On Saturday, 26 August 2023 14:05:18 AEST undef wrote:
> I've just tested this on Mobian Sid on PinePhone. Selinux still doesn't
> seem to be configured by default with `selinux-basics` and
> `selinux-policy-default` installed.
We discussed this on Matrix and his problem was that he didn't run
> This all works fine in permissive mode and there is nothing reported by
> audit2allow on the log file.
Please run "semodule -DB" and then reproduce the problem, the -D option means
to remove dontaudit rules and the -B option means to rebuild the policy that
is loaded into the kernel. After
close 985036
thanks
This was fixed in 0.5.7 according to the changelog, a test showed it didn't
happen in 0.5.8.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
___
SELinux-devel mailing list
Package: policycoreutils-python-utils
Version: 3.4-1
Severity: normal
https://serverfault.com/questions/448859/centos-semanage-delete-range-of-ports
According to the above web page the "port_range" is 2 numbers separated by a
hyphen, e.g. "10-20" means ports from 10 to 20 inclusive. There is also
Package: selinux-basics
Version: 0.5.8
Severity: important
Tags: patch
/etc/selinux/config needs to be world-readable so user space object managers
running as non-root can find the SELINUXTYPE, otherwise they default to
targeted which is the source of error messages about
Package: policycoreutils
Version: 3.5-1
Severity: normal
Tags: patch
THREADS=""
The script /sbin/fixfiles has a line like the above, it should be changed to
one like the below to use all cores on a modern system and speed up operation
by a factor of 3 or more.
THREADS="-T0"
On some platforms
On Sunday, 2 April 2023 04:15:18 AEST Christian Göttsche wrote:
>
> Probably due to the usage of the -T flag
>
> +kernel_read_vm_overcommit_sysctl(setfiles_t)
added
>
> +dev_read_urand(vnstatd_t)
added
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.624:6):
# sesearch -A -s systemd_resolved_t -t selinux_config_t
allow systemd_resolved_t file_type:filesystem getattr;
allow systemd_resolved_t selinux_config_t:dir { getattr ioctl lock open read search };
allow systemd_resolved_t selinux_config_t:file { getattr ioctl lock open read };
allow
The command "apt source refpolicy" doesn't get this. How do you get it?
close 851760
thanks
This was fixed in Debian/Testing recently. It happens in Bullseye but won't
in Bookworm.
close 941045
thanks
In Bullseye the user@$UID processes work well. In previous versions the
failure didn't appear to impact functionality. So this bug can be closed.
close 999441
thanks
I think the changes that are already in Testing address this.
close 874191
thanks
I believe that this is all fixed in recent versions of Debian.
Please send me a patch to use autopkgtest and I'll include it.
severity 1012841 wishlist
thanks
type firewalld_tmpfs_t;
files_tmpfs_file(firewalld_tmpfs_t)
fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
allow firewalld_t firewalld_tmpfs_t:file { map execute };
allow firewalld_t self:netlink_netfilter_socket {
close 962007
thanks
Below is from a Bullseye system. This was fixed after Buster, so Buster is
still missing this.
# sesearch -A -s openvpn_t -t openvpn_var_run_t -c sock_file
allow openvpn_t openvpn_runtime_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink
close 960960
thanks
Appears to be fixed in Bullseye and unstable.
) unstable; urgency=medium
* Policy update, lots of little things and allows the signull access that
systemd-journal from the latest systemd wants.
-- Russell Coker Thu, 30 May 2019 10:28:24 +1000
close 900782
thanks
Works in unstable now.
root@unstable:~# cat /etc/fstab
/dev/vda / ext4 noatime,nodev 0 1
/dev/vdb none swap pri=0 0 0
tmpfs /tmp tmpfs rootcontext=system_u:object_r:tmp_t:s0 0 0
root@unstable:~# df -h /tmp
close 878345
close 888967
close 900186
close 933858
close 959803
close 728950
close 758083
close 860532
close 871704
close 890208
thanks
Lots of things have changed and been fixed.
close 962842
thanks
Apache has always been allowed to connect to mysql, usually with a boolean
controlling it.
In this case MariaDB is mislabeled, run "ps axZ|grep maria" and you will see
it's in the wrong context, run "ls -lZ /usr/sbin/mariadbd" and you will
probably find it doesn't have the
close 962238
thanks
Recent versions of the policy allow this, not sure when it was fixed.
close 879037
thanks
I can't reproduce this and I think it was fixed amongst all the systemd policy
changes before Buster.
https://salsa.debian.org/selinux-team/refpolicy/-/merge_requests/10
The above merge request has transitions from init_t to user domains, in what
situation is that needed with selinux-policy-default version 2.20210203-7?
Package: policycoreutils
Version: 3.1-2
Severity: wishlist
When it does an autorelabel it labels all tmpfs filesystems along with /sys/*
and other transient filesystems. It should avoid all of those.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500,
severity 849552 minor
tags 849552 +moreinfo
thanks
Change the severity because it's not that important. Also moreinfo because I
don't even know if that problem still happens or if it happens in the same
way.
On Tuesday, 9 February 2021 20:27:37 AEDT Laurent Bigonville wrote:
> OK for libselinux, I've restored the different individual commits from
> Christian and force pushed everything. I also have added my change to
> drop the usage of gettid() to fix the remaining RC bug.
>
> Please before doing
The policy that is in Unstable now is the new upstream release and is working
well on a bunch of my systems. If Bullseye releases without any further
updates to policy then I'll be pretty happy with the situation. Of course I
will keep changing things, but unless the systemd people put in a
Package: selinux-utils
Version: 3.1-2+b2
Severity: normal
gdb /sbin/sefcontext_compile
...
(gdb) r
Starting program: /usr/sbin/sefcontext_compile
/usr/sbin/sefcontext_compile: error while loading shared libraries: cannot make
segment writable for relocation: Permission denied
[Inferior 1
Package: python3-setools
Version: 4.3.0-1.1+b1
Severity: normal
# sesearch -A -s httpd_t -d httpd_sys_content_t
Traceback (most recent call last):
File "/usr/bin/sesearch", line 20, in
import setools
File "/usr/lib/python3/dist-packages/setools/__init__.py", line 78, in
from
close 963495
thanks
Run "setsebool allow_execmem 1" before running certbot and it will be fine.
After running certbot you can run "setsebool allow_execmem 0". Or you could
run "setsebool -P allow_execmem 1" to make the change continue to apply after
a reboot.
There is no good solution to
close 963497
thanks
Run "setsebool allow_execmem 1" before running certbot and it will be fine.
After running certbot you can run "setsebool allow_execmem 0". Or you could
run "setsebool -P allow_execmem 1" to make the change continue to apply after
a reboot.
The 2:2.20161023.1-9 policy
I've attached the patch extracted from the list archives.
By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.
This comes at the
Package: policycoreutils
Version: 3.1-1
Severity: normal
Tags: patch upstream
Patch:
https://lore.kernel.org/selinux/85917790-f0a6-0d57-face-58a6536b1...@gmail.com/
Signed off:
https://lore.kernel.org/selinux/d8630b0c-3a43-8295-9903-f21746c37...@gmail.com/
This change is a good idea and has
Source: libsepol
Version: 3.0-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
Gives a compile error about missing flask.h.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Given the plans for a 3.1 release soon (maybe 2 weeks) I suggest doing nothing
about these bugs until 3.1 is released to fix them.
-- Forwarded Message --
Subject: Re: libsepol releases
Date: Tuesday, 7 April 2020, 6:59:22 PM AEST
From: Petr Lautrbach
To: Russell Coker
CC
Package: policycoreutils
Version: 3.0-1
Severity: normal
Tags: upstream
Ok: return value of 0.
Attempting to install module '/usr/share/selinux/default/zosremote.pp.bz2':
Ok: return value of 0.
Committing changes:
Found conflicting filecon rules
at
On Monday, 9 March 2020 4:57:33 AM AEDT Matthias Klose wrote:
> sorry, this was an update for the severity of all python3.8 tagged issues,
> when 3.8 became the default python3 version.
>
> Please close the issue if setools is able to build with 3.8 and is able to
> migrate to testing.
It
severity 943495 normal
thanks
I was unable to reproduce a problem when building with the latest packages
from Unstable. It appears to be building the Python 3.8 stuff in the
cpython3_3.8 directory.
I've installed the gcc package from experimental to make all the gcc links
point to version
Package: policycoreutils
Version: 2.8-1
Severity: normal
Tags: upstream
If /.autorelabel exists and the system can't mount the root filesystem rw then
it will enter a boot loop and never recover. The only recovery from such a
situation is to boot with selinux=0 on the kernel command line, fix
Package: policycoreutils-python-utils
Version: 2.8-3
Severity: normal
When adding or modifying a selinux user via "semanage user -a" or
"semanage user -m" you have to specify the prefix for labelling with the -P
option.
Something like the following is an example:
semanage user -a -P staff -R
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
Changed-By: Russell Coker <russ...@coker.com.au>
Description:
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux refe