Subject: needrestart: returns no output to console with SELinux in Enforcing mode
Package: needrestart
X-Debbugs-Cc: [email protected]
Version: 3.11-1
Severity: normal

Dear Maintainer,

In summary, needrestart seemingly doesn't display any output when SELinux is 
set to Enforcing mode on Debian running the "default" policy (as listed by 
sestatus / as provided by selinux-policy-default), insofar as returning zero 
output when run on the VM console (I wasn't sure if screenshots were considered 
polite so I've omitted it for the time being).

However, it does seemingly run correctly when run from an ssh session on the 
same machine:

        root@debtestbug0:~# sestatus
        SELinux status:                 enabled
        SELinuxfs mount:                /sys/fs/selinux
        SELinux root directory:         /etc/selinux
        Loaded policy name:             default
        Current mode:                   enforcing
        Mode from config file:          enforcing
        Policy MLS status:              enabled
        Policy deny_unknown status:     allowed
        Memory protection checking:     actual (secure)
        Max kernel policy version:      33

        root@debtestbug0:~# needrestart
        Scanning processes...
        Scanning linux images...
        
        Running kernel seems to be up-to-date.
        
        No services need to be restarted.
        
        No containers need to be restarted.
        
        No user sessions are running outdated binaries.
        
        No VM guests are running outdated hypervisor (qemu) binaries on this host.
        debconf: DbDriver "templatedb": could not write /var/cache/debconf/templates.dat-new: Permission denied

(That it works under an ssh session was only spotted when I was already preparing 
this bug report via a test VM, since the key systems I spotted the original 
problem on are airgapped and only have virtual console access.)

At first I thought this was merely a type enforcement problem, since denied 
AVCs for needrestart_t do indeed show up in /var/log/auditd/audit.log; I got as 
far as creating a custom TE (attachment test_needrestart.te) and policy based 
on all of the AVC denials I could see relating to needrestart in the audit 
logs, but after applying it there was still no output on the console.

The background here is there's been a big push for enhanced security on a 
number of systems, many of which are air-gapped and inaccessible via ssh, where 
it looks like needrestart doesn't return output correctly and I can't really 
figure out why. But obviously it's a key tool for operators on the lookout for 
boxes that might not have been rebooted into new kernels or had their daemons 
restarted for whatever reason.

Systems here are all up-to-date Trixie installs so no oddities I'm aware of in 
the packages (other than the obvious eccentricity of running SELinux on Debian) 
running on VMware ESX virtual machines.

I wasn't sure whether this needed to be handled by the needrestart maintainers 
themselves but figured filing directly against needrestart was the best place 
to start; given that this seemingly only affects the console (something that 
wasn't evident until I stood up a test VM in a non-airgapped environment to 
confirm) it's possible it's down to a problem with the SELinux policy for 
open-vm-tools (which does have a large number of policy violations in the 
denied AVCs already, but none that seemingly affect its normal running 
operations) but just supposition at this point.

More details available on request of course, but I figure this report is 
probably already a bit too wordy and didn't want to flood it with a lot of stuff 
such as AVC denies unless it was asked for. But if anyone's got any pointers on 
where I can start looking or requests for additional info I'm happy to oblige 
where possible.

Hopefully the formatting of this mail is up to snuff, I'm unable to use 
reportbug directly.

-- Package-specific info:
needrestart output:



-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.90+deb13.1-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages needrestart depends on:
ii  dpkg                       1.22.22
ii  gettext-base               0.23.1-2
ii  libintl-perl               1.35-1
ii  libmodule-find-perl        0.17-1
ii  libproc-processtable-perl  0.636-1+b3
ii  libsort-naturally-perl     1.03-4
ii  libterm-readkey-perl       2.38-2+b4
ii  perl                       5.40.1-6
ii  procps                     2:4.0.4-9
ii  xz-utils                   5.8.1-1

Versions of packages needrestart recommends:
ii  libpam-systemd  257.13-1~deb13u1
ii  systemd         257.13-1~deb13u1

Versions of packages needrestart suggests:
pn  iucode-tool                          <none>
pn  needrestart-session | libnotify-bin  <none>

-- no debconf information


Attachment: test_needrestart.te
Description: test_needrestart.te
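An added example, not part of the bug report, its attachment, or needrestart itself: a POSIX shell/awk helper that deduplicates and counts the AVC denials for one source domain (here needrestart_t), which is the triage step the reporter describes before deriving a TE module from the audit log. The sample audit records, target types, PIDs and inodes are constructed for illustration.

```sh
# Added example (not from the bug report or from needrestart): aggregate the
# SELinux AVC denials for one source domain so that a TE module derived from
# them (as the reporter did for needrestart_t) starts from a deduplicated list.
# Usage: summarize_avc_denials <domain_type> < audit.log
# Output: "<count> <tclass> <permission> <target_type>", most frequent first.
summarize_avc_denials() {
    awk -v dom="$1" '
        /avc: +denied/ {
            scontext = ""; tcontext = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") scontext = kv[2]
                else if (kv[1] == "tcontext") tcontext = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
            }
            # Contexts are user:role:type:level; the type is the third field.
            split(scontext, sc, ":"); split(tcontext, tc, ":")
            if (sc[3] != dom) next
            # Denied permissions are the words between "{" and "}".
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(perms, p, " ")
                for (j = 1; j <= n; j++)
                    count[tclass " " p[j] " " tc[3]]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample audit records (target types, PIDs and inodes are made up):
# three needrestart_t denials, one of them repeated, plus one unrelated
# vmtools_t denial that the domain filter must drop.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=2101 comm="needrestart" name="debconf" dev="dm-0" ino=4711 scontext=system_u:system_r:needrestart_t:s0 tcontext=system_u:object_r:var_cache_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read open } for  pid=2101 comm="needrestart" path="/proc/1/maps" dev="proc" ino=1 scontext=system_u:system_r:needrestart_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=2101 comm="needrestart" name="debconf" dev="dm-0" ino=4711 scontext=system_u:system_r:needrestart_t:s0 tcontext=system_u:object_r:var_cache_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=900 comm="vmtoolsd" path="/dev/tty1" scontext=system_u:system_r:vmtools_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
EOF
}

# Stand-alone run: list the needrestart_t denials found in the sample log.
sample_avc_log | summarize_avc_denials needrestart_t
```

On a real system the same function reads `/var/log/audit/audit.log` directly; the counted summary makes it easy to spot which denials recur at every run and which are one-off.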
