On Thu, 20 Feb 2014 00:28:43 -0800, Devin Carraway <de...@debian.org> wrote:

> Package: selinux-policy-default
> Version: 2:2.20140206-1
> Severity: important
>
> On a jessie system with refpolicy 2:2.20140206-1, and allow-hotplug
> set on the primary network interface, sshd is left running in udev_t,
> breaking it thoroughly (and in fact flooding the logs with socket
> errors until the machine runs out of disk). bind9, which also has a
> hotplug trigger script, is broken by inability of rndc to access auth
> keys.
>
> My guess as to why:
>
> Removal of the debian-specific refpolicy patches in rev
> 853ebfe7118c3984ff2b53f51af6f5758d222cd7 had the effect of returning
> the contents of /etc/network/if-{up,down}.d/ from initrc_exec_t to
> etc_t. As a result, on systems with allow-hotplug on their primary
> network interfaces the sshd and any other network-using daemons aware
> of hotplug will be started from udev rather than init, and with an
> etc_t startup script the usual domain transition doesn't happen.
>
> I'll test out restoring the labelling and see if there's more to this.
>
> Years ago, this was Bug#503941 at least as it impacted bind.

Could you please attach the AVC denials to the bug.

Thanks!

Laurent Bigonville
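The diagnosis in the quoted report rests on two observable facts: the hotplug scripts under /etc/network/if-up.d/ carry etc_t instead of initrc_exec_t, and as a consequence daemons they start stay in udev_t. The following POSIX shell script is an added example, not code from the bug report or from the refpolicy package; it checks both conditions against constructed sample output in the format of `ps -eZ` and `ls -Z`. The script names (openssh-server, bind9) and the expected-domain table are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in `ps -eZ` format (context, pid, tty, time, command).
# Not real output from the affected host.
SAMPLE_PS='system_u:system_r:init_t:s0                1 ?        00:00:01 init
system_u:system_r:udev_t:s0-s0:c0.c1023     312 ?        00:00:00 udevd
system_u:system_r:udev_t:s0-s0:c0.c1023     845 ?        00:00:00 sshd
system_u:system_r:named_t:s0                900 ?        00:00:00 named
system_u:system_r:sshd_t:s0-s0:c0.c1023    1021 ?        00:00:00 sshd'

# Constructed sample in `ls -Z` format (context, path) for the hotplug
# scripts; the file names are hypothetical.
SAMPLE_LS='system_u:object_r:etc_t:s0 /etc/network/if-up.d/openssh-server
system_u:object_r:etc_t:s0 /etc/network/if-up.d/bind9
system_u:object_r:initrc_exec_t:s0 /etc/network/if-up.d/ifenslave'

# Hypothetical table: the domain each daemon is expected to run in.
expected_domain() {
    case "$1" in
        sshd)  echo sshd_t ;;
        named) echo named_t ;;
        *)     echo "" ;;
    esac
}

# Third colon-separated field of a context is the type (domain for processes).
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Argument: text in `ps -eZ` format.
# Prints "<comm> <pid> <domain>" for each daemon outside its expected domain.
find_misdomained() {
    printf '%s\n' "$1" | while read -r ctx pid _tty _time comm; do
        want=$(expected_domain "$comm")
        if [ -n "$want" ]; then
            dom=$(context_type "$ctx")
            if [ "$dom" != "$want" ]; then
                printf '%s %s %s\n' "$comm" "$pid" "$dom"
            fi
        fi
    done
}

# Argument: text in `ls -Z` format.
# Prints "<path> <type>" for every script not labelled initrc_exec_t, the
# label a script needs for the init-style domain transition to happen.
find_mislabelled_scripts() {
    printf '%s\n' "$1" | while read -r ctx path; do
        type=$(context_type "$ctx")
        if [ "$type" != "initrc_exec_t" ]; then
            printf '%s %s\n' "$path" "$type"
        fi
    done
}

find_misdomained "$SAMPLE_PS"
find_mislabelled_scripts "$SAMPLE_LS"
```

On a live host the same two functions would be fed `ps -eZ` and `ls -Z /etc/network/if-up.d/` directly; a script reported by the second check is a candidate for relabelling with `restorecon -v` once the policy's file context specification has been corrected, and any daemon reported by the first needs a restart from its init script to pick up the right domain.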