Your message dated Wed, 28 Dec 2016 15:33:51 +0000
with message-id <e1cmgeh-0001ia...@fasolo.debian.org>
and subject line Bug#619979: fixed in refpolicy 2:2.20161023.1-5
has caused the Debian Bug report #619979,
regarding selinux-policy-default: avc denial errors in rsync for fifos and unix sockets when using rsync_export_all_ro
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
619979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:0.2.20100524-7
Severity: normal

Rsync can be used to back up SELinux systems by setting the boolean
rsync_export_all_ro.

This used to work on lenny, but after the squeeze update reading fifos and unix
domain sockets results in avc denials:

type=1400 audit(1301268253.519:1001): avc:  denied  { getattr } for  pid=14927 comm="rsync" path="/etc/service/clear/supervise/ok" dev=hda1 ino=66238 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=fifo_file
type=1400 audit(1301268285.436:1008): avc:  denied  { getattr } for  pid=14927 comm="rsync" path="/var/run/hostapd/wlan0" dev=hda1 ino=179290 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:hostapd_var_run_t:s0 tclass=sock_file

The attached patch solved the problem for me.
-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i586)

Kernel: Linux 2.6.38-geodelx (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules          1.1.1-6.1        Pluggable Authentication Modules f
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libsepol1               2.0.41-1         SELinux library for manipulating b
ii  policycoreutils         2.0.82-3         SELinux core policy utilities
ii  python                  2.6.6-3+squeeze5 interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.22-1   SELinux policy compiler
pn  setools                       <none>     (no description available)

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
/etc/selinux/default/modules/semanage.read.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.read.LOCK'
/etc/selinux/default/modules/semanage.trans.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.trans.LOCK'

-- no debconf information
--- selinux-policy-src-2:0.2.20100524-7/policy/modules/services/rsync.te        
2011-01-13 11:36:57.000000000 +0100
+++ selinux-policy-src/policy/modules/services/rsync.te 2011-03-24 
18:24:47.000000000 +0100
@@ -129,6 +129,8 @@
        auth_read_all_dirs_except_shadow(rsync_t)
        auth_read_all_files_except_shadow(rsync_t)
        auth_read_all_symlinks_except_shadow(rsync_t)
+       read_fifo_files_pattern(rsync_t, file_type, file_type)
+       read_sock_files_pattern(rsync_t, file_type, file_type)
        auth_tunable_read_shadow(rsync_t)
 ')
 auth_can_read_shadow_passwords(rsync_t)
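
Review bot: The two added lines grant more than the reported denials need. Both AVC records in the report are for { getattr } only, yet read_fifo_files_pattern(rsync_t, file_type, file_type) and read_sock_files_pattern(rsync_t, file_type, file_type) also let rsync_t open and read every fifo and socket file labelled with any file type, and a read from a fifo consumes data that another process was meant to receive. Suggest narrowing both lines to getattr-only access (for example getattr_fifo_files_pattern and getattr_sock_files_pattern with the same arguments) and adding a short comment that rsync only needs to stat these objects when exporting the whole filesystem read-only.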

--- End Message ---
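
The denials quoted in the report above can be reduced mechanically to the access rsync_t was actually refused, which is the baseline any policy change should be compared against. This is an added example, not part of the original report or of refpolicy; the function names are illustrative, and the sample input is the report's two records rejoined onto one line each.

```python
import re
from collections import defaultdict

# The two denials quoted in the report, rejoined onto one line each.
AUDIT_LOG = """\
type=1400 audit(1301268253.519:1001): avc:  denied  { getattr } for  pid=14927 comm="rsync" path="/etc/service/clear/supervise/ok" dev=hda1 ino=66238 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=fifo_file
type=1400 audit(1301268285.436:1008): avc:  denied  { getattr } for  pid=14927 comm="rsync" path="/var/run/hostapd/wlan0" dev=hda1 ino=179290 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:hostapd_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial; return None for other or truncated lines.

    A context is user:role:type[:level], so the type is component 3.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # incomplete record: do not guess the missing parts
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def denied_access(log_text):
    """Aggregate denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(log_text):
    """Render the aggregated denials as sorted type-enforcement allow rules."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(denied_access(log_text).items())
    ]
```

Calling `allow_rules(AUDIT_LOG)` yields one getattr-only rule per target type, which matches the changelog wording "stat all sock_files and fifo_files".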
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-5

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 619...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <russ...@coker.com.au> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Dec 2016 01:08:24 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russ...@coker.com.au>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 619855 619979 697814 734192 757994
Changes:
 refpolicy (2:2.20161023.1-5) unstable; urgency=medium
 .
   * Allowed system_munin_plugin_t to read usr_t files and have capability
     net_admin for mii-tool.  Thanks joerg <j...@joergschneider.com>
     Closes: #619855
   * Allow rsync_t to stat all sock_files and fifo_files when
     rsync_export_all_ro is set.  Thanks joerg <j...@joergschneider.com>
     Closes: #619979
   * Allow bitlbee_t to read FIPS state.  Closes: #697814
   * Allow mono_t to be in role unconfined_r.  Closes: #734192
   * Allow dpkg_script_t to manage null_device_t services for service scripts
     linked to /dev/null.  Closes: #757994
   * Give systemd_tmpfiles_t sys_admin capability for adjusting quotas.
   * Included initrc_t as a source domain in init_ranged_domain() so that old
     XDM packages that lack a systemd service file will work.
   * Use xserver_role() for unconfined_t so the xdm can start the session.
   * Allow user domains to talk to devicekit_disk_t and devicekit_power_t via
     dbus
   * Label /run/lvm as lvm_var_run_t
   * Allow dhcpc_t to manage samba config

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
