Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after enabling SELinux it is not possible to use graphical login anymore. Instead of the desktop the following message appears:

"Oh no! Something has gone wrong. A problem has occurred and the system can't recover. All extensions have been disabled as a precaution."

Beneath there is a 'Logout' button.

When setting 'setenforce 0' it is possible to log in (again).

Because there are so many AVCs, I cannot name the root cause here. Attached you can find the output of 'audit2allow --boot'.

I set the severity to grave because IMHO a lot of people use / will use Debian as their desktop / laptop OS with graphical UI. This is not usable any more when SELinux is enabled using the current default policy.

If I can support finding the root cause or providing a patch, please drop me a note.

Kind regards
Andre

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

============================== 8< ==============================
# audit2allow --boot

#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read getattr open search };
allow NetworkManager_t init_var_run_t:dir read;
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_t:fd use;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
allow NetworkManager_t systemd_logind_var_run_t:fifo_file write;
allow NetworkManager_t systemd_logind_var_run_t:file { read getattr open };

#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
#     pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t
allow alsa_t var_run_t:dir { write create add_name setattr };
#!!!! The source type 'alsa_t' can write to a 'file' of the following types:
#     pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, alsa_lock_t, alsa_etc_rw_t, alsa_tmpfs_t, user_home_t
allow alsa_t var_run_t:file { read write create open lock };
allow alsa_t var_run_t:lnk_file create;
allow alsa_t xdm_t:process signull;
allow alsa_t xdm_tmpfs_t:file { read getattr unlink open };

#============= apmd_t ==============
allow apmd_t device_t:chr_file { read ioctl open };

#============= kernel_t ==============
allow kernel_t systemd_unit_file_t:service { status start };

#============= policykit_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= systemd_cgroups_t ==============
allow systemd_cgroups_t kernel_t:unix_dgram_socket sendto;
allow systemd_cgroups_t kernel_t:unix_stream_socket connectto;

#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
#     var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t tmpfs_t:dir { write remove_name rmdir };
allow systemd_logind_t tmpfs_t:sock_file unlink;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
#     var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t xdm_tmpfs_t:dir { write getattr rmdir read remove_name open };
allow systemd_logind_t xdm_tmpfs_t:file { getattr unlink };

#============= udev_t ==============
allow udev_t self:netlink_socket { write getattr setopt read bind create };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
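The attached `audit2allow --boot` listing is long, and loading it verbatim as a local module would grant every denied permission, including ones that audit2allow itself flags (the `#!!!!` lines pointing at booleans such as `allow_execmem`, and the "can write to a 'dir'" warnings). The following Python script is an added example, not part of the bug report or of the selinux-policy-default package: it parses output in the shape shown above and sorts each rule into "boolean" (a tunable already exists, so `setsebool` is the right fix), "review" (a permission that should not be granted just to silence a denial) or "local" (a candidate for a narrow local module or a policy bug report). The sample input is constructed from a few lines of the listing, and the `HIGH_RISK_PERMS` set is this example's own judgement call, not anything audit2allow emits.

```python
"""Triage helper for `audit2allow --boot` output (added example, not from the report)."""
import re
from collections import Counter

# Constructed sample in the shape of the audit2allow --boot listing in the report.
SAMPLE = """\
#============= policykit_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
#     pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t
allow alsa_t var_run_t:dir { write create add_name setattr };
allow alsa_t xdm_t:process signull;

#============= NetworkManager_t ==============
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
"""

# allow <source> <target>:<class> { perm perm ... };   or   allow ... <class> perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;")

# Permissions that weaken memory protection or process isolation; granting them to
# make a denial go away deserves a human look. Assumption of this example only.
HIGH_RISK_PERMS = {"execmem", "execstack", "execheap", "ptrace", "sys_admin", "sys_module"}


def parse_audit2allow(text):
    """Return a list of rule dicts; booleans named in a preceding '#!!!!' note are attached."""
    rules = []
    pending_booleans = []
    expect_booleans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if body.startswith("!!!!"):
                # Only the "can be allowed using ... booleans:" note is followed by
                # a line of boolean names; the "can write to a 'dir'" note lists types.
                expect_booleans = "booleans" in body
                continue
            if expect_booleans:
                pending_booleans = [b.strip() for b in body.split(",") if b.strip()]
                expect_booleans = False
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        source, target, tclass, braced, single = m.groups()
        rules.append({
            "source": source,
            "target": target,
            "class": tclass,
            "perms": set((braced if braced is not None else single).split()),
            "booleans": pending_booleans,
        })
        pending_booleans = []
    return rules


def triage(rules):
    """Pair each rule with a verdict: 'review' beats 'boolean', which beats 'local'."""
    out = []
    for r in rules:
        if r["perms"] & HIGH_RISK_PERMS:
            verdict = "review"
        elif r["booleans"]:
            verdict = "boolean"
        else:
            verdict = "local"
        out.append((verdict, r))
    return out


def summarize(text):
    """Count verdicts for a whole listing, e.g. {'review': 1, 'boolean': 1, 'local': 4}."""
    return dict(Counter(v for v, _ in triage(parse_audit2allow(text))))


if __name__ == "__main__":
    for verdict, r in triage(parse_audit2allow(SAMPLE)):
        perms = " ".join(sorted(r["perms"]))
        hint = ""
        if verdict == "boolean":
            hint = "  -> candidate: setsebool -P <one of: %s> on" % ", ".join(r["booleans"])
        elif verdict == "review":
            hint = "  -> do not allow blindly; check why %s needs it" % r["source"]
        print("%-8s %s %s:%s %s%s" % (verdict, r["source"], r["target"], r["class"], perms, hint))
    print(summarize(SAMPLE))
```

Run against the real listing (`audit2allow --boot | python3 triage.py` with `SAMPLE` replaced by `sys.stdin.read()`) the "local" bucket is what belongs in a bug report like this one, while anything in "review" (here `unconfined_t ... execmem`) is a reason to look for the process that asked for it rather than a reason to flip `allow_execmem`.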