Your message dated Sun, 24 Aug 2025 14:51:56 +0000
with message-id <[email protected]>
and subject line Bug#1104634: fixed in firejail 0.9.76-1
has caused the Debian Bug report #1104634,
regarding missing SELinux labels in /dev
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104634: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104634
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: firejail
Version: 0.9.74-1
Severity: normal
Tags: patch upstream
Dear Maintainer,
firejail fails to create SELinux labels for some objects under /dev, and [1]
addresses this issue upstream. I've attached a back-ported version of that.
Best,
Antonio Russo
[1] https://github.com/netblue30/firejail/pull/6734
commit 217c8665d0b165eae33609d1aebcb94aeba1a75e
Author: Antonio Enrico Russo <[email protected]>
Date: Fri May 2 18:08:08 2025 -0600
selinux: more labeling in fs_dev
Some objects are created in fs_dev but not labeled. This patch ensures
that those objects are properly labeled.
Signed-off-by: Antonio Enrico Russo <[email protected]>
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index c10324d2d..a03467536 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -245,6 +245,7 @@ void fs_private_dev(void){
if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
errExit("mounting /dev");
fs_logger("tmpfs /dev");
+ selinux_relabel_path("/dev", "/dev");
// optional devices: sound, video cards etc...
deventry_mount();
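Review bot: The added selinux_relabel_path("/dev", "/dev") call after fs_logger("tmpfs /dev") has no error handling, while the mount() two lines above it aborts through errExit() on failure. If relabeling can fail, deventry_mount() and everything after it runs on a tmpfs root that never received the intended label. Either check the result, or add a one-line comment stating that failure is non-fatal by design and that the call does nothing when SELinux is not in use; nothing in this hunk shows which is the case.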
@@ -274,16 +275,22 @@ void fs_private_dev(void){
// create default devices
create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
fs_logger("mknod /dev/zero");
+ selinux_relabel_path("/dev/zero", "/dev/zero");
create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3
fs_logger("mknod /dev/null");
+ selinux_relabel_path("/dev/null", "/dev/null");
create_char_dev("/dev/full", 0666, 1, 7); // mknod -m 666 /dev/full c 1 7
fs_logger("mknod /dev/full");
+ selinux_relabel_path("/dev/full", "/dev/full");
create_char_dev("/dev/random", 0666, 1, 8); // Mknod -m 666 /dev/random c 1 8
fs_logger("mknod /dev/random");
+ selinux_relabel_path("/dev/random", "/dev/random");
create_char_dev("/dev/urandom", 0666, 1, 9); // mknod -m 666 /dev/urandom c 1 9
fs_logger("mknod /dev/urandom");
+ selinux_relabel_path("/dev/urandom", "/dev/urandom");
create_char_dev("/dev/tty", 0666, 5, 0); // mknod -m 666 /dev/tty c 5 0
fs_logger("mknod /dev/tty");
+ selinux_relabel_path("/dev/tty", "/dev/tty");
#if 0
create_dev("/dev/tty0", "mknod -m 666 /dev/tty0 c 4 0");
create_dev("/dev/console", "mknod -m 622 /dev/console c 5 1");
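Review bot: Each of the six create_char_dev() calls now carries a hand-written selinux_relabel_path() line with the same path typed twice, so a device added later can easily be created without a label. Consider doing the relabel inside create_char_dev(), or driving these calls from a small table of path, mode, major and minor. The create_dev() calls for /dev/tty0 and /dev/console in the #if 0 block that follows get no relabel, so they would come up unlabeled if that block were ever re-enabled.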
@@ -318,16 +325,24 @@ void fs_private_dev(void){
// stdin, stdout, stderr
create_link("/proc/self/fd", "/dev/fd");
+ selinux_relabel_path("/dev/fd", "/dev/fd");
create_link("/proc/self/fd/0", "/dev/stdin");
+ selinux_relabel_path("/dev/stdin", "/dev/stdin");
create_link("/proc/self/fd/1", "/dev/stdout");
+ selinux_relabel_path("/dev/stdout", "/dev/stdout");
create_link("/proc/self/fd/2", "/dev/stderr");
+ selinux_relabel_path("/dev/stderr", "/dev/stderr");
// symlinks for DVD/CD players
if (stat("/dev/sr0", &s) == 0) {
create_link("/dev/sr0", "/dev/cdrom");
+ selinux_relabel_path("/dev/cdrom", "/dev/cdrom");
create_link("/dev/sr0", "/dev/cdrw");
+ selinux_relabel_path("/dev/cdrw", "/dev/cdrw");
create_link("/dev/sr0", "/dev/dvd");
+ selinux_relabel_path("/dev/dvd", "/dev/dvd");
create_link("/dev/sr0", "/dev/dvdrw");
+ selinux_relabel_path("/dev/dvdrw", "/dev/dvdrw");
}
}
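Review bot: In the create_link() additions the relabeled path is a symlink (/dev/fd, /dev/stdin, /dev/cdrom and so on), and the hunk does not show whether selinux_relabel_path() labels the link itself or follows it. If it follows, these calls would act on the /proc/self/fd entries and on /dev/sr0 instead of the new links; please confirm that it uses no-follow semantics, or say so in a comment. The repeated create_link()/relabel pairs would also be less error-prone if create_link() relabeled its second argument itself.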
--- End Message ---
--- Begin Message ---
Source: firejail
Source-Version: 0.9.76-1
Done: Reiner Herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reiner Herrmann <[email protected]> (supplier of updated firejail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 Aug 2025 15:41:56 +0200
Source: firejail
Architecture: source
Version: 0.9.76-1
Distribution: unstable
Urgency: medium
Maintainer: Reiner Herrmann <[email protected]>
Changed-By: Reiner Herrmann <[email protected]>
Closes: 1104634
Changes:
firejail (0.9.76-1) unstable; urgency=medium
.
* New upstream release.
- create missing SELinux labels (Closes: #1104634)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---