Your message dated Wed, 24 Jan 2024 21:25:07 +0000 with message-id <[email protected]> and subject line Bug#1029095: fixed in libselinux 3.5-2 has caused the Debian Bug report #1029095, regarding libselinux: claim /run/setrans directory to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
1029095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029095
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libselinux1
Version: 3.1-3
Severity: important
Tags: security

Libselinux by default, since Debian does not specify DISABLE_SETRANS at compile time, tries to translate security contexts within non-raw interfaces, e.g. getfilecon(3). The purpose is to translate MCS/MLS labels into human-readable form via mcstransd(8). The translation happens via communication over the publicly accessible UNIX socket /var/run/setrans/.setrans-unix, created by mcstransd(8).

mcstransd(8) however is not installed by default, not a dependency of another package, nor recommended or suggested by one. Thus mcstransd(8) is probably not running on many (most?) SELinux enabled systems and thereby the directory /var/run/setrans is not created. This leaves the opportunity for (compromised) programs to create it and the UNIX socket to take control of the security context translation. It might not be prevented by the SELinux policy since most daemons are allowed to create entries in /var/run and UNIX socket communication between daemons is common.

As a solution the directory /var/run/setrans should be created at boot by a trusted party with the default context according to the loaded policy (e.g. setrans_runtime_t), which no other daemon than mcstransd(8) should have the permission to create sockets inside.

For example Fedora uses the tmpfiles.d(5) snippet:

    d /run/setrans 0755 root root

see https://src.fedoraproject.org/rpms/libselinux/c/8b8064a26e06c128e2c0374b9039038842f51557.
--- End Message ---
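
An audit check for the condition the report describes, as an added example that is not part of the bug report or of the Debian package: it tells whether the setrans directory has been claimed by a trusted owner. The function name `audit_setrans_dir`, its return codes and the optional expected-uid argument are assumptions made for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package).
# Return codes are constructed for this example:
#   0 = directory exists, has the expected owner, not group/world-writable
#   1 = directory missing: whoever may write to /run could still create it
#   2 = present but untrusted (symlink, wrong type, wrong owner or mode)
# Assumes GNU stat (coreutils), as shipped on Debian.
audit_setrans_dir() {
    dir=${1:-/run/setrans}
    want_uid=${2:-0}                 # expected owner, root by default
    sock="$dir/.setrans-unix"        # socket name given in the report

    if [ -L "$dir" ]; then
        echo "UNTRUSTED: $dir is a symlink"; return 2
    fi
    if [ ! -e "$dir" ]; then
        echo "UNCLAIMED: $dir does not exist"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "UNTRUSTED: $dir is not a directory"; return 2
    fi

    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")        # octal permission bits, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "UNTRUSTED: $dir owned by uid $uid, expected $want_uid"; return 2
    fi
    # A group or other write bit lets a non-owner create entries here.
    if [ "$(( 0$mode & 022 ))" -ne 0 ]; then
        echo "UNTRUSTED: $dir has mode $mode"; return 2
    fi

    # A socket that already exists must belong to the same trusted owner.
    if [ -S "$sock" ] && [ "$(stat -c %u "$sock")" != "$want_uid" ]; then
        echo "UNTRUSTED: $sock not owned by uid $want_uid"; return 2
    fi
    echo "OK: $dir claimed by uid $uid with mode $mode"
    return 0
}
```

Called with no arguments it checks /run/setrans against root ownership; a result of 1 on an SELinux-enabled host without mcstransd(8) is the unclaimed state the report is about.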
--- Begin Message ---
Source: libselinux
Source-Version: 3.5-2
Done: Laurent Bigonville <[email protected]>

We believe that the bug you reported is fixed in the latest version of libselinux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated libselinux package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Wed, 24 Jan 2024 21:23:37 +0100
Source: libselinux
Architecture: source
Version: 3.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Closes: 914247 1029095
Changes:
 libselinux (3.5-2) unstable; urgency=medium
 .
   [ Michael Biebl ]
   * Move libselinux into /usr (Closes: #914247)
 .
   [ Laurent Bigonville ]
   * debian/libselinux1.tmpfiles: claim /run/setrans directory.
     Thanks to Christian Göttsche, Michael Biebl (Closes: #1029095)
--- End Message ---

