Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: important

Dear Maintainer,

I am trying to get this machine to work properly under SELinux enforcing mode, but run into all kinds of interesting issues. One of these issues is that etckeeper, when run from cron, tries to read and write various files in /etc, but this is not allowed by the system_cronjob_t type the cronjob runs under.

How etckeeper works is that it scans /etc and for each file that was changed, it commits it into git (or similar). The default path of this repository is /etc/.git (etc_t). It also wants to modify /etc/.etckeeper and have read access to each and any file in /etc (except for files that are ignored in /etc/.gitignore).

I do not think it is wise to grant system_cronjob_t write permission to etc_t files, and also not wise to grant it read permission to each and any file in /etc. I'm not sure what the best approach should be, but I think it should start with a process transition, so that etckeeper runs in its own type.

root@ix:~# dpkg -l etckeeper
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  etckeeper      1.15         all          store /etc in git, mercurial, bzr
root@ix:~#

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (750, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-2
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
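
Added example, not part of the original report or of the Debian policy: a small Python script that summarises AVC denials for the system_cronjob_t domain, grouped by target type and object class, to show which accesses a dedicated etckeeper domain would have to cover. The audit records are constructed for illustration (the report contains none), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1416000000.101:201): avc:  denied  { write } for  pid=4101 comm="git" name="index" dev="sda1" ino=131 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1416000000.102:202): avc:  denied  { add_name write } for  pid=4101 comm="git" name="objects" dev="sda1" ino=132 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1416000000.103:203): avc:  denied  { read } for  pid=4102 comm="git" name="shadow" dev="sda1" ino=133 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1416000000.104:204): avc:  denied  { write } for  pid=4103 comm="etckeeper" name=".etckeeper" dev="sda1" ino=134 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1416000000.105:205): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="sda1" ino=135 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Permissions, source type, target type and object class of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+'
    r'tclass=(?P<tclass>\S+)')
NAME_RE = re.compile(r'\bname="([^"]*)"')
# Permissions that change the target object or directory.
MODIFYING = {"write", "append", "create", "unlink", "add_name",
             "remove_name", "rename", "setattr"}

def denied_access(log_text, source_type="system_cronjob_t"):
    """Map (target type, class) -> denied perms and object names for one domain."""
    summary = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("stype") != source_type:
            continue  # not a denial, or a different source domain
        entry = summary[(m.group("ttype"), m.group("tclass"))]
        entry["perms"].update(m.group("perms").split())
        name = NAME_RE.search(line)
        if name:
            entry["names"].add(name.group(1))
    return dict(summary)

def write_targets(summary):
    """Sorted (type, class) pairs on which the domain attempted a modification."""
    return sorted(k for k, v in summary.items() if v["perms"] & MODIFYING)

if __name__ == "__main__":
    result = denied_access(SAMPLE_LOG)
    for (ttype, tclass), v in sorted(result.items()):
        print(ttype, tclass, sorted(v["perms"]), sorted(v["names"]))
    print("modification attempts:", write_targets(result))
```

Run against a real audit log, the per-type summary separates the repository writes from the broad reads across /etc, which is the split the report argues a single system_cronjob_t rule should not paper over.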