Package: bash
Version: 4.4-4+b1
The specified Vcs fields do not link to the recent packaging version.
Package: bash
Version: 4.4-4+b1
Severity: important
Due to #842037, bash is currently shipped without PIE[1] support.
Please consider adding a package bash-pie, which Conflicts and
Provides bash, or upload a PIE-enabled version to stretch-backports
after release.
[1]
https://wiki.debian.org/Hard
Package: auditd
Version: 1:2.6.7-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
ausearch segfaults on the following input in interpret mode:
/sbin/ausearch -i --input file
type=AVC msg=audit(1490829425.686:121): avc: denied { bind } for
pid=1034 comm="darkstat" scontext=system
Package: debhelper
Version: 10.2.5
Severity: wishlist
Hi,
personally, I like the --list-missing/--fail-missing options from dh_install.
Any chance of --list-missing becoming the default for maybe compat version 11?
Best regards
Christian Göttsche
the fixing patch is not updated:
https://sources.debian.net/src/llvm-toolchain-4.0/1:4.0-1/debian/patches/fix-scan-view-path.diff/?hl=9#L9
Package: openssh-client
Version: 1:7.4p1-6
Dear Maintainer,
according to man:moduli(5) the file /etc/ssh/moduli is only used by sshd.
Why is this file shipped with openssh-client and not openssh-server?
Best regards,
Christian Göttsche
Package: man-db
Version: 2.7.6.1-2
Dear Maintainer,
can you please add a systemd timer for the daily man-db cache regeneration.
--- /dev/null 2017-03-14 22:28:11.90999 +0100
+++ man-db.timer2017-03-16 12:07:22.956516872 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily man-db regene
Package: fake-hwclock
Version: 0.11
Dear Maintainer,
can you please add a systemd timer for the regular time save.
--- /dev/null 2017-03-14 22:28:11.90999 +0100
+++ fake-hwclock-save.timer 2017-03-16 11:52:21.062121382 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=fake-hwclock: save time
Package: logrotate
Version: 3.11.0-0.1
Dear Maintainer,
can you please add a systemd timer for the daily log rotation.
--- /dev/null 2017-03-14 22:28:11.90999 +0100
+++ logrotate.timer 2017-03-15 20:30:26.475786062 +0100
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily rotation of log files
Package: monit
Version: 1:5.20.0-6
Hi,
could you consider shipping a systemd service file?
Best regards,
Christian Göttsche
[Unit]
Description=Monit monitoring service
Documentation=man:monit(1)
[Service]
EnvironmentFile=-/etc/default/monit
Type=forking
KillMode=process
ExecStart=/usr/b
Package: dphys-swapfile
Version: 20100506-3
Hi,
could you consider shipping a systemd service file?
Best regards,
Christian Göttsche
[Unit]
Description=dphys-swapfile - set up, mount/unmount, and delete an swap file
Documentation=man:dphys-swapfile(8)
[Service]
Type=oneshot
ExecStart=/sb
2017-03-13 23:11 GMT+01:00 Simon McVittie :
> On Mon, 13 Mar 2017 at 21:58:46 +0100, cgzones wrote:
>> Since recently the reference policy defines the file contexts with
>> /run prefixes [1] and only supports /var/run via a backward
>> compatibility alias.
>
> Is that ba
Hi list,
I created a bug report against dbus 1.10 on Debian [1] due to failing to
send policyload notices.
Are there any objections or comments on the upstream patch[2]?
The patch works for me:
Mar 14 00:01:36 debianSE audit[441]: USER_AVC pid=441 uid=105
auid=4294967295 ses=4294967295
subj=system_u
Package: dbus
Version: 1.10.16-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Hi,
dbus ships a systemd socket unit.
On SELinux enabled systems systemd automatically sets the correct file
context on creation according to the policy's configuration.
Since recently the reference poli
Package: openssh-server
Version: 1:7.4p1-6
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Hi,
OpenSSH-server ships a systemd-tmpfiles configuration for creating a
runtime directory.
On SELinux enabled systems, systemd-tmpfiles automatically sets the
correct file context on creation
Package: cron
Version: 3.0pl1-128+b1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Hi,
with the removal of the SELinux login entry for system_u [1], cron
stops working.
get_security_context [2] expects a NULL name when called for a system cronjob.
But it is called with "system_u"
Package: dbus
Version: 1.10.16-1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Hi,
on SELinux enabled systems, dbus cannot send the policyload notification.
There is already a thread over at redhat [1], and bug reports at
redhat [2] and dbus [3].
Please, cherry-pick the fix from u
debug_echo "send dbus signal (success)"
else
debug_echo "send dbus signal (error)"
One could also check for the existence of /run/dbus/system_bus_socket
via [ -S /run/dbus/system_bus_socket ]
2016-12-31 15:00 GMT+01:00 cgzones :
> First I'd like to question
Package: libwrap0
Version: 7.6.q-26
libwrap0 recommends tcpd and as recommended packages are by default
annexed, tcpd will be installed e.g. for the packages openssh-server
or auditd.
Could you consider lowering the bonding to suggests?
Package: ntp
Version: 1:4.2.8p9+dfsg-2.1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
On a SELinux enabled system, ntpd periodically generates some odd audits:
type=PROCTITLE msg=audit(02/17/17 22:52:21.790:167) :
proctitle=/usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:111
type=SYS
/info/libglib2.0-0:amd.list .
Cruft then complains about the nonexistence of the path.
Maybe the directory could be shipped empty?
On 15 Feb 2017 7:03 pm, "Michael Biebl" wrote:
On Wed, 25 Jan 2017 13:42:29 +0100 cgzones wrote:
> Package: libglib2.0-0
> Version: 2.50.2-2
>
Package: clang-4.0
Version: 1:4.0~+rc1-1
The shipped file /usr/bin/scan-build-4.0-py is a dead link to a non
existent target ../share/clang/scan-build-4.0/bin/scan-build-py.
Maybe the target should be ./share/clang/scan-build-py-4.0/bin/scan-build?
Thanks a lot for your response and the fixes.
I finally got some time and reran cruft at the new version:
missing: dpkg
/usr/lib/x86_64-linux-gnu/gio
/usr/lib/x86_64-linux-gnu/gio/modules
I reported it here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852549
u
Package: libglib2.0-0
Version: 2.50.2-2
cruft creates a report regarding this package:
missing: dpkg
/usr/lib/x86_64-linux-gnu/gio
/usr/lib/x86_64-linux-gnu/gio/modules
This is because libglib2.0-0 lists this directory and file but does not
ship it by default.
The postinst
pam_selinux.so, so that via different pam
configurations, like sddm does it
https://github.com/sddm/sddm/blob/develop/src/helper/backend/PamBackend.cpp#L220,
different contexts can be assigned.
From: cgzones
Date: Tue, 3 Jan 2017 12:04:20 +0100
Subject: [PATCH] pam_selinux: add select_default_context option
Package: dpkg
Version: 1.18.18
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux
Currently, dpkg runs its maintainer tasks in the SELinux type
dpkg_script_t without changing the SELinux user or role.
So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be
run in unconfine
Package: cruft
Version: 0.9.29
Running cruft on a test vm with SELinux creates some noise.
I created some filters and explain scripts under the guideline,
filters contains paths, which may be present on the system and paths
from the explain scripts must be present.
In addition, I ignored the two k
Package: monit
Version: 1:5.20.0-4
On package installation, the log file /var/log/monit.log is created by
the post install script monit.postinst.
The SELinux context will not be correctly set up.
Can you please either add something like
if [ -x /sbin/restorecon ]; then
/sbin/restoreco
s and clarity I only
load the modules needed for my system and xserver is not one of them.
2017-01-01 16:35 GMT+01:00 Michael Biebl :
> Am 01.01.2017 um 16:14 schrieb cgzones:
>> I meant the x11-common Debian package.
>> The SELinux file contexts are defined in the xserver module:
Oops,
I am sorry.
Seems I forgot to check the file affiliations beside the x11 one.
So my question breaks down to whether the x11.conf file can be
distributed by the x11-common (or similar) package.
2017-01-01 15:41 GMT+01:00 Michael Biebl :
> Am 01.01.2017 um 15:19 schrieb cgzones:
>>
Package: systemd
Version: 232-8
Can the configuration files under /usr/lib/tmpfiles.d/ be distributed
by their respective packages?
Like:
Configuration file          Package
colord.conf                 colord
dbus.conf                   dbus
gvfsd-fuse-tmpfiles.conf    gvfs or g
hen
if dbus-send --system / app.apt.dbus.updated boolean:true >
/dev/null 2>&1; then
Kindly Regards,
Christian Göttsche
2016-12-30 21:43 GMT+01:00 David Kalnischkies :
> Control: severity -1 wishlist
>
> On Thu, Dec 29, 2016 at 12:22:02PM +0100, cgzones wrote:
>> Th
Göttsche
2016-12-31 12:49 GMT+01:00 Dominick Grift :
> On 12/31/2016 12:41 PM, Dominick Grift wrote:
>> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>>> On 12/31/2016 11:34 AM, cgzones wrote:
>>>> Wow!
>>>>
>>>> Thank you very much, I was compl
://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
One small issue arises for me:
I tried to set up the directory '/sys/kernel/debug/tracing' via
'genfscon sysfs /kernel/debug/tracing
gen_context(system_u:object_r:tracefs_t,s0)'
but
But isn't genfscon with subcontexts only available on the /proc filesystem?
2016-12-30 22:18 GMT+01:00 Dominick Grift :
> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville
> wrote:
>> reassign 849637 policycoreutils
>> thanks
>>
>> On Thu, 29 Dec
:36:30 +0100 cgzones wrote:
>
>> When running a SELinux enabled system /sys/devices/system/cpu/online
>> is mislabeled after boot:
>>
>> root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>> Would relabel /sys/devices/system/cpu/o
Package: systemd
Version: 232-8
When running a SELinux enabled system /sys/devices/system/cpu/online
is mislabeled after boot:
root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
Would relabel /sys/devices/system/cpu/online from
system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_onli
Package: apt
Version: 1.4~beta2
The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
to check whether dbus is running and whether to send a message.
With SELinux enabled this causes avc denials like:
type=PROCTITLE msg=audit(12/29/16 07:43:22.385:42209) :
proctitle=pidof dbus-daem
Package: refpolicy
Version: 2:2.20161023.1-3
Ship a list of modules built into the base module package.
This might help with module management.
---
debian/rules | 1 +
debian/selinux-policy-default.install | 1 +
debian/selinux-policy-mls.install | 1 +
3 files chang
Package: refpolicy
Version: 2:2.20161023.1-3
The usage of the macro domain_auto_trans is deprecated.
Use domain_auto_transition_pattern instead.
---
debian/example/example.if | 2 +-
debian/policygentool | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/example/e
Package: refpolicy
Version: 2:2.20161023.1-3
Use dh_install --fail-missing for hard build errors.
---
debian/rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index d6fe74b..d1f7e7c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,7 +23,7 @@
Package: refpolicy
Version: 2:2.20161023.1-3
Git-buildpackage complains about an old config format.
While on it, reintroduce signing tags
---
debian/gbp.conf | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 6837223..557fbe8 100644
---
erwriting the system files, but
that does not solve the issue.
But I am not sure the upstream python modules were used, and probably
the system's libsepol was used too.
Kindly Regards,
Christian Göttsche
2016-12-17 9:57 GMT+01:00 Laurent Bigonville :
> Le 15/12/16 à 14:13, cgzones
Package: policycoreutils-python-utils
Version: 2.6-2
When working on SELinux login settings, it seems that semanage is not
aware of already existing entries.
Example usage:
root@desktopdebian:/home/christian# semanage login -a -s unconfined_u christian
libsemanage.add_user: user system_u not in p
Package: setools
Version: 3.3.8+20151215-3
Severity: normal
After the recent upgrades of the selinux userland libraries I noticed
a bug in the seinfo tool.
Example output:
christian@debianSE:~$ seinfo
Statistics for policy file: /etc/selinux/default/policy/policy.30
Policy Version & Type: v.30
I can confirm this bug.
It seems this is already fixed upstream; can you please cherry pick this
https://github.com/SELinuxProject/selinux/commit/5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
patch?
Package: newrole
Version: 2.4-4
When I try to use newrole on debian testing with upstream refpolicy
(https://github.com/TresysTechnology/refpolicy) installed, I got the
following error:
root@debianSe:~# newrole -r sysadm_r -t sysadm_t
Password:
newrole: incorrect password for root
Error sending a
Package: monit
Version: 1:5.4-2
Severity: wishlist
Hi,
can you please backport monit 5.5 for debian wheezy.
Best regards,
Christian Göttsche
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.o
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist
Hi,
can you unite the booleans allow_ptrace and deny_ptrace
Best regards,
Christian Göttsche
Package: selinux-policy-default
Version: 2:2.20110726-11
Severity: wishlist
Hi,
can you include a policy package for monit.
I write one which covers the monit daemon, the web interface, the
process monitoring and the monit invocation from a root console.
It does not cover connections to m/monit an
Package: selinux-policy-default
Version: 2:2.20110726-11
I'm using smartmontools and the daemon needs to read and write into its
lib directory /var/lib/smartmontools.
This directory is not labeled, so I get the following denies:
Oct 14 19:29:27 debian kernel: [ 18.35] type=1400
audit(13502
51 matches