Your message dated Thu, 12 Jan 2017 07:18:37 +0000
with message-id <[email protected]>
and subject line Bug#740685: fixed in refpolicy 2:2.20161023.1-7
has caused the Debian Bug report #740685,
regarding selinux-policy-default: incompatible with resolvconf
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
740685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740685
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal

The SELinux policy doesn't understand resolvconf. It doesn't appear to throw any sort of AVC denial on the operation of resolvconf *itself* (probably because it does all its work from uber-privileged init.d and DHCP hook scripts, at least on my system) but it cannot handle what resolvconf *does to /etc/resolv.conf*:

  # ls -lZd /etc /etc/resolv.conf /etc/resolvconf /etc/resolvconf/run /run /run/resolvconf /run/resolvconf/resolv.conf
  drwxr-xr-x. 70 root root system_u:object_r:etc_t:SystemLow            4096 Mar 2 21:44 /etc
  drwxr-xr-x.  4 root root system_u:object_r:etc_t:SystemLow            4096 Oct 1 17:38 /etc/resolvconf
  lrwxrwxrwx.  1 root root system_u:object_r:etc_t:SystemLow              31 Oct 1 17:38 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
  lrwxrwxrwx.  1 root root system_u:object_r:etc_t:SystemLow              15 Oct 1 17:38 /etc/resolvconf/run -> /run/resolvconf
  drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow         600 Mar 4 02:33 /run
  drwxr-xr-x.  3 root root system_u:object_r:var_run_t:SystemLow         100 Mar 4 02:33 /run/resolvconf
  -rw-r--r--.  1 root root system_u:object_r:initrc_var_run_t:SystemLow  172 Mar 4 02:33 /run/resolvconf/resolv.conf

Note the absence of 'net_conf_t'. After substantial fiddling I have not even been able to figure out a set of modified type-labels that will make the various daemons that need resolv.conf happy. Changing both /run/resolvconf/resolv.conf and the /etc/resolv.conf symlink back to net_conf_t almost does the trick, but I'm left with e.g.

  avc: denied { read } for pid=3675 comm="ntpd" name="resolv.conf" dev=xvda ino=27841 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file

.... because the rules for ntpd say it can read net_conf_t *files*, but not *symlinks*. Sigh.

Surely there is a way to patch this at the semanage level, without having to change the definition of a whole bunch of sysnet_* interfaces and regenerate the entire policy? Moreover, I'm not at all sure how to write the rules that ensure that the file and the symlink *stay* labeled net_conf_t. Override rules of the form

  /etc/resolv\.conf.*        all files  system_u:object_r:net_conf_t:s0
  /var/run/resolvconf(/.*)   all files  system_u:object_r:net_conf_t:s0

are not enough; the files keep getting created as (depending exactly how you test) initrc_var_run_t, etc_t, or dhcp_something_t. I'm not shy of writing my own module, but I don't even know where to start.

(Why would you want to use resolvconf on a SELinux-locked-down server? Because you are also running unbound in forwarding mode; unbound+resolvconf+dhclient seamlessly arrange for all local DNS requests to go through unbound and therefore be DNSSECified ... as far as DAC is concerned, anyway.)

zw

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
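One way to start on the local module the report asks for, as an added example that is neither the reporter's code nor part of the refpolicy package: the module name local_resolvconf and the selinux-policy-dev Makefile path are assumptions, while ntpd_t, net_conf_t and the lnk_file class come from the denial quoted above. It also makes explicit why the reporter's fcontext rules did not hold: file contexts only apply when something relabels, whereas a freshly written resolv.conf takes its label from the writing domain's type_transition rules, which only a policy-side change (as in the eventual fix) can supply.

```shell
#!/bin/sh
# Added example, not code from the bug report or from refpolicy.
# Assumed: module name local_resolvconf, the selinux-policy-dev Makefile at
# /usr/share/selinux/devel/Makefile; ntpd_t/net_conf_t are from the denial.
set -eu
MOD=local_resolvconf
# Type-enforcement source. The denial was tclass=lnk_file, so a rule that
# grants file perms on net_conf_t does not cover following the symlink.
gen_te() {
    cat <<'EOF'
policy_module(local_resolvconf, 1.0)
gen_require(`
    type ntpd_t;
    type net_conf_t;
')
allow ntpd_t net_conf_t:lnk_file read_lnk_file_perms;
EOF
}
# File contexts. "-l" restricts the first rule to the symlink; the trailing
# "?" lets the second match /run/resolvconf itself as well as its contents.
gen_fc() {
    cat <<'EOF'
/etc/resolv\.conf      -l  system_u:object_r:net_conf_t:s0
/run/resolvconf(/.*)?      system_u:object_r:net_conf_t:s0
EOF
}
# Build, load, and relabel what already exists. fcontext rules only apply on
# relabel; a resolv.conf written later is labelled by the writer's domain
# type_transition rules, which only a policy change (as in the fix) supplies.
install_module() {
    gen_te > "$MOD.te"
    gen_fc > "$MOD.fc"
    make -f /usr/share/selinux/devel/Makefile "$MOD.pp"
    semodule -i "$MOD.pp"
    restorecon -RvF /etc/resolv.conf /run/resolvconf
}
# Print every `ls -lZ` entry whose type is not net_conf_t (field 5 is the
# context and field 10 the path in the report's output format).
check_labels() {
    awk '$5 !~ /:net_conf_t:/ { print "wrong label: " $10 " (" $5 ")" }'
}
# Constructed sample in the report's format, not live output.
SAMPLE='lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 31 Oct 1 17:38 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t:SystemLow 172 Mar 4 02:33 /run/resolvconf/resolv.conf
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 172 Mar 4 02:33 /run/resolvconf/resolv.conf'
check_sample() { printf '%s\n' "$SAMPLE" | check_labels; }
if [ "${1:-}" = install ]; then install_module; else check_sample; fi
```

Run with `install` as root on the affected host to build and load the module; without arguments it only reports the mislabelled entries in the constructed sample.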
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-7

We believe that the bug you reported is fixed in the latest version of refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 12 Jan 2017 18:01:40 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 740685 781779 849637 850032
Changes:
 refpolicy (2:2.20161023.1-7) unstable; urgency=medium
 .
   [ Laurent Bigonville and cgzones ]
   * Sort the files in the selinux-policy-src.tar.gz tarball by name, this should fix the last issue for reproducible build
   * Add genfscon for cpu/online.
     Closes: #849637
   [ Russell Coker ]
   * Make the boinc patch like the one upstream accepted and make it last in the list.
   * Label /etc/sddm/Xsession as xsession_exec_t
   * Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
   * Allow devicekit_power_t to chat to xdm_t via dbus
   * Allow rtkit_daemon_t to stat the selinuxfs and search default contexts
   * Allow loadkeys_t to read tmp files created by init scripts
   * Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp and to read dbus lib files for /var/lib/dbus
   * Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime, relabel to/from user_tmpfs_t, and manage wireless_device_t
   * Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo and read/write an inherited socket.
   * Allow xdm_t to send dbus messages to unconfined_t
   * Give crond_t sys_resource so it can set hard ulimit for jobs
   * Allow systemd_logind_t to setattr on the kvm device and user ttys, to manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
   * Allow systemd_passwd_agent_t to stat the selinuxfs and search the contexts dir
   * Make systemd_read_machines() also allow listing directory
   * Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
   * Allow setfiles_t to inherit apt_t file handles
   * Allow system_mail_t to use ptys from apt_t and unconfined_t
   * Label /run/agetty.reload as getty_var_run_t
   * Allow systemd_tmpfiles_t to relabel directories to etc_t
   * Made sysnet_create_config() include { relabelfrom relabelto manage_file_perms }, allow systemd_tmpfiles_t to create config, and set file contexts entries for /var/run/resolvconf.
     Makes policy work with resolvconf (but requires resolvconf changes) Closes: #740685
   * Allow dpkg_script_t to restart init services
   * Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
   * Allow named to read network sysctls and usr files
   * Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when building with systemd support, also allow listing init pid dirs. Label /var/lib/systemd/clock as ntp_drift_t
   * Allow systemd_nspawn_t to read system state, search init pid dirs (for /run/systemd) and capability net_admin
   * Allow backup_t capabilities chown and fsetid to cp files and preserve ownership
   * Allow logrotate_t to talk to dbus and connect to init streams for systemctl, also allow setrlimit for systemctl
   * Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t to execute all applications (for ps to getattr mostly)
   * Label /var/lib/wordpress as httpd_var_lib_t
   * Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and allow it to manage dirs of type httpd_lock_t
   [ Russell Coker Important ]
   * sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
   * Support usrmerge, lots of fc changes and subst_dist changes Closes: #850032
--- End Message ---
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
