Your message dated Tue, 13 Dec 2016 23:20:46 +0000
with message-id <[email protected]>
and subject line Bug#504412: fixed in selinux-basics 0.5.6
has caused the Debian Bug report #504412,
regarding /usr/sbin/postfix-nochroot: not handling rsyslog socket for chroot
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
504412: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504412
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-basics
Version: 0.3.5
Severity: normal
File: /usr/sbin/postfix-nochroot
Tags: patch

Hi,

I installed Rsyslog as this is the default syslog daemon now. Postfix from version 2.5.5-1.1 (07 Sep 2008) provides an Rsyslog configuration snippet with an additional socket /var/spool/postfix/dev/log, so chrooted Postfix can do logging even in the case the syslog daemon is restarted. (Please look into /usr/share/doc/postfix/README.Debian for details.) This is a problem for SE Linux:

Nov 3 16:02:24 sid kernel: [ 3056.301851] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="spool" dev=hda2 ino=82087 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.306114] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="postfix" dev=hda2 ino=82089 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.310092] type=1400 audit(1225724544.685:18): avc: denied { write } for pid=1574 comm="rsyslogd" name="dev" dev=hda2 ino=84254 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.313944] type=1400 audit(1225724544.685:18): avc: denied { remove_name } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.317603] type=1400 audit(1225724544.685:18): avc: denied { unlink } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Nov 3 16:02:24 sid kernel: [ 3056.321174] type=1300 audit(1225724544.685:18): arch=40000003 syscall=10 success=yes exit=0 a0=87d1d70 a1=0 a2=b7e097f0 a3=1 items=0 ppid=1 pid=1574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
Nov 3 16:02:24 sid kernel: Kernel logging (proc) stopped.

I prepared a modification in /usr/sbin/postfix-nochroot, so it moves out this configuration (renames it to *.bak; Rsyslog loads only *.conf files), restarts Rsyslog if the socket really exists and removes the dev chroot directory.

Postfix provided with a debconf question for doing chroot environment would be much more appropriate and I try to make some activity in this direction (report a bug with something) - but probably not acceptable for Lenny :(.

Best Regards
--
Zito

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-basics depends on:
ii  checkpolicy             2.0.16-2            SELinux policy compiler
ii  policycoreutils         2.0.49-6            SELinux core policy utilities
ii  python                  2.5.2-3             An interactive high-level object-o
ii  selinux-utils           2.0.65-5            SELinux utility programs

Versions of packages selinux-basics recommends:
ii  selinux-policy-default  2:0.0.20080702-14   Strict and Targeted variants of th
ii  setools                 3.3.5.ds-5          tools for Security Enhanced Linux

Versions of packages selinux-basics suggests:
pn  logcheck                <none>              (no description available)
pn  syslog-summary          <none>              (no description available)

-- no debconf information

--- postfix-nochroot.orig 2008-10-30 18:53:14.000000000 +0100 +++ postfix-nochroot 2008-11-03 16:17:39.000000000 +0100 @@ -8,6 +8,10 @@ use strict; my $file = "/etc/postfix/master.cf"; +my $rsyslog_postfix_conf = "/etc/rsyslog.d/postfix.conf"; +my $rsyslog_postfix_sock = "/var/spool/postfix/dev/log"; + +my $rsyslog_initrc = "/etc/init.d/rsyslog"; if(-e "$file.bak") { 
@@ -49,9 +53,61 @@ { system("$script stop"); } -system("rm -rf /var/spool/postfix/etc /var/spool/postfix/lib /var/spool/postfix/usr"); +rsyslog_postfix_socket_disable(); +mysystem('rm', '-rf', qw( + /var/spool/postfix/dev + /var/spool/postfix/etc + /var/spool/postfix/lib + /var/spool/postfix/usr + )); if($status =~ /postfix is running/) { system("$script start"); } +exit(0); + +sub rsyslog_postfix_socket_disable +{ + if ( -f $rsyslog_postfix_conf ) + { + my $from = $rsyslog_postfix_conf; + my $to = $rsyslog_postfix_conf . '.bak'; + rename($from, $to) + or die qq|$0: can't rename("$from", "$to"): $!\n|; + } + if ( -S $rsyslog_postfix_sock && -x $rsyslog_initrc ) + { + mysystem($rsyslog_initrc, 'restart'); + } +} + +sub mysystem +{ + system(@_); + if ( $? != 0 ) + { + print STDERR "$0: exec(" . join(',', map(qq|"$_"|, @_)) . ") "; + } + if ($? == -1) + { + mysystem_error(\@_, "failed: $!"); + } + elsif ($? & 127) + { + mysystem_error(\@_, "child died with signal %d, %s coredump", + ($? & 127), ($? & 128) ? 'with' : 'without'); + } + elsif ( $? ) + { + mysystem_error(\@_, "child exited with value %d", $? >> 8); + } + return $?; +} + +sub mysystem_error +{ + my ($args, $fmt, @fmtargs) = @_; + print STDERR "$0: exec(", join(',', map(qq|"$_"|, @$args)), + ") ", sprintf($fmt, @fmtargs), "\n"; +}
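Review bot: The three paths added in the first hunk ($rsyslog_postfix_conf, $rsyslog_postfix_sock, $rsyslog_initrc) carry no comment saying what they belong to. A one-line comment noting that /etc/rsyslog.d/postfix.conf is the snippet that makes rsyslog create /var/spool/postfix/dev/log inside the Postfix chroot would explain why a script that edits master.cf now touches rsyslog. The added blank "+" line between the socket and init-script variables can be dropped.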
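Review bot: In the second hunk, mysystem() prints the "$0: exec(...) " prefix itself whenever $? != 0 and then calls mysystem_error(), which prints the same prefix again, so every failure message starts with the prefix twice; the first print STDERR block in mysystem() should go. The -1 branch passes "failed: $!" as the sprintf format, so the interpolated error text is treated as a format string; pass it as an argument instead, e.g. mysystem_error(\@_, "failed: %s", $!). Both callers also ignore the value mysystem() returns, so a failed rsyslog restart or a failed rm still reaches exit(0), while a failed rename() dies; checking the return value and exiting non-zero would make the two paths consistent.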
--- End Message ---
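An added example, not part of the original report or of selinux-basics: a small Python triage script that groups the AVC denials quoted in the report by source type, target type and object class, which makes it plain that syslogd_t is being denied on postfix_spool_t objects. The function names are illustrative.

```python
import re
from collections import defaultdict

# Log lines copied from the bug report above; the last one is not an AVC record.
SAMPLE = """\
Nov 3 16:02:24 sid kernel: [ 3056.301851] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="spool" dev=hda2 ino=82087 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.306114] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="postfix" dev=hda2 ino=82089 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.310092] type=1400 audit(1225724544.685:18): avc: denied { write } for pid=1574 comm="rsyslogd" name="dev" dev=hda2 ino=84254 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.313944] type=1400 audit(1225724544.685:18): avc: denied { remove_name } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.317603] type=1400 audit(1225724544.685:18): avc: denied { unlink } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Nov 3 16:02:24 sid kernel: Kernel logging (proc) stopped.
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or not {"scontext", "tcontext", "tclass"} <= set(rec):
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```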
--- Begin Message ---
Source: selinux-basics
Source-Version: 0.5.6

We believe that the bug you reported is fixed in the latest version of selinux-basics, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated selinux-basics package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 14 Dec 2016 10:01:32 +1100
Source: selinux-basics
Binary: selinux-basics
Architecture: source all
Version: 0.5.6
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Description:
 selinux-basics - SELinux basic support
Closes: 504412
Changes:
 selinux-basics (0.5.6) unstable; urgency=medium
 .
   [ Laurent Bigonville ]
   * debian/gbp.conf: Sign tags by default

   [ Russell Coker ]
   * Make postfix-nochroot remove rsyslog socket. Closes: #504412
   * selinux-activate now doesn't add selinux=1 as it hasn't been supported by
     kernels for years. Fixed a regex bug that made it not remove
     security=selinux if there was no preceding space.
--- End Message ---
_______________________________________________ SELinux-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
