On Thu, 20 Feb 2014 00:28:43 -0800,
Devin Carraway <de...@debian.org> wrote:

> Package: selinux-policy-default
> Version: 2:2.20140206-1
> Severity: important
> 
> On a jessie system with refpolicy 2:2.20140206-1, and allow-hotplug
> set on the primary network interface, sshd is left running in udev_t,
> breaking it thoroughly (and in fact flooding the logs with socket
> errors until the machine runs out of disk).  bind9, which also has a
> hotplug trigger script, is broken by the inability of rndc to access
> auth keys.
> 
> My guess as to why:
> 
> Removal of the debian-specific refpolicy patches in rev
> 853ebfe7118c3984ff2b53f51af6f5758d222cd7 had the effect of returning
> the contents of /etc/network/if-{up,down}.d/ from initrc_exec_t to
> etc_t.  As a result, on systems with allow-hotplug on their primary
> network interfaces the sshd and any other network-using daemons aware
> of hotplug will be started from udev rather than init, and with an
> etc_t startup script the usual domain transition doesn't happen.
> 
> I'll test out restoring the labelling and see if there's more to this.
> 
> Years ago, thus was Bug#503941 at least as it impacted bind.

Could you please attach the AVC denials to the bug.

Thanks!

Laurent Bigonville

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
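As an added example (not part of either message in this thread), here is a POSIX sh check for the labelling problem Devin describes: it reads "context path" lines for the ifupdown hook scripts, reports every file whose SELinux type is not initrc_exec_t, and prints a relabelling fix. It assumes GNU find's `-printf '%Z %p\n'` as the input source, that initrc_exec_t is the intended type, and a hypothetical semanage regex for the two directories (not the policy's actual fcontext entry); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Input lines are "<context> <path>",
# e.g. from: find /etc/network/if-up.d /etc/network/if-down.d -type f -printf '%Z %p\n'
# Assumption: hook scripts must be initrc_exec_t so that daemons started by
# udev transition out of udev_t instead of inheriting it.
EXPECTED_TYPE=initrc_exec_t

# Reads "<context> <path>" on stdin; prints "<path> <actual_type>" for each
# mislabelled file and exits 1 if any were found, 0 otherwise.
check_hook_labels() {
    awk -v want="$EXPECTED_TYPE" '
        {
            # A context is user:role:type[:range]; the type is field 3.
            split($1, ctx, ":")
            if (ctx[3] != want) { print $2, ctx[3]; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample mimicking the state described in the report:
# two hook scripts fell back to etc_t, one still carries initrc_exec_t.
SAMPLE='system_u:object_r:etc_t:s0 /etc/network/if-up.d/openssh-server
system_u:object_r:etc_t:s0 /etc/network/if-up.d/bind9
system_u:object_r:initrc_exec_t:s0 /etc/network/if-down.d/openssh-server'

# Prints the two commands that persist and apply the expected label.
# The regex is an assumption, not the refpolicy's own fcontext pattern.
remediation() {
    printf '%s\n' \
      "semanage fcontext -a -t $EXPECTED_TYPE '/etc/network/if-(up|down)\.d(/.*)?'" \
      "restorecon -Rv /etc/network/if-up.d /etc/network/if-down.d"
}

# Number of mislabelled files in SAMPLE.
count_bad() {
    printf '%s\n' "$SAMPLE" | check_hook_labels | wc -l | tr -d ' '
}

if [ "$(count_bad)" -gt 0 ]; then
    echo "mislabelled hook scripts (path actual_type):"
    printf '%s\n' "$SAMPLE" | check_hook_labels
    echo "suggested fix:"
    remediation
fi
```

On a live system, replace SAMPLE with the output of the find command in the header comment and run the check before and after restorecon.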
