Your message dated Mon, 02 Jan 2023 11:22:16 +0000
with message-id <[email protected]>
and subject line Bug#1012755: fixed in refpolicy 2:2.20221101-2
has caused the Debian Bug report #1012755,
regarding Package: selinux-policy-default: Missing policies for e.g. systemd-resolved and bash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1012755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20220520-1

Info:
When running SELinux on a freshly installed ‚Debian‘ (‚Stable‘, ‚Testing‘) in 
‚enforcing‘ mode, additional policies (e.g. for ‚bash‘ or ‚systemd-resolved‘) 
are missing.

Issue(s):

• systemd-resolved
‚systemd-resolved‘ cannot be started via its systemd unit file. You will see errors 
like ‚Failed to initialize SELinux labeling handle: No such file or directory‘. 
Unfortunately, this is misleading in this case and is ‚libselinux-1‘ related 
(reported within an additional bug report). However, there’s still an issue 
which isn’t reported or logged in any case. Within the code you can see the 
following block:

(optional base_optional_1526
    (typeattributeset cil_gen_require selinux_config_t)
    (dontaudit systemd_resolved_t selinux_config_t (dir (getattr open search)))
    (dontaudit systemd_resolved_t selinux_config_t (file (ioctl read getattr lock open)))
)

Which means that it is declared as ‚dontaudit‘. Removing the ‚dontaudit‘ 
attribute allows us to fetch the missing rule and to create a policy for this:

AVC avc:  denied  { read } for  pid=4016 comm="systemd-resolve" name="config" dev="sda1" ino=531948 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0


• /bin/bash: Permission denied
Trying to initialize an SSH session results directly in:

Linux testing 5.16.0-6-amd64 #1 SMP PREEMPT Debian 5.16.18-1 (2022-03-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 13 08:22:29 2022 from 10.0.2.2
        /bin/bash: Permission denied
Connection to 127.0.0.1 closed.

Luckily you can still use the regular console for logging in. However, this is 
just mentioned here and hasn’t been analyzed further.

How to reproduce:
        • Use a Debian Stable or Testing minimal installation
        • Remove AppArmor (apt remove apparmor)
        • Install SELinux (apt-get install selinux-basics selinux-policy-default auditd)
        • Run ‚selinux-activate‘ (Keep in mind, this will only set SELinux to ‚permissive‘ mode, not ‚enforcing‘)
        • Reboot (it will ‚relabel‘ during the boot)
        • Edit ‚/etc/selinux/config‘ and switch ‚SELINUX‘ from ‚permissive‘ to ‚enforcing‘
        • Reboot
        • Now, you can reproduce the mentioned issues (ssh login bash permission, systemd-resolved)

If you need further information or help for debugging, feel free to ask.

Thanks,
gyptazy

--- End Message ---
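The report above shows why the systemd-resolved denial never reached the audit log: refpolicy carries a dontaudit rule covering exactly that access. The following is an added example, not part of the bug report or of refpolicy, that parses an AVC line in the format quoted above, checks it against the quoted dontaudit rules (reduced here to constructed tuples of source type, target type, class and permissions), and renders the CIL allow rule audit2allow would produce. It assumes the audit line uses the standard kernel AVC field layout; the sample line and the rule table are constructed from the report.

```python
import re

# Constructed sample: the AVC line quoted in the bug report above.
AVC_LINE = ('AVC avc:  denied  { read } for  pid=4016 comm="systemd-resolve" '
            'name="config" dev="sda1" ino=531948 '
            'scontext=system_u:system_r:systemd_resolved_t:s0 '
            'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0')

# The two dontaudit statements from the refpolicy CIL block quoted in the
# report, reduced to (source type, target type, object class, permissions).
DONTAUDIT_RULES = [
    ("systemd_resolved_t", "selinux_config_t", "dir",
     {"getattr", "open", "search"}),
    ("systemd_resolved_t", "selinux_config_t", "file",
     {"ioctl", "read", "getattr", "lock", "open"}),
]

# "avc:  denied  { read } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit line into its security-relevant parts, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; the type is what policy rules key on.
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "permissive": fields.get("permissive") == "1",
    }


def suppressed_by(avc, rules):
    """Return the dontaudit rules that would hide this denial from the audit log."""
    return [r for r in rules
            if r[0] == avc["source"] and r[1] == avc["target"]
            and r[2] == avc["tclass"] and avc["perms"] <= r[3]]


def to_cil_allow(avc):
    """Render the CIL allow rule that would permit the denied access."""
    return "(allow %s %s (%s (%s)))" % (
        avc["source"], avc["target"], avc["tclass"], " ".join(sorted(avc["perms"])))
```

Run against the sample, the denial matches the file dontaudit rule, which is why nothing appears in the log until the rule is removed (or `semodule -DB` disables all dontaudit rules system-wide) and the resulting allow rule is `(allow systemd_resolved_t selinux_config_t (file (read)))`.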
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20221101-2
Done: Russell Coker <[email protected]>

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 Jan 2023 22:02:36 +1100
Source: refpolicy
Architecture: source
Version: 2:2.20221101-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Closes: 1012755
Changes:
 refpolicy (2:2.20221101-2) unstable; urgency=medium
 .
   * Allow $1_dbusd_t to create sock_files under /tmp
   * Remove the deprecated interfaces that had been in Bullseye
   * Allow $1_wm_t to read/write input devices and use logind fds
   * Added systemd_dbus_chat_locale() and allowed xdm and user domains to do it.
   * Allow user domains to unlink xdm_tmp_t socket files
   * Allow systemd-coredump, chkpwd_t, and setfiles_t to statfs /proc
   * Label /usr/lib/NetworkManager/nm-dispatcher* as NetworkManager_exec_t
   * Label /sbin/fstrim as fsadm_exec_t
   * Allow setfiles_t to read bin_t links
   * Make ssh_sysadm_login default to true.  Closes: #1012755
   * Allow fsadm_t to statfs cgroup filesystems and to read /proc/1/environ
     for systemd-fsckd.  Also dontaudit net_admin capability for systemd-fsckd
     trying to change buffer sizes.
   * Allow systemd_sysusers_t to use inherited user terminals and inherit file
     handles from unconfined_t and give it domain_obj_id_change_exemption()
   * Made init_runtime_t an init unit file, for automatically generated units


--- End Message ---
