Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Le 04/06/18 à 02:09, Norbert Preining a écrit : Hi Laurent, 3) Copy the files instead of moving them, copied files ends with the label of their parent folder I think I will implement this change upstream, so that other distributions will profit from it at the same time. Yeah that's why I was asking what exactly is generating these files, because "update-tl-stacked-conffile" script seems to be debian specific.
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Hi Laurent, > 3) Copy the files instead of moving them, copied files ends with the > label of their parent folder I think I will implement this change upstream, so that other distributions will profit from it at the same time. Norbert -- PREINING Norbert http://www.preining.info Accelia Inc. +JAIST +TeX Live +Debian Developer GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
On 02.06.2018 13:48, Norbert Preining wrote: Hi, > Sure enough the kernel does, but based on a role set that is shipped > with Debian. I'm quite sure (near to 100%) that the kernel does not > contain rules about tetex!!! > > So the question is who/what did set up these rules, it was none of us. > AFAICT it is in the upstream code of refpolicy (Source package). policy/modules/system/miscfiles.te:type tetex_data_t; policy/modules/system/miscfiles.te:files_tmp_file(tetex_data_t) policy/modules/system/miscfiles.fc:/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) policy/modules/system/miscfiles.fc:/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) etc. H. -- sigfault #206401 http://counter.li.org
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Hi >> about the >>tetex_foobar >> stuff the SElinux ships out. This is nothing of my doing. So you need >to >> first find out who/what attaches any of these tags. >The kernel does. Sure enough the kernel does, but based on a role set that is shipped with Debian. I'm quite sure (near to 100%) that the kernel does not contain rules about tetex!!! So the question is who/what did set up these rules, it was none of us. Norbert -- PREINING Norbert http://www.preining.info Accelia Inc. + JAIST + TeX Live + Debian Developer GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Le 02/06/18 à 02:08, Norbert Preining a écrit : On Fri, 01 Jun 2018, Laurent Bigonville wrote: Well the problem (from a SELinux) perspective is that the files from /var/lib/texmf are created in /tmp and the moved to their final location. So something needs to be done to fix that (as explained), so the first question would be, what is generating these files? Of course it is *us* tex-common creating these files, but I never heard about the tetex_foobar stuff the SElinux ships out. This is nothing of my doing. So you need to first find out who/what attaches any of these tags. The kernel does.
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
On Fri, 01 Jun 2018, Laurent Bigonville wrote: > Well the problem (from a SELinux) perspective is that the files from > /var/lib/texmf are created in /tmp and the moved to their final location. > > So something needs to be done to fix that (as explained), so the first > question would be, what is generating these files? Of course it is *us* tex-common creating these files, but I never heard about the tetex_foobar stuff the SElinux ships out. This is nothing of my doing. So you need to first find out who/what attaches any of these tags. Thanks Norbert -- PREINING Norbert http://www.preining.info Accelia Inc. +JAIST +TeX Live +Debian Developer GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Le 01/06/18 à 18:08, Norbert Preining a écrit : Hi Laurent, sorry to say, but ... The generated files are ending being labeld as dpkg_script_tmp_t instead of tetex_data_t as they are created in /tmp and then moved. I have absolutely no idea what you are talking about!?! tetex_data_t is something I heard the very first time. It is something that I never used and there is nothing in tex-common related to it, so I have no idea where it is coming from. Well the problem (from a SELinux) perspective is that the files from /var/lib/texmf are created in /tmp and the moved to their final location. So something needs to be done to fix that (as explained), so the first question would be, what is generating these files?
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Hi Laurent, sorry to say, but ... > The generated files are ending being labeld as dpkg_script_tmp_t instead > of tetex_data_t as they are created in /tmp and then moved. I have absolutely no idea what you are talking about!?! tetex_data_t is something I heard the very first time. It is something that I never used and there is nothing in tex-common related to it, so I have no idea where it is coming from. Best Norbert -- PREINING Norbert http://www.preining.info Accelia Inc. +JAIST +TeX Live +Debian Developer GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug#900580: Please restore SELinux context after creating the files in /var/lib/texmf
Package: tex-common Version: 6.09 Severity: normal User: selinux-de...@lists.alioth.debian.org Usertags: selinux Hi, When installing tex related packages, files are being generated in /var/lib/texmf by maintainer scripts/triggers The generated files are ending being labeld as dpkg_script_tmp_t instead of tetex_data_t as they are created in /tmp and then moved. To fix this, there are several ways: 1) Run restorecon utility (when present) on the newly created files 2) move the files using the -Z option to the label is set atomically in one go (the option is supported in current debian stable) 3) Copy the files instead of moving them, copied files ends with the label of their parent folder Kind regards, Laurent Bigonville # restorecon -Rv /var/lib/texmf Relabeled /var/lib/texmf/web2c/metafont/mf.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/metafont/mf.base from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/tex/tex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/tex/tex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/pdfetex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/pdftex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/etex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/pdftex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/pdfetex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/pdftex/etex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/luatex/dviluatex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/luatex/dviluatex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/luatex/luatex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 Relabeled /var/lib/texmf/web2c/luatex/luatex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0 -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy Versions of packages tex-common depends on: ii dpkg 1.19.0.5+b1 ii ucf 3.0038 tex-common recommends no packages. Versions of packages tex-common suggests: ii debhelper 11.3.2 Versions of packages texlive-base depends on: ii debconf [debconf-2.0] 1.5.66 ii libpaper-utils 1.1.24+nmu5 ii texlive-binaries 2018.20180416.47457-4 ii ucf3.0038 ii xdg-utils 1.1.3-1 Versions of packages texlive-base recommends: ii lmodern 2.004.5-3 Versions of packages texlive-base suggests: ii evince [postscript-viewer] 3.28.2-1 ii ghostscript [postscript-viewer] 9.22~dfsg-2.1 pn perl-tk pn xpdf-reader | pdf-viewer Versions of packages texlive-binaries depends on: ii dpkg 1.19.0.5+b1 ii libc6 2.27-3 ii libcairo2 1.15.10-3 ii libfontconfig12.13.0-5 ii libfreetype6 2.8.1-2 ii libgcc1 1:8.1.0-4 ii libgmp10 2:6.1.2+dfsg-3 ii libgraphite2-31.3.11-2 ii libgs99.22~dfsg-2.1 ii libharfbuzz-icu0 1.7.6-1+b1 ii libharfbuzz0b 1.7.6-1+b1 ii libice6 2:1.0.9-2 ii libicu60 60.2-6 ii libkpathsea6 2018.20180416.47457-4 ii libmpfr6 4.0.1-1 ii libpaper1 1.1.24+nmu5 ii libpixman-1-0 0.34.0-2 ii libpng16-16 1.6.34-1 ii libpotrace0 1.15-1 ii libptexenc1 2018.20180416.47457-4 ii libsm62:1.2.2-1+b3 ii libstdc++68.1.0-4 ii libsynctex2 2018.20180416.47457-4 ii libtexlua52 2018.20180416.47457-4 ii libtexlua53 2018.20180416.47457-4 ii libtexluajit2 2018.20180416.47457-4 ii libx11-6 2:1.6.5-1 ii libxaw7 2:1.0.13-1+b2 ii
