Your message dated Thu, 12 Jan 2017 07:18:37 +0000
with message-id <e1crzef-000e5q...@fasolo.debian.org>
and subject line Bug#781779: fixed in refpolicy 2:2.20161023.1-7
has caused the Debian Bug report #781779,
regarding selinux-policy-default: not possible to login via GUI when SELinux is
set to enforcing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
781779: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781779
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: grave
Justification: renders package unusable
Dear Maintainer,
after enabling SELinux it is not possible to use graphical login anymore.
Instead of the desktop the following message appears:
"Oh no! Something has gone wrong.
A problem has occurred and the system can't recover. All extensions have been
disabled as a precaution."
Beneath there is a 'Logout' button.
When setting 'setenforce 0' it is possible to login (again).
Because there are so many AVCs, I cannot name the root cause here.
Attached you can find the output of 'audit2allow --boot'.
I set the severity to grave because IMHO a lot of people use / will
use Debian as their desktop / laptop OS with graphical UI. This is
not usable any more when SELinux is enabled using the current default
policy.
If I can support finding the root cause or providing a patch, please
drop me a note.
Kind regards
Andre
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.9-1
ii selinux-utils 2.3-2
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
============================== 8< ==============================
# audit2allow --boot
#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read getattr open search };
allow NetworkManager_t init_var_run_t:dir read;
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_t:fd use;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
allow NetworkManager_t systemd_logind_var_run_t:fifo_file write;
allow NetworkManager_t systemd_logind_var_run_t:file { read getattr open };
#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t
allow alsa_t var_run_t:dir { write create add_name setattr };
#!!!! The source type 'alsa_t' can write to a 'file' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, alsa_lock_t, alsa_etc_rw_t, alsa_tmpfs_t, user_home_t
allow alsa_t var_run_t:file { read write create open lock };
allow alsa_t var_run_t:lnk_file create;
allow alsa_t xdm_t:process signull;
allow alsa_t xdm_tmpfs_t:file { read getattr unlink open };
#============= apmd_t ==============
allow apmd_t device_t:chr_file { read ioctl open };
#============= kernel_t ==============
allow kernel_t systemd_unit_file_t:service { status start };
#============= policykit_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };
#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;
#============= systemd_cgroups_t ==============
allow systemd_cgroups_t kernel_t:unix_dgram_socket sendto;
allow systemd_cgroups_t kernel_t:unix_stream_socket connectto;
#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t tmpfs_t:dir { write remove_name rmdir };
allow systemd_logind_t tmpfs_t:sock_file unlink;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t xdm_tmpfs_t:dir { write getattr rmdir read remove_name open };
allow systemd_logind_t xdm_tmpfs_t:file { getattr unlink };
#============= udev_t ==============
allow udev_t self:netlink_socket { write getattr setopt read bind create };
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;
#============= xdm_t ==============
allow xdm_t init_t:system status;
--- End Message ---
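The 'audit2allow --boot' listing attached to the report is the aggregated form of many individual AVC records in /var/log/audit/audit.log. The script below is an added example for this thread, not code from the bug report, from Debian's refpolicy package or from audit2allow itself: it re-implements the aggregation step so a line such as 'allow alsa_t var_run_t:file { read write create open lock };' can be traced back to the raw denials, flags denials whose target is a generic type (the case audit2allow marks with its '#!!!!' notes, which usually means the object is mislabelled rather than that a rule is missing), and renders the same rules as the policy module that 'audit2allow -M' would build. The audit records and the GENERIC_TARGETS list are constructed for the example and are not the reporter's data.

```python
"""Aggregate raw SELinux AVC denial records into audit2allow-style rules.

Added example for the bug thread above; not code from the report, from
Debian's refpolicy or from audit2allow. Sample records and the list of
generic target types are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample records: the shape of real audit.log AVC lines, values invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1427800000.101:201): avc:  denied  { read } for  pid=611 comm="alsactl" name="asound.state.lock" dev="tmpfs" ino=12345 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1427800000.102:202): avc:  denied  { write open } for  pid=611 comm="alsactl" name="asound.state.lock" dev="tmpfs" ino=12345 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1427800000.103:203): avc:  denied  { signull } for  pid=611 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1427800000.104:204): avc:  denied  { setsched } for  pid=700 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
type=SYSCALL msg=audit(1427800000.104:204): arch=c000003e syscall=2 success=no exit=-13 pid=700 comm="rtkit-daemon"
"""

# Assumed set of generic target types: a denial against one of these is a hint
# that the object carries a default label instead of its intended type.
GENERIC_TARGETS = {"var_run_t", "tmpfs_t", "device_t", "var_t", "etc_t", "usr_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def aggregate(log_text):
    """Merge denials into {(source, target, class): perms} and also return the
    keys that were observed while the system was in permissive mode."""
    rules = defaultdict(set)
    permissive_keys = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        rules[key] |= rec["perms"]
        if rec["permissive"]:
            permissive_keys.add(key)
    return dict(rules), permissive_keys


def format_rules(rules, permissive_keys=frozenset()):
    """Render rules grouped by source type in audit2allow's layout, with a
    trailing comment where the target type suggests a labelling problem."""
    by_source = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        flags = []
        if tgt in GENERIC_TARGETS:
            flags.append("generic target: check labelling with matchpathcon/restorecon")
        if (src, tgt, cls) in permissive_keys:
            flags.append("seen in permissive mode")
        comment = ("  # " + "; ".join(flags)) if flags else ""
        by_source[src].append(f"allow {src} {tgt}:{cls} {perm_str};{comment}")
    out = []
    for src in sorted(by_source):
        out.append(f"#============= {src} ==============")
        out.extend(by_source[src])
    return "\n".join(out)


def format_module(name, rules):
    """Render the rules as a .te policy module with the require block that
    audit2allow -M generates. Loading such a module grants every denial seen,
    which is why the maintainers fixed labels and interfaces instead."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules, permissive_keys = aggregate(SAMPLE_AUDIT_LOG)
    print(format_rules(rules, permissive_keys))
    print(format_module("local_gui", rules))
```

Permissions are sorted here for stable output, whereas audit2allow prints them in the order it first saw them. The real tool additionally consults the loaded policy to print the boolean hints seen in the report; that lookup is not reproduced. The 'generic target' flag is the practical takeaway: in the report, alsa_t writing to var_run_t and systemd_logind_t touching tmpfs_t point at files that carry a default label, and the fix is a file context entry plus restorecon, not an allow rule.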
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-7
We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 781...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Coker <russ...@coker.com.au> (supplier of updated refpolicy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Jan 2017 18:01:40 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russ...@coker.com.au>
Description:
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 740685 781779 849637 850032
Changes:
refpolicy (2:2.20161023.1-7) unstable; urgency=medium
.
[ Laurent Bigonville and cgzones ]
* Sort the files in the selinux-policy-src.tar.gz tarball by name, this
should fix the last issue for reproducible build
* Add genfscon for cpu/online. Closes: #849637
[ Russell Coker ]
* Make the boinc patch like the one upstream accepted and make it last in
the list.
* Label /etc/sddm/Xsession as xsession_exec_t
* Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
* Allow devicekit_power_t to chat to xdm_t via dbus
* Allow rtkit_daemon_t to stat the selinuxfs and search default contexts
* Allow loadkeys_t to read tmp files created by init scripts
* Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp
and to read dbus lib files for /var/lib/dbus
* Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
relabel to/from user_tmpfs_t, and manage wireless_device_t
* Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo
and read/write an inherited socket.
* Allow xdm_t to send dbus messages to unconfined_t
* Give crond_t sys_resource so it can set hard ulimit for jobs
* Allow systemd_logind_t to setattr on the kvm device and user ttys, to
manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
* Allow systemd_passwd_agent_t to stat the selinuxfs and search the
contexts dir
* Make systemd_read_machines() also allow listing directory
* Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
* Allow setfiles_t to inherit apt_t file handles
* Allow system_mail_t to use ptys from apt_t and unconfined_t
* Label /run/agetty.reload as getty_var_run_t
* Allow systemd_tmpfiles_t to relabel directories to etc_t
* Made sysnet_create_config() include { relabelfrom relabelto
manage_file_perms }, allow systemd_tmpfiles_t to create config, and set
file contexts entries for /var/run/resolvconf. Makes policy work with
resolvconf (but requires resolvconf changes) Closes: #740685
* Allow dpkg_script_t to restart init services
* Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
* Allow named to read network sysctls and usr files
* Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as
ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and
unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when
building with systemd support, also allow listing init pid dirs. Label
/var/lib/systemd/clock as ntp_drift_t
* Allow systemd_nspawn_t to read system state, search init pid dirs (for
/run/systemd) and capability net_admin
* Allow backup_t capabilities chown and fsetid to cp files and preserve
ownership
* Allow logrotate_t to talk to dbus and connect to init streams for
systemctl, also allow setrlimit for systemctl
* Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t
to execute all applications (for ps to getattr mostly)
* Label /var/lib/wordpress as httpd_var_lib_t
* Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and
allow it to manage dirs of type httpd_lock_t
[ Russell Coker Important ]
* sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
* Support usrmerge, lots of fc changes and subst_dist changes
Closes: #850032
Checksums-Sha1:
0800269bcc61552f85dc0060c788e0d8ce65e599 2477 refpolicy_2.20161023.1-7.dsc
13565daa8abfe0f0834bef69b3c0a65be4799745 105696 refpolicy_2.20161023.1-7.debian.tar.xz
c82a662c489488f8bfa77f78f951548b74100c2f 6816 refpolicy_2.20161023.1-7_amd64.buildinfo
fe0bcbc0df46a90f1fefae2a4fa662e56be5672a 3022420 selinux-policy-default_2.20161023.1-7_all.deb
c1c2a2cbb18bb37faaea1b7d18a0960b1b061ddf 466774 selinux-policy-dev_2.20161023.1-7_all.deb
cd28f2c8df216e1d1fdd9279374ff3c8c88f26d9 447792 selinux-policy-doc_2.20161023.1-7_all.deb
2902a7b9c1b54178156e38bc37ae06ae2dcfbdac 3064446 selinux-policy-mls_2.20161023.1-7_all.deb
df4901b0c3d096dc9ff11a2ff2554e49a84d8fdb 1249418 selinux-policy-src_2.20161023.1-7_all.deb
Checksums-Sha256:
6602e628c2c60bdedc00fbf72f915b9146dd04f0e88d9084e21c01e36e7216a6 2477 refpolicy_2.20161023.1-7.dsc
f12332afe827649bff3d4d9ade8c7665b1f4d24ae44d6c0f0eac5db9acb07894 105696 refpolicy_2.20161023.1-7.debian.tar.xz
687e8aa6c820ccc5e8283b06ccbbfd74cca40f4d58b7e253bd4a27c99fe47ab7 6816 refpolicy_2.20161023.1-7_amd64.buildinfo
0607cb8494c6e26940f4a1892a0320fd1d72950aa166377ea100be15b1e241cc 3022420 selinux-policy-default_2.20161023.1-7_all.deb
51760efec7d3b75a2323b3c5d87331b902d916d90890508639d6b76e8309c967 466774 selinux-policy-dev_2.20161023.1-7_all.deb
d746cd26b1abc14bec4ed3f620b622ad9704c29b6c5512cfb6bf104a024a9d96 447792 selinux-policy-doc_2.20161023.1-7_all.deb
2aa275683aca899bd72718aa9b68e14945493087adba9e5a24fac042fad10156 3064446 selinux-policy-mls_2.20161023.1-7_all.deb
f7359563279d104560584485864ebaa422f396b1ce8281457fe14ffd7e1fa366 1249418 selinux-policy-src_2.20161023.1-7_all.deb
Files:
6594732f9477d8a0bbcd1101d74a6e89 2477 admin optional refpolicy_2.20161023.1-7.dsc
04e02832f4fdbf2f057aa4f2716303c3 105696 admin optional refpolicy_2.20161023.1-7.debian.tar.xz
6fa1c16a644657d0361e8cf293bad955 6816 admin optional refpolicy_2.20161023.1-7_amd64.buildinfo
70e5ec155d6d727a458746aa3b2f3600 3022420 admin optional selinux-policy-default_2.20161023.1-7_all.deb
95684f58a0fa20f0b5cfd74be4a65cb7 466774 admin optional selinux-policy-dev_2.20161023.1-7_all.deb
97eefa99b353a64cffd615e39ea49027 447792 doc optional selinux-policy-doc_2.20161023.1-7_all.deb
0ff85b3de406ec5d9823b6c772f2861a 3064446 admin extra selinux-policy-mls_2.20161023.1-7_all.deb
4a61e6f67b660b5c6fdafff3a4b91be6 1249418 admin optional selinux-policy-src_2.20161023.1-7_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEn31hncwG9XwCqmbH0UHNMPxLj3kFAlh3KoQACgkQ0UHNMPxL
j3n1Cw/+KgiELoiqPbQNRNfoVFNgSSpYbmwFBjRcvyZAKJvJ2Hq/hTmX5cTmoXwb
TrMyxROAIuBUySgcM2uAufQ+c8Tn0dJesTIkZv5xeRUhNw9QK2gSucqdl1hDJ8tv
7wHv87fGfRaSShpVhpa+OwaFEM4zqL6ZDToJMrPNWdpJlCCd7DohDAQlNa/xFyHz
yS+WqdJapfWtv1yJisIGNUXm0dE2K3iDppRVpSpgttkZ5631AGJeN6pzYm7B/xtK
SUUU31hHyHAndnUykrbSlUsbrla3scqx/gzVXP7H/aGzUuoFVbiKJYQ+7bJmZ8jH
XuPh3PcLm5nBgU16dts1lKY5i0U9T97gBTWtw0rCRKiWevgI67eCszfr1mezI7BP
+dOQsV2NTdF+fAG4o8Kj6+KbLofZ+y/AbQck/PWAcH/lV99wiHeCJaEQUyNhN17f
fCjIj4QtlEYR7A//5AhUDLFLOI8qxIiBJOr+tZKxXobzERvosZ/zgpE2fVGHvTh2
/idiHxtq94m6LMj7BKVNxrIIEIdGaFyn2CNB3pALdbbOVthgSN6W+vJM/TSNYQTg
Ex5/hVbgf9Yr9smsAk4TDwKOjbBTzrhTW75ofBty0BWJ8ktb0D7W50k/yug0E+Tb
qvUGuMuCpdbl2VWVixoY1iNF4UzVtoJ4gjjV6LqDBq0V1GjIrzA=
=xcE5
-----END PGP SIGNATURE-----
--- End Message ---
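The signed close message above carries a Format 1.8 .changes body with three digest stanzas (Checksums-Sha1, Checksums-Sha256 and Files, the last one MD5) for the same set of artifacts. The script below is an added example for this thread, not code from Debian's archive software (dak) or from dpkg-dev: it parses those stanzas, checks that every artifact is listed in all three with one size, and verifies artifact bytes against all three digests rather than the MD5 alone, which is the check a consumer of the upload should run after verifying the PGP signature over the .changes (signature verification itself is outside the example). The artifact names, their contents and the generated .changes text are constructed for the example and are not the upload from the thread.

```python
"""Cross-check the digest stanzas of a Debian .changes file against artifacts.

Added example for the thread above; not code from dak or dpkg-dev. The
artifacts are constructed, and the .changes body is generated from them so
the example runs offline with matching digests.
"""
import hashlib

# Stanza name -> hashlib algorithm, as laid out in a Format 1.8 .changes file.
STANZAS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}

# Constructed artifacts (names and contents invented for the example).
SAMPLE_ARTIFACTS = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n",
    "example_1.0-1_all.deb": b"!<arch>\ndebian-binary   0   0   0   644  4 `\n2.0\n",
}


def build_changes(artifacts):
    """Generate a minimal .changes body whose digests match `artifacts`."""
    lines = ["Format: 1.8", "Source: example", "Binary: example", "Version: 1.0-1",
             "Distribution: unstable", "Changes:",
             " example (1.0-1) unstable; urgency=medium", " .", "   * Initial upload."]
    for stanza, algo in STANZAS.items():
        lines.append(f"{stanza}:")
        for name, data in artifacts.items():
            digest = hashlib.new(algo, data).hexdigest()
            middle = " admin optional" if stanza == "Files" else ""
            lines.append(f" {digest} {len(data)}{middle} {name}")
    return "\n".join(lines) + "\n"


def parse_changes(text):
    """Return {stanza: {filename: (hexdigest, size)}} for the three digest stanzas."""
    parsed = {s: {} for s in STANZAS}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A new field starts; only the three digest stanzas are collected.
            key = line.split(":", 1)[0]
            current = key if key in STANZAS else None
            continue
        if current is None or not line.strip():
            continue
        fields = line.split()
        # Checksums-*: "digest size name"; Files: "md5 size section priority name".
        parsed[current][fields[-1]] = (fields[0], int(fields[1]))
    return parsed


def consistency_problems(parsed):
    """Every artifact must be listed in all three stanzas with a single size."""
    names = set().union(*(entries.keys() for entries in parsed.values()))
    problems = []
    for name in sorted(names):
        sizes = set()
        for stanza, entries in parsed.items():
            if name not in entries:
                problems.append(f"{name}: missing from {stanza}")
            else:
                sizes.add(entries[name][1])
        if len(sizes) > 1:
            problems.append(f"{name}: size differs across stanzas")
    return problems


def verify_artifacts(parsed, artifacts):
    """Return {filename: bool}; True only if the size and all three digests match."""
    status = {}
    for stanza, algo in STANZAS.items():
        for name, (digest, size) in parsed[stanza].items():
            data = artifacts.get(name)
            ok = (data is not None and len(data) == size
                  and hashlib.new(algo, data).hexdigest() == digest)
            status[name] = status.get(name, True) and ok
    return status


if __name__ == "__main__":
    parsed = parse_changes(build_changes(SAMPLE_ARTIFACTS))
    print(consistency_problems(parsed))
    print(verify_artifacts(parsed, SAMPLE_ARTIFACTS))
```

Requiring all three digests to agree means a substituted artifact has to collide under SHA-256 as well as SHA-1 and MD5, and the cross-stanza size check catches a .changes that was edited in one place only. Both checks are meaningless unless the PGP signature over the .changes was verified first against a key you trust.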
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel