Your message dated Fri, 13 May 2016 22:27:37 +0000
with message-id <e1b1lyx-0005c2...@franck.debian.org>
and subject line Bug#756729: fixed in refpolicy 2:2.20140421-10
has caused the Debian Bug report #756729,
regarding selinux-policy-default: Setting SELinux to enforce results in not 
configured network interface at boot time
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
756729: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important

Dear Maintainer,

after enabling SELinux, the eth0 network device is no longer configured 
automatically during boot time.

There is a similar bug
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
but it differs in the command: here it is 'dhclient', there it is the scripts.

IMHO this is an 'important' bug, because systems using dhcp cannot switch to 
enforce - or they will not work properly any more.

The eth0 device is configured as:

allow-hotplug eth0
iface eth0 inet dhcp

After booting with SELinux set to enforced the eth0 network interface is not 
configured. ifconfig shows only 'lo'.

During boot, the following two AVCs are reported:

Jul 31 12:55:55 debtest kernel: [    4.489454] type=1400 audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 12:55:55 debtest kernel: [    4.489641] type=1400 audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

When I use both of these lines as input to 'audit2allow' and 'semodule':

$ audit2allow -M localdhclient   # reads the two AVC lines above on stdin
# semodule -i localdhclient.pp   # run as root

after booting, the interface comes up, but it looks like the further setup 
needs 'hostname' and 'ip':

Jul 31 13:39:41 debtest kernel: [    4.954371] type=1400 audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    4.954457] type=1400 audit(1406806780.651:6): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.005695] type=1400 audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.005781] type=1400 audit(1406806780.703:8): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.007904] type=1400 audit(1406806780.703:9): avc:  denied  { read write } for  pid=1752 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.007988] type=1400 audit(1406806780.703:10): avc:  denied  { read write } for  pid=1752 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket

After another 'audit2allow' and 'semodule' there are no further AVCs in the log 
after a reboot and the interface works fine.

Kind regards

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

--- End Message ---
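The report above shows the two kinds of denial that audit2allow turned into a local module: dhclient (dhcpc_t) binding UDP source ports that carry the generic port_t label, and the helpers `ip` and `hostname` (ifconfig_t, hostname_t) being denied read/write on dhcpc_t UDP sockets they inherited from dhclient (the path="socket:[...]" targets). As an added example, not code from the bug report or from refpolicy, the Python below parses kernel AVC lines in exactly that syslog form, merges them into the allow rules `audit2allow -M` would emit, and then flags those two patterns for review: an allow rule on a catch-all type such as port_t covers every object with that label, and an allow for an inherited socket is often better expressed as a dontaudit when the helper never uses the descriptor. The sample input is the report's own lines re-joined onto one line each; the review heuristics and the GENERIC_TARGETS list are the editor's assumptions, not audit2allow behaviour.

```python
"""Derive audit2allow-style rules from SELinux AVC denial lines and flag
the ones that deserve a human decision instead of a blanket allow.

Added example for this bug report; not part of the report or refpolicy.
"""
import re
from collections import defaultdict

# Constructed sample input: four denials quoted in the report, one per line.
SAMPLE_AVCS = """\
Jul 31 12:55:55 debtest kernel: [    4.489454] type=1400 audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 12:55:55 debtest kernel: [    4.489641] type=1400 audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    4.954371] type=1400 audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.005695] type=1400 audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Editor's assumption: labels that are catch-alls rather than specific types.
GENERIC_TARGETS = {"port_t", "unlabeled_t", "default_t", "file_t"}


def type_of(context):
    """user:role:type:range -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the security-relevant fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }


def allow_rules(lines):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            merged[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def review(lines):
    """Flag rules that need a policy decision (editor's heuristics):
    catch-all target types, and sockets inherited from another domain."""
    notes, seen = [], set()
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source"], avc["target"], avc["tclass"])
        if key in seen:
            continue
        seen.add(key)
        where = f"{avc['source']} -> {avc['target']}:{avc['tclass']}"
        if avc["target"] in GENERIC_TARGETS:
            notes.append(f"{where}: catch-all target type, an allow covers every such object")
        elif avc["path"] and avc["path"].startswith("socket:[") and avc["source"] != avc["target"]:
            notes.append(f"{where}: {avc['comm']} inherited another domain's socket, "
                         "prefer dontaudit if it never uses it")
    return notes


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    print("\n".join(allow_rules(lines)))
    print("\n".join("REVIEW: " + n for n in review(lines)))
```

Run on the sample it prints three allow rules, which is what the reporter's two audit2allow rounds installed, plus a review note for each. Note that the changelog closing this bug below records a change to the shipped policy rather than the reporter's local module, which is the usual outcome: the generated rules tell you what was denied, not what the right fix is.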
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20140421-10

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bi...@debian.org> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 May 2016 22:29:59 +0200
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20140421-10
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bi...@debian.org>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 585355 697843 756729 778232 780934 781670 805492 805496
Changes:
 refpolicy (2:2.20140421-10) unstable; urgency=medium
 .
   * Team upload.
   [ Laurent Bigonville ]
   * Fix the maintainer script to support the new policy store from libsemanage
     2.4 (Closes: #805492)
   * debian/gbp.conf: Sign tags by default (Closes: #781670)
   * debian/control: Adjust and cleanup the {build-}dependencies (Closes:
     #805496)
   * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
   * debian/rules: Make the build reproducible (Closes: #778232)
   * Remove deprecated system.users and local.users files
   * debian/control: Update Homepage URL (Closes: #780934)
   * debian/rules: Allow parallel build now that the build system is supporting
     it, see #677689
   * debian/policygentool: Remove string exceptions so the script is Python >=
     2.6 compatible (Closes: #585355)
   * Do not install semanage.read.LOCK, semanage.trans.LOCK and
     file_contexts.local in /etc/selinux/* this is not needed anymore with the
     new policy store.
   * debian/control: Use https for the Vcs-* URL's to please lintian
   * debian/watch: Fix watch file URL now that the project has moved to github
 .
   [ Russell Coker ]
   * Allow init_t to manage init_var_run_t symlinks and self getsched
     to relabel files and dirs to etc_runtime_t for /run/blkid
     to read/write init_var_run_t fifos for /run/initctl
     kernel_rw_unix_sysctls() for setting max_dgram_qlen (and eventually other
     sysctls)
   * Allow restorecond_t and setfiles_t to getattr pstore_t and debugfs_t
     filesystems
   * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
   * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
   * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to
     create it
   * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
   * Allow apache to read sysctl_vm_t for overcommit_memory. Allow
     httpd_sys_script_t to read sysfs_t. Allow httpd_t to manage httpd_log_t
     files and directories for mod_pagespeed.
   * Removed bogus .* in mailman file context that was breaking the regex
   * Lots of mailman changes
   * Allow system_mail_t read/write access to crond_tmp_t
   * Allow postfix_pipe_t to write to postfix_public_t sockets
   * Label /usr/share/mdadm/checkarray as bin_t
   * Let systemd_passwd_agent_t, chkpwd_t, and dovecot_auth_t get enforcing
     status
   * Allow systemd_tmpfiles_t to create the cpu_device_t device
   * Allow init_t to manage init_var_run_t links
   * Allow groupadd_t the fsetid capability
   * Allow dpkg_script_t to transition to passwd_t. Label dpkg-statoverride as
     setfiles_exec_t for changing SE Linux context. Allow setfiles_t to read
     dpkg_var_lib_t so dpkg-statoverride can do its job
   * Allow initrc_t to write to fsadm_log_t for logsave in strict configuration
   * Allow webalizer to read fonts and allow logrotate to manage
     webaliser_usage_t files also allow it to be run by logrotate_t.
   * Allow jabber to read ssl certs and give it full access to its log files.
     Don't audit jabber running ps.
   * Made logging_search_logs() allow reading var_log_t:lnk_file for symlinks
     in log dir
   * Allow webalizer to read usr_t and created webalizer_log_t for its logs
   * Made logging_log_filetrans and several other logging macros also allow
     reading var_log_t links so a variety of sysadmin symlinks in /var/log
     won't break things
   * Allow postfix_policyd_t to execute bin_t, read urandom, and capability
     chown.
     New type postfix_policyd_tmp_t
   * Added user_udp_server boolean
   * Allow apt_t to manage dirs of type apt_var_cache_t
   * Allow jabber to connect to the jabber_interserver_port_t TCP port
     Closes: #697843
   * Allow xm_t to create xen_lock_t files for creating the first Xen DomU
   * Allow init_t to manage init_var_run_t for service file symlinks
   * Add init_telinit(dpkg_script_t) for upgrading systemd
   * Allow dpkg_script_t the setfcap capability for systemd postinst.
   * Add domain_getattr_all_domains(init_t) for upgrading strict mode systems
   * Allow *_systemctl_t domains read initrc_var_run_t (/run/utmp), read proc_t,
     and have capability net_admin.  Allow logrotate_systemctl_t to manage all
     services.
   * Give init_t the audit_read capability for systemd
   * Allow iodined_t access to netlink_route_socket.
   * add init_read_state(systemd_cgroups_t) and
     init_read_state(systemd_tmpfiles_t) for /proc/1/environ
   * Label /etc/openvpn/openvpn-status.log as openvpn_status_t as it seems to
     be some sort of default location. /var/log is a better directory for this
   * Allow syslogd_t to write to a netlink_audit_socket for systemd-journal
   * Allow mandb_t to get filesystem attributes
   * Allow syslogd to rename and unlink init_var_run_t files for systemd
     temporary files
   * Allow ntpd_t to delete files for peerstats and loopstats
   * Add correct file labels for squid3 and tunable for squid pinger raw net
     access (default true)
   * Allow qemu_t to read crypto sysctls, rw xenfs files, and connect to
     xenstored unix sockets
   * Allow qemu_t to read sysfs files for cpu online
   * Allow qemu to append xend_var_log_t for /var/log/xen/qemu-dm-*
   * Allow xm_t (xl program) to create and rename xend_var_log_t files, read
     kernel images, execute qemu, and inherit fds from sshd etc.
   * Allow xm_t and iptables_t to manage udev_var_run_t to communicate via
     /run/xen-hotplug/iptables for when vif-bridge runs iptables
   * Allow xm_t to write to xen_lock_t files not var_lock_t
   * Allow xm_t to load kernel modules
   * Allow xm_t to signal qemu_t, talk to it by unix domain sockets, and unlink
     its sockets
   * dontaudit xm_t searching home dir content
   * Label /run/xen as xend_var_run_t and allow qemu_t to create sock_files in
     xend_var_run_t directory
   * Label /var/lock/xl as xen_lock_t
   * allow unconfined_t to execute xl/xm in xm_t domain.
   * Allow system_cronjob_t to configure all systemd services (restart all
     daemons)
   * Allow dpkg_script_t and unconfined_t to manage systemd service files of
     type null_device_t (symlinks to /dev/null)
   * Label /var/run/lwresd/lwresd.pid as named_var_run_t
   * Label /run/xen/qmp* as qemu_var_run_t
   * Also label squid3.pid
   * Allow iptables_t to be in unconfined_r (for Xen)
   * Allow udev_t to restart systemd services
     Closes: #756729
   * Merge Laurent's changes with mine
Checksums-Sha1:
 6274875f7fdd38d056f1e86a03017fb3549560df 2089 refpolicy_2.20140421-10.dsc
 4c4f27df1524bbf2a9db69ba250cb945f8a5f479 90016 refpolicy_2.20140421-10.debian.tar.xz
 433730c9090b856c1d6dfaaac32e7604717f893e 2821672 selinux-policy-default_2.20140421-10_all.deb
 029ed851edd6d45c11b9fab474f701cfac435959 443666 selinux-policy-dev_2.20140421-10_all.deb
 82df1c4e0a456118dcb670f881b0b2347e93530e 423478 selinux-policy-doc_2.20140421-10_all.deb
 ada7d89622cb470fce3dd6f5e0bc5da63a21fd3b 2871900 selinux-policy-mls_2.20140421-10_all.deb
 8b8a042e4f7d5e2af769a2bd7318b9dc3828c4c2 1183880 selinux-policy-src_2.20140421-10_all.deb
Checksums-Sha256:
 0b83e4e05e8c672b86e928128071727cd152d580b721817ce1a883bb92f85cd6 2089 refpolicy_2.20140421-10.dsc
 e07227169bf110bc045b977dd545a6a84864e431c745696102907b571188036b 90016 refpolicy_2.20140421-10.debian.tar.xz
 274656801d596f8ff71c6745a36c56867f0c9e7f9f3d0e2cea98bb12dec0baea 2821672 selinux-policy-default_2.20140421-10_all.deb
 7a8dbdd541378bdf0c6a66f6d27393a64d1de573672dee5feb8fb053b8b5bec6 443666 selinux-policy-dev_2.20140421-10_all.deb
 987384487836b46863ed20c30864a4b1600af836b762ad3f6489da4c04168a40 423478 selinux-policy-doc_2.20140421-10_all.deb
 ecd9622ede56aabb40370a0bd01d151f5ec09e06a7259783428793fb9847fde4 2871900 selinux-policy-mls_2.20140421-10_all.deb
 1b9c76e0e3521a51698bc5d299ad385cc5b94074e7c477c25a7b3ce4f1f2f276 1183880 selinux-policy-src_2.20140421-10_all.deb
Files:
 cd12eda70b44ee8d827288a8f037c90d 2089 admin optional refpolicy_2.20140421-10.dsc
 daa9bad41935fa9966514a77207ae47e 90016 admin optional refpolicy_2.20140421-10.debian.tar.xz
 26a6719a2e8035f1df277de7da5960a4 2821672 admin optional selinux-policy-default_2.20140421-10_all.deb
 c65f722a18d0225b2e70428a2343fbce 443666 admin optional selinux-policy-dev_2.20140421-10_all.deb
 c75fdf3e201c0fbc03f97c91fb24f679 423478 doc optional selinux-policy-doc_2.20140421-10_all.deb
 6fc180e9a11b5994f09a24b515b973dc 2871900 admin extra selinux-policy-mls_2.20140421-10_all.deb
 744b4acc08ea65d4f9083102e86fb8d3 1183880 admin optional selinux-policy-src_2.20140421-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJXNj1bAAoJEB/FiR66sEPVcGEH/15Pp3PP25YP8g/3KJks5/xG
9CCAfqY0NNMXbonrJVALIRdMn8RJ/9ILP7VqretxuE3WW8hWJ3rgkDwuEJoY/IRt
Wayx6knfJuxz0fuLVmHiKfMt2S2lp4AF5zPpan2bn1VgHYwkGfx3w7orm5TaG2OM
I6p4tLVR9ZArdFObVysOOypg4mzeGzoz1VIjVqgHvnml9kZ7ItfsQ0vWh2GMdl0V
/nbaXG7nLBQA4gR6o8CxS4wZdrBfUkv7WbR8UioYggr5NSytrSpzZd4+C6+nUtnu
ErOp7pSeIudQ08v6yCyEuERQHg4w3lI32mKYIQLiE39pQRk73fT4NHCCgV5QxLU=
=AnqX
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel