Your message dated Wed, 10 Sep 2008 11:51:55 +1000
with message-id <[EMAIL PROTECTED]>
and subject line fixed
has caused the Debian Bug report #494827,
regarding selinux-policy-default: denials ldconfig access to aux-cache
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
494827: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494827
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:0.0.20080702-4
Severity: normal
Tags: patch

Hi,
running ldconfig with SE Linux enabled in the permissive mode results in:

[ 3990.114224] type=1400 audit(1218548500.328:31): avc:  denied  { read } for  
pid=4714 comm="ldconfig" name="aux-cache" dev=hda2 ino=82125 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.124557] type=1300 audit(1218548500.328:31): arch=40000003 syscall=5 
success=yes exit=3 a0=80c42dc a1=0 a2=90d48f0 a3=bf8d8a08 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)
[ 3990.133965] type=1400 audit(1218548500.349:32): avc:  denied  { getattr } 
for  pid=4714 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev=hda2 
ino=82125 scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.141174] type=1300 audit(1218548500.349:32): arch=40000003 syscall=197 
success=yes exit=0 a0=3 a1=bf8d8984 a2=90d48f0 a3=bf8d8a08 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)
[ 3990.172814] type=1400 audit(1218548500.388:33): avc:  denied  { write } for  
pid=4714 comm="ldconfig" name="ldconfig" dev=hda2 ino=81891 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 3990.178302] type=1400 audit(1218548500.388:33): avc:  denied  { add_name } 
for  pid=4714 comm="ldconfig" name="aux-cache~" 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 3990.183627] type=1400 audit(1218548500.388:33): avc:  denied  { create } for 
 pid=4714 comm="ldconfig" name="aux-cache~" 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.195683] type=1400 audit(1218548500.388:33): avc:  denied  { write } for  
pid=4714 comm="ldconfig" name="aux-cache~" dev=hda2 ino=82129 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.200344] type=1300 audit(1218548500.388:33): arch=40000003 syscall=5 
success=yes exit=3 a0=90d58a0 a1=20241 a2=180 a3=90d58a0 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)

I already solved this and send a patch (taken from Fedora) upstream in
the past, but unfortunately it was not merged yet :(.
http://marc.info/?t=120369424100003&r=1&w=2

Attached is a patch against sources of Debian policy.
Regards.
-- 
Zito


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-2    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-4   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       3.3.4.ds-4 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information
Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc.orig	2008-08-12 16:08:33.000000000 +0200
+++ policy/modules/system/libraries.fc	2008-08-12 16:12:55.000000000 +0200
@@ -304,10 +304,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
 ')
-ifdef(`distro_debian', `
-/var/cache/ldconfig/aux-cache		--	gen_context(system_u:object_r:ld_so_cache_t,s0)
-')
 
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig	2008-08-12 16:08:33.000000000 +0200
+++ policy/modules/system/libraries.te	2008-08-12 16:12:26.000000000 +0200
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -51,7 +54,9 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)

--- End Message ---
--- Begin Message ---
Fixed in 0.0.20080702-7.


--- End Message ---

Reply via email to