Your message dated Fri, 26 Jun 2009 13:00:29 -0500
with message-id <[email protected]>
and subject line selinux-policy-default - dpkg fails to execute initrc_exec_t 
with invalid context
has caused the Debian Bug report #526133,
regarding selinux-policy-default - dpkg fails to execute initrc_exec_t with 
invalid context
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
526133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526133
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:0.0.20080702-6
Severity: grave

I have a machine where the unconfined policy is loaded but not used, so
my only way in is staff_u with staff_r and transition to sysadm_r:

| # id   
| uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

Now dpkg fails to execute initrc_exec_t with the following audit
message:

| audit(1241011095.115:260): security_compute_sid:  invalid context staff_u:sysadm_r:initrc_t:s0 for scontext=staff_u:sysadm_r:dpkg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process

This makes it impossible to install/remove any package which wants to
use invoke-rc.d.

Bastian

-- 
Deflector shields just came on, Captain.



--- End Message ---
--- Begin Message ---
Hi,

> I have a machine where the unconfined policy is loaded but not used,
> so my only way in is staff_u with staff_r and transition to sysadm_r:

        Hmm. This is not the default, so the bug in the policy package
 is not grave.

        And not only is the change not the default, it is weird: Either
 you use targeted policy, which means you load and use unconfined policy
 module, or you unload the unconfined module to make it strict. The
 hybrid approach is .. unusual.

        You are, of course, free to change policy any way you want, but
 if that policy then breaks, you can't file bugs against the package.

        In kernel terms, if you use make-kpkg, or your kernel is tainted,
 or you change the kernel config, you can't bug the kernel team; similar
 logic applies here.

        manoj
-- 
Birthdays are like busses, never the number you want.
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


--- End Message ---
