Your message dated Thu, 12 Jan 2017 07:18:37 +0000
with message-id <e1crzef-000e5k...@fasolo.debian.org>
and subject line Bug#740685: fixed in refpolicy 2:2.20161023.1-7
has caused the Debian Bug report #740685,
regarding selinux-policy-default: incompatible with resolvconf
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
740685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal
The SELinux policy doesn't understand resolvconf. It doesn't appear to
throw any sort of AVC denial on the operation of resolvconf *itself*
(probably because it does all its work from uber-privileged init.d and
DHCP hook scripts, at least on my system) but it cannot handle what
resolvconf *does to /etc/resolv.conf*:
# ls -lZd /etc /etc/resolv.conf /etc/resolvconf /etc/resolvconf/run /run /run/resolvconf /run/resolvconf/resolv.conf
drwxr-xr-x. 70 root root system_u:object_r:etc_t:SystemLow 4096 Mar 2 21:44 /etc
drwxr-xr-x. 4 root root system_u:object_r:etc_t:SystemLow 4096 Oct 1 17:38 /etc/resolvconf
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 31 Oct 1 17:38 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:SystemLow 15 Oct 1 17:38 /etc/resolvconf/run -> /run/resolvconf
drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow 600 Mar 4 02:33 /run
drwxr-xr-x. 3 root root system_u:object_r:var_run_t:SystemLow 100 Mar 4 02:33 /run/resolvconf
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t:SystemLow 172 Mar 4 02:33 /run/resolvconf/resolv.conf
Note the absence of 'net_conf_t'. After substantial fiddling I have not
even been able to figure out a set of modified type-labels that will
make the various daemons that need resolv.conf happy. Changing both
/run/resolvconf/resolv.conf and the /etc/resolv.conf symlink back to
net_conf_t almost does the trick, but I'm left with e.g.
avc: denied { read } for pid=3675 comm="ntpd" name="resolv.conf" dev=xvda ino=27841 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
... because the rules for ntpd say it can read net_conf_t *files*,
but not *symlinks*. Sigh. Surely there is a way to patch this
at the semanage level, without having to change the definition of
a whole bunch of sysnet_* interfaces and regenerate the entire policy?
Moreover, I'm not at all sure how to write the rules that ensure that
the file and the symlink *stay* labeled net_conf_t. Override rules
of the form
/etc/resolv\.conf.*        all files   system_u:object_r:net_conf_t:s0
/var/run/resolvconf(/.*)   all files   system_u:object_r:net_conf_t:s0
are not enough; the files keep getting created as (depending exactly
how you test) initrc_var_run_t, etc_t, or dhcp_something_t. I'm not
shy of writing my own module, but I don't even know where to start.
(Why would you want to use resolvconf on a SELinux-locked-down
server? Because you are also running unbound in forwarding mode;
unbound+resolvconf+dhclient seamlessly arrange for all local DNS requests
to go through unbound and therefore be DNSSECified ... as far as DAC is
concerned, anyway.)
zw
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
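An added example, not part of the bug report or of refpolicy: a small Python parser for AVC denial lines like the ntpd one quoted above that extracts the source domain, target type and object class, flags lnk_file denials (the file-versus-symlink gap the report describes), and emits a local refpolicy-style module containing the minimal allow rule. The module name local_resolvconf and the regexes are my own; this covers the symlink denial only, not the separate question of keeping the files labelled net_conf_t.

```python
import re
from dataclasses import dataclass

# Constructed from the AVC line quoted in the bug report, rejoined onto one line.
SAMPLE_AVC = ('avc: denied { read } for pid=3675 comm="ntpd" name="resolv.conf" '
              'dev=xvda ino=27841 scontext=system_u:system_r:ntpd_t:s0 '
              'tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class Denial:
    perms: tuple      # e.g. ("read",)
    source_type: str  # domain, e.g. ntpd_t
    target_type: str  # object type, e.g. net_conf_t
    tclass: str       # object class, e.g. lnk_file

def parse_avc(line):
    """Return a Denial for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:  # a context is user:role:type[:range]; the type is the third field
        stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
    except (KeyError, IndexError):
        return None
    return Denial(tuple(m.group("perms").split()), stype, ttype, fields.get("tclass", ""))

def allow_rule(d):
    """One allow rule in refpolicy .te syntax."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"

def symlink_gaps(denials):
    """Denials on class lnk_file: a domain allowed to read a type's files (as
    ntpd_t is for net_conf_t above) still needs a separate rule on the symlink."""
    return [d for d in denials if d.tclass == "lnk_file"]

def te_module(name, denials):
    """Local policy module (hypothetical name) requiring both types of each rule."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    out = [f"policy_module({name}, 1.0)", "", "gen_require(`"]
    out += [f"\ttype {t};" for t in types] + ["')", ""]
    out += sorted({allow_rule(d) for d in denials})
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(te_module("local_resolvconf", [d]))
```

The printed module is what one would feed to checkmodule/semodule_package as a local module; the generated rule is deliberately the narrowest one implied by the denial.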
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-7
We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 740...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russell Coker <russ...@coker.com.au> (supplier of updated refpolicy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 12 Jan 2017 18:01:40 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src
selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
Changed-By: Russell Coker <russ...@coker.com.au>
Description:
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 740685 781779 849637 850032
Changes:
refpolicy (2:2.20161023.1-7) unstable; urgency=medium
.
[ Laurent Bigonville and cgzones ]
* Sort the files in the selinux-policy-src.tar.gz tarball by name, this
should fix the last issue for reproducible build
* Add genfscon for cpu/online. Closes: #849637
[ Russell Coker ]
* Make the boinc patch like the one upstream accepted and make it last in
the list.
* Label /etc/sddm/Xsession as xsession_exec_t
* Label ~/.xsession-errors as xauth_home_t and use a type-trans rule for it
* Allow devicekit_power_t to chat to xdm_t via dbus
* Allow rtkit_daemon_t to stat the selinuxfs and search default contexts
* Allow loadkeys_t to read tmp files created by init scripts
* Allow systemd_tmpfiles_t to delete usr_t files for a file copied to /tmp
and to read dbus lib files for /var/lib/dbus
* Allow systemd_logind_t to list tmpfs_t dirs, relabelto user runtime,
relabel to/from user_tmpfs_t, and manage wireless_device_t
* Allow xauth_t to inherit file handles from xdm_t, read an inherited fifo
and read/write an inherited socket.
* Allow xdm_t to send dbus messages to unconfined_t
* Give crond_t sys_resource so it can set hard ulimit for jobs
* Allow systemd_logind_t to setattr on the kvm device and user ttys, to
manage user_tmp_t and user_tmpfs_t files, to read/write the dri device
* Allow systemd_passwd_agent_t to stat the selinuxfs and search the
contexts dir
* Make systemd_read_machines() also allow listing directory
* Make auth_login_pgm_domain() include userdom_read_user_tmpfs_files()
* Allow setfiles_t to inherit apt_t file handles
* Allow system_mail_t to use ptys from apt_t and unconfined_t
* Label /run/agetty.reload as getty_var_run_t
* Allow systemd_tmpfiles_t to relabel directories to etc_t
* Make sysnet_create_config() include { relabelfrom relabelto
manage_file_perms }, allow systemd_tmpfiles_t to create config, and set
file contexts entries for /var/run/resolvconf. Makes policy work with
resolvconf (but requires resolvconf changes). Closes: #740685
* Allow dpkg_script_t to restart init services
* Allow shell_exec_t to be an entrypoint for unconfined_cronjob_t
* Allow named to read network sysctls and usr files
* Label /lib/systemd/systemd-timedated and /lib/systemd/systemd-timesyncd as
ntpd_exec_t and allow ntpd_t to talk to dbus and talk to sysadm_t and
unconfined_t over dbus. Allow ntpd_t capabilities fowner and setpcap when
building with systemd support, also allow listing init pid dirs. Label
/var/lib/systemd/clock as ntp_drift_t
* Allow systemd_nspawn_t to read system state, search init pid dirs (for
/run/systemd) and capability net_admin
* Allow backup_t capabilities chown and fsetid to cp files and preserve
ownership
* Allow logrotate_t to talk to dbus and connect to init streams for
systemctl, also allow setrlimit for systemctl
* Allow mon_net_test_t to bind to generic UDP nodes. Allow mon_local_test_t
to execute all applications (for ps to getattr mostly)
* Label /var/lib/wordpress as httpd_var_lib_t
* Label apachectl as httpd_exec_t so it correctly creates pid dirs etc and
allow it to manage dirs of type httpd_lock_t
[ Russell Coker Important ]
* sddm is now working (gdm3 SEGVs, not a policy bug), closes: #781779
* Support usrmerge, lots of fc changes and subst_dist changes
Closes: #850032
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel