Package: selinux-policy-default
Version: 2:0.2.20100524-9
Severity: critical
Tags: patch
Most services fail to start when booting with SELinux enabled on a system
that uses the /run directory (initscripts 2.88dsf-13.6).
A patch is attached to solve this:
1. Add file_contexts.subs_dist file, so that files in /run are labelled
the same as corresponding files in /var/run, and likewise for /run/lock
and /run/shm.
However, support for file_contexts.subs_dist requires libselinux 2.0.102,
which is currently available only in upstream git. If you don't want to update libselinux, then
you can change this to use file_contexts.subs instead. (The intention of
2.0.102 is that file_contexts.subs_dist should be used by the distribution,
and file_contexts.subs reserved for the local admin.)
2. Allow all domains which access /var/run or /var/lock to read symlinks
of the appropriate type (because they are now symlinks to /run and to
/run/lock).
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.2-3 Pluggable Authentication Modules f
ii libselinux1 2.0.98-1+b1 SELinux runtime shared libraries
ii libsepol1 2.0.42-1 SELinux library for manipulating b
ii policycoreutils 2.0.82-5 SELinux core policy utilities
ii python 2.6.6-14 interactive high-level object-orie
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.0.23-1 SELinux policy compiler
ii setools 3.3.6.ds-7.2+b1 tools for Security Enhanced Linux
Versions of packages selinux-policy-default suggests:
pn logcheck <none> (no description available)
pn syslog-summary <none> (no description available)
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission
denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
diff -Nwaru 20100524-9/debian/file_contexts.subs_dist 20100524-9+orr/debian/file_contexts.subs_dist
--- 20100524-9/debian/file_contexts.subs_dist 1970-01-01 01:00:00.000000000 +0100
+++ 20100524-9+orr/debian/file_contexts.subs_dist 2011-05-14 14:31:17.316000865 +0100
@@ -0,0 +1,5 @@
+/run /var/run
+/run/lock /var/lock
+/var/run/lock /var/lock
+/run/shm /dev/shm
+/var/run/shm /dev/shm
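Review bot: The `/var/run/lock` and `/var/run/shm` entries only matter when the shorter `/run` prefix is matched ahead of `/run/lock` or `/run/shm`, leaving a `/var/run/lock/...` or `/var/run/shm/...` path that still needs rewriting, and nothing in the file records that, so a later maintainer could drop them as duplicates. The subs format skips lines beginning with `#`, so a short header would fix that: `# Label /run, /run/lock and /run/shm like /var/run, /var/lock and /dev/shm.` followed by `# The /var/run/* lines catch paths already rewritten by the /run entry.` It is also worth stating in that comment that these substitutions affect only label lookup (setfiles/restorecon/matchpathcon) and grant nothing at runtime, which is why the lnk_file rules in files.if are still needed.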
diff -Nwaru 20100524-9/debian/local.mk 20100524-9+orr/debian/local.mk
--- 20100524-9/debian/local.mk 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/debian/local.mk 2011-05-14 14:36:39.616000898 +0100
@@ -213,6 +213,7 @@
rm -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp; \
done
$(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/mls/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/mls/contexts/files/
$(install_file) VERSION $(DOCDIR)/
$(install_file) README $(DOCDIR)/
$(install_file) debian/README.Debian $(DOCDIR)/
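Review bot: Installing debian/file_contexts.subs_dist is not paired with a versioned dependency on a libselinux that reads it: the report states support arrives in libselinux 2.0.102, lists libselinux1 2.0.98-1+b1 as installed, and no debian/control change is part of this patch. On such a system the new file is silently ignored and paths under /run keep whatever label the file_contexts regexes give them, which is exactly the failure being fixed, with no build- or install-time signal that the fix is inactive. Either add `Depends: libselinux1 (>= <first Debian version with subs_dist support>)` or, as the report itself offers, install the file as file_contexts.subs until that version is available. The same applies to the default-policy install hunk that follows this one.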
@@ -249,6 +250,7 @@
rm -f $(TMPTOP)/usr/share/selinux/default/$$module.pp; \
done
$(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/default/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/default/contexts/files/
$(install_file) VERSION $(DOCDIR)/
$(install_file) README $(DOCDIR)/
$(install_file) debian/README.Debian $(DOCDIR)/
diff -Nwaru 20100524-9/policy/modules/kernel/files.if 20100524-9+orr/policy/modules/kernel/files.if
--- 20100524-9/policy/modules/kernel/files.if 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/policy/modules/kernel/files.if 2011-05-14 17:19:18.616001017 +0100
@@ -4861,6 +4861,7 @@
type var_t, var_lock_t;
')
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
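Review bot: The new `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` grants reading of every symlink carrying var_lock_t, not only the /var/lock -> /run/lock link that motivates it, and the var_run_t rules in the later hunks of this file widen callers the same way; any domain that can create var_lock_t or var_run_t symlinks can now have them read by every caller of these interfaces. The exposure is bounded because following a link still requires access to the target's own label, but a dedicated type for the two compatibility symlinks would keep the grant narrow at the cost of one more file_contexts entry, and that trade-off should be stated in the changelog or the policy. Whichever is chosen, a one-line comment above each added rule, e.g. `# /var/lock is a symlink to /run/lock`, would record why a search/list interface now needs lnk_file access. The interface definitions begin and end outside these hunks.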
@@ -4899,6 +4900,7 @@
type var_t, var_lock_t;
')
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
rw_dirs_pattern($1, var_t, var_lock_t)
')
@@ -4918,6 +4920,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -4939,6 +4942,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
manage_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -4960,6 +4964,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
delete_files_pattern($1, lockfile, lockfile)
')
@@ -4980,6 +4985,7 @@
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5002,6 +5008,7 @@
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5034,6 +5041,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
filetrans_pattern($1, var_lock_t, $2, $3)
')
@@ -5072,6 +5080,7 @@
type var_t, var_run_t;
')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -5110,6 +5119,7 @@
type var_t, var_run_t;
')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
')
@@ -5128,6 +5138,7 @@
type var_t, var_run_t;
')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
@@ -5185,6 +5196,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
filetrans_pattern($1, var_run_t, $2, $3)
')
@@ -5203,6 +5215,7 @@
type var_t, var_run_t;
')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
@@ -5242,6 +5255,7 @@
')
allow $1 var_t:dir search;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:dir manage_dir_perms;
')
@@ -5298,6 +5312,7 @@
type var_t;
')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
')
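Review bot: The gen_require block of this interface declares only `type var_t;` on the line above the closing `')`, yet the added rule references var_run_t; a module calling this interface without requiring var_run_t elsewhere will fail to build with an out-of-scope type error. Change the require line to `type var_t, var_run_t;` next to the existing pidfile attribute (presumably declared just above the hunk). The hunks whose require blocks are not visible here — the var_lock_t getattr/manage/delete/read/manage-dirs/filetrans hunks, the pid filetrans and manage-dir hunks, and the final delete hunk — should be checked the same way; the hunks that show `type var_t, var_lock_t;` or `type var_t, var_run_t;` already cover the new rule. The interface starts above the hunk.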
@@ -5363,6 +5378,7 @@
')
allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
delete_dirs_pattern($1, pidfile, pidfile)
')