Your message dated Wed, 28 Dec 2016 15:33:51 +0000
with message-id <e1cmgeh-0001ig...@fasolo.debian.org>
and subject line Bug#697814: fixed in refpolicy 2:2.20161023.1-5
has caused the Debian Bug report #697814,
regarding selinux-policy-default: exim4 and bitlbee want access to sysctl_crypto_t
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697814: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697814
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

For some reason exim4 and bitlbee are trying to read
/proc/sys/crypto/fips_enabled and SELinux doesn't let them.

These are the audit.log entries concerning exim4:
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { search } for  pid=1427 comm="exim4" name="crypto" dev=proc ino=5781 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { read } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { open } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=SYSCALL msg=audit(1357769011.179:17405): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc609af260 a1=0 a2=1b6 a3=0 items=1 ppid=1426 pid=1427 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm="exim4" exe="/usr/sbin/exim4" subj=system_u:system_r:exim_t:s0 key=(null)
    type=CWD msg=audit(1357769011.179:17405):  cwd="/var/spool/exim4"
    type=PATH msg=audit(1357769011.179:17405): item=0 name="/proc/sys/crypto/fips_enabled" inode=5782 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_crypto_t:s0
    type=AVC msg=audit(1357769011.179:17406): avc:  denied  { getattr } for  pid=1427 comm="exim4" path="/proc/sys/crypto/fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=SYSCALL msg=audit(1357769011.179:17406): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffdd4935e0 a2=7fffdd4935e0 a3=0 items=0 ppid=1426 pid=1427 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm="exim4" exe="/usr/sbin/exim4" subj=system_u:system_r:exim_t:s0 key=(null)

audit2allow suggests:
    #============= exim_t ==============
    allow exim_t sysctl_crypto_t:dir search;
    allow exim_t sysctl_crypto_t:file { read getattr open };

The same problem happens for bitlbee.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- debconf-show failed

--- End Message ---
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-5

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <russ...@coker.com.au> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 29 Dec 2016 01:08:24 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russ...@coker.com.au>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 619855 619979 697814 734192 757994
Changes:
 refpolicy (2:2.20161023.1-5) unstable; urgency=medium
 .
   * Allowed system_munin_plugin_t to read usr_t files and have capability
     net_admin for mii-tool.  Thanks joerg <j...@joergschneider.com>
     Closes: #619855
   * Allow rsync_t to stat all sock_files and fifo_files when
     rsync_export_all_ro is set.  Thanks joerg <j...@joergschneider.com>
     Closes: #619979
   * Allow bitlbee_t to read FIPS state.  Closes: #697814
   * Allow mono_t to be in role unconfined_r.  Closes: #734192
   * Allow dpkg_script_t to manage null_device_t services for service scripts
     linked to /dev/null.  Closes: #757994
   * Give systemd_tmpfiles_t sys_admin capability for adjusting quotas.
   * Included initrc_t as a source domain in init_ranged_domain() so that old
     XDM packages that lack a systemd service file will work.
   * Use xserver_role() for unconfined_t so the xdm can start the session.
   * Allow user domains to talk to devicekit_disk_t and devicekit_power_t via
     dbus
   * Label /run/lvm as lvm_var_run_t
   * Allow dhcpc_t to manage samba config

--- End Message ---