Your message dated Thu, 12 Jan 2017 07:18:37 +0000
with message-id <[email protected]>
and subject line Bug#781779: fixed in refpolicy 2:2.20161023.1-7
has caused the Debian Bug report #781779,
regarding selinux-policy-default: not possible to login via GUI when SELinux is set to enforcing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
781779: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after enabling SELinux it is not possible to use graphical login anymore.
Instead of the desktop the following message appears:

  "Oh no! Something has gone wrong.
   A problem has occurred and the system can't recover.
   All extensions have been disabled as a precaution."

Beneath there is a 'Logout' button.

When setting 'setenforce 0' it is possible to login (again).
Because there are so many AVCs, I cannot name the root cause here.
Attached you can find the output of 'audit2allow --boot'.

I set the severity to grave because IMHO a lot of people use / will use
Debian as their desktop / laptop OS with graphical UI. This is not usable
any more when SELinux is enabled using the current default policy.

If I can support finding the root cause or providing a patch, please drop
me a note.

Kind regards
Andre

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

============================== 8< ==============================
# audit2allow --boot

#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read getattr open search };
allow NetworkManager_t init_var_run_t:dir read;
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_t:fd use;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
allow NetworkManager_t systemd_logind_var_run_t:fifo_file write;
allow NetworkManager_t systemd_logind_var_run_t:file { read getattr open };

#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t
allow alsa_t var_run_t:dir { write create add_name setattr };
#!!!! The source type 'alsa_t' can write to a 'file' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, alsa_lock_t, alsa_etc_rw_t, alsa_tmpfs_t, user_home_t
allow alsa_t var_run_t:file { read write create open lock };
allow alsa_t var_run_t:lnk_file create;
allow alsa_t xdm_t:process signull;
allow alsa_t xdm_tmpfs_t:file { read getattr unlink open };

#============= apmd_t ==============
allow apmd_t device_t:chr_file { read ioctl open };

#============= kernel_t ==============
allow kernel_t systemd_unit_file_t:service { status start };

#============= policykit_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= systemd_cgroups_t ==============
allow systemd_cgroups_t kernel_t:unix_dgram_socket sendto;
allow systemd_cgroups_t kernel_t:unix_stream_socket connectto;

#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t tmpfs_t:dir { write remove_name rmdir };
allow systemd_logind_t tmpfs_t:sock_file unlink;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t xdm_tmpfs_t:dir { write getattr rmdir read remove_name open };
allow systemd_logind_t xdm_tmpfs_t:file { getattr unlink };

#============= udev_t ==============
allow udev_t self:netlink_socket { write getattr setopt read bind create };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
--- End Message ---
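The audit2allow output attached to the report above is the usual starting point for this kind of failure, but it is not safe to feed straight into `semodule`: audit2allow itself flags some rules with `#!!!!` either because an existing boolean already covers the access (toggle it with `setsebool -P` instead of widening the policy) or because the source domain already writes to other types, which usually means a mislabeled file rather than a missing rule. The script below is an added example for triaging that output, not code from the reporter or from the Debian refpolicy package. It parses a short excerpt of the report's audit2allow text (re-wrapped one statement per line, as audit2allow prints it), sorts rules into those three classes, and renders only the remainder as a `.te` skeleton; the module name `gui_login_local` is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of the 'audit2allow --boot' output from the
# bug report above, one statement per line as audit2allow prints it.
SAMPLE = """\
#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t
allow alsa_t var_run_t:dir { write create add_name setattr };
allow alsa_t xdm_t:process signull;
#============= policykit_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;
#============= xdm_t ==============
allow xdm_t init_t:system status;
"""

DOMAIN_RE = re.compile(r"^#=+\s*(\S+)\s*=+$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")


def parse_audit2allow(text):
    """Turn audit2allow text into rule dicts, attaching the '#!!!!' hints
    that audit2allow prints directly before the rule they refer to."""
    rules, booleans, write_warning, expecting = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or DOMAIN_RE.match(line):
            continue  # banner line; the source type is in the rule itself
        if line.startswith("#!!!!"):
            body = line[5:].strip()
            if "booleans" in body:
                expecting = "booleans"
            elif "can write to" in body:
                expecting, write_warning = "write", body
            continue
        if line.startswith("#"):  # continuation list after a '#!!!!' line
            items = [x.strip() for x in line[1:].split(",") if x.strip()]
            if expecting == "booleans":
                booleans.extend(items)
            elif expecting == "write":
                write_warning += " " + ", ".join(items)
            expecting = None
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.append({"source": src, "target": tgt, "class": cls,
                      "perms": perms.strip("{}").split(),
                      "booleans": booleans, "write_warning": write_warning})
        booleans, write_warning, expecting = [], None, None
    return rules


def triage(rules):
    """boolean: flip a boolean instead of adding policy; broad_write: check
    file labels first; needs_module: genuinely missing access."""
    buckets = {"boolean": [], "broad_write": [], "needs_module": []}
    for r in rules:
        if r["booleans"]:
            buckets["boolean"].append(r)
        elif r["write_warning"]:
            buckets["broad_write"].append(r)
        else:
            buckets["needs_module"].append(r)
    return buckets


def render_module(rules, name):
    """Render leftover rules as a .te module with a require block
    ('self' is a keyword, not a type, so it is never required)."""
    types, classes = set(), defaultdict(set)
    for r in rules:
        types.add(r["source"])
        if r["target"] != "self":
            types.add(r["target"])
        classes[r["class"]].update(r["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for r in rules:
        p = r["perms"][0] if len(r["perms"]) == 1 else "{ " + " ".join(r["perms"]) + " }"
        out.append(f"allow {r['source']} {r['target']}:{r['class']} {p};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    b = triage(parse_audit2allow(SAMPLE))
    for r in b["boolean"]:
        print(f"setsebool -P one of {r['booleans']} rather than allowing "
              f"{r['source']} {r['target']}:{r['class']}")
    for r in b["broad_write"]:
        print(f"check file labels first: {r['write_warning']}")
    print(render_module(b["needs_module"], "gui_login_local"))  # hypothetical name
```

On a real system the input comes from `ausearch -m avc -ts boot | audit2allow` rather than the embedded sample; the rendered `.te` is what you would review before `checkmodule`/`semodule_package`, and the `broad_write` bucket is where `restorecon -Rv` on the path in question usually makes the denial disappear without any new rule.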
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-7

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Jan 2017 18:01:40 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 740685 781779 849637 850032
Changes:
 refpolicy (2:2.20161023.1-7) unstable; urgency=medium
 .
   [ Laurent Bigonville and cgzones ]
   * Sort the files in the selinux-policy-src.tar.gz tarball by name,
     this should fix the last issue for reproducible build
   * Add genfscon for cpu/online. Closes: #849637
 .
   [ Russell Coker ]
   * Make the boinc patch like the one upstream accepted and make it last
     in the list.
   * Label /etc/sddm/Xsession as xsession_exec_t
   * Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
   * Allow devicekit_power_t to chat to xdm_t via dbus
   * Allow rtkit_daemon_t to stat the selinuxfs and search default contexts
   * Allow loadkeys_t to read tmp files created by init scripts
   * Allow systemd_tmpfiles_t to delete usr_t files for a file copied to
     /tmp and to read dbus lib files for /var/lib/dbus
   * Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
     relabel to/from user_tmpfs_t, and manage wireless_device_t
   * Allow xauth_t to inherit file handles from xdm_t, read an inherited
     fifo and read/write an inherited socket.
   * Allow xdm_t to send dbus messages to unconfined_t
   * Give crond_t sys_resource so it can set hard ulimit for jobs
   * Allow systemd_logind_t to setattr on the kvm device and user ttys, to
     manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
   * Allow systemd_passwd_agent_t to stat the selinuxfs and search the
     contexts dir
   * Make systemd_read_machines() also allow listing directory
   * Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
   * Allow setfiles_t to inherit apt_t file handles
   * Allow system_mail_t to use ptys from apt_t and unconfined_t
   * Label /run/agetty.reload as getty_var_run_t
   * Allow systemd_tmpfiles_t to relabel directories to etc_t
   * Made sysnet_create_config() include { relabelfrom relabelto
     manage_file_perms }, allow systemd_tmpfiles_t to create config, and
     set file contexts entries for /var/run/resolvconf. Makes policy work
     with resolvconf (but requires resolvconf changes) Closes: #740685
   * Allow dpkg_script_t to restart init services
   * Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
   * Allow named to read network sysctls and usr files
   * Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd
     as ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t
     and unconfined_t over dbus. Allow ntpd_t capabilities fowner and
     setpcap when building with systemd support, also allow listing init
     pid dirs. Label /var/lib/systemd/clock as ntp_drift_t
   * Allow systemd_nspawn_t to read system state, search init pid dirs
     (for /run/systemd) and capability net_admin
   * Allow backup_t capabilities chown and fsetid to cp files and preserve
     ownership
   * Allow logrotate_t to talk to dbus and connect to init streams for
     systemctl, also allow setrlimit for systemctl
   * Allow mon_net_test_t to bind to generic UDP nodes. Allow
     mon_local_test_t to execute all applications (for ps to getattr mostly)
   * Label /var/lib/wordpress as httpd_var_lib_t
   * Label apachectl as httpd_exec_t so it correctly creates pid dirs etc
     and allow it to manage dirs of type httpd_lock_t
 .
   [ Russell Coker Important ]
   * sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
   * Support usrmerge, lots of fc changes and subst_dist changes
     Closes: #850032
Checksums-Sha1:
 0800269bcc61552f85dc0060c788e0d8ce65e599 2477 refpolicy_2.20161023.1-7.dsc
 13565daa8abfe0f0834bef69b3c0a65be4799745 105696 refpolicy_2.20161023.1-7.debian.tar.xz
 c82a662c489488f8bfa77f78f951548b74100c2f 6816 refpolicy_2.20161023.1-7_amd64.buildinfo
 fe0bcbc0df46a90f1fefae2a4fa662e56be5672a 3022420 selinux-policy-default_2.20161023.1-7_all.deb
 c1c2a2cbb18bb37faaea1b7d18a0960b1b061ddf 466774 selinux-policy-dev_2.20161023.1-7_all.deb
 cd28f2c8df216e1d1fdd9279374ff3c8c88f26d9 447792 selinux-policy-doc_2.20161023.1-7_all.deb
 2902a7b9c1b54178156e38bc37ae06ae2dcfbdac 3064446 selinux-policy-mls_2.20161023.1-7_all.deb
 df4901b0c3d096dc9ff11a2ff2554e49a84d8fdb 1249418 selinux-policy-src_2.20161023.1-7_all.deb
Checksums-Sha256:
 6602e628c2c60bdedc00fbf72f915b9146dd04f0e88d9084e21c01e36e7216a6 2477 refpolicy_2.20161023.1-7.dsc
 f12332afe827649bff3d4d9ade8c7665b1f4d24ae44d6c0f0eac5db9acb07894 105696 refpolicy_2.20161023.1-7.debian.tar.xz
 687e8aa6c820ccc5e8283b06ccbbfd74cca40f4d58b7e253bd4a27c99fe47ab7 6816 refpolicy_2.20161023.1-7_amd64.buildinfo
 0607cb8494c6e26940f4a1892a0320fd1d72950aa166377ea100be15b1e241cc 3022420 selinux-policy-default_2.20161023.1-7_all.deb
 51760efec7d3b75a2323b3c5d87331b902d916d90890508639d6b76e8309c967 466774 selinux-policy-dev_2.20161023.1-7_all.deb
 d746cd26b1abc14bec4ed3f620b622ad9704c29b6c5512cfb6bf104a024a9d96 447792 selinux-policy-doc_2.20161023.1-7_all.deb
 2aa275683aca899bd72718aa9b68e14945493087adba9e5a24fac042fad10156 3064446 selinux-policy-mls_2.20161023.1-7_all.deb
 f7359563279d104560584485864ebaa422f396b1ce8281457fe14ffd7e1fa366 1249418 selinux-policy-src_2.20161023.1-7_all.deb
Files:
 6594732f9477d8a0bbcd1101d74a6e89 2477 admin optional refpolicy_2.20161023.1-7.dsc
 04e02832f4fdbf2f057aa4f2716303c3 105696 admin optional refpolicy_2.20161023.1-7.debian.tar.xz
 6fa1c16a644657d0361e8cf293bad955 6816 admin optional refpolicy_2.20161023.1-7_amd64.buildinfo
 70e5ec155d6d727a458746aa3b2f3600 3022420 admin optional selinux-policy-default_2.20161023.1-7_all.deb
 95684f58a0fa20f0b5cfd74be4a65cb7 466774 admin optional selinux-policy-dev_2.20161023.1-7_all.deb
 97eefa99b353a64cffd615e39ea49027 447792 doc optional selinux-policy-doc_2.20161023.1-7_all.deb
 0ff85b3de406ec5d9823b6c772f2861a 3064446 admin extra selinux-policy-mls_2.20161023.1-7_all.deb
 4a61e6f67b660b5c6fdafff3a4b91be6 1249418 admin optional selinux-policy-src_2.20161023.1-7_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEn31hncwG9XwCqmbH0UHNMPxLj3kFAlh3KoQACgkQ0UHNMPxL
j3n1Cw/+KgiELoiqPbQNRNfoVFNgSSpYbmwFBjRcvyZAKJvJ2Hq/hTmX5cTmoXwb
TrMyxROAIuBUySgcM2uAufQ+c8Tn0dJesTIkZv5xeRUhNw9QK2gSucqdl1hDJ8tv
7wHv87fGfRaSShpVhpa+OwaFEM4zqL6ZDToJMrPNWdpJlCCd7DohDAQlNa/xFyHz
yS+WqdJapfWtv1yJisIGNUXm0dE2K3iDppRVpSpgttkZ5631AGJeN6pzYm7B/xtK
SUUU31hHyHAndnUykrbSlUsbrla3scqx/gzVXP7H/aGzUuoFVbiKJYQ+7bJmZ8jH
XuPh3PcLm5nBgU16dts1lKY5i0U9T97gBTWtw0rCRKiWevgI67eCszfr1mezI7BP
+dOQsV2NTdF+fAG4o8Kj6+KbLofZ+y/AbQck/PWAcH/lV99wiHeCJaEQUyNhN17f
fCjIj4QtlEYR7A//5AhUDLFLOI8qxIiBJOr+tZKxXobzERvosZ/zgpE2fVGHvTh2
/idiHxtq94m6LMj7BKVNxrIIEIdGaFyn2CNB3pALdbbOVthgSN6W+vJM/TSNYQTg
Ex5/hVbgf9Yr9smsAk4TDwKOjbBTzrhTW75ofBty0BWJ8ktb0D7W50k/yug0E+Tb
qvUGuMuCpdbl2VWVixoY1iNF4UzVtoJ4gjjV6LqDBq0V1GjIrzA=
=xcE5
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
