[DSE-Dev] Bug#747106: marked as done (selinux-policy-default: Unistalling selinux-policy-default is buggy)

[Debian Bug Tracking System]

Your message dated Mon, 5 May 2014 19:34:32 +0200
with message-id <20140505193432.60c48446@george.anarkia>
and subject line Re: [DSE-Dev] Bug#747106: selinux-policy-default: Unistalling 
selinux-policy-default is buggy
has caused the Debian Bug report #747106,
regarding selinux-policy-default: Unistalling selinux-policy-default is buggy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
747106: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747106
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: selinux-policy-default
Version: 2:2.20140421-1
Severity: important

Dear Maintainer,

First I ran:

# apt-get remove selinux-policy-default

After reboot the policy was not removed and X11 hasn't started.

That it was not removed by `apt-get remove` is the first bug.

The second bug:

I ran

# dpkg --purge selinux-policy-default

After this system hasn't rebooted at all saying "kernel panic" about
not able to find policy.29 file.

The thing I want, is to remove selinux-policy-default without complete
uninstallation of SELinux, in order that I could test my own little
security policy (what I cannot do with selinux-policy-default installed
because selinux-policy-default is too buggy (particularly X doesn't start).

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.2.2-1
ii  libsepol1        2.2-1
ii  policycoreutils  2.2.5-1
ii  python           2.7.5-5
ii  selinux-utils    2.2.2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.2-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission 
denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information

--- End Message ---

--- Begin Message ---

Hi,

Victor Porton <por...@narod.ru> wrote:
> # apt-get remove selinux-policy-default
> 
> After reboot the policy was not removed and X11 hasn't started.
> 
> That it was not removed by `apt-get remove` is the first bug.

> I've said "After reboot the policy was not removed".

> I mean files in /etc/selinux/default/ which should be removed by
> `apt-get remove selinux-policy-default` were not removed.

No, files in /etc/selinux are configuration files, which must not be
deleted at "apt-get remove". You have to use "apt-get purge" for that.
See the debian policy or the manpages for apt.
> 
> The second bug:
> 
> I ran
> 
> # dpkg --purge selinux-policy-default
> 
> After this system hasn't rebooted at all saying "kernel panic" about
> not able to find policy.29 file.

Well, I guess you still booted with kernel command line
security=selinux and selinux=1, probably in enforcing mode. Which
doesn't work because then you need a working selinux policy installed.

> The thing I want, is to remove selinux-policy-default without complete
> uninstallation of SELinux, in order that I could test my own little
> security policy (what I cannot do with selinux-policy-default
> installed because selinux-policy-default is too buggy (particularly X
> doesn't start).

Please boot without selinux enabled or with selinux in permissive mode
(see /etc/selinux/config or boot with selinux.enforcing=0), install your
own policy and reboot.

I don't think we can (or should) automatically disable selinux in the
postrm script of selinux-policy-*, as this would change config files
not belonging to selinux, which were explicitly changed by the
administrator (for example by running selinux-activate). After all, the
administrator action:
* Enable selinux
* Write own policy to protect services
* Install selinux-policy-default, do not use it
* Purge selinux-policy-default
must not result in disabled selinux.

As I fail to see a bug here, I'm closing the bug. If I misunderstood
you, feel free to reopen or report a new bug.

Cheers,

Mika

-- 

signature.asc
Description: PGP signature

--- End Message ---

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel