Hi!

On Tue, 2016-03-08 at 02:03:29 +0100, Guillem Jover wrote:
> On Thu, 2016-01-14 at 23:57:28 -0500, Alan Corey wrote:
> > Package: dpkg
> > Version: 1.18.1
> > Severity: normal
> 
> > I'm using armhf Debian on a phone, NOT in a chroot, by using basically an
> > adapted Debian Kit to get Jessie instead of something old.  Almost
> > everything I install gives the error message "security labeling handle: no
> > such file or directory".  I found on the web a workaround of sorts by
> > remounting /sys/fs/selinux readonly during the installation, but this causes
> > Android to panic and lock up after about 1 minute.  Normally this works in a
> > terminal emulator or over a VNC or SSH connection concurrently with Android
> > apps.  Old versions of Debian from a year ago didn't have this problem, and
> > it may be compounded by the fact that Android shipped with selinux in
> > permissive mode until 5.0.  Going to permissive mode has little effect on
> > the problem.
> > 
> > It seems to come from src/selinux.c which is where the error message can be
> > found.  It seems like at least if you set selinux to permissive this should
> > only be a warning, not stop the install.  Or maybe it could be a new --force
> > option to dpkg.
> 
> Right, that makes sense, and I wrote a patch to add such a --force
> option when you filed the bug report, but one problem is that
> dpkg-statoverride also sets SE labels, and dpkg would need a way to
> pass the force option somehow to the child program. Which means
> programs might still fail. :/
> 
> But I could certainly try to make it non-fatal on non-enforcing mode.

Does the attached patch fix the issue for you?

Thanks,
Guillem
diff --git i/src/selinux.c w/src/selinux.c
index 4d020b1..d56db16 100644
--- i/src/selinux.c
+++ w/src/selinux.c
@@ -76,7 +76,7 @@ dpkg_selabel_load(void)
 	}
 
 	sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-	if (sehandle == NULL)
+	if (sehandle == NULL && security_getenforce() == 1)
 		ohshite(_("cannot get security labeling handle"));
 #endif
 }
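
Review bot: the new condition `sehandle == NULL && security_getenforce() == 1` treats a security_getenforce() error the same as permissive mode, because that call returns -1 on failure, so a failed selabel_open() is then dropped without any message. Consider emitting a warning on the non-fatal path so that skipped labeling is visible to the user, and deciding explicitly whether the -1 case should be fatal. After this change dpkg_selabel_load() can also return with sehandle still NULL, so whatever uses sehandle afterwards (not visible in this hunk) has to tolerate that.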
