Your message dated Tue, 02 Sep 2008 11:29:47 -0500
with message-id <[EMAIL PROTECTED]>
and subject line selinux-policy-refpolicy-* packages obsolete, and removed
has caused the Debian Bug report #405767,
regarding selinux-policy-refpolicy-targeted: resolvconf policy would be nice
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
405767: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405767
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-2
Severity: wishlist

I'm only just wrapping my head around selinux policies, but during boot I get a whole bunch of avc notices from different daemons like this:

Jan 6 00:13:33 localhost kernel: audit(1168002812.497:4): avc: denied { read } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:5): avc: denied { getattr } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

Which seems to me to be because resolvconf makes /etc/resolv.conf a symlink to /etc/resolvconf/run/resolv.conf, where /etc/resolvconf/run is itself a symlink to /dev/shm/resolvconf. The correctness of this symlinking aside (I think this is the sort of thing that /lib/init/rw/ is intended for), this means resolv.conf is picking up device_t rather than what it's supposed to have (resolv_conf_t?).

Resolvconf itself generates the following avc notices:

Jan 6 00:15:13 localhost kernel: audit(1168002913.017:25): avc: denied { write } for pid=3437 comm="resolvconf" name="interface" dev=tmpfs ino=6435 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:26): avc: denied { add_name } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:27): avc: denied { create } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:28): avc: denied { write } for pid=3437 comm="resolvconf" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:29): avc: denied { getattr } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:30): avc: denied { remove_name } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:31): avc: denied { rename } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:32): avc: denied { getattr } for pid=3437 comm="resolvconf" name="enable-updates" dev=tmpfs ino=6436 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.025:33): avc: denied { execute } for pid=3437 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.037:34): avc: denied { execute_no_trans } for pid=3440 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.065:35): avc: denied { execute_no_trans } for pid=3458 comm="libc" name="list-records" dev=hda3 ino=3424259 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.077:36): avc: denied { read } for pid=3460 comm="sed" name="wlan0" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.085:37): avc: denied { append } for pid=3463 comm="libc" name="resolv.conf_new.3456" dev=tmpfs ino=443479 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.097:38): avc: denied { read } for pid=3467 comm="cat" name="resolv.conf" dev=tmpfs ino=6462 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.109:39): avc: denied { unlink } for pid=3468 comm="mv" name="resolv.conf" dev=tmpfs ino=6462 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

(That's wlan0 coming up with dhclient3, for reference.)

This leads me to believe that resolvconf probably needs its own domain (nothing else should be modifying files in /dev/shm/resolvconf), so that only resolvconf and the things it calls can modify things in /dev/shm/resolvconf, and things like dhcpc_t can transition into that domain when running resolvconf.

Presumably the files being created should all be resolv_conf_t, so that things that need to do DNS lookups can read them. Or at least the resulting resolv.conf should be...

I was going to have a go at writing my own policy for this, but once I got into having to relabel things and add a domain etc., I decided I'd better throw this up onto the BTS first. If there's some kind of policy-writing tutorial I've overlooked, I'd be interested to know.

-- System Information:
Debian Release: 4.0
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages selinux-policy-refpolicy-targeted depends on:
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libselinux1 1.32-3 SELinux shared libraries
ii policycoreutils 1.32-1 SELinux core policy utilities
ii python 2.4.4-2 An interactive high-level object-o

Versions of packages selinux-policy-refpolicy-targeted recommends:
ii checkpolicy 1.32-1 SELinux policy compiler
pn setools <none> (no description available)

-- no debconf information

--
Paul "TBBle" Hampson, [EMAIL PROTECTED]

Shorter .sig for a more eco-friendly paperless office.
--- End Message ---
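The first step the reporter describes (turning a pile of AVC denials into policy) is usually done by feeding the log to audit2allow. The script below is an added example, not code from the bug report or from the Debian policy packages: it parses AVC lines of the exact shape quoted above (a subset of them is embedded as constructed sample input), merges them into audit2allow-style allow rules keyed by (source type, target type, class), and separately lists the targets whose type is the generic device_t. That second list is the caveat a practitioner wants here: a file on a tmpfs under /dev that shows up as device_t is mislabelled, and the right fix is a file context (or a new domain, as the reporter suggests), not an allow rule letting dhcpc_t write device_t.

```python
"""Aggregate SELinux AVC denials into audit2allow-style rules and flag
mislabelled targets.  Added example; not code from the bug report."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines quoted in the report.
SAMPLE_AVC = """\
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:4): avc: denied { read } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:5): avc: denied { getattr } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:25): avc: denied { write } for pid=3437 comm="resolvconf" name="interface" dev=tmpfs ino=6435 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:26): avc: denied { add_name } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:30): avc: denied { remove_name } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.025:33): avc: denied { execute } for pid=3437 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.037:34): avc: denied { execute_no_trans } for pid=3440 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        denials.append({
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'dev': fields.get('dev'),          # absent on some lines, as in the report
            # A context is user:role:type:level; the type is the third field.
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        })
    return denials


def allow_rules(denials):
    """Merge denials into 'allow src tgt:class { perms };', one rule per triple."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def mislabelled_targets(denials):
    """Names of file/dir targets labelled device_t.  On the reporter's system
    these live on the tmpfs under /dev/shm; the label is a fallback, so an
    allow rule against device_t would be the wrong fix (it would also open
    real device nodes to the source domain)."""
    return sorted({d['name'] for d in denials
                   if d['ttype'] == 'device_t'
                   and d['tclass'] in ('file', 'dir', 'lnk_file')})


if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_AVC)
    print('# audit2allow-style output (do not apply the device_t rules as-is):')
    for rule in allow_rules(parsed):
        print(rule)
    print('# targets that need a proper file context instead:')
    for name in mislabelled_targets(parsed):
        print(' ', name)
```

Run it on a real log with `dmesg | python3 avc_merge.py` after swapping `SAMPLE_AVC` for `sys.stdin.read()`; the rules it prints for `etc_t`/`lib_t` targets are the ones worth considering, while anything against `device_t` points at the labelling problem the reporter identified.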
--- Begin Message ---
Hi,

The packages called selinux-policy-refpolicy-* have been obsoleted by selinux-policy-default, and have been removed from Sid and Lenny. The latter package is a newer version, with various substantive bug fixes and improvements, and the chances are that the bug has been fixed in the new line of packages. If that happens not to be the case, please file a bug against the new package.

Sorry for the inconvenience, and thanks for your help and consideration.

manoj
--
Life is too short to be taken seriously. Oscar Wilde
Manoj Srivastava <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--- End Message ---

