Bug#737006: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works
Hello,

Thanks for the update. This way, the only processes I see running unconfined_t are those that I expect to be unconfined: my user processes. I'm 1 reboot away from verifying this on the exact machine I reported this for, but already can confirm the fix for my 64-bit system at home.

-Original message-
From: Laurent Bigonville bi...@debian.org
Sent: Friday 31st January 2014 15:47
To: Michael Biebl bi...@debian.org
Cc: Bart-Jan Vrielink bart...@vrielink.net; 737...@bugs.debian.org
Subject: Re: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works

On Fri, 31 Jan 2014 06:56:49 +0100, Michael Biebl bi...@debian.org wrote:

> On 29.01.2014 10:54, Bart-Jan Vrielink wrote:
> > Package: systemd
> > Version: 204-6
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When I boot up under systemd, I get asked if I want to enter a security context when I login. It seems that all processes are running under the kernel_t label (except systemd-udevd, which runs under system_u:system_r:udev_t:s0-s0:c0.c1023)
> >
> > Because of this, the combination of SELinux and systemd is at the moment unusable. SELinux works fine under init=/sbin/init

Hello Michael!

> Sounds like a bug in the selinux policy package to me, not in systemd itself. That said, I basically know nothing about selinux.
>
> bigon, can you comment on this bug report? Let us know whether we should re-assign it to one of the selinux-policy-* packages or if there is something which needs to be addressed in systemd.

Yes you are correct, this is a bug in the policy and it should be reassigned to it.

We dropped almost all the debian specific patches that were applied to the package in the past because it was impossible for us to keep such a huge delta with upstream. Unfortunately upstream doesn't have ATM (people are working on it IIRC) systemd support (the patches were previously coming straight from Fedora).

Bart-Jan: So what I will suggest to you is the 2 following commands:

    semanage fcontext -a -t init_exec_t /lib/systemd/systemd
    restorecon -v /lib/systemd/systemd

This will already help, but unfortunately not all the services will not run in the correct labels.

Cheers,
Laurent Bigonville
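
A check for the symptom reported in this thread, added here as an example and not written by anyone in the thread: it reads a process list with SELinux labels and reports userspace processes still running as kernel_t, which is what a missing transition out of the kernel's initial domain looks like. The function name `find_mislabelled`, the sample process list and the rule that kernel threads are PID 2 and its children are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug thread.
# Input: one process per line as "PID PPID LABEL COMMAND", the layout of
#   ps -eo pid=,ppid=,label=,comm=
# Kernel threads (kthreadd, PID 2, and its children) legitimately run as
# kernel_t. Any other process in kernel_t never left the kernel's initial
# domain, e.g. because the init binary is not labelled init_exec_t.
find_mislabelled() {
    awk '
        $1 == 2 || $2 == 2 { next }          # skip kthreadd and kernel threads
        {
            n = split($3, ctx, ":")          # user:role:type[:level...]
            if (n >= 3 && ctx[3] == "kernel_t") {
                cmd = $4
                for (i = 5; i <= NF; i++) cmd = cmd " " $i
                print $1, cmd
            }
        }'
}

# Constructed sample resembling the report: everything except udevd
# is stuck in kernel_t.
SAMPLE='1 0 system_u:system_r:kernel_t:s0 systemd
2 0 system_u:system_r:kernel_t:s0 kthreadd
3 2 system_u:system_r:kernel_t:s0 ksoftirqd/0
212 1 system_u:system_r:udev_t:s0-s0:c0.c1023 systemd-udevd
640 1 system_u:system_r:kernel_t:s0 sshd
701 640 system_u:system_r:kernel_t:s0 bash'

printf '%s\n' "$SAMPLE" | find_mislabelled

# On a live system, after the relabel and a reboot, this should print nothing:
#   ps -eo pid=,ppid=,label=,comm= | find_mislabelled
```
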
Bug#737006: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works
On Fri, 31 Jan 2014 06:56:49 +0100, Michael Biebl bi...@debian.org wrote:

> On 29.01.2014 10:54, Bart-Jan Vrielink wrote:
> > Package: systemd
> > Version: 204-6
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When I boot up under systemd, I get asked if I want to enter a security context when I login. It seems that all processes are running under the kernel_t label (except systemd-udevd, which runs under system_u:system_r:udev_t:s0-s0:c0.c1023)
> >
> > Because of this, the combination of SELinux and systemd is at the moment unusable. SELinux works fine under init=/sbin/init

Hello Michael!

> Sounds like a bug in the selinux policy package to me, not in systemd itself. That said, I basically know nothing about selinux.
>
> bigon, can you comment on this bug report? Let us know whether we should re-assign it to one of the selinux-policy-* packages or if there is something which needs to be addressed in systemd.

Yes you are correct, this is a bug in the policy and it should be reassigned to it.

We dropped almost all the debian specific patches that were applied to the package in the past because it was impossible for us to keep such a huge delta with upstream. Unfortunately upstream doesn't have ATM (people are working on it IIRC) systemd support (the patches were previously coming straight from Fedora).

Bart-Jan: So what I will suggest to you is the 2 following commands:

    semanage fcontext -a -t init_exec_t /lib/systemd/systemd
    restorecon -v /lib/systemd/systemd

This will already help, but unfortunately not all the services will not run in the correct labels.

Cheers,
Laurent Bigonville
Bug#737006: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works
On 31.01.2014 15:47, Laurent Bigonville wrote:

> On Fri, 31 Jan 2014 06:56:49 +0100, Michael Biebl bi...@debian.org wrote:
> > Sounds like a bug in the selinux policy package to me, not in systemd itself. That said, I basically know nothing about selinux.
> >
> > bigon, can you comment on this bug report? Let us know whether we should re-assign it to one of the selinux-policy-* packages or if there is something which needs to be addressed in systemd.
>
> Yes you are correct, this is a bug in the policy and it should be reassigned to it.

Which package should we re-assign this bug to: selinux-policy-default, src:refpolicy?

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#737006: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works
On Sat, 01 Feb 2014 08:37:25 +0100, Michael Biebl bi...@debian.org wrote:

> On 31.01.2014 15:47, Laurent Bigonville wrote:
> > On Fri, 31 Jan 2014 06:56:49 +0100, Michael Biebl bi...@debian.org wrote:
> > > Sounds like a bug in the selinux policy package to me, not in systemd itself. That said, I basically know nothing about selinux.
> > >
> > > bigon, can you comment on this bug report? Let us know whether we should re-assign it to one of the selinux-policy-* packages or if there is something which needs to be addressed in systemd.
> >
> > Yes you are correct, this is a bug in the policy and it should be reassigned to it.
>
> Which package should we re-assign this bug to: selinux-policy-default, src:refpolicy?

src:refpolicy is ok I guess :)
Bug#737006: [Pkg-systemd-maintainers] Bug#737006: systemd: When init=/lib/systemd/systemd, selinux no longer works
On 29.01.2014 10:54, Bart-Jan Vrielink wrote:

> Package: systemd
> Version: 204-6
> Severity: important
>
> Dear Maintainer,
>
> When I boot up under systemd, I get asked if I want to enter a security context when I login. It seems that all processes are running under the kernel_t label (except systemd-udevd, which runs under system_u:system_r:udev_t:s0-s0:c0.c1023)
>
> Because of this, the combination of SELinux and systemd is at the moment unusable. SELinux works fine under init=/sbin/init

Sounds like a bug in the selinux policy package to me, not in systemd itself. That said, I basically know nothing about selinux.

bigon, can you comment on this bug report? Let us know whether we should re-assign it to one of the selinux-policy-* packages or if there is something which needs to be addressed in systemd.

Michael

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?