[DSE-Dev] Bug#893697: Bug#893697: sesearch needs python3-lib2to3

reassign 893697 python3-networkx 1.11-2 severity 893697 serious tags 893697 + sid buster thanks Le 21/03/18 à 11:10, Christian Göttsche a écrit : Package: setools Version: 4.1.1-3 Severity: Important sesearch needs the python module lib2to3 or it fails: Traceback (most recent call last):

[DSE-Dev] Changes in 2.20171228-1

Hello Russell, Is it expected that the 2.20171228-1 upload doesn't seems to contain the changes of the 2.20161023.1-10 one? Do you think it's possible to update the git repository with the last changes? It's a bit difficult to follow the changes that are happening (and also to be able to

Re: [DSE-Dev] Bug#773346: reportbug should provide information about active LSM

Le 27/10/17 à 14:40, Laurent Bigonville a écrit : Le 26/10/17 à 19:17, intrigeri a écrit : intrigeri: I'm attaching the equivalent for AppArmor. Here's a cleaned up v2 (my initial patch had leftovers from a previous version that included the output of aa-enabled; now that I've stopped doing

Re: [DSE-Dev] Bug#773346: reportbug should provide information about active LSM

). This is a bit less elegant, but it seems to do the job and it has the advantage of not requiring python-selinux. I guess it's up to the maintainer to choose here. >From 4bf22d8b52dcebc078281fd200680d95b08b926d Mon Sep 17 00:00:00 2001 From: Laurent Bigonville <bi...@debian.org> Date: Sat, 7 Oct 2

Re: [DSE-Dev] Bug#773346: reportbug should provide information about active LSM

Le 07/10/17 à 17:03, Laurent Bigonville a écrit : On Fri, 22 Sep 2017 12:26:42 +0200 Laurent Bigonville <bi...@debian.org> wrote: [...] 3. If you don't want to shell out, you could use the python selinux module to retrieve and display the informations (see my little example at

Re: [DSE-Dev] Bug#773346: reportbug should provide information about active LSM

On Fri, 22 Sep 2017 12:26:42 +0200 Laurent Bigonville <bi...@debian.org> wrote: On Sun, 03 Sep 2017 13:26:57 +0200 intrigeri <intrig...@debian.org> wrote: > > As I am un-knowledgeable on this matter, can you list all the LSMs and > > the way to identify any of them is ru

Re: [DSE-Dev] cron broken in SELinux enforced mode due to system_u login mapping removal

refpolicy specific identifiers. I'm thinking about uploading my patch in unstable in the following days and then in stable Cheers, Laurent Bigonville diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c --- cron-3.0pl1/user.c +++ cron-3.0pl1/user.c @@ -47,22 +47,31 @@ char *level = NULL;

[DSE-Dev] Bug#875558: libsemanage: please support nocheck option and profile

On Tue, 12 Sep 2017 10:05:33 +0200 Helmut Grohne wrote: > Source: libsemanage > Version: 2.7-1 > Tags: patch > User: helm...@debian.org > Usertags: rebootstrap > > libsemanage Build-Depends on libcunit1-dev. The dependency is only used > for the test suite and can be skipped

[DSE-Dev] Bug#874191: gdm3 started users start in wrong context

started by dbus/systemd user session. In /etc/selinux/default/contexts/users/unconfined_u, could you please add the following line and try again? system_r:init_t:s0  unconfined_r:unconfined_t:s0 Regards, Laurent Bigonville ___ SE

Re: [DSE-Dev] CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE

Le 11/04/17 à 16:53, Christian Göttsche a écrit : I am using the boot flag *checkreqprot=0* without any complications or policy changes. @Laurent if you are willing, one could alter the selinux-activate script to set the boot flag I think it's too late now to do that (and I don't know all the

Re: [DSE-Dev] i386 PIE/allow_execmod in stretch emergency!

Le 08/03/17 à 05:14, Russell Coker a écrit : There have been some recent binary NMUs for Stretch to support PIE on i386. One very important one is gzip. PIE on i386 needs execmod access and given the number of domains calling gzip and other programs that means allow_execmod is almost mandatory

[DSE-Dev] Bug#849637: not policy bugs

Le 07/01/17 à 07:21, Russell Coker a écrit : On Friday, 6 January 2017 2:09:13 PM AEDT Laurent Bigonville wrote: I just retested myself and it's working with the kernel from unstable (apparently you need >= 4.2) and the following line: genfscon sysfs /devices/system/cpu/online gen_cont

[DSE-Dev] Bug#849637: not policy bugs

On Fri, 06 Jan 2017 23:54:37 +1100 Russell Coker wrote: > This can't be fixed in policy. Policycoreutils should have an init script or > systemd tmpfiles config file to set it. I just retested myself and it's working with the kernel from unstable (apparently you need

Re: [DSE-Dev] reproducable builds

Le 01/01/17 à 21:47, cgzones a écrit : I rioted in the debian/rules file and got the build reproducible for me: https://github.com/cgzones/debian-package-refpolicy/commit/8de642c8d1ddd10c09a1d1521eeb4e0a1da6bfff I think the only reproducible error was the missing --sort=name option to the tar

[DSE-Dev] Bug#736909: where are we at with this?

Hi Russell, Le 27/12/16 à 13:20, Russell Coker a écrit : The lxc_contents file is in selinux-policy-default and a quick check indicates that the policy might be ok. What do we have to do to test it? I can provide root on a test system to anyone who wants to help test this. The initial

[DSE-Dev] Bug#848232: semanage login: no awareness of exising entries

Le 15/12/16 à 14:13, cgzones a écrit : Hi, When working on SELinux login settings, it seems that semanage is not aware of already existing entries. Could you please try with libsepol1 2.6-2. I think this is a duplicate of #846484 Regards, Laurent Bigonville

[DSE-Dev] Bug#740563: Fwd: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow

On Mon, 3 Mar 2014 14:38:41 -0500 Zack Weinberg <za...@panix.com> wrote: > On Mon, Mar 3, 2014 at 12:24 PM, Laurent Bigonville <bi...@debian.org> wrote: Hi, [...] > > I'm not sure this is a bug. > > Well, I would ask that you consider two changes

[DSE-Dev] Bug#835503: libselinux: please provide libselinux1-udeb

months. Is this OK for you? Regards, Laurent Bigonville On Fri, 26 Aug 2016 13:41:35 +0200 Christian Seiler <christ...@iwakd.de> wrote: > Dear Maintainer, > > please provide libselinux1-udeb for use in a d-i environment, since > libmount depends on libselinux, and open-iscs

[DSE-Dev] Bug#829617: selinux-policy-default not available for stable

severity 829617 wishlist tag 829617 + jessie thanks Le 04/07/16 à 20:37, Klaus Ethgen a écrit : selinux-policy-default is not available for stable (jessie) than only for old-stable and testing (and unstable). Yes the policy was considered too buggy when stable has been released and thus has

[DSE-Dev] Bug#823184: umount mounts /proc as a side effect

Can you please try the patch that has been attached to the bug and tell me if it's fixing your issue? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823184#44 Le 13/05/16 à 17:49, Laurent Bigonville a écrit : Le 13/05/16 à 17:16, Yuri D'Elia a écrit : On Fri, May 13 2016, Laurent

[DSE-Dev] Bug#823184: umount mounts /proc as a side effect

Le 13/05/16 à 17:16, Yuri D'Elia a écrit : On Fri, May 13 2016, Laurent Bigonville<bi...@debian.org> wrote: Again this is supposed to happen at early boot, and at this stage, only PID1 exists. So I doubt there is a lot of concurrent processes at that time. But this is not c

[DSE-Dev] Bug#819200: ruby-selinux: implicit depends on libruby

re installed and add the necessary dependencies? Also should this dependency be against librubyX.X or against the ruby interpreter itself? I'm thinking about reassigning this to gem2deb pkg. Cheers, Laurent Bigonville ___ SELinux-devel mailing

[DSE-Dev] Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade

On Mon, 02 May 2016 20:51:55 -0700 Jonathan Yu wrote: > > Dear Maintainer, Hello, > > Thank you for your work bringing SELinux to Debian! > > I regret that my knowledge of both SELinux and systemd is limited, so I do not > know what diagnostics to collect or how to collect

[DSE-Dev] Bug#822679: Bug#822679: closed by Laurent Bigonville <bi...@debian.org> (Bug#822679: fixed in libselinux 2.5-2)

Le 01/05/16 à 21:01, Yuri D'Elia a écrit : On Sun, May 01 2016, Laurent Bigonville <bi...@debian.org> wrote: It's only doing this if /proc is not mounted, something that should happen at early boot. libselinux needs to determine the status of selinux on the machine. This is done by r

[DSE-Dev] Bug#822679: Bug#822679: closed by Laurent Bigonville <bi...@debian.org> (Bug#822679: fixed in libselinux 2.5-2)

Le 01/05/16 à 14:00, Yuri D'Elia a écrit : I'm_not_ happy with the solution here. This will*still* cause regular userland utilities, such as ls on Debian, to mount /proc when you least expect it to. libselinux must just bail gracefully if /proc is not mounted. It's only doing this if /proc

[DSE-Dev] Bug#775610: policycoreutils: strange access to /root/tmpfiles.d from restorecond

/root/tmpfiles.d. > The symlink in question was created in 2012 and I don't know why I created it > or if it was created by a script. > > A grep of the source code didn't show a reason for this access, there is no > match for the string tmpfiles.d in the policycoreutils sou

[DSE-Dev] Bug#731212: policycoreutils: restorecon sometimes fails with error 255 unexpectedly (but repeatedly)

; > The error return should happen in cases B, C, and D if it concerns the warning > about /etc/mtab. > > If the error return doesn't concern the displayed warning about /etc/mtab then > it should have an error message telling the user what went wrong. > Can you still repr

[DSE-Dev] Bug#620907: policycoreutils: fixfiles does not relabel contents of btrfs subvolumes

ot counting as being on a filesystem of type 'btrfs', according to find which is called by this script. I know this is an old bug, but are you still able to reproduce it? I see that there are some changes related to this to fixfiles script, but I cannot verify as I'm not using btrfs myself. Chee

[DSE-Dev] Bug#805492: /var/lib

Le 29/02/16 03:46, Russell Coker a écrit : On Mon, 29 Feb 2016 02:47:04 AM Laurent Bigonville wrote: Le 28/02/16 11:05, Russell Coker a écrit : the easiest would be to do like fedora and install the modules directly in the /var/lib/selinux//100 store instead of copying/loading them

[DSE-Dev] Bug#805492: /var/lib

Le 28/02/16 11:05, Russell Coker a écrit : the easiest would be to do like fedora and install the modules directly in the /var/lib/selinux//100 store instead of copying/loading them at installation time Do you mean having files in the package under /var/lib? If so that seems like a FHS

[DSE-Dev] Bug#813604: newrole: pamd error

tag 813604 + fixed-upstream thanks Hi, IIRC this has been fixed upstream already and will be part of the 2.5 release Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org

[DSE-Dev] Bug#752337: setools: Logwatch script in wrong location, produces error when package is removed but not purged

Le 28/12/15 09:55, Willi Mann a écrit : Hi, Am 2015-12-28 um 01:28 schrieb Laurent Bigonville: On Sun, 22 Jun 2014 21:14:55 +0200 Willi Mann <wi...@wm1.at> wrote: Hi, I think the script /etc/logwatch/scripts/services/seaudit-report-service should be shipped in /usr/share/logwatch/s

[DSE-Dev] Tagging SELinux related bugs

-devel%40lists.alioth.debian.org If you are opening a bug related to SELinux integration in Debian, could you please tag this bug. You can add the following pseudo-headers when sending the bugreport: User: selinux-devel@lists.alioth.debian.org Usertags: selinux Thanks, Laurent Bigonville

Re: [DSE-Dev] selinux-policy-default in Jessie

Le 12/12/15 12:36, Oliver Kirst a écrit : Hi Laurent, thanks for your answer. I will try to use the policy from source/upstream directly. However, I thought that Debian is widely used on servers. Is there no one really complaining about missing SELinux support in Jessie? Kernel and

[DSE-Dev] Bug#805492: refpolicy: Fix the maintainer script to support the new policy store

it (it uses python) or if we are doing the migration manually. The maintainer script should also be updated to use the new location to install the modules after the initial migration. Should we use semodule again? We should also install these modules with the correct priority. Cheers, Laurent Bigonville

[DSE-Dev] Bug#805496: refpolicy: Check if the (build-)dependencies are still satisfied

Source: refpolicy Version: 2:2.20140421-9 Severity: serious Hi, With policycoreutils 2.4, the package has been split in multiple sub-packages. We need to check if the needed executables are still present and adjust the dependencies accordingly. Cheers, Laurent Bigonville -- System

[DSE-Dev] Bug#776205: selinux-basics: dbus uninstallable in lxc container due to selinux

is disable and will not bother trying to do anything with it Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

[DSE-Dev] Bug#555365: python-sepolgen: Embedded code copy of python-ply

t; > > Please modify your package to use the system-wide module provided by > the python-ply package. I just double checked, and it seems that the embedded version is slightly modified. The changes doesn't seems that bit so we could try to m

[DSE-Dev] Splitting/reworking policycoreutils packages

is working on debian) - mcstrans - restorecond - ... What are people thinking about this? Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

Re: [DSE-Dev] Bug#796693: selinux-basics: Has init script in runlevel S but no matching service file

Le 14/09/15 17:26, Russell Coker a écrit : On Tue, 15 Sep 2015 12:49:15 AM Laurent Bigonville wrote: Package: selinux-basics Followup-For: Bug #796693 I'm planning to kill the selinux-basics LSB initscript entirely and remove all functionalities from the selinux-basic package. I'm planning

Re: [DSE-Dev] Bug#752002: cdebconf: Please run maintainer scripts in correct selinux context

Regis Boudin wrote: Hi Laurent, Hello Regis, On 18/06/14 18:27, Laurent Bigonville wrote: Package: cdebconf Version: 0.191 Severity: wishlist Hi, Since 1.17.0, dpkg is trying to run the maintainer scripts in a different context based on the file context and fallback

[DSE-Dev] Bug#753727: Bug#753727: reason for this

Le Sat, 05 Jul 2014 20:11:44 +1000, Russell Coker russ...@coker.com.au a écrit : On Sat, 5 Jul 2014 11:03:32 Laurent Bigonville wrote: Quickly looking a the libsepol case, I'm not sure why we are re-executing init in this case at all. sysvinit doesn't seems to use any of its symbols

[DSE-Dev] Bug#752245: Bug#752245: selinux-basics: An USB 3.0 disk does not work with SELinux

system? And then are you seeing any AVC denials related to this? To be honest I'm puzzled by this bug. Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman

Re: [DSE-Dev] I've created secilc package, please sponsor

Le Mon, 12 May 2014 01:58:21 +0300, Victor Porton por...@narod.ru a écrit : 12.05.2014, 01:50, Laurent Bigonville bi...@debian.org: Le Mon, 12 May 2014 00:22:59 +0300, Victor Porton por...@narod.ru a écrit :  I also added (untested) code to automatically reload the policy

Re: [DSE-Dev] I've created secilc package, please sponsor

(maybe upstream meant -L?) Are you planning to send your patches to upstream (the one to add the DESTDIR variable), it is always nice to have the less patches possible in the debian package. Cheers! Laurent Bigonville ___ SELinux-devel mailing list

[DSE-Dev] Bug#747106: Bug#747106: I disagree with closing

is blocking everything, I don't think this is a bug but a design feature. Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

Re: [DSE-Dev] Bug#682068: [Piuparts-devel] Bug#682068: selinux + piuparts

tag 682068 + patch thanks Le Wed, 30 Apr 2014 15:46:45 +0200, Holger Levsen hol...@layer-acht.org a écrit : Hi, On Mittwoch, 30. April 2014, Laurent Bigonville wrote: I'll try to cook something. But if you really want to remove the support, wouldn't it be better to unconditionally switch

Re: [DSE-Dev] debian-policy: Document in the policy the way to properly set selinux labels on files and directories

This is the first time I'm drafting a policy change, so comments welcome :) Cheers, Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

Re: [DSE-Dev] debian-policy: Document in the policy the way to properly set selinux labels on files and directories

Le Thu, 1 May 2014 18:02:20 +0200, Laurent Bigonville bi...@debian.org a écrit : [...] A maintainer script can for example call the restorecon(8) executable to achieve this: [ -x /sbin/restorecon ] /sbin/restorecon $myfile I guess the output of restorecon should be redirected to /dev

Re: [DSE-Dev] [Piuparts-devel] Bug#682068: Bug#682068: selinux + piuparts

Le Thu, 1 May 2014 17:57:02 +0200, Holger Levsen hol...@layer-acht.org a écrit : Hi Laurent, On Donnerstag, 1. Mai 2014, Laurent Bigonville wrote: I've attached a patch that is implementing the change. great! If /selinux is present, the selinuxfs will be mounted

[DSE-Dev] [PATCH] Mount selinuxfs read-only and on new location when possible

From: Laurent Bigonville bi...@bigon.be We need to mount the selinuxfs read-only inside the chroot to make the userspace think that selinux is disabled. This is required, otherwise dpkg will fail as no policy is installed in the chroot. We are also moving the mountpoint of the selinuxfs from

Re: [DSE-Dev] debian-policy: Document in the policy the way to properly set selinux labels on files and directories

Le Thu, 1 May 2014 09:55:09 -0700, Jonathan Nieder jrnie...@gmail.com a écrit : Hi, Hello, Laurent Bigonville wrote: A maintainer script can for example call the restorecon(8) executable to achieve this: [ -x /sbin/restorecon ] /sbin/restorecon $myfile Should I do

[DSE-Dev] Bug#697814: selinux-policy-default: exim4 and bitlbee want access to sysctl_crypto_t

{ ioctl read getattr lock search open } ; But we should indeed considere adding something more generic Cheers, Laurent Bigonville -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign

[DSE-Dev] Bug#742957: /usr/sbin/update-ca-certificates: Please restore SELinux label after generating ca-certificates.crt file

-certificates.crt file is initally created in /tmp and thus is labeled as '*_tmp_t', when the file is moved this label is preserved. This could cause issues if a confined application wants to access it. Cheers, Laurent Bigonville -- System Information: Debian Release: jessie/sid APT prefers unstable

Re: [DSE-Dev] at: Needs SE Linux support

is not setting the context before calling sendmail as by default it will transition to system_mail_t anyway. Cheers, Laurent Bigonville [0]http://pkgs.fedoraproject.org/cgit/at.git/tree/at-3.1.14-selinux.patch only in patch2: unchanged: --- at-3.1.14.orig/Makefile.in +++ at-3.1.14/Makefile.in @@ -40,6

[DSE-Dev] Bug#740563: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow

Le Mon, 03 Mar 2014 12:11:56 -0500, Zack Weinberg za...@panix.com a écrit : On 2014-03-02 8:14 PM, Laurent Bigonville wrote: Le Sun, 02 Mar 2014 17:09:39 -0500, Zack Weinberg za...@panix.com a écrit : Enabling or disabling any SELinux module with `semodule -e` / `-d` takes

[DSE-Dev] Bug#739590: Bug#739590: selinux-policy-default: ssh bind9 broken by removal of hotplug script initrc labelling

. Thanks! Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

Re: [DSE-Dev] base module

Le Tue, 14 Jan 2014 03:08:47 +1100, Russell Coker russ...@coker.com.au a écrit : On Mon, 13 Jan 2014 16:19:22 Laurent Bigonville wrote: [...] True. But seeing a list of 400+ modules isn't helpful either. Also the module names aren't that informative, *I* had to read the source of some

Re: [DSE-Dev] Bug#682068: selinux + piuparts

-only is a bit more urgent than moving the mountpoint. Cheers, Laurent Bigonville [0] http://comments.gmane.org/gmane.comp.security.selinux/15349 [1] http://permalink.gmane.org/gmane.comp.security.selinux/15870 ___ SELinux-devel mailing list SELinux-devel

[DSE-Dev] Transition unconfined users to dpkg_t domain

how this should be done? I've opened [0] is somebody is interested. Cheers, Laurent Bigonville [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732845 ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http

[DSE-Dev] Bug#732845: /usr/sbin/dpkg-reconfigure: Maintainer scripts not run in correct selinux context

transitioned out of the dpkg_t context. The maintainer scripts run by dpkg-reconfigure should also transition to the appropriate context. Unfortunately there is no perl binding for selinux, I guess that the tools from selinux-utils could be used instead. Cheers Laurent Bigonville -- System Information

[DSE-Dev] Bug#707214: refpolicy: Please handle new dpkg_script_t execution context

that the policy already has support for the dpkg_script_t execution context, or did you had something specific in mind? Cheers, Laurent Bigonville For the record the discussion with selinux upstream is here: https://lists.debian.org/debian-dpkg/2012/11/msg4.html

[DSE-Dev] Bug#690477: selinux-policy-default: multiple avc denies and su problem

? It is quite difficult to track different problems in one bug. Cheers Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

[DSE-Dev] Bug#725339: rpm: Please (re)enable selinux support

Source: rpm Version: 4.11.1-3 Severity: wishlist Tags: patch Hi, Is there any reasons, the selinux support in rpm package has been disabled? If no, could you please reenable it? Cheers Laurent Bigonville -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy

Re: [DSE-Dev] Bug#682068: selinux + piuparts

if this filesystem is mounted and not use the selinuxenabled command to see if selinux is enabled. It might be possible that this package is not installed on the system even if selinux is enabled (that's probably not the case on standard setup, but it might happen). Cheers Laurent Bigonville See

[DSE-Dev] Bug#708435: aide: FTBFS: (.text+0x1d8): undefined reference to `pthread_atfork'

Le Fri, 17 May 2013 09:06:31 +0200, Hannes von Haugwitz han...@vonhaugwitz.com a écrit : Hi, Hello, On Thu, May 16, 2013 at 11:09:11PM +0200, Laurent Bigonville wrote: Hannes von Haugwitz wrote: [...] I'll fix this in the libselinux package soon. It also probably needs

[DSE-Dev] Bug#708435: aide: FTBFS: (.text+0x1d8): undefined reference to `pthread_atfork'

. It also probably needs Requires.private: libpcre too. Cheers Laurent Bigonville ___ SELinux-devel mailing list SELinux-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel