 itself so we need to check to avoid a warning from
> # gio-querymodules

Can you elaborate what is supposed to be the bug here?




--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Bug#854068: /usr/bin/scan-build-4.0-py: dead link

2017-02-03 Thread cgzones
Package: clang-4.0
Version: 1:4.0~+rc1-1

The shipped file /usr/bin/scan-build-4.0-py is a dead link to a non
existent target ../share/clang/scan-build-4.0/bin/scan-build-py.
Maybe the target should be ./share/clang/scan-build-py-4.0/bin/scan-build?



Bug#850531: noise on minimal vm with SElinux

2017-01-25 Thread cgzones
Thanks a lot for your response and the fixes.

I finally got some time and reran cruft at the new version:

 missing: dpkg 
   /usr/lib/x86_64-linux-gnu/gio
   /usr/lib/x86_64-linux-gnu/gio/modules

I reported it here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852549

 unexplained: sys-fs-selinux 
   /sys/fs/selinux
   /sys/fs/selinux/access
   /sys/fs/selinux/avc

Could you ignore selinuxfs and tracefs, e.g. in /usr/lib/cruft/common_legacy.sh?

 unexplained: / 
   /etc/apt/listchanges.conf

apt-listchanges does not list this file, it creates it in its postinst
script, can you 'explain' this file?

 broken symlinks: / 
   /etc/mtab

I think cruft reports this because the target ../proc/self/mounts is
not indexed.
Would it make sense to check before reporting if the target exists on
the actual system?

Best Regards,
Christian Göttsche

2017-01-08 12:02 GMT+01:00 Alexandre Detiste :
> control: tag -1 +pending
>
> Hi,
>
> Thank you very much for this bug report.
> Sometimes I do install random package in order to add support
> for those in cruft, but I'm not really interested in trying out SElinux
> myself.
>
> Most of your proposed changes are already implemented:
> https://github.com/a-detiste/cruft/commits/master
>
>
>
>> policycoreutils.explain
>> ===
>> #!/bin/sh
>> echo /etc/selinux/config
>> echo /usr/sbin/load_policy
>
> I tend to avoid extra simple "explain" scripts like this one
> and instead use a filter.
> Reason: avoid starting yet an extra sub-shell to run a two-lines script.
>
>
>> selinux-policy-default.explain
>> ===
>> #!/usr/bin/env python3
>
> I do tend to use Python3 as my language of choice;
> but I inherited cruft from someone else and for now
> the current dependencies are bash + perl and
> I don't want to add other ones if possible.
>
>
>> print('/etc/selinux/default/contexts/files/file_contexts')
>> print('/etc/selinux/default/contexts/files/file_contexts.bin')
>> print('/etc/selinux/default/contexts/files/file_contexts.homedirs')
>> print('/etc/selinux/default/contexts/files/file_contexts.homedirs.bin')
>> print('/etc/selinux/default/seusers')
>
> I already translated all these print() lines into a filter.
>
>
>> pattern = re.compile('^(\d+)\s+([a-z0-9_]+)\s+(pp|cil)\s*(disabled)?$')
>> cp = subprocess.run(['/usr/sbin/semodule', '--list-modules=full',
>> '--store', 'default'], stdout=subprocess.PIPE,
>> stderr=subprocess.STDOUT, universal_newlines=True, check=True)
>> for line in cp.stdout.splitlines():
>
> Please rewrite this in bash or perl & I'll upload a new version.
>
>
>> apt-listchanges.filter
>> ===
>> /usr/share/apt-listchanges/__pycache__
>> /usr/share/apt-listchanges/__pycache__/*.pyc
>
> I never see these .pyc files because I don't use cruft that much anymore,
> but my own cruft-ng rewrite; which has a special heuristic for those.
>
> https://github.com/a-detiste/cruft-ng/commit/789a2c26f9b9b2a8d46186be3981165be0154f74
>
> Reason of rewrite: mostly everything run in a single C++ process
> instead of running hundreds of shell scripts => much faster.
> (but not yet feature-complete versus old cruft)
>
>
>> /var/lib/apt/listchanges.db
> This was already there.
>
> https://github.com/a-detiste/cruft/blame/master/filters-unex/apt-listchanges
>
>
>>  missing: dpkg 
>>   # i do not know why they are missing, reinstalling libglib2.0-0
>># gcc bugs?
>> does not help
>>/usr/lib/x86_64-linux-gnu/gio
>>/usr/lib/x86_64-linux-gnu/gio/modules
>
> Sometimes packages have those weird bugs.
> Sometimes I like to spend hours trying to figure out why...
> sometimes not.
>
>>  unexplained: / 
>>   # i think these two are from the installation process?
>>/etc/apt/apt.conf.d/00CDMountPoint
>>/etc/apt/apt.conf.d/00trustcdrom
>
> I guess most people would rather delete these files after seeing those
> once in cruft report. Mine were from 2002.
>
>># my custom configuration files
>>/etc/apt/apt.conf.d/01aptcacher
>>/etc/apt/apt.conf.d/10periodic
> You can also deploy those with a custom .deb across all your hosts,
> then they don't come up anymore.
> Example: https://github.com/a-detiste/detiste
>
>>   # apt listchanges conf, should be handled by explain script?
>>/etc/apt/listchanges.conf
> It's already there too (?!)
> Maybe cruft thinks apt-listchanges is not installed while it really is ?!
>
>
>>   # do not know what do to about these two
>>
>> /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8
>>
>> /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8/tmp
>
> I'd just wholly ignore /tmp (& /run, & /home too).
> That's what cruft-ng does.
>
>>   # stamp file from apt.daily 

Bug#852549: do not list /usr/lib/x86_64-linux-gnu/gio/modules

2017-01-25 Thread cgzones
Package: libglib2.0-0
Version: 2.50.2-2

cruft creates a report regarding this package:

 missing: dpkg 
   /usr/lib/x86_64-linux-gnu/gio
   /usr/lib/x86_64-linux-gnu/gio/modules

This is due to libglib2.0-0 lists this directory and file but does not
ship it by default.
The postinst script contains the following comment:

# The /usr/lib/gio/modules directory is no longer shipped by
# libglib2.0 itself so we need to check to avoid a warning from
# gio-querymodules



Bug#852540: pam_selinux: add new option to select from default_contexts

2017-01-25 Thread cgzones
Package: libpam-modules
Version: 1.1.8-3.5
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

When an SELinux unaware login application, like sddm, tries to set up
sessions via pam, it is not possible to set the new SELinux context
accordingly.

This patch adds an option to pam_selinux.so, so that via different pam
configurations, like sddm does it
https://github.com/sddm/sddm/blob/develop/src/helper/backend/PamBackend.cpp#L220,
different contexts can be assigned.

From: cgzones <cgzo...@googlemail.com>
Date: Tue, 3 Jan 2017 12:04:20 +0100
Subject: [PATCH] pam_selinux: add select_default_context option

---
modules/pam_selinux/README| 11 +
modules/pam_selinux/pam_selinux.8 | 11 -
modules/pam_selinux/pam_selinux.8.xml | 19 +++
modules/pam_selinux/pam_selinux.c | 46 ++-
4 files changed, 80 insertions(+), 7 deletions(-)

diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README
index fb4d449..b1b6be2 100644
--- a/modules/pam_selinux/README
+++ b/modules/pam_selinux/README
@@ -72,6 +72,17 @@ use_current_range
instead of the default level. Also suppresses asking of the sensitivity
level from the user or obtaining it from PAM environment.

+select_default_context=
+
+Select a specific context from the list of default contexts for the login
+user returned by SELinux. By default the first entry is taken.
+Valid values are 'last' or positiv numbers, to select a different context.
+The list of available contexts can be viewed by 'compute_user
src_context seuser'.
+
+Usage:
+select_default_context=2
+select_default_context=last
+
EXAMPLES

auth required  pam_unix.so
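Review bot: "positiv" should be "positive", and the text never says whether `select_default_context=2` selects the second entry or index 2; since "By default the first entry is taken", state explicitly whether numbering is 1-based, and what happens when the number exceeds the list length (fall back to the first entry, or fail the session?). Both matter for a security-relevant setting, because the wrong context ends up on the login session.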
diff --git a/modules/pam_selinux/pam_selinux.8
b/modules/pam_selinux/pam_selinux.8
index acd4f0d..d936cb9 100644
--- a/modules/pam_selinux/pam_selinux.8
+++ b/modules/pam_selinux/pam_selinux.8
@@ -31,7 +31,7 @@
pam_selinux \- PAM module to set the default security context
.SH "SYNOPSIS"
.HP \w'\fBpam_selinux\&.so\fR\ 'u
-\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug]
[verbose] [select_context] [env_params] [use_current_range]
+\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug]
[verbose] [select_context] [env_params] [use_current_range]
[select_default_context=\fIlast|context_number\fR]
.SH "DESCRIPTION"
.PP
pam_selinux is a PAM module that sets up the default SELinux security
context for the next executed process\&.
@@ -99,6 +99,15 @@ Attempt to obtain a custom security context role
from PAM environment\&. If MLS
.RS 4
Use the sensitivity level of the current process for the user context
instead of the default level\&. Also suppresses asking of the
sensitivity level from the user or obtaining it from PAM
environment\&.
.RE
+.PP
+\fBselect_default_context\fR
+.RS 4
+Select a specific context from the list of default contexts for the
login user returned by SELinux\&. By default the first entry is
taken\&. Valid values are 'last' or positiv numbers, to select a
different context\&. The list of a
vailable contexts can be viewed by 'compute_user src_context seuser'\&.
+.RS 2
+Usage:
+.RS 2
+select_default_context=2
+.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
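Review bot: the added block opens `.RS 2` twice and closes with a single `.RE` before `.SH`, so the rendered man page is left with unbalanced indentation; the existing options use one `.RS 4` ... `.RE` pair, follow that. Same "positiv" typo as in the README, and the "The list of a / vailable" wrap should be one line.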
diff --git a/modules/pam_selinux/pam_selinux.8.xml
b/modules/pam_selinux/pam_selinux.8.xml
index 28d465f..210e262 100644
--- a/modules/pam_selinux/pam_selinux.8.xml
+++ b/modules/pam_selinux/pam_selinux.8.xml
@@ -45,6 +45,9 @@
  
   use_current_range
  
+  
+select_default_context=conf-file
+  

  

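Review bot: the synopsis entry says `select_default_context=conf-file`, which contradicts the option description further down in this file (`select_default_context=last|context_number`) and the README; use the same placeholder in all three places.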
@@ -188,6 +191,22 @@
  

  
+  
+
+  
select_default_context=last|context_number
+
+
+  
+Select a specific context from the list of default
contexts for the login
+user returned by SELinux. By default the first entry is taken.
+Valid values are 'last' or positiv numbers, to select a
different context.
+The list of available contexts can be viewed by
'compute_user src_context seuser'.
+Usage:
+  select_default_context=2
+  select_default_context=last
+  
+
+  

  

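Review bot: same "positiv" typo and the same open question as in the README: is `context_number` 1-based, and what is done with an out-of-range value? The XML is the source the README and man page are generated from, so fix the wording here first and regenerate the other two instead of editing all three by hand.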
diff --git a/modules/pam_selinux/pam_selinux.c
b/modules/pam_selinux/pam_selinux.c
index b96cc23..446b4fb 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -63,8 +63,6 @@

#include 
#include 
-#include 
-#include 
#include 
#include 
#include 
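Review bot: this hunk removes two `#include` lines (their names were lost in extraction here) while the rest of the patch only adds a string option; an include cleanup belongs in a separate commit, or the commit message should say which headers became unnecessary and why.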
@@ -480,7 +478,8 @@ set_file_context(const pam_handle_t *pamh,
security_context_t context,
static int
compute_exec_context(pam_handle_t *pamh, module_data_t *data,
int select_context, int use_current_range,
-int env_params, int debug)
+int env_params, int debug,
+const char *select_default_context)
{
  const char *username;

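Review bot: compute_exec_context() now receives the raw `select_default_context` string, so parsing of "last" or a number and the range check happen at every session setup rather than once when the module arguments are parsed. Parse in the argument loop into an index plus a "last" flag, reject bad values there with pam_syslog(), and pass the parsed result, so a misconfigured value is logged once rather than failing quietly per login. Every caller of compute_exec_context() must be updated for the new parameter; that part is not visible in this excerpt.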

Bug#852539: dpkg: run maintainer scripts with SELinux user system_u

2017-01-25 Thread cgzones
Package: dpkg
Version: 1.18.18
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Currently, dpkg runs its maintainer tasks in the SELinux type
dpkg_script_t without changing the SELinux user or role.
So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be
run in unconfined_u:unconfined_r:dpkg_script_t.
The problem is the postinst scripts: they create files and run binaries.
Almost all the files created in this way do not have the correct file
context system_u:object_r:*, which can break a ubac enabled system.
e.g.:

Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0
to system_u:object_r:usr_t:s0
Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to
system_u:object_r:usr_t:s0
Would relabel /var/cache/man/pt/index.db from
unconfined_u:object_r:man_cache_t:s0 to
system_u:object_r:man_cache_t:s0

Also, for example, the exim4 post install script does some work
leading to run exim in system_mail_t, which is not allowed to run
under the roles sysadm_r/unconfined_r.

type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) :
proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp
-bV
type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb
syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local
a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748
auid=christian uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4
exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) :
op=security_compute_sid
invalid_context=staff_u:sysadm_r:system_mail_t:s0
scontext=staff_u:sysadm_r:system_mail_t:s0
tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket

This can cause issues when upgrading packages in enforced mode even as
unconfined user.

The following dpkg patch runs the maintainer tasks in the context
system_u:system_r:dpkg_script_t (may be altered inside the SELinux
policy):

Note: The patch does not touch the SELinux detection in the build
logic and the SELinux policy has to be updated beforehand.

From: root 
Date: Mon, 9 Jan 2017 22:42:03 +0100
Subject: [PATCH] dpkg: fix maintainer SELinux context

---
src/script.c | 95 +---
1 file changed, 85 insertions(+), 10 deletions(-)

diff --git a/src/script.c b/src/script.c
index 2f252ae..72b92cf 100644
--- a/src/script.c
+++ b/src/script.c
@@ -32,6 +32,7 @@
#include 

#ifdef WITH_LIBSELINUX
+#include  // isspace
#include 
#endif

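Review bot: the added `#include` line carries a `// isspace` C++-style comment, while the comments elsewhere in this patch (`/* loop until we find a non-empty line */`, the doc block above get_dpkg_context()) use C style; write it as `/* isspace */` or drop it. Keeping the include inside the WITH_LIBSELINUX block is right, since only the new helper uses it.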
@@ -141,23 +142,97 @@ maintscript_pre_exec(struct command *cmd)
   return cmd->filename + instdirlen;
}

+#ifdef WITH_LIBSELINUX
+/*
+ * derived from get_init_context()
+ * 
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/run_init/run_init.c
+ *
+ * Get the CONTEXT associated with the context for the dpkg maint scripts.
+ *
+ * in:  nothing
+ * out: The CONTEXT associated with the context.
+ * return:  0 on success, -1 on failure.
+ */
+static int
+get_dpkg_context(char **context)
+{
+   FILE *fp;
+   char buf[255], *bufp;
+   size_t buf_len;
+   char context_file[4096];
+   snprintf(context_file, sizeof(context_file) - 1, "%s/%s",
selinux_contexts_path(), "dpkg_context");
+   fp = fopen(context_file, "r");
+   if (!fp) {
+   ohshite(_("Could not open file %s\n"), context_file);
+   return -1;
+   }
+
+   while (1) { /* loop until we find a non-empty line */
+
+   if (!fgets(buf, sizeof buf, fp)) {
+   break;
+   }
+
+   buf_len = strlen(buf);
+   if (buf[buf_len - 1] == '\n') {
+buf[buf_len - 1] = 0;
+   }
+
+   bufp = buf;
+   while (*bufp && isspace(*bufp)) {
+bufp++;
+   }
+
+   if (*bufp) {
+   *context = strdup(bufp);
+   if (!(*context)) {
+   goto out;
+   }
+   fclose(fp);
+   return 0;
+   }
+   }
+  out:
+   fclose(fp);
+   ohshit(_("No context in file %s\n"), context_file);
+   return -1;
+}
+#endif
+
/**
 * Set a new security execution context for the maintainer script.
- *
- * Try to create a new execution context based on the current one and the
- * specific maintainer script filename. If it's the same as the current
- * one, use the given fallback.
 */
static int
-maintscript_set_exec_context(struct command *cmd, const char *fallback)
+maintscript_set_exec_context(void)
{
+#ifdef WITH_LIBSELINUX
   int rc = 0;
+   char *dpkg_context = NULL;

-#ifdef WITH_LIBSELINUX
-   rc = setexecfilecon(cmd->filename, fallback);
-#endif
+   if (is_selinux_enabled() < 1) {
+   return 0;
+ 
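Review bot: get_dpkg_context() needs three fixes before this can go in. `isspace(*bufp)` is passed a plain `char`, which is undefined for negative values; cast to `unsigned char`. `buf[buf_len - 1]` indexes before the buffer when fgets() returns a line whose first byte is NUL (buf_len == 0); guard it with `if (buf_len > 0 && buf[buf_len - 1] == '\n')`. And if ohshite()/ohshit() are dpkg's fatal error helpers, the `return -1` after each is unreachable, and a strdup() failure jumping to `out:` reports "No context in file" rather than an allocation failure. Minor: `sizeof(context_file) - 1` in the snprintf() call is unnecessary, snprintf() already reserves room for the terminator. The raw line read from dpkg_context is handed back without validation; running it through security_check_context() before setexeccon() would turn a typo in that file into a clear error instead of a failed exec. Finally, the doc comment on maintscript_set_exec_context() lost its description: it should now say the context comes from selinux_contexts_path()/dpkg_context and that the script filename and fallback are no longer consulted. The hunk is cut off in the mail at `return 0;`, so the callers of the old (cmd, fallback) signature cannot be reviewed here.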

Bug#850531: noise on minimal vm with SElinux

2017-01-07 Thread cgzones
Package: cruft
Version: 0.9.29

Running cruft on a test vm with SELinux creates some noise.
I created some filters and explain scripts following the guideline:
filters contain paths which may be present on the system, and paths
from the explain scripts must be present.
In addition, I ignored the two kernel pseudo filesystems selinuxfs and
tracefs in the common_legacy script.

policycoreutils.explain
===
#!/bin/sh

echo /etc/selinux/config

echo /usr/sbin/load_policy
===

selinux-policy-default.explain
===
#!/usr/bin/env python3

import re
import subprocess

print('/etc/selinux/default/contexts/files/file_contexts')
print('/etc/selinux/default/contexts/files/file_contexts.bin')
print('/etc/selinux/default/contexts/files/file_contexts.homedirs')
print('/etc/selinux/default/contexts/files/file_contexts.homedirs.bin')
print('/etc/selinux/default/seusers')
# policyvers holds the loaded policy version (e.g. "30"); strip the trailing
# newline so the printed path does not end in a line break
with open('/sys/fs/selinux/policyvers', 'r') as f:
    policyvers = f.readline().strip()
print('/etc/selinux/default/policy/policy.' + policyvers)

# semodule --list-modules=full prints "<priority> <module> <pp|cil> [disabled]"
pattern = re.compile(r'^(\d+)\s+([a-z0-9_]+)\s+(pp|cil)\s*(disabled)?$')
cp = subprocess.run(['/usr/sbin/semodule', '--list-modules=full',
                     '--store', 'default'],
                    stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                    universal_newlines=True, check=True)
for line in cp.stdout.splitlines():
    m = pattern.match(line)
    if m:
        priority = m.group(1)
        module = m.group(2)
        # group 4 is None unless the module is marked disabled
        disabled = m.group(4) == 'disabled'

        base = '/var/lib/selinux/default/active/modules/' + priority
        print(base)
        print(base + '/' + module)
        print(base + '/' + module + '/hll')
        print(base + '/' + module + '/cil')
        print(base + '/' + module + '/lang_ext')

        if disabled:
            print('/var/lib/selinux/default/active/modules/disabled/' + module)

print('/var/lib/selinux/default/active')
print('/var/lib/selinux/default/active/booleans.local')
print('/var/lib/selinux/default/active/commit_num')
print('/var/lib/selinux/default/active/file_contexts')
print('/var/lib/selinux/default/active/homedir_template')
print('/var/lib/selinux/default/active/modules')
print('/var/lib/selinux/default/active/modules/100')
print('/var/lib/selinux/default/active/modules/disabled')
print('/var/lib/selinux/default/active/policy.kern')
print('/var/lib/selinux/default/active/seusers')
print('/var/lib/selinux/default/active/seusers.local')
print('/var/lib/selinux/default/active/users_extra')
print('/var/lib/selinux/default/semanage.read.LOCK')
print('/var/lib/selinux/default/semanage.trans.LOCK')
===

selinux-policy-dev.explain
===
#!/bin/bash

echo /var/lib/sepolgen/interface_info
===

apt-listchanges.filter
===
/usr/share/apt-listchanges/__pycache__
/usr/share/apt-listchanges/__pycache__/*.pyc

/var/lib/apt/listchanges.db
===

auditd.filter
===
/etc/audit/audit.rules
/etc/audit/audit.rules.prev
/var/log/audit/audit.log*
===

policycoreutils.filter
===
/var/lib/selinux/final
/var/lib/selinux/tmp
===

selinux-basics.filter
===
/usr/share/selinux-basics/tests/__pycache__
/usr/share/selinux-basics/tests/__pycache__/*.pyc
===


With these changes the report looks like:

cruft report: Sat Jan  7 15:19:01 CET 2017

 missing: dpkg 
  # i do not know why they are missing, reinstalling libglib2.0-0
does not help
   /usr/lib/x86_64-linux-gnu/gio
   /usr/lib/x86_64-linux-gnu/gio/modules
 unexplained: / 
  # i think these two are from the installation process?
   /etc/apt/apt.conf.d/00CDMountPoint
   /etc/apt/apt.conf.d/00trustcdrom
   # my custom configuration files
   /etc/apt/apt.conf.d/01aptcacher
   /etc/apt/apt.conf.d/10periodic
  # apt listchanges conf, should be handled by explain script?
   /etc/apt/listchanges.conf
  # custom configuration file
   /etc/tmpfiles.d/x11.conf
  # do not know what do to about these two
   /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8
   /tmp/systemd-private-7b3b2461cf5840c8986a3827beef6b31-systemd-timesyncd.service-l1BCT8/tmp
  # stamp file from apt.daily script, should be handled by filter?
   /var/lib/apt/periodic/clean-stamp
 broken symlinks: / 
   # gcc bugs?
   # root@debianSE:/etc/cruft/explain# ll /usr/share/man/man1/gcc*

Bug#849886: create /var/log/monit.log with correct SELinux context

2017-01-01 Thread cgzones
Package: monit
Version: 1:5.20.0-4

On package installation, the log file /var/log/monit.log is created by
the post install script monit.postinst.
The SELinux context will not be correctly set up.
Can you please either add something like

if [ -x /sbin/restorecon ]; then
   /sbin/restorecon /var/log/monit.log
fi

to restore the context or install the file via

install -o root -g adm -m 0640 /dev/null /var/log/monit.log

?

Kindly Regards,
 Christian Göttsche



Bug#849858: split systemd tmpfile configuration files into respective packages

2017-01-01 Thread cgzones
You're right, the default SELinux policy package for Debian,
selinux-policy-default, ships the xserver module and loads it.
But it not only loads the xserver module by default, it loads all ~377
modules (that's an issue for the refpolicy package).
For a mix of performance, security, handsomeness and clarity I only
load the modules needed for my system, and xserver is not one of them.

2017-01-01 16:35 GMT+01:00 Michael Biebl <bi...@debian.org>:
> Am 01.01.2017 um 16:14 schrieb cgzones:
>> I meant the x11-common Debian package.
>> The SELinux file contexts are defined in the xserver module:
>> https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/xserver.fc
>>
>> 2017-01-01 16:04 GMT+01:00 Michael Biebl <bi...@debian.org>:
>>> Am 01.01.2017 um 16:00 schrieb cgzones:
>>>> Oops,
>>>> I am sorry.
>>>> Seems I forgot to check the file affiliations beside the x11 one.
>>>>
>>>> So my question breaks down to whether the x11.conf file can be
>>>> distributed by the x11-common (or similar) package.
>>>
>>> Why exactly? I don't find x11 specific selinux policy files.
>
> I still don't understand why we would need to move the tmpfiles config
> file from systemd to x11-common. Mind you that I don't have any selinux
> knowledge.
> Afaics, in Debian we have selinux-policy-default which should contain
> the selinux policy for the X11 tmp directories.
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>



Bug#849858: split systemd tmpfile configuration files into respective packages

2017-01-01 Thread cgzones
Oops,
I am sorry.
Seems I forgot to check the file affiliations beside the x11 one.

So my question breaks down to whether the x11.conf file can be
distributed by the x11-common (or similar) package.

2017-01-01 15:41 GMT+01:00 Michael Biebl <bi...@debian.org>:
> Am 01.01.2017 um 15:19 schrieb cgzones:
>> Package: systemd
>> Version: 232-8
>>
>> Can the configuration files under /usr/lib/tmpfiles.d/ be distributed
>> by their respective packages?
>> Like:
>> Configuration file   Package
>> colord.conf                 colord
>
> $ apt-file search /usr/lib/tmpfiles.d/colord.conf
> colord: /usr/lib/tmpfiles.d/colord.conf
>
>> dbus.conf                   dbus
>
> $ apt-file search /usr/lib/tmpfiles.d/dbus.conf
> dbus: /usr/lib/tmpfiles.d/dbus.conf
>
>> gvfsd-fuse-tmpfiles.conf    gvfs or gvfs-common
>
> $ apt-file search /usr/lib/tmpfiles.d/gvfsd-fuse-tmpfiles.conf
> gvfs-common: /usr/lib/tmpfiles.d/gvfsd-fuse-tmpfiles.conf
>
>> lvm2.conf                   lvm2
>
> $ apt-file search /usr/lib/tmpfiles.d/lvm2.conf
> lvm2: /usr/lib/tmpfiles.d/lvm2.conf
>
>> man-db.conf                 man-db
>
> $ apt-file search /usr/lib/tmpfiles.d/man-db.conf
> man-db: /usr/lib/tmpfiles.d/man-db.conf
>
>> openvpn.conf                openvpn
>
> $ apt-file search /usr/lib/tmpfiles.d/openvpn.conf
> openvpn: /usr/lib/tmpfiles.d/openvpn.conf
>
>> sshd.conf                   openssh-server
>
> $ apt-file search /usr/lib/tmpfiles.d/sshd.conf
> openssh-server: /usr/lib/tmpfiles.d/sshd.conf
>
>> x11.conf                    x11-common
>
> $ apt-file search /usr/lib/tmpfiles.d/x11.conf
> systemd: /usr/lib/tmpfiles.d/x11.conf
>
>
> So, as you see, those are all distributed by the individual packages,
> the only expection being x11.conf.
>
> I'm not quite sure therefore, what exactly you are asking for.
>
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>



Bug#849858: split systemd tmpfile configuration files into respective packages

2017-01-01 Thread cgzones
Package: systemd
Version: 232-8

Can the configuration files under /usr/lib/tmpfiles.d/ be distributed
by their respective packages?
Like:

Configuration file          Package
colord.conf                 colord
dbus.conf                   dbus
gvfsd-fuse-tmpfiles.conf    gvfs or gvfs-common
lvm2.conf                   lvm2
man-db.conf                 man-db
openvpn.conf                openvpn
sshd.conf                   openssh-server
x11.conf                    x11-common

The reason this is bothering me is that I am using SELinux on a
headless Debian, i.e. I have no xserver/x11 package installed.
Therefore I have no SELinux modules for xserver/x11 loaded.
But because systemd-tmpfiles creates the temporary files for x11 and I
have no SELinux context for them, I get this output when relabeling
the filesystem:

root@debianSE:/root/dtdnssync# restorecon -vv -R -n /
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix
Warning no default label for /tmp/.font-unix

It's not breaking anything but it's noisy.

Kindly Regards,
 Christian Göttsche



Bug#849636: apt-daily: do not use pidof

2016-12-31 Thread cgzones
First I'd like to question whether the dbus code is needed at all. A quick
Debian codesearch shows no other usages:
https://codesearch.debian.net/search?q=app%5C.apt

Do we need to check if dbus is running or is it sufficient to simply
try silently via:

if which dbus-send >/dev/null 2>&1; then
    if dbus-send --system / app.apt.dbus.updated boolean:true >/dev/null 2>&1; then

Kindly Regards,
Christian Göttsche

2016-12-30 21:43 GMT+01:00 David Kalnischkies <da...@kalnischkies.de>:
> Control: severity -1 wishlist
>
> On Thu, Dec 29, 2016 at 12:22:02PM +0100, cgzones wrote:
>> The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
>> to check whether dbus is running and whether to send a message.
>> With SELinux enabled this causes avc denials like:
> […]
>> I do not like to grant apt these permissions but I also want apt to
>> announce an update to dbus,
>> so can you rework the dbus check?
>
> Perhaps. Given you are the first person in 8 years to complain about
> this (#438803) perhaps you have also an idea how as I have neither
> a SELinux setup nor know what you would deem acceptable.
>
> (truth be told, I don't even use that cron job, so I am not going to be
> available for review above very trivial changes and even that…)
>
> I guess we could use (pseudo code) "if systemd; then systemctl is-active
> dbus; else pidof dbus; fi" but that would really need someone to verify
> that this has the intended result (and is available in your setup).
>
>
> Best regards
>
> David Kalnischkies
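One way to drop the pidof probe entirely, as an added example rather than apt's own apt.systemd.daily: attempt the dbus-send call and silence its result, so apt_t needs no search permission on other domains' /proc entries. The optional argument naming the dbus-send binary is an assumption made here so the logic can be exercised with a constructed stand-in; apt's script has no such parameter.

```shell
#!/bin/sh
# Added example, not apt's apt.systemd.daily: announce an update on the
# system bus without first running "pidof dbus-daemon". pidof (killall5)
# opens /proc/<pid>/stat for every process, which is exactly the search
# denial on /proc quoted in the bug report. Attempting the call and
# discarding its outcome needs no such permission.
#
# The optional first argument names the dbus-send binary; it exists only
# so the logic can be exercised with a stand-in and defaults to the
# dbus-send found on PATH.
#
# Return codes: 0 signal sent, 1 system bus not reachable,
#               2 no dbus-send client installed.
apt_notify_dbus_updated() {
    dbus_send=${1:-dbus-send}

    # Without a client there is nothing to announce; not an error for a
    # daily maintenance job.
    command -v "$dbus_send" >/dev/null 2>&1 || return 2

    # The signal from the bug thread. A missing or unreachable system bus
    # makes dbus-send fail; that failure is silenced instead of pre-checked.
    if "$dbus_send" --system / app.apt.dbus.updated boolean:true \
        >/dev/null 2>&1; then
        return 0
    fi
    return 1
}
```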



Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context

2016-12-31 Thread cgzones
Thanks again for your feedback.
The statement I was looking for is:

genfscon debugfs /tracing gen_context(system_u:object_r:tracefs_t,s0)

I added the file contexts:

/sys/kernel/debug/.*               gen_context(system_u:object_r:debugfs_t,s0)
/sys/kernel/debug/tracing(/.*)?    gen_context(system_u:object_r:tracefs_t,s0)

to avoid restorecon spamming me with messages like:

restorecon:  Warning no default label for /sys/kernel/debug/ieee80211
restorecon:  Warning no default label for /sys/kernel/debug/clk
restorecon:  Warning no default label for /sys/kernel/debug/clk/osc

Kindly Regards,
  Christian Göttsche

2016-12-31 12:49 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On 12/31/2016 12:41 PM, Dominick Grift wrote:
>> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>>> On 12/31/2016 11:34 AM, cgzones wrote:
>>>> Wow!
>>>>
>>>> Thank you very much, I was completely unaware of this feature.
>>>> I did not read any documentation of it on selinuxproject.org or in The
>>>> SELinux Notebook v4 about it.
>>>>
>>>> I got it working via
>>>>
>>>> genfscon sysfs /devices/system/cpu/online
>>>> gen_context(system_u:object_r:cpu_online_t,s0)
>>>>
>>>> at 
>>>> https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>>>
>>>> One small issue arises for me:
>>>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>>>> 'genfscon sysfs /kernel/debug/tracing
>>>> gen_context(system_u:object_r:tracefs_t,s0)'
>>>> but is it still labeled initially system_u:object_r:debugfs_t:s0 after
>>>> boot but seems to change on the first access?
>
> I misread, yes i think tracefs is mounted on demand. But this should not
> be problem because users of tracefs need to be able to traverse debugfs
> anyway.
>
>>>
>>> you need a genfscon for tracefs, it is mounted on the
>>> kernel/debug/tracing dir
>>>
>>> genfscon tracefs / gen_context()
>>
>> Also a word of advice: don't add any fc specs for anything under /sys
>>
>> The stuff in there are not files (its a pseudo fs like /proc and proc
>> also doesnt have fc specs)
>>
>>>
>>>>
>>>> Example pattern:
>>>>
>>>> [...] boot + ssh login
>>>> root@debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>> Would relabel /sys/kernel/debug/tracing from
>>>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>>>> root@debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>>
>>>> Why?
>>>>
>>>> I think otherwise this bug can be reassigned to refpolicy.
>>>>
>>>> Thanks again Dominick
>>>> Kindly Regards,
>>>>Christian Göttsche
>>>>
>>>> P.s.:
>>>> The kernel patch is over here:
>>>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>>>> (might be Linux 4.2? plenty enough for me)
>>>>
>>>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>>>> But isn't genfscon with subcontexts only available on the /proc 
>>>>>> filesystem?
>>>>>
>>>>> If your kernel is not too old, then it also work for sysfs
>>>>>
>>>>>>
>>>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>>>>>> wrote:
>>>>>>>> reassign 849637 policycoreutils
>>>>>>>> thanks
>>>>>>>&

Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context

2016-12-31 Thread cgzones
Wow!

Thank you very much, I was completely unaware of this feature.
I did not read any documentation of it on selinuxproject.org or in The
SELinux Notebook v4 about it.

I got it working via

genfscon sysfs /devices/system/cpu/online
gen_context(system_u:object_r:cpu_online_t,s0)

at 
https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1

One small issue arises for me:
I tried to set up the directory '/sys/kernel/debug/tracing' via
'genfscon sysfs /kernel/debug/tracing
gen_context(system_u:object_r:tracefs_t,s0)'
but it is still labeled system_u:object_r:debugfs_t:s0 initially after
boot and seems to change on the first access?

Example pattern:

[...] boot + ssh login
root@debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix
Would relabel /sys/kernel/debug/tracing from
system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
root@debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix

Why?

I think otherwise this bug can be reassigned to refpolicy.

Thanks again Dominick
Kindly Regards,
   Christian Göttsche

P.s.:
The kernel patch is over here:
https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
(might be Linux 4.2? plenty enough for me)

2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On 12/30/2016 10:51 PM, cgzones wrote:
>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>
> If your kernel is not too old, then it also works for sysfs
>
>>
>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>> wrote:
>>>> reassign 849637 policycoreutils
>>>> thanks
>>>>
>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>>>
>>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>  > is mislabeled after boot:
>>>>  >
>>>>  > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>
>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>
>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>> initscript is explicitly relabeling it during boot.
>>>>
>>>> Under systemd, that initscript is masked by the 
>>>> selinux-autorelabel.service.
>>>>
>>>> I was planning to add a tmpfiles for this, but apparently I forgot about 
>>>> it.
>>>>
>>>> Reassigning to policycoreutils
>>>>
>>>> Laurent Bigonville
>>>
>>> you should be able to add a genfscon() in policy for this, provided that
>>> the kernel is not too old to support that feature
>>>
>>> I would avoid the alternative if possible
>>>>
>>>>
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>>
>>> ___
>>> SELinux-devel mailing list
>>> selinux-de...@lists.alioth.debian.org
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
>



Bug#849637: [DSE-Dev] Bug#849637: /sys/devices/system/cpu/online SELinux context

2016-12-30 Thread cgzones
But isn't genfscon with subcontexts only available on the /proc filesystem?

2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
> wrote:
>> reassign 849637 policycoreutils
>> thanks
>>
>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>
>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>  > is mislabeled after boot:
>>  >
>>  > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>  > Would relabel /sys/devices/system/cpu/online from
>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>
>> Not sure why this is assigned to systemd as this is not created by systemd.
>>
>> It's working with sysvinit because the selinux-autorelabel LSB
>> initscript is explicitly relabeling it during boot.
>>
>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>
>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>
>> Reassigning to policycoreutils
>>
>> Laurent Bigonville
>
> you should be able to add a genfscon() in policy for this, provided that
> the kernel is not too old to support that feature
>
> I would avoid the alternative if possible
>>
>>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
>
> ___
> SELinux-devel mailing list
> selinux-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel



Bug#849637: /sys/devices/system/cpu/online SELinux context

2016-12-30 Thread cgzones
Hi,
thanks for your response.
I assigned this bug to systemd because I did not know any better and
thought the sysfs filesystem is managed by systemd, like /run.

Btw, /dev/pts/ptmx is also mislabeled:

root@debianSE:~# restorecon -vv -R -n /dev
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Would relabel /dev/pts/ptmx from system_u:object_r:devpts_t:s0 to
system_u:object_r:ptmx_t:s0


Kindly Regards,
Christian Göttsche

2016-12-30 12:39 GMT+01:00 Laurent Bigonville <bi...@debian.org>:
> reassign 849637 policycoreutils
> thanks
>
> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>
>> When running a SELinux enabled system /sys/devices/system/cpu/online
>> is mislabeled after boot:
>>
>> root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>> Would relabel /sys/devices/system/cpu/online from
>> system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>
> Not sure why this is assigned to systemd as this is not created by systemd.
>
> It's working with sysvinit because the selinux-autorelabel LSB initscript is
> explicitly relabeling it during boot.
>
> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>
> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>
> Reassigning to policycoreutils
>
> Laurent Bigonville



Bug#849637: /sys/devices/system/cpu/online SELinux context

2016-12-29 Thread cgzones
Package: systemd
Version: 232-8

When running a SELinux enabled system /sys/devices/system/cpu/online
is mislabeled after boot:

root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
Would relabel /sys/devices/system/cpu/online from
system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0

Kindly Regards,
 Christian Göttsche



Bug#849636: apt-daily: do not use pidof

2016-12-29 Thread cgzones
Package: apt
Version: 1.4~beta2

The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
to check whether dbus is running and whether to send a message.
With SELinux enabled this causes avc denials like:

type=PROCTITLE msg=audit(12/29/16 07:43:22.385:42209) : proctitle=pidof dbus-daemon
type=PATH msg=audit(12/29/16 07:43:22.385:42209) : item=0 name=3/stat nametype=UNKNOWN
type=CWD msg=audit(12/29/16 07:43:22.385:42209) : cwd=/proc
type=SYSCALL msg=audit(12/29/16 07:43:22.385:42209) : arch=armeb syscall=open per=PER_LINUX_32BIT success=no exit=EACCES(Permission denied) a0=0x7ec069a4 a1=O_RDONLY|O_NOFOLLOW a2=0x1b6 a3=0x1b6 items=1 ppid=3661 pid=3797 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/sbin/killall5 subj=system_u:system_r:apt_t:s0 key=(null)
type=AVC msg=audit(12/29/16 07:43:22.385:42209) : avc:  denied  { search } for  pid=3797 comm=pidof name=3 dev="proc" ino=6775 scontext=system_u:system_r:apt_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0

I do not like to grant apt these permissions but I also want apt to
announce an update to dbus,
so can you rework the dbus check?

Kindly Regards,
 Christian Göttsche



Bug#849460: Ship list of module in base module package

2016-12-27 Thread cgzones
Package: refpolicy
Version: 2:2.20161023.1-3

Ship a list of modules build into the base module package.
This might help with module management.

---
 debian/rules  | 1 +
 debian/selinux-policy-default.install | 1 +
 debian/selinux-policy-mls.install | 1 +
 3 files changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index 45e0187..d6fe74b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -122,6 +122,7 @@ install-%-policy: build-%-policy
  mkdir -p $(CURDIR)/debian/tmp/var/lib/selinux/$*
 # Create a list with the modules we are shipping
  (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; LC_ALL=C ls -1 | cut
-d. -f1 > .modules)
+ (cd $(CURDIR)/debian/tmp/usr/share/selinux/$*; grep -P
'^[a-z0-9_]+\s*=\s*base$$'
$(CURDIR)/debian/build-$*/policy/modules.conf | cut -d= -f1 | awk
'{$$1=$$1};1' | LC_ALL=C sort > .basemodules)
  touch $@

 # The headers are based on the default policy
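Review bot: the added recipe line leans on `grep -P` (a PCRE-enabled grep) and then needs `cut -d= -f1 | awk '{$$1=$$1};1'` only to trim whitespace around the module name; a single `sed -n 's/^\([a-z0-9_][a-z0-9_]*\)[[:space:]]*=[[:space:]]*base$$/\1/p'` on modules.conf extracts the name portably and drops both post-processing stages. Two smaller points: the line is long enough to deserve backslash continuations, and when modules.conf lists no `= base` entry the pipeline still succeeds (sort exits 0) and quietly ships an empty .basemodules, which may be worth a check if the file is meant to drive module management.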
diff --git a/debian/selinux-policy-default.install
b/debian/selinux-policy-default.install
index b736f14..2d792e9 100644
--- a/debian/selinux-policy-default.install
+++ b/debian/selinux-policy-default.install
@@ -1,4 +1,5 @@
 etc/selinux/default/
+usr/share/selinux/default/.basemodules
 usr/share/selinux/default/.modules
 usr/share/selinux/default/*.pp
 var/lib/selinux/default/
diff --git a/debian/selinux-policy-mls.install
b/debian/selinux-policy-mls.install
index ef57ad0..8c0082c 100644
--- a/debian/selinux-policy-mls.install
+++ b/debian/selinux-policy-mls.install
@@ -1,4 +1,5 @@
 etc/selinux/mls/
+usr/share/selinux/mls/.basemodules
 usr/share/selinux/mls/.modules
 usr/share/selinux/mls/*.pp
 var/lib/selinux/mls/
-- 
2.8.1



Bug#849463: domain_auto_trans is deprecated

2016-12-27 Thread cgzones
Package: refpolicy
Version: 2:2.20161023.1-3

The usage of the macro domain_auto_trans is deprecated.
Use domain_auto_transition_pattern instead.

---
 debian/example/example.if | 2 +-
 debian/policygentool  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/example/example.if b/debian/example/example.if
index e9308e5..de3c797 100644
--- a/debian/example/example.if
+++ b/debian/example/example.if
@@ -29,7 +29,7 @@ interface(`myapp_domtrans',`
  type myapp_t, myapp_exec_t;
  ')

- domain_auto_trans($1,myapp_exec_t,myapp_t)
+ domain_auto_transition_pattern($1,myapp_exec_t,myapp_t)

  allow $1 myapp_t:fd use;
  allow myapp_t $1:fd use;
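Review bot: the replacement is correct, but since the interface goes on to `allow $1 myapp_t:fd use;` and `allow myapp_t $1:fd use;`, the idiomatic refpolicy form is `domtrans_pattern($1, myapp_exec_t, myapp_t)`, which already grants the fd, fifo_file and sigchld permissions a transition needs and makes the explicit allow rules after it redundant. The same applies to the TEMPLATETYPE hunk in debian/policygentool below.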
diff --git a/debian/policygentool b/debian/policygentool
index 47afdd5..1180459 100644
--- a/debian/policygentool
+++ b/debian/policygentool
@@ -42,7 +42,7 @@ interface(`TEMPLATETYPE_domtrans',`
  type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
  ')

- domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+ domain_auto_transition_pattern($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)

  allow $1 TEMPLATETYPE_t:fd use;
  allow TEMPLATETYPE_t $1:fd use;
-- 
2.8.1



Bug#849461: Use dh_install --fail-missing

2016-12-27 Thread cgzones
Package: refpolicy
Version: 2:2.20161023.1-3

Use dh_install --fail-missing for hard build errors.

---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index d6fe74b..d1f7e7c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,7 +23,7 @@ endif
 override_dh_auto_configure: $(patsubst %, conf-%-policy, $(FLAVOURS))
conf-docs conf-src

 override_dh_install:
- dh_install --list-missing
+ dh_install --fail-missing

 override_dh_fixperms:
  dh_fixperms
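Review bot: switching to `--fail-missing` turns the current informational listing into a hard build failure, so before applying it confirm the .install files cover every file left under debian/tmp for each flavour in $(FLAVOURS), including the output of conf-docs and conf-src; any stray file will now stop the build instead of being listed.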
-- 
2.8.1



Bug#849459: fix gbp config warning

2016-12-27 Thread cgzones
Package: refpolicy
Version: 2:2.20161023.1-3

Git-buildpackage complains about an old config format.
While at it, reintroduce signing tags.

---
 debian/gbp.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/gbp.conf b/debian/gbp.conf
index 6837223..557fbe8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -3,6 +3,7 @@ debian-branch = debian
 upstream-branch = upstream
 pristine-tar = True

-[git-buildpackage]
+[buildpackage]
+sign-tags = True
 tarball-dir = ../tarballs/
 export-dir = ../build-area/
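Review bot: `sign-tags = True` in the package-wide config makes `gbp buildpackage --git-tag` fail for anyone without a usable GPG key in their environment; either add a `keyid` setting next to it so the expected signing key is explicit, or leave tag signing to the uploader's per-user ~/.gbp.conf. The `[buildpackage]` rename itself matches the warning described in the bug.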
-- 
2.8.1



Bug#848232: semanage login: no awareness of existing entries

2016-12-17 Thread cgzones
Hi,
yes I am using libsepol1 2.6-2:

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages policycoreutils-python-utils depends on:
ii  libc6 2.24-8
ii  libselinux1   2.6-3
ii  libsepol1 2.6-2
ii  policycoreutils   2.6-2
ii  python3-audit 1:2.6.7-1
ii  python3-ipy   1:0.83-1
ii  python3-selinux   2.6-3
ii  python3-semanage  2.6-1
ii  python3-sepolgen  2.6-3
ii  python3-sepolicy  2.6-2
pn  python3:any   
ii  selinux-utils 2.6-3

policycoreutils-python-utils recommends no packages.

policycoreutils-python-utils suggests no packages.

-- no debconf information


Can I test the upstream version by running
#sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap
from the git repo inside a vm, or do I have to make more preparations
to really use only upstream dependencies?
I tried the upstream version without overwriting the system files, but
that does not solve the issue.
But I am not sure the upstream python modules were used, and probably
the system's libsepol was used too.

Kindly Regards,
 Christian Göttsche

2016-12-17 9:57 GMT+01:00 Laurent Bigonville <bi...@debian.org>:
> On 15/12/16 at 14:13, cgzones wrote:
>
> Hi,
>>
>> When working on SELinux login settings, it seems that semanage is not
>> aware of already existing entries.
>
> Could you please try with libsepol1 2.6-2. I think this is a duplicate of
> #846484
>
> Regards,
>
> Laurent Bigonville



Bug#848232: semanage login: no awareness of existing entries

2016-12-15 Thread cgzones
Package: policycoreutils-python-utils
Version: 2.6-2

When working on SELinux login settings, it seems that semanage is not
aware of already existing entries.
Example usage:

root@desktopdebian:/home/christian# semanage login -a -s unconfined_u christian
libsemanage.add_user: user system_u not in password file
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            unconfined_u         s0                   *
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
root@desktopdebian:/home/christian# semanage login -m -s user_u christian
ValueError: Login mapping for christian is not defined
   # error
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            unconfined_u         s0                   *
   # not updated
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
root@desktopdebian:/home/christian# semanage login -a -s user_u christian
libsemanage.add_user: user system_u not in password file
   # no error! although user existed
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            user_u               s0                   *
   # updated!
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
root@desktopdebian:/home/christian# semanage login -d -s user_u christian
ValueError: Login mapping for christian is not defined
   # error
root@desktopdebian:/home/christian# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
christian            user_u               s0                   *
   # not deleted
root                 root                 s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *


Kindly regards,
Christian Göttsche



Bug#822987: seinfo: no types and attributes treated as types

2016-04-29 Thread cgzones
Package: setools
Version: 3.3.8+20151215-3
Severity: normal


After the recent upgrades of the selinux userland libraries I noticed
a bug in the seinfo tool.

Example output:

christian@debianSE:~$ seinfo

Statistics for policy file: /etc/selinux/default/policy/policy.30
Policy Version & Type: v.30 (binary, mls)

   Classes:            93    Permissions:       254
   Sensitivities:       1    Categories:       1024
   Types:               0    Attributes:
   Users:               6    Roles:              14
   Booleans:          234    Cond. Expr.:       265
   Allow:          107477    Neverallow:          0
   Auditallow:         26    Dontaudit:       17448
   Type_trans:       8930    Type_change:        72
   Type_member:        16    Role allow:         28
   Role_trans:        454    Range_trans:        38
   Constraints:       161    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           89    Portcon:           458
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2

# notice 0 types

christian@debianSE:~$ seinfo -tinit_t -x
christian@debianSE:~$ seinfo -ainit_t -x
   init_t
  init_t
  dbusd_unconfined
  dbusd_system_bus_client
  sepgsql_unconfined_type
  x_domain
  xserver_unconfined_type
christian@debianSE:~$ seinfo -t

Types: 0
christian@debianSE:~$ seinfo -a
...
# lists hundreds of types
...
   samba_log_t
   services_munin_plugin_tmpfs_t
   spamd_port_t
   transproxy_initrc_exec_t
   tripwire_report_t
   wireshark_input_xevent_t


Maybe this
https://bugzilla.redhat.com/show_bug.cgi?id=1291336
bugreport is related?


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages setools depends on:
ii  libbz2-1.01.0.6-8
ii  libc6 2.22-7
ii  libgcc1   1:6.0.1-2
ii  libqpol1  3.3.8+20151215-3
ii  libselinux1   2.5-1
ii  libsqlite3-0  3.12.2-1
ii  libstdc++66.0.1-2
ii  libxml2   2.9.3+dfsg1-1

setools recommends no packages.

Versions of packages setools suggests:
pn  setools-gui  

-- no debconf information



Bug#822679: Attempts to mount /proc as a regular user

2016-04-27 Thread cgzones
I can confirm this bug.
It seems this is already fixed upstream; can you please cherry pick this
https://github.com/SELinuxProject/selinux/commit/5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
patch?


Bug#813604: newrole: pamd error

2016-02-03 Thread cgzones
Package: newrole
Version: 2.4-4

When I try to use newrole on Debian testing with upstream refpolicy
(https://github.com/TresysTechnology/refpolicy) installed, I get the
following error:

root@debianSe:~# newrole -r sysadm_r -t sysadm_t
Password:
newrole: incorrect password for root
Error sending audit message.

There is an error message in /var/log/auth.log:
Feb  3 16:58:53 debianSe newrole: PAM audit_log_acct_message() failed:
Operation not permitted


The transition should be allowed by selinux:

root@debianSe:~# semanage user -l
SELinux User    SELinux Roles

root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r

root@debianSe:~# id -Z
root:staff_r:staff_t


When I configure the seuser like 'semanage -m -R sysadm_r root', I can
login with a sysadm_r role.


root@debianSe:~# cat /etc/pam.d/newrole
#%PAM-1.0

@include common-auth
@include common-account
@include common-session
session  required pam_namespace.so unmnt_remnt no_unmount_on_close



Bug#707633: monit: backport 5.5

2013-05-09 Thread cgzones
Package: monit
Version: 1:5.4-2
Severity: wishlist

Hi,
can you please backport monit 5.5 for Debian wheezy?

Best regards,
Christian Göttsche


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#691283: selinux-policy-default: monit policy package

2012-10-23 Thread cgzones
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist

Hi,
can you include a policy package for monit?
I wrote one which covers the monit daemon, the web interface, the
process monitoring and the monit invocation from a root console.
It does not cover connections to m/monit and file monitoring.
The only thing I could not include in the package is the port
labeling, so I am doing it by hand with:
semanage port -a -t monit_port_t -p tcp 2812

Best regards,
Christian Göttsche

/etc/monit(/.*)?                gen_context(system_u:object_r:monit_etc_t,s0)
/etc/monit/monitrc              gen_context(system_u:object_r:monit_config_t,s0)
/etc/monit/conf.d(/.*)?         gen_context(system_u:object_r:monit_config_t,s0)
/etc/monit/monit-config(/.*)?   gen_context(system_u:object_r:monit_config_t,s0)
/usr/sbin/monit                 gen_context(system_u:object_r:monit_exec_t,s0)
/usr/bin/monit                  gen_context(system_u:object_r:monit_exec_t,s0)

/var/lib/monit(/.*)?            gen_context(system_u:object_r:monit_lib_t,s0)
/var/log/monit(/.*)?            gen_context(system_u:object_r:monit_log_t,s0)
/var/log/monit.*        --      gen_context(system_u:object_r:monit_log_t,s0)
## summary/summary
policy_module(monit,1.0.0)

 file/domain-types
type monit_t;
domain_type(monit_t)

type monit_exec_t;
files_type(monit_exec_t)

type monit_etc_t;
files_type(monit_etc_t)

type monit_config_t;
files_config_file(monit_config_t)

type monit_lib_t;
files_type(monit_lib_t)

type monit_port_t;
corenet_port(monit_port_t)

type monit_log_t;
logging_log_file(monit_log_t)
logging_log_filetrans(monit_t, monit_log_t, {file dir})

type monit_run_t;
files_pid_file(monit_run_t)
files_pid_filetrans(monit_t, monit_run_t, {file dir})

 monit_t
init_daemon_domain(monit_t, monit_exec_t)
init_domtrans_script(monit_t)
dontaudit direct_init monit_t:fd use;

allow monit_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow monit_t self:tcp_socket { write read connect shutdown getopt create bind setopt listen accept };
allow monit_t self:udp_socket { write read connect shutdown getopt create ioctl getattr };
allow monit_t self:sem { read write unix_write };
allow monit_t self:capability { net_raw sys_ptrace dac_read_search dac_override };
allow monit_t self:rawip_socket { write read create setopt shutdown };
allow monit_t self:process { signal getpgid };
allow monit_t self:fifo_file { ioctl getattr };
allow monit_t monit_etc_t:dir list_dir_perms;
allow monit_t monit_etc_t:file read_file_perms;
allow monit_t monit_config_t:dir list_dir_perms;
allow monit_t monit_config_t:file read_file_perms;
allow monit_t monit_config_t:lnk_file read_lnk_file_perms;
allow monit_t monit_lib_t:dir manage_dir_perms;
allow monit_t monit_lib_t:file manage_file_perms;
allow monit_t monit_log_t:file manage_file_perms;
allow monit_t monit_run_t:file manage_file_perms;

allow monit_t monit_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_node(monit_t)

corenet_tcp_connect_all_ports(monit_t)

corecmd_exec_bin(monit_t)
corecmd_exec_shell(monit_t)

miscfiles_read_localization(monit_t)
dev_read_urand(monit_t)
userdom_dontaudit_search_user_home_dirs(monit_t)
files_read_etc_files(monit_t)
files_read_all_pids(monit_t)
sysnet_read_config(monit_t)
files_search_var_lib(monit_t)
files_read_etc_runtime_files(monit_t)

dev_list_sysfs(monit_t)
kernel_read_system_state(monit_t)
storage_getattr_fixed_disk_dev(monit_t)
fs_getattr_xattr_fs(monit_t)

domain_read_all_domains_state(monit_t)
domain_getpgid_all_domains(monit_t)

## running monit from root console
domain_use_interactive_fds(monit_t)
userdom_use_user_ptys(monit_t)


Bug#691284: selinux-policy-default: allow_ptrace and deny_ptrace

2012-10-23 Thread cgzones
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist

Hi,
can you unite the booleans allow_ptrace and deny_ptrace?

Best regards,
Christian Göttsche





Bug#690477: selinux-policy-default: multiple avc denies and su problem

2012-10-14 Thread cgzones
Package: selinux-policy-default
Version: 2:2.20110726-11

I'm using smartmontools and the daemon needs to read and write into its
lib directory /var/lib/smartmontools.
This directory is not labeled, so I get the following denies:

Oct 14 19:29:27 debian kernel: [   18.35] type=1400
audit(1350235767.006:11): avc:  denied  { read } for  pid=2386
comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [   18.56] type=1400
audit(1350235767.006:12): avc:  denied  { open } for  pid=2386
comm=smartd name=smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [   18.88] type=1400
audit(1350235767.006:13): avc:  denied  { getattr } for  pid=2386
comm=smartd
path=/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file

I use
.fc file
/var/lib/smartmontools(/.*)?   gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)

.te file
type fsdaemon_var_lib_t;
files_type(fsdaemon_var_lib_t)
allow fsdaemon_t var_lib_t:dir search_dir_perms;
manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

to avoid this.

When relabeling manually with restorecond I get the following denies:

setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667177] type=1400
audit(1349451350.806:159): avc:  denied  { write } for  pid=5240
comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667259] type=1400
audit(1349451350.806:160): avc:  denied  { nlmsg_relay } for  pid=5240
comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667336] type=1400
audit(1349451350.806:161): avc:  denied  { audit_write } for  pid=5240
comm=restorecon capability=29 
scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
/var/log/syslog:Oct  5 17:35:50 debian kernel: [ 2826.667696] type=1400
audit(1349451350.806:162): avc:  denied  { read } for  pid=5240
comm=restorecon scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket

While booting i get these denies:

Oct 14 19:29:23 debian kernel: [7.465566] type=1400
audit(1350235756.026:3): avc:  denied  { read write } for  pid=581
comm=hostname name=tty1 dev=devtmpfs ino=1201
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [8.116923] type=1400
audit(1350235756.678:4): avc:  denied  { read write } for  pid=647
comm=swapon name=tty1 dev=devtmpfs ino=1201
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [   11.908177] type=1400
audit(1350235760.470:5): avc:  denied  { read write } for  pid=1257
comm=swapon name=tty1 dev=devtmpfs ino=1201
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [   13.505206] type=1400
audit(1350235762.066:6): avc:  denied  { read write } for  pid=1532
comm=ip name=tty1 dev=devtmpfs ino=1201
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file


I'm not using users in unconfined context so my config is:
semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

root            sysadm     SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r
staff_u         user       SystemLow  SystemLow-SystemHigh  staff_r sysadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh  system_r
unconfined_u    user       SystemLow  SystemLow             unconfined_r
user_u          user       SystemLow  SystemLow             user_r

semanage login -l

Login Name      SELinux User  MLS/MCS Range

__default__     user_u        SystemLow
systemuser      staff_u       SystemLow-SystemHigh
root            staff_u       SystemLow-SystemHigh
system_u