Your message dated Tue, 27 Mar 2012 16:03:09 +0000
with message-id <[email protected]>
and subject line Bug#665320: fixed in policycoreutils 2.1.10-6
has caused the Debian Bug report #665320,
regarding policycoreutils: Hardening flags missing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
665320: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: policycoreutils
Version: 2.1.10-5
Severity: important
Tags: patch
Dear Maintainer,
The hardening flags are missing in multiple places because the
build system ignores them; CPPFLAGS is completely ignored.
The following _and_ the attached patch fix the issue. It also
enables all hardening options which were already used by some
files - this enables them for the complete package.
diff -Nru policycoreutils-2.1.10/debian/rules
policycoreutils-2.1.10/debian/rules
--- policycoreutils-2.1.10/debian/rules 2012-03-06 10:38:57.000000000 +0100
+++ policycoreutils-2.1.10/debian/rules 2012-03-23 01:58:12.000000000 +0100
@@ -10,6 +10,14 @@
#export SHLIBDIR=$${DESTDIR}/lib/${DEB_HOST_MULTIARCH}
#export LIBBASE=lib/${DEB_HOST_MULTIARCH}
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
+# missing (hardening) flags. dpkg_buildflags is necessary because $(shell ..)
+# doesn't use local environment variables.
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS)
dpkg-buildflags
+export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)
+
%:
dh $@ --with python2
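Review bot: the `dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags` definition has been wrapped onto two lines in this mail, with `dpkg-buildflags` alone on the following line; in the committed debian/rules it must stay on one line (or use a backslash continuation), otherwise make reads `dpkg-buildflags` as a separate statement and fails to parse the file. Also note that appending CPPFLAGS to CFLAGS through DEB_CFLAGS_MAINT_APPEND only reaches the compiler where the Makefiles take CFLAGS from the environment, which is why this hunk is only effective together with the attached `CFLAGS =` to `CFLAGS +=` patch below.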
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything):
$ hardening-check /usr/sbin/restorecond /usr/sbin/setsebool
/usr/sbin/semodule ...
/usr/sbin/restorecond:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/setsebool:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
/usr/sbin/semodule:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
...
Use `find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +` on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags).
Necessary for hardening flags.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-23
Index: policycoreutils-2.1.10/setfiles/Makefile
===================================================================
--- policycoreutils-2.1.10.orig/setfiles/Makefile 2012-03-23 02:05:07.981390480 +0100
+++ policycoreutils-2.1.10/setfiles/Makefile 2012-03-23 02:05:09.677390546 +0100
@@ -5,7 +5,7 @@
LIBDIR ?= $(PREFIX)/lib
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-CFLAGS = -g -Werror -Wall -W
+CFLAGS += -g -Werror -Wall -W
override CFLAGS += -I$(PREFIX)/include
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
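Review bot: `CFLAGS += -g -Werror -Wall -W` keeps `-Werror` while now also pulling the hardening flags in from the environment; with `-D_FORTIFY_SOURCE=2` the glibc headers mark functions such as read/write with `warn_unused_result`, and `-Werror` turns those new warnings into build failures, so the build log should be checked for warnings-as-errors after this change or `-Werror` dropped from the packaged build. The `override CFLAGS += -I$(PREFIX)/include` line below already uses `+=`, so the environment flags end up in front of the local include path, which is the intended order.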
Index: policycoreutils-2.1.10/sestatus/Makefile
===================================================================
--- policycoreutils-2.1.10.orig/sestatus/Makefile 2012-03-23 02:05:07.981390480 +0100
+++ policycoreutils-2.1.10/sestatus/Makefile 2012-03-23 02:05:09.677390546 +0100
@@ -5,7 +5,7 @@
ETCDIR ?= $(DESTDIR)/etc
LIBDIR ?= $(PREFIX)/lib
-CFLAGS = -Werror -Wall -W
+CFLAGS += -Werror -Wall -W
override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
LDLIBS = -lselinux -L$(LIBDIR)
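Review bot: same `CFLAGS =` to `CFLAGS +=` fix as in setfiles/Makefile. The report's own hardening-check output shows `Stack protected: no` for setsebool and semodule; that can be a false negative of the tool, but it is also exactly what a leftover `CFLAGS =` produces, so it is worth running `grep -n '^CFLAGS *=' */Makefile` over the whole source tree to confirm no other subdirectory still clobbers CFLAGS. Leaving `LDLIBS` untouched is fine only if the link step picks up `$(LDFLAGS)` from the environment (make's built-in link rule does); otherwise relro/bindnow need the same treatment.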
signature.asc
Description: Digital signature
--- End Message ---
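The report above recommends checking the build log in addition to `hardening-check`, because the latter only inspects the finished binaries. The following is an added example, not code from the bug report or from the policycoreutils package: a POSIX sh script that scans a build log for gcc compile and link lines missing the flags that dpkg-buildflags emits for hardening=+all. The flag list, the line-classification heuristics (a `-c` argument marks a compile line, `-o` without `-c` a link line) and the embedded sample log are assumptions made for the example; the sample log is constructed, not a real policycoreutils build log.

```shell
#!/bin/sh
# Added example (not from the bug report): scan a build log for gcc
# invocations that lack the Debian hardening flags, as a complement to
# hardening-check, which only inspects the final binaries.
# Assumes gcc-style command lines echoed by make, one invocation per line.

# Flags every compile line (gcc ... -c ...) should carry with hardening=+all.
HARDEN_CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2 -fPIE'
# Flags every link line (gcc ... -o prog, without -c) should carry.
HARDEN_LDFLAGS='-Wl,-z,relro -Wl,-z,now -pie'

# check_buildlog LOGFILE
# Prints "<line>: missing <flag>" for each flag absent from a compiler
# or linker invocation; returns 0 if all flags were found, 1 otherwise.
check_buildlog() {
    awk -v cflags="$HARDEN_CFLAGS" -v ldflags="$HARDEN_LDFLAGS" '
    BEGIN { nc = split(cflags, cf, " "); nl = split(ldflags, lf, " "); bad = 0 }
    # Only compiler command lines; make and dh chatter is skipped.
    /(^|[ \t])(gcc|cc)[ \t]/ {
        if ($0 ~ /(^|[ \t])-c([ \t]|$)/) {
            n = nc; for (i = 1; i <= n; i++) want[i] = cf[i]
        } else if ($0 ~ /(^|[ \t])-o[ \t]/) {
            n = nl; for (i = 1; i <= n; i++) want[i] = lf[i]
        } else {
            next
        }
        for (i = 1; i <= n; i++)
            if (index($0, want[i]) == 0) {
                printf "%d: missing %s\n", NR, want[i]
                bad = 1
            }
    }
    END { exit bad }
    ' "$1"
}

# write_sample_log FILE: writes a constructed build log (not a real
# policycoreutils log) with one hardened and one unhardened subdirectory,
# mimicking a Makefile that honours CFLAGS and one that still clobbers it.
write_sample_log() {
    cat > "$1" <<'EOF'
make[1]: Entering directory '/build/policycoreutils-2.1.10/setfiles'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIE -g -Werror -Wall -W -I/usr/include -c -o setfiles.o setfiles.c
gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o setfiles setfiles.o restore.o -lselinux -lsepol -L/usr/lib
make[1]: Entering directory '/build/policycoreutils-2.1.10/sestatus'
gcc -Werror -Wall -W -I/usr/include -D_FILE_OFFSET_BITS=64 -c -o sestatus.o sestatus.c
gcc -o sestatus sestatus.o -lselinux -L/usr/lib
EOF
}

# Usage: sh check_hardening.sh build.log
if [ "$#" -gt 0 ]; then
    check_buildlog "$1"
fi
```

On the constructed log the script reports the two sestatus lines (missing -fstack-protector, -D_FORTIFY_SOURCE=2 and -fPIE on the compile line; -Wl,-z,relro, -Wl,-z,now and -pie on the link line) and exits non-zero, while the setfiles lines pass. Matching on substrings keeps the check simple; a line that happens to contain `-fstack-protector-strong` is accepted as well, which is the desired behaviour.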
--- Begin Message ---
Source: policycoreutils
Source-Version: 2.1.10-6
We believe that the bug you reported is fixed in the latest version of
policycoreutils, which is due to be installed in the Debian FTP archive:
policycoreutils_2.1.10-6.debian.tar.gz
to main/p/policycoreutils/policycoreutils_2.1.10-6.debian.tar.gz
policycoreutils_2.1.10-6.dsc
to main/p/policycoreutils/policycoreutils_2.1.10-6.dsc
policycoreutils_2.1.10-6_amd64.deb
to main/p/policycoreutils/policycoreutils_2.1.10-6_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated policycoreutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 27 Mar 2012 17:45:36 +0200
Source: policycoreutils
Binary: policycoreutils
Architecture: source amd64
Version: 2.1.10-6
Distribution: unstable
Urgency: low
Maintainer: Laurent Bigonville <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Description:
policycoreutils - SELinux core policy utilities
Closes: 662514 665320
Changes:
policycoreutils (2.1.10-6) unstable; urgency=low
.
* Team upload.
* debian/control, debian/patches/0013-use_dpkg_buildflags.patch: Enable
hardening flags for all components of the package (Closes: #665320)
* debian/control: Fix Vcs-Browser URL
* debian/patches/0014-po-file-update.patch: Update the po files, this allows
the package to build twice in a row again (Closes: #662514)
* debian/rules: Install the right pam files
Checksums-Sha1:
68bbb4e9582ce53393d011d08a2ef44ccabeab66 2022 policycoreutils_2.1.10-6.dsc
f56d32ff5ff18c23679792da9fb11f5dbcbf121a 543817 policycoreutils_2.1.10-6.debian.tar.gz
c2131a9984aae684f550858c840365345a389be0 643298 policycoreutils_2.1.10-6_amd64.deb
Checksums-Sha256:
343400aae7111477254dee9e80d8fba91d07bba5e11a710af0ac14a5d5d609bb 2022 policycoreutils_2.1.10-6.dsc
de2a2a5f1e9c3fd680525f0f1718ea25d50e3461772afdd86e60104d87e50fd5 543817 policycoreutils_2.1.10-6.debian.tar.gz
3e1fc49ea674926c3aa8dff050c2760021bddda96360bb0b0bbefa653cf658c0 643298 policycoreutils_2.1.10-6_amd64.deb
Files:
61607d22cbe866a94802da0af24486d5 2022 utils optional policycoreutils_2.1.10-6.dsc
ab4922a9a8e468c33fab7bc527aa637a 543817 utils optional policycoreutils_2.1.10-6.debian.tar.gz
fac90fbaf9ad31e9e0ae3543b18e68f8 643298 utils optional policycoreutils_2.1.10-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCAAGBQJPceLLAAoJEB/FiR66sEPVEVoH/Apa7ivI3ssrpBsKN1a4VT0y
RcxT3p0m+2OI4evCI1idWl4h7dOl+wJaxhJoN66Ik1P2zCydSM049EWAnZN8n0j0
8eykuDPQx/iO87qfRMGWnVP7D6dR3COPXYXK+tWmVUy5fSTMBDgq0PicziCr75i8
JTnO8/rT1JkylD3nNk/ElhmtswV54usH8zmLlv8PbdkzvMBMLQIYy3vU+Fqyu7Mk
KAycnp5FvSX6keOJbrQon0QQDv/kDwaPmUuouzz1ZwbcZq0zlc4cipkE94/qs9g/
llOOwnBuiwT2ZDdV4NLwGne9JEKgDc+JE5NHvqhRZ4v23QNLNBRdqLJkc2JHrlo=
=fuuJ
-----END PGP SIGNATURE-----
--- End Message ---