Bug#1045479: pipexec: Fails to build source after successful build

2023-08-14 Thread Andreas Florath
Hello!

Thanks for reporting this.

The root cause of the problem is that one .c file is autogenerated by
a script during the build process.
This file is not cleaned during the dh_clean phase.

My suggestion would be to add this file to debian/clean. This fixes the
problem for me.

    $ cat debian/clean 
    src/app_version.c

This needs to be done by the maintainer (Thorsten) as I have no access
to the files under the 'debian' sub-directory.

Kind regards - Andre



Bug#781779: selinux-policy-default: not possible to login via GUI when SELinux is set to enforcing

2015-04-02 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after enabling SELinux it is not possible to use graphical login anymore.
Instead of the desktop the following message appears:
"Oh no! Something has gone wrong.
A problem has occurred and the system can't recover. All extensions have been
disabled as a precaution."
Beneath there is a 'Logout' button.

When setting 'setenforce 0' it is possible to login (again).

Because there are so many AVCs, I cannot name the root cause here.
Attached you can find the output of 'audit2allow --boot'.

I set the severity to grave because IMHO a lot of people use / will
use Debian as their desktop / laptop OS with graphical UI.  This is
not usable any more when SELinux is enabled using the current default
policy.

If I can support finding the root cause or providing a patch, please
drop me a note.

Kind regards

Andre


-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information

== 8< ==
# audit2allow --boot

#= NetworkManager_t ==
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read getattr open search };
allow NetworkManager_t init_var_run_t:dir read;
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_t:fd use;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
allow NetworkManager_t systemd_logind_var_run_t:fifo_file write;
allow NetworkManager_t systemd_logind_var_run_t:file { read getattr open };

#= alsa_t ==

# The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t

allow alsa_t var_run_t:dir { write create add_name setattr };

# The source type 'alsa_t' can write to a 'file' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, alsa_lock_t, alsa_etc_rw_t, alsa_tmpfs_t, user_home_t

allow alsa_t var_run_t:file { read write create open lock };
allow alsa_t var_run_t:lnk_file create;
allow alsa_t xdm_t:process signull;
allow alsa_t xdm_tmpfs_t:file { read getattr unlink open };

#= apmd_t ==
allow apmd_t device_t:chr_file { read ioctl open };

#= kernel_t ==
allow kernel_t systemd_unit_file_t:service { status start };

#= policykit_t ==

# This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };

#= rtkit_daemon_t ==
allow rtkit_daemon_t xdm_t:process setsched;

#= systemd_cgroups_t ==
allow systemd_cgroups_t kernel_t:unix_dgram_socket sendto;
allow systemd_cgroups_t kernel_t:unix_stream_socket connectto;

#= systemd_logind_t ==
allow systemd_logind_t NetworkManager_t:dbus send_msg;

# The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t tmpfs_t:dir { write remove_name rmdir };
allow systemd_logind_t tmpfs_t:sock_file unlink;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;

# The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t xdm_tmpfs_t:dir { write getattr rmdir read remove_name open };
allow systemd_logind_t xdm_tmpfs_t:file { getattr unlink };

#= udev_t ==
allow udev_t self:netlink_socket { write getattr setopt read bind create };

#= unconfined_t ==

# This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#= xdm_t ==
allow xdm_t init_t:system status;


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsu

Bug#781776: selinux-policy-default: postfix does not start when SELinux is set to enforcing

2015-04-02 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: normal

Dear Maintainer,

postfix does not start when SELinux is set to enforcing:

root@debian8gi:~# se_apt-get install postfix
[...]
root@debian8gi:~# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:~# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix)
  Drop-In: /run/systemd/generator/postfix.service.d
   └─50-postfix-$mail-transport-agent.conf
   Active: active (exited) since Thu 2015-04-02 13:09:43 CEST; 8min ago
  Process: 2028 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
  Process: 2040 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 13:09:43 debian8gi postfix[2040]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 13:09:43 debian8gi postfix/master[2140]: fatal: open lock file pid/master.pid: cannot create file exclusively: Permission denied

The following AVC is logged:

type=AVC msg=audit(1427973050.472:88): avc:  denied  { net_admin } for  pid=2144 comm="systemd-tty-ask" capability=12  scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0

It looks like the appropriate directory was not correctly labelled by default:

root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_spool_t:SystemLow 4096 Apr  2 13:07 /var/spool/postfix/pid/

root@debian8gi:/etc/postfix# restorecon -v /var/spool/postfix/pid/
restorecon reset /var/spool/postfix/pid context system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0

root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t:SystemLow 4096 Apr  2 13:07 /var/spool/postfix/pid/

Nevertheless, even after this adaptation the process still does not start up:

root@debian8gi:/etc/postfix# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:/etc/postfix# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix)
  Drop-In: /run/systemd/generator/postfix.service.d
   └─50-postfix-$mail-transport-agent.conf
   Active: active (exited) since Thu 2015-04-02 14:13:52 CEST; 3s ago
  Process: 3455 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
  Process: 3468 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 14:13:52 debian8gi postfix[3468]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 14:13:52 debian8gi postfix/master[3568]: fatal: bind: public/pickup: Permission denied

The AVC:
type=AVC msg=audit(1427976832.296:134): avc:  denied  { create } for  pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0

Therefore it looks like a more general restorecon is needed:

root@debian8gi:/etc/postfix# restorecon -v -R /var/spool/postfix
restorecon reset /var/spool/postfix context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0-

Bug#781571: selinux-policy-default: lvcreate hangs when SELinux is set to enforcing

2015-03-30 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-9
Justification: renders package unusable
Severity: grave

Dear Maintainer,

executing

# lvcreate -l "100%FREE" -n 00 bak00

hangs forever when SELinux is set to enforcing.  Because the command
never returns, it is unclear whether the operation was successful, and
whether or not data was written to disk (which might corrupt
the LVM data on disk).

The following AVC is logged:

type=AVC msg=audit(1427722098.297:76): avc:  denied  { associate } for  pid=1178 comm="dmsetup" key=223152149  scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
type=SYSCALL msg=audit(1427722098.297:76): arch=c03e syscall=64 success=no exit=-13 a0=d4d0815 a1=1 a2=0 a3=7ffe6908a9d0 items=0 ppid=1173 pid=1178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)

Exactly the same happens when executing

# cryptsetup luksOpen /dev/mapper/bak00-00 uencbak00

Also hangs; same AVCs.


I set the severity to 'grave' because two important commands
(lvcreate / cryptsetup) do not work when SELinux is enabled
with the current default policy;
LVM is installed in more than 25% of all systems
(https://qa.debian.org/popcon.php?package=lvm2).
Also it is unclear if data is (partially) written to disk
that might corrupt the data structures on disk.

If you want, I can start a root cause analysis, or I can try to
generate a patch: just drop me a short note.


Kind regards

Andreas


P.S.: Version information
||/ Name            Version       Architecture  Description
+++-===============-=============-=============-============================================
ii  cryptsetup-bin  2:1.6.6-5     amd64         disk encryption support - command line tools
ii  lvm2            2.02.111-2.1  amd64         Linux Logical Volume Manager



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information


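Added example, not code from the bug reports or from the Debian policy package: a Python parser for the AVC records quoted in the postfix and lvcreate reports above, with a labelled heuristic that separates a likely file mislabel (the case restorecon fixed) from an IPC or capability denial. The log text is the page's own records re-joined onto single lines (the SYSCALL record shortened); the type sets, function names and diagnosis labels are assumptions of this example.

```python
import re

# AVC records as quoted in the postfix (#781776) and lvcreate (#781571)
# reports above, re-joined onto single lines; the SYSCALL line (shortened)
# is there to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1427973050.472:88): avc:  denied  { net_admin } for  pid=2144 comm="systemd-tty-ask" capability=12  scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1427976832.296:134): avc:  denied  { create } for  pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1427722098.297:76): avc:  denied  { associate } for  pid=1178 comm="dmsetup" key=223152149  scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
type=SYSCALL msg=audit(1427722098.297:76): arch=c03e syscall=64 success=no exit=-13 comm="dmsetup" exe="/sbin/dmsetup"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}
# Generic types an object inherits from its parent directory when it is
# created before the right file_contexts entry applies (heuristic list,
# an assumption of this example, not a policy fact).
GENERIC_TYPES = {"var_spool_t", "var_run_t", "var_t", "var_lib_t",
                 "etc_t", "tmp_t", "usr_t"}
IPC_CLASSES = {"sem", "shm", "msgq"}


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": sorted(m["perms"].split()),
    }
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # Split user:role:type[:mls]; the MLS range keeps its own colons.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":", 3)
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else ""
        rec[ctx + "_mls"] = parts[3] if len(parts) > 3 else ""
    return rec


def classify(rec):
    """Coarse diagnosis of a denial, so mislabels are not mistaken for policy gaps."""
    tclass = rec.get("tclass", "")
    if tclass in FILE_CLASSES and rec["tcontext_type"] in GENERIC_TYPES:
        # postfix_master_t creating "pickup" under var_spool_t: the spool was
        # never relabelled, so restorecon -R is the fix, not a new allow rule.
        return "mislabel-candidate"
    if tclass == "capability":
        return "capability"
    if tclass in IPC_CLASSES and rec["scontext_type"] != rec["tcontext_type"]:
        # lvm_t associating with a semaphore owned by unconfined_t: a policy
        # gap (the hanging lvcreate), not a file-labelling problem.
        return "ipc-cross-domain"
    return "policy"


def triage(log_text):
    """Return every denied AVC record in the log with a diagnosis attached."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rec["diagnosis"] = classify(rec)
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['serial']:>4} {f['scontext_type']:<26} {f['tclass']:<12} "
              f"{' '.join(f['perms']):<12} {f['diagnosis']}")
```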



Bug#757994: selinux-policy-default: Installing x11-common fails when SELinux is set to enforcing

2015-03-17 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-9
Followup-For: Bug #757994

Dear Maintainer,

the problem still exists in the current version.

I'm a little bit confused - this is the second bug (I know about)
that was closed because 'it should have been fixed'.

It takes no more than three minutes to check if the problem
still exists.  IMHO, before closing a bug, at least some
basic tests should have been run.

If you do not have the resources for doing these tests, just ask:
I would really like to support you.

Kind regards

Andreas


-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-4
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#756729: Problem still exists

2015-02-17 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-9
Followup-For: Bug #756729

Dear Maintainer,

the problem still exists.
Today I installed a completely new VM using the latest testing ISO files.
Because there is no selinux-policy-default in testing, I pulled the
version from sid.

Exactly the same problem as described still exists.  (Even the
workaround still works...)

If you want, I can provide the VM.

Kind regards

Andre


-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-3
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#767885: systemd fails to start services from time to time

2014-11-03 Thread Andreas Florath
Package: systemd
Version: 215-5+b1
Severity: important

Dear Maintainer,

after upgrading to the latest version of systemd, from time to
time either services are not started or the system startup hangs
completely.

When the system startup hangs, the symptoms are very similar to
the ones reported in #754218.

I investigated this problem with different services, like:
* kbd.service
* pcscd.service
* networking.service

When the system starts and a service was not started, it is also
not possible to start it manually:

$ systemctl start kbd.service

hangs forever (or until a timeout of five minutes).

The 'strace -f systemctl start xyz.service' output always looks very
similar.  Find a trace attached.

The problem occurs on my desktop machine and also on one of my VMs
(did not upgrade my other VMs yet...)

Kind regards

Andre 


-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages systemd depends on:
ii  acl             2.2.52-2
ii  adduser         3.113+nmu3
ii  initscripts     2.88dsf-53.4
ii  libacl1         2.2.52-2
ii  libaudit1       1:2.4-1
ii  libblkid1       2.25.1-5
ii  libc6           2.19-12
ii  libcap2         1:2.24-6
ii  libcap2-bin     1:2.24-6
ii  libcryptsetup4  2:1.6.6-3
ii  libgcrypt20     1.6.2-4
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  libsystemd0     215-5+b1
ii  sysv-rc         2.88dsf-53.4
ii  udev            215-5+b1
ii  util-linux      2.25.1-5

Versions of packages systemd recommends:
ii  dbus            1.8.8-2
ii  libpam-systemd  215-5+b1

Versions of packages systemd suggests:
pn  systemd-ui  

-- no debconf information


-- strace -ft systemctl start kbd.service

[...]
[pid   517] 10:19:53 stat("/run/systemd/ask-password-block", 
{st_mode=S_IFDIR|0700, st_size=80, ...}) = 0
[pid   517] 10:19:53 mknod("/run/systemd/ask-password-block/136:0", 
S_IFIFO|0600) = -1 EEXIST (File exists)
[pid   517] 10:19:53 open("/run/systemd/ask-password-block/136:0", 
O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC) = 3
[pid   517] 10:19:53 stat("/run/systemd", {st_mode=S_IFDIR|0755, st_size=400, 
...}) = 0
[pid   517] 10:19:53 futex(0x7f4d9ea8f60c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid   517] 10:19:53 gettid()   = 517
[pid   517] 10:19:53 open("/proc/self/task/517/attr/current", 
O_RDONLY|O_CLOEXEC) = 4
[pid   517] 10:19:53 read(4, "unconfined_u:unconfined_r:unconf"..., 4095) = 54
[pid   517] 10:19:53 close(4)   = 0
[pid   517] 10:19:53 access("/sys/fs/smackfs/", F_OK) = -1 ENOENT (No such file 
or directory)
[pid   517] 10:19:53 mkdir("/run/systemd/ask-password", 0755) = -1 EEXIST (File 
exists)
[pid   517] 10:19:53 inotify_init1(O_CLOEXEC) = 4
[pid   517] 10:19:53 inotify_add_watch(4, "/run/systemd/ask-password", 
IN_CLOSE_WRITE|IN_MOVED_TO) = 1
[pid   517] 10:19:53 rt_sigprocmask(SIG_SETMASK, [INT TERM], NULL, 8) = 0
[pid   517] 10:19:53 signalfd4(-1, [INT TERM], 8, O_NONBLOCK|O_CLOEXEC) = 5
[pid   517] 10:19:53 openat(AT_FDCWD, "/run/systemd/ask-password", 
O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 6
[pid   517] 10:19:53 getdents(6, /* 2 entries */, 32768) = 48
[pid   517] 10:19:53 getdents(6, /* 0 entries */, 32768) = 0
[pid   517] 10:19:53 close(6)   = 0
[pid   517] 10:19:53 poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}], 2, 
4294967295 
[pid   516] 10:19:53 <... ppoll resumed> ) = 1 ([{fd=3, revents=POLLIN}], left 
{24, 992058699})
[pid   516] 10:19:53 recvmsg(3, {msg_name(0)=NULL, 
msg_iov(1)=[{"l\2\1\0011\0\0\0\6\0\0\0\17\0\0\0\5\1u\0\2\0\0\0", 24}], 
msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, 
cmsg_type=SCM_CREDENTIALS{pid=250, uid=0, gid=0}}, msg_flags=MSG_CMSG_CLOEXEC}, 
MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 24
[pid   516] 10:19:53 recvmsg(3, {msg_name(0)=NULL, 
msg_iov(1)=[{"\10\1g\0\1o\0\0,\0\0\0/org/freedesktop/sys"..., 57}], 
msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, 
cmsg_type=SCM_CREDENTIALS{pid=250, uid=0, gid=0}}, msg_flags=MSG_CMSG_CLOEXEC}, 
MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 57
[pid   516] 10:19:53 sendmsg(3, {msg_name(0)=NULL, 
msg_iov(2)=[{"l\1\0\0019\0\0\0\3\0\0\0\240\0\0\0\1\1o\0,\0\0\0/org/fre"..., 
176}, {"\35\0\0\0org.freedesktop.systemd1.Uni"..., 57}], msg_controllen=0, 
msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 233
[pid   516] 10:19:53 clock_gettime(CLOCK_MONOTONIC, {2012, 968280589}) = 0
[pid   516] 10:19:53 recvmsg(3, 0x7fff443b05a0, 
MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily 
unavailable)
[pid   516] 10:19:53 clock_gettime(CLOCK_MONOTONIC, {2012, 968382555}) = 0
[pid   516] 10:19:53 ppoll([{fd=3, events=POLLIN}], 1, {24, 999898000}, NULL, 

Bug#762651: libreoffice-core: soffice cores during start with SIGSEGV

2014-09-25 Thread Andreas Florath


Hello!

Attached the list of packages which were updated two days ago.

Kind regards

Andre


Bug#762651: libreoffice-core: soffice cores during start with SIGSEGV

2014-09-24 Thread Andreas Florath


Hello!

The problem exists also in versions 4.3.1-2 and 4.3.2~rc2.1.

Some more information:

When using a 'fresh' user configuration, soffice works.
After some comparison and analysis, it looks like the cause is in the file
'registrymodifications.xcu'.  When using the following content, soffice cores:


http://openoffice.org/2001/registry"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
0draw8com.sun.star.drawing.DrawingDocumentUntitled 2Default


false
true


So it looks like libreoffice wrote a file which prevents it from restarting again...

It might be a coincidence that some packages were updated at the same time.  
(If you still want, I can send you the list.)

I'm not sure if 'grave' is still valid: a workaround is to open the config file
and delete the appropriate files.  Nevertheless, it's not 'nice'.

Kind regards

Andre





Bug#762651: libreoffice-core: soffice cores during start with SIGSEGV

2014-09-23 Thread Andreas Florath
Package: libreoffice-core
Version: 1:4.3.1-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

soffice cores with SIGSEGV during start. (This happens since yesterday's 
'apt-get upgrade'.)

$ rm core
$ soffice
$ file core
core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '/usr/lib/libreoffice/program/soffice.bin --splash-pipe=5'

The stack trace is attached.

Kind regards

Andre

= Stack Trace
florath@pelias:~$ gdb /usr/lib/libreoffice/program/soffice.bin core
GNU gdb (Debian 7.7.1+dfsg-3) 7.7.1
[...]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/libreoffice/program/soffice.bin --splash-pipe=5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x7f5c60968c95 in TabBar::ImplShowPage (this=0x28b0c40, nPos=65535) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/svtools/source/control/tabbar.cxx:798
798 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/svtools/source/control/tabbar.cxx: 
No such file or directory.
(gdb) bt
#0  0x7f5c60968c95 in TabBar::ImplShowPage (this=0x28b0c40, nPos=65535) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/svtools/source/control/tabbar.cxx:798
#1  0x7f5c60968f9f in TabBar::Resize (this=0x28b0c40) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/svtools/source/control/tabbar.cxx:1546
#2  0x7f5c5f3266ac in Window::ImplCallResize (this=this@entry=0x28b0c40) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:1124
#3  0x7f5c5f3299f0 in Window::ImplPosSizeWindow (this=this@entry=0x28b0c40, 
nX=, nX@entry=0, nY=nY@entry=927, nWidth=, 
nWidth@entry=350, nHeight=, 
nHeight@entry=13, nFlags=) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:2835
#4  0x7f5c5f32a462 in Window::setPosSizePixel (this=0x28b0c40, nX=0, 
nY=, nWidth=350, nHeight=13, nFlags=)
at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:5781
#5  0x7f5c3bc2c3ea in sd::GraphicViewShell::ArrangeGUIElements 
(this=0x287b910) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/sd/source/ui/view/grviewsh.cxx:107
#6  0x7f5c3bc5b11d in sd::ViewShell::Resize (this=this@entry=0x287b910) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/sd/source/ui/view/viewshel.cxx:857
#7  0x7f5c3bc01f90 in sd::DrawViewShell::Resize (this=0x287b910) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/sd/source/ui/view/drviews5.cxx:94
#8  0x7f5c604521f5 in WindowListenerMultiplexer::windowResized 
(this=, evt=...) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/toolkit/source/helper/listenermultiplexer.cxx:74
#9  0x7f5c6031ad19 in VCLXWindow::ProcessWindowEvent (this=0x287d5b0, 
rVclWindowEvent=...) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/toolkit/source/awt/vclxwindow.cxx:492
#10 0x7f5c60317849 in VCLXWindow::WindowEventListener (this=0x287d5b0, 
pEvent=0x7fff08865d50) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/toolkit/source/awt/vclxwindow.cxx:417
#11 0x7f5c5f537e2f in Call (pCaller=0x7fff08865d50, this=0x28699a0) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/include/tools/link.hxx:123
#12 VclEventListeners::Call (this=0x285a9f0, 
pEvent=pEvent@entry=0x7fff08865d50) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/app/vclevent.cxx:66
#13 0x7f5c5f32650e in Window::CallEventListeners 
(this=this@entry=0x285a530, nEvent=nEvent@entry=1002, pData=pData@entry=0x0) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:4289
#14 0x7f5c5f326665 in Window::ImplCallEventListeners 
(this=this@entry=0x285a530, nEvent=nEvent@entry=1002, pData=pData@entry=0x0)
at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:4274
#15 0x7f5c5f3266bc in Window::ImplCallResize (this=this@entry=0x285a530) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:1128
#16 0x7f5c5f3299f0 in Window::ImplPosSizeWindow (this=this@entry=0x285a530, 
nX=, nX@entry=0, nY=nY@entry=0, nWidth=, 
nWidth@entry=1717, nHeight=, 
nHeight@entry=940, nFlags=) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:2835
#17 0x7f5c5f32a462 in Window::setPosSizePixel (this=0x285a530, nX=0, 
nY=, nWidth=1717, nHeight=940, nFlags=)
at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/vcl/source/window/window.cxx:5781
#18 0x7f5c3bbd23bb in sd::ViewShellBase::Implementation::ResizePixel 
(this=0x2859e30, rOrigin=Point = {...}, rSize=Size = {...}, 
bOuterResize=)
at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/sd/source/ui/view/ViewShellBase.cxx:1269
#19 0x7f5c6152fa9b in SfxViewFrame::DoAdjustPosSizePixel (this=0x28b0c40, 
pSh=0x0, rPos=Point = {...}, rSize=Size = {...}) at 
/build/libreoffice-Xeqp7W/libreoffice-4.3.1/sfx2/source/view/viewfrm.cxx:1586
#20 0x7f5c6153118d in SfxViewFrame::Resize (this=0x2852480, 
bForce=) at 
/build/libreoffice-Xeqp7W/libr

Bug#757786: pgrouting: Port to postgresql 9.4 works for me

2014-08-19 Thread Andreas Florath
Source: pgrouting
Followup-For: Bug #757786

Dear Maintainer,

just a short note: I was able to build the packages
  postgresql-9.4-pgrouting_2.0.0-3_amd64.deb
  postgresql-9.4-pgrouting-doc_2.0.0-3_all.deb
from 
  git://anonscm.debian.org/pkg-grass/pgrouting.git
  commit d034e4c3e4c4ecde9da824359ca14c5d2c9ccfea
without any problems.

After installing them I was able to do all steps
of the pgrouting workshop, especially:
  http://workshop.pgrouting.org/chapters/topology.html
  http://workshop.pgrouting.org/chapters/shortest_path.html
  http://workshop.pgrouting.org/chapters/advanced.html
I did not check all results in detail: all commands
worked and the results seem to be ok.

Running on a freshly installed Jessie VM with SELinux set
to enforcing.

Hope this (positive) feedback helps a little bit...

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-18 Thread Andreas Florath
Hello!

I had a closer look at the libvirt-bin package:

libvirt_driver_storage.so depends on librados.so, which is known
to use execstack:
https://lintian.debian.org/tags/shlib-with-executable-stack.html

root@nestor:~# ldd /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so | grep rados
librados.so.2 => /usr/lib/x86_64-linux-gnu/librados.so.2 (0x7f4dd575d000)
root@nestor:~# execstack -q /usr/lib/x86_64-linux-gnu/librados.so.2
X /usr/lib/x86_64-linux-gnu/librados.so.2

IMHO adding execstack to "allow virtd_t self:process" is not a good
idea.
Maybe one possibility is to create a type for those 'special' libraries,
allow execstack for this type and add an appropriate transition?

Kind regards

Andre





Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-18 Thread Andreas Florath
Hello Mika,

there is also a boolean 'virt_use_execmem' which does
a similar thing (allow execmem and execstack) but in a different
domain: setting this to on also does not change things.

The attached patch solves the problem for me.
I'm not sure why 'execstack' was not included in the appropriate rule
(execmem already is).
I'm also not sure whether this can be a general way to fix this:
I do not have enough knowledge about libvirtd.

Nevertheless:
when applying the patch to the selinux-policy-default and installing
the new version, two more errors pop up:

Aug 18 10:31:22 nestor libvirtd[866]: An SELinux policy prevents this sender 
from sending this message to this recipient, 0 matched rules; 
type="method_call", sender=":1.4" (uid=0 pid=866 comm="/usr/sbin/libvirtd ") 
interface="org.freedesktop.login1.Manager" member="CanSuspend" error 
name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 
pid=672 comm="/lib/systemd/systemd-logind ")
Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management 
capabilities
Aug 18 10:31:22 nestor libvirtd[866]: Unable to open /dev/net/tun, is tun 
module loaded?: No such file or directory

The first one is IMHO a minor problem (it's not nice, but it should run without
this info).
The second one prevents VMs from being started (therefore it's IMHO an important
one).

Should I create two new bug reports for these things? (This would IMHO be
better than discussing some problems in the same thread.)

Kind regards

Andre

===


diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index cb868d5..e1a36fb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -412,7 +412,7 @@ corenet_tcp_connect_all_ports(svirt_t)
 #

 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem execstack setexec setfscreate setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
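Review bot: adding execstack to the `allow virtd_t self:process { ... }` rule grants an executable stack to every process running in virtd_t, which per the AVCs in the original report includes qemu-system-i386 (pid 731, subj virtd_t), not only libvirtd; the message earlier in this thread already calls this approach not a good idea and traces the need to librados.so carrying the executable-stack flag (`execstack -q` prints `X`). Clearing the flag on the library, or putting the rule behind a tunable the way the message says virt_use_execmem does for another domain, keeps the whole domain from losing that mitigation. Separately, the hunk is line-wrapped by the mailer (the `capability` and `process` rules continue on a following line without a diff prefix), so it will not apply with `patch -p1`; send it as an attachment.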





Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-17 Thread Andreas Florath
Hello Mika,

thanks for this hint: but it does not help.

Before I reported the bug, I ran audit2allow
with the AVC. Typically, when an appropriate
boolean exists, it is printed.
In this case there was no hint of a boolean, just:

#= virtd_t ==
allow virtd_t self:process execstack;


I set the boolean now with
  setsebool -P allow_execstack on
and rebooted. (IMHO the -P is needed here, because
the libvirtd is executed directly after boot.)

No changes:
root@nestor:~# getsebool allow_execstack
allow_execstack --> on
root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Kind regards

Andre





Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-17 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: important

Dear Maintainer,

it is impossible to use tools based on or using libvirt when
enforcing is set to on.

root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Also tools like 'virt-manager' show the same problem.

From the journal:
Aug 17 20:03:30 nestor libvirtd[676]: no connection driver available for 
qemu:///system
Aug 17 20:03:34 nestor libvirtd[676]: End of file while reading data: 
Input/output error

When using permissive mode, everything works fine.
I did not find any logs when enforcing - maybe because of the early start phase
of the libvirtd process.
The following AVCs are logged when using permissive mode:

type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 
syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset 
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd 
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc:  denied  { execstack } 
for  pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process 
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 
syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset 
uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu 
fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu 
tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc:  denied  { execstack } 
for  pid=731 comm=qemu-system-i38 
scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process 

IMHO this is important, because it is not possible to just temporarily 
set SELinux to permissive, do some tasks and set it back to enforcing.
When using libvirtd the system cannot run in enforcing mode.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#758083: selinux-policy-default: Installing openjdk-7-jre-headless fails with 'Native memory allocation (malloc) failed' if enforcing

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

installing openjdk fails if enforcing:

root@debselinux01:~# sestatus 
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Max kernel policy version:  29
root@debselinux01:~# se_apt-get install openjdk-7-jre-headless
[...]
Setting up openjdk-7-jre-headless:amd64 (7u65-2.5.1-4) ...
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/rmid to 
provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java to 
provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/keytool to 
provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/pack200 to 
provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using 
/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/rmiregistry to provide 
/usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/unpack200 
to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/orbd to 
provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/servertool 
to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/tnameserv 
to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/jexec to 
provide /usr/bin/jexec (jexec) in auto mode
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x7f9d407c8000, 
2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for 
committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2638.log
ignoring dump failure
Setting up icedtea-7-jre-jamvm:amd64 (7u65-2.5.1-4) ...
Setting up ca-certificates-java (20140324) ...
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x7fe68900, 
2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for 
committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2657.log
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x7f325d00, 
2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for 
committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid2661.log
done.
Processing triggers for libc-bin (2.19-7) ...
Processing triggers for ca-certificates (20140325) ...
Updating certificates in /etc/ssl/certs... 168 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x7fb560beb000, 
2555904, 1) failed; error='Permission denied' (errno=13)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for 
committing reserved memory.
# An error report file with more information is saved as:
# /etc/ssl/certs/hs_err_pid4218.log
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.

The following AVCs are logged:

type=AVC msg=audit(1407996485.840:107): avc:  denied  { execmem } for  pid=2639 
comm="java" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.840:107): arch=c03e syscall=9 success=no 
exit=-13 a0=7f9d407c8000 a1=27 a2=7 a3=32 items=0 ppid=2622 pid=2639 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 
comm="java" exe="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" 
subj=system_u:system_r:dpkg_script_t:s0 key=(null)
type=AVC msg=audit(1407996485.940:108): avc:  denied  { execmem } for  pid=2658 
comm="java" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process
type=SYSCALL msg=audit(1407996485.940:108): arch=c03e syscall=9 success=no 
exit=-13 a0=7fe68900 a1=27 a2=7 a3=32 items=0 ppid=2643 pid=2658 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 
comm

Bug#758082: selinux-policy-default: Installing hddtemp fails with 'Failed to issue method call: Access denied' if enforcing

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

installing hddtemp fails:

root@debselinux01:~# sestatus 
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Max kernel policy version:  29
root@debselinux01:~# se_apt-get install hddtemp
[...]
Setting up hddtemp (0.3-beta15-52) ...
Failed to issue method call: Access denied
invoke-rc.d: initscript hddtemp, action "start" failed.
dpkg: error processing package hddtemp (--configure):
 subprocess installed post-installation script returned error exit status 4
Errors were encountered while processing:
 hddtemp
E: Sub-process /usr/bin/dpkg returned an error code (1)

These AVCs are logged:

type=USER_AVC msg=audit(1407995529.568:104): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/hddtemp" cmdline="systemctl -p 
LoadState show hddtemp.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:hddtemp_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1407995529.596:105): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } 
for auid=0 uid=0 gid=0 path="/etc/init.d/hddtemp" cmdline="systemctl start 
hddtemp.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:hddtemp_initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Please note that this problem is similar to #758080 - nevertheless the target 
context differs.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#758080: selinux-policy-default: Installing sane-utils fails with 'Failed to issue method call: Access denied' if enforcing

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

if SELinux is set to enforcing it is not possible to install sane-utils:

root@debselinux01:~# sestatus 
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Max kernel policy version:  29
root@debselinux01:~# se_apt-get install sane-utils
[...]
Setting up sane-utils (1.0.24-1.1+b1) ...
Adding saned group and user...
Adding user saned to group scanner
Failed to issue method call: Access denied
invoke-rc.d: initscript saned, action "start" failed.
saned couldn't start; check your inetd configuration and README.Debian
[...]

The following AVCs are logged:

type=USER_AVC msg=audit(1407994334.044:122): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/etc/init.d/saned" cmdline="systemctl -p LoadState 
show saned.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1407994334.080:123): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } 
for auid=0 uid=0 gid=0 path="/etc/init.d/saned" cmdline="systemctl start 
saned.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Kind regards

Andre

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#757994: selinux-policy-default: Patch

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Followup-For: Bug #757994

Hello!

Attached you can find a patch which fixes this problem.
One cause was similar to #756729.

The cause was that it is possible to use a link to /dev/null as a
systemd service file, which is done for x11-common:

root@debselinux01:~# ls -lZ /lib/systemd/system/x11-common.service
lrwxrwxrwx. 1 root root system_u:object_r:systemd_unit_file_t:SystemLow 9 Jul 16 00:52 /lib/systemd/system/x11-common.service -> /dev/null
root@debselinux01:~# ls -lZ /dev/null 
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:SystemLow 1, 3 Aug 13 16:57 /dev/null
root@debselinux01:~# dpkg -S /lib/systemd/system/x11-common.service
systemd: /lib/systemd/system/x11-common.service

The patch allows systemd and friends to access null_device_t.

If it is easier for you, you can also pull the patch from
https://github.com/flonatel/refpolicy-experimental/tree/bugfix/757994-x11-common-fails-to-install

Kind regards

Andre
diff --git a/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null b/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null
new file mode 100644
index 000..69692b4
--- /dev/null
+++ b/debian/patches/1001-systemd-unit-files-can-be-linked-to-dev-null
@@ -0,0 +1,22 @@
+Systemd files can be a link to /dev/null.
+
+Signed-off-by: Andreas Florath 
+
+Index: refpolicy-experimental/policy/modules/system/systemd.if
+===
+--- refpolicy-experimental.orig/policy/modules/system/systemd.if
 refpolicy-experimental/policy/modules/system/systemd.if
+@@ -621,9 +621,13 @@ interface(`systemd_manage_all_unit_lnk_f
+ interface(`systemd_config_all_services',`
+ 	gen_require(`
+ 		attribute systemd_unit_file_type;
++		type null_device_t;
+ 	')
+ 
+ 	allow $1 systemd_unit_file_type:service all_service_perms;
++	# There is a special feature in systemd, that unit files can be
++	# linked to /dev/null.
++	allow $1 null_device_t:service { stop start status };
+ ')
+ 
+ 
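Review bot: `allow $1 null_device_t:service { stop start status };` is placed inside `systemd_config_all_services`, so every caller of that interface gains the rule, yet the interface's documentation is not updated and its name no longer describes what it grants; either extend the summary or put the rule in its own interface next to the existing `allow $1 systemd_unit_file_type:service all_service_perms;`. Note also the overlap with the updated #756729 patch further down this page, which adds the identical null_device_t rule in a new interface `systemd_config_sss_services` in the same region of systemd.if (line 626 there versus 621 here); applying both will conflict, and only one of them should carry the rule.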
diff --git a/debian/patches/series b/debian/patches/series
index 0707cc2..779ac0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
 0080-misc-daemon
 0090-selinux
 0100-chrome
+1001-systemd-unit-files-can-be-linked-to-dev-null
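Review bot: this entry and the `1000-allow-udev-systemd_unit_file` entry from the #756729 patch are both appended after `0100-chrome` against the same base (`index 0707cc2`), so whichever patch is applied second will fail with a context conflict on debian/patches/series; rebase one patch on top of the other before queuing them.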


Bug#757994: selinux-policy-default: Installing x11-common fails when SELinux is set to enforcing

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

installing x11-common fails:

root@debselinux01:~# sestatus 
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Max kernel policy version:  29

root@debselinux01:~# se_apt-get install x11-common
[...]
Setting up x11-common (1:7.7+7) ...
update-rc.d: warning: start and stop actions are no longer supported; falling 
back to defaults
Failed to issue method call: Access denied
invoke-rc.d: initscript x11-common, action "start" failed.
dpkg: error processing package x11-common (--configure):
 subprocess installed post-installation script returned error exit status 4
E: Sub-process /usr/bin/dpkg returned an error code (1)

Two AVCs are logged:
type=USER_AVC msg=audit(1407870310.296:105): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl -p LoadState show 
x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:null_device_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1407870310.336:106): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } 
for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl start 
x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 
tcontext=system_u:object_r:null_device_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

The cause for this is that x11-common.service is a link to /dev/null.

I'm currently working on a patch for this and hopefully can provide it
in the next few days.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information


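As an added example (not code from any of these reports or from the policy packages), the following Python helper parses the two record shapes quoted in the reports above, kernel AVC and userspace USER_AVC from systemd, merges the denials into the allow rules audit2allow would print, and flags the execmem/execstack cases where, as the libvirtd report notes, the fix belongs in the binary or library rather than in policy. The sample records are the page's own, re-joined onto single lines; the function names are mine.

```python
import re
from collections import defaultdict

# Core of a denial, shared by kernel AVC records and by userspace USER_AVC
# records (systemd/dbus put it inside msg='...').
DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value fields; a value is either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions whose usual fix lies in the binary or library, not in policy:
# an executable stack or writable+executable memory weakens the process's
# exploit mitigations (the libvirtd report traces execstack to librados.so
# carrying the executable-stack flag).
MEMORY_EXEC_PERMS = frozenset({"execmem", "execstack", "execheap", "execmod"})


def context_type(ctx):
    """'system_u:system_r:virtd_t:s0-s0:c0.c1023' -> 'virtd_t'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_denial(record):
    """Parse one single-line AVC/USER_AVC record; None if it is no denial."""
    m = DENIED_RE.search(record)
    if m is None:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        # strip quotes; USER_AVC closes its msg='...' after the last field
        fields[key] = raw.strip('"').rstrip("'")
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "user_avc": record.lstrip().startswith("type=USER_AVC"),
    }


def summarise(records):
    """Merge denials by (source type, target type, object class)."""
    merged = defaultdict(set)
    for record in records:
        denial = parse_denial(record)
        if denial is not None:
            key = (denial["stype"], denial["ttype"], denial["tclass"])
            merged[key].update(denial["perms"])
    return dict(merged)


def allow_rules(summary):
    """Render merged denials as allow rules, the way audit2allow prints them."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


def memory_exec_denials(summary):
    """Denials that only an executable-memory permission would satisfy."""
    return {key: perms & MEMORY_EXEC_PERMS
            for key, perms in summary.items() if perms & MEMORY_EXEC_PERMS}


# Constructed sample: records quoted in the reports above, re-joined onto one
# line each (the mailer wrapped them), plus one SYSCALL record to be skipped.
SAMPLE_RECORDS = [
    "type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc:  denied  { execstack } "
    "for  pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process",
    "type=AVC msg=audit(1407996485.840:107): avc:  denied  { execmem } for  pid=2639 "
    'comm="java" scontext=system_u:system_r:dpkg_script_t:s0 '
    "tcontext=system_u:system_r:dpkg_script_t:s0 tclass=process",
    "type=USER_AVC msg=audit(1407994334.044:122): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    'for auid=0 uid=0 gid=0 path="/etc/init.d/saned" cmdline="systemctl -p LoadState '
    'show saned.service" scontext=system_u:system_r:dpkg_script_t:s0 '
    "tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service  "
    "exe=\"/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1407994334.080:123): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } "
    'for auid=0 uid=0 gid=0 path="/etc/init.d/saned" cmdline="systemctl start '
    'saned.service" scontext=system_u:system_r:dpkg_script_t:s0 '
    "tcontext=system_u:object_r:initrc_exec_t:s0 tclass=service  "
    "exe=\"/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=SYSCALL msg=audit(1407996485.840:107): arch=c03e syscall=9 success=no "
    "exit=-13 a0=7f9d407c8000 a1=27 a2=7 a3=32 items=0 ppid=2622 pid=2639 auid=0",
]

if __name__ == "__main__":
    summary = summarise(SAMPLE_RECORDS)
    for rule in allow_rules(summary):
        print(rule)
    for (stype, ttype, tclass), perms in memory_exec_denials(summary).items():
        print("# fix the binary first: %s -> %s:%s %s"
              % (stype, ttype, tclass, sorted(perms)))
```

Running it on the sample prints the three rules of the reports (the virtd_t one is exactly the line audit2allow printed in the libvirtd thread) and marks the two execmem/execstack entries for a look at the binary before any policy change.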



Bug#756729: selinux-policy-default: Updated Patch

2014-08-13 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Followup-For: Bug #756729

Hello!

While checking another problem, I found out that there is a 'special'
feature in systemd: service files can be linked to /dev/null.
(See e.g.: http://0pointer.de/blog/projects/three-levels-of-off)

Therefore starting, stopping and querying the status of null_device_t
must also be allowed.

The new patch is attached.  You can also pull it from this branch:
https://github.com/flonatel/refpolicy-experimental/tree/bugfix/756729-udev-use-systemd-unit-files

Kind regards

Andre
diff --git a/debian/patches/1000-allow-udev-systemd_unit_file b/debian/patches/1000-allow-udev-systemd_unit_file
new file mode 100644
index 000..8a6d638
--- /dev/null
+++ b/debian/patches/1000-allow-udev-systemd_unit_file
@@ -0,0 +1,81 @@
+There is the need for udev (hotplug) to run systemd_unit_file_type
+programs like 
+ /lib/systemd/system/ifup@.service
+which has the context
+ system_u:object_r:systemd_unit_file_t:SystemLow
+in the same manner as the init scripts.
+(init_t is e.g. used for 'auto eth0', udev_t for 'allow-hotplug eth0')
+
+Signed-off-by: Andreas Florath 
+
+Index: refpolicy-experimental/policy/modules/system/systemd.if
+===
+--- refpolicy-experimental.orig/policy/modules/system/systemd.if
 refpolicy-experimental/policy/modules/system/systemd.if
+@@ -626,6 +626,28 @@ interface(`systemd_config_all_services',
+ 	allow $1 systemd_unit_file_type:service all_service_perms;
+ ')
+ 
++
++## 
++##Allow the specified domain to access start, stop and status
++##  service perms for all unit files
++## 
++## 
++##
++##Domain allowed access.
++##
++## 
++#
++interface(`systemd_config_sss_services',`
++  gen_require(`
++  attribute systemd_unit_file_type;
++	  type null_device_t;
++  ')
++
++  allow $1 systemd_unit_file_type:service { stop start status };
++  # There is a special feature in systemd, that unit files can be
++  # linked to /dev/null.
++  allow $1 null_device_t:service { stop start status };
++')
+ 
+ 
+ ## 
+Index: refpolicy-experimental/policy/modules/system/systemd.te
+===
+--- refpolicy-experimental.orig/policy/modules/system/systemd.te
 refpolicy-experimental/policy/modules/system/systemd.te
+@@ -1,4 +1,4 @@
+-policy_module(systemd, 1.0.0)
++policy_module(systemd, 1.0.1)
+ 
+ ###
+ #
+@@ -47,7 +47,7 @@ init_systemd_domain(systemd_notify_t, sy
+ # type for systemd unit files
+ type systemd_unit_file_t;
+ systemd_unit_file(systemd_unit_file_t)
+-allow init_t systemd_unit_file_t:service { stop start status };
++systemd_config_sss_services(init_t)
+ 
+ # executable for systemctl
+ type systemd_systemctl_exec_t;
+Index: refpolicy-experimental/policy/modules/system/udev.te
+===
+--- refpolicy-experimental.orig/policy/modules/system/udev.te
 refpolicy-experimental/policy/modules/system/udev.te
+@@ -1,4 +1,4 @@
+-policy_module(udev, 1.17.1)
++policy_module(udev, 1.17.2)
+ 
+ 
+ #
+@@ -87,6 +87,8 @@ files_read_kernel_modules(udev_t)
+ init_search_pid_dirs(udev_t)
+ # for hdparm init script run by udev
+ initrc_service_status(udev_t)
++# for (hotplug) script run by udev
++systemd_config_sss_services(udev_t)
+ 
+ kernel_getattr_core_if(udev_t)
+ kernel_use_fds(udev_t)
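Review bot: three points on the new `systemd_config_sss_services` interface. First, the name does not say what `sss` stands for; refpolicy names interfaces after what they grant, so something like `systemd_start_stop_status_all_services` would read better. Second, the new block mixes two-space indentation with a tab on the `type null_device_t;` line, whereas the surrounding file uses tabs (see the `allow $1 systemd_unit_file_type:service all_service_perms;` context line). Third, in systemd.te the direct `allow init_t systemd_unit_file_t:service { stop start status };` is replaced by the interface call, which additionally grants init_t `null_device_t:service { stop start status }`; that matches the message's intent but is a change for init_t beyond the udev case described in the patch header, so state it there. For the udev.te hunk, check whether a direct call into a systemd interface is acceptable in this policy build or needs an optional_policy block, in case systemd is not built as a base module.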
diff --git a/debian/patches/series b/debian/patches/series
index 0707cc2..fb44d3e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
 0080-misc-daemon
 0090-selinux
 0100-chrome
+1000-allow-udev-systemd_unit_file
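Review bot: same base as the series hunk of the #757994 patch above (`index 0707cc2`, appended after `0100-chrome`): whichever of the two patches is applied second needs its series entry rebased, or the two entries should be sent as one series update.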


Bug#731212: policycoreutils: Cannot reproduce with current version in Jessie

2014-08-11 Thread Andreas Florath
Package: policycoreutils
Followup-For: Bug #731212

Hello Russell,

I was not able to reproduce this with the current policycoreutils
(2.3-1) from Jessie.

To reproduce it, I wrote a small script (see attached).  I ran
the commands about 50,000 times without any problems.

Would it be possible to check, if this problem still exists for you
with the current versions?

Kind regards

Andre


P.S.: I think you are one of the maintainers of this package.
  Mika wrote in one reply to a bug report that it would help
  to try to reproduce bugs in Jessie.
  Currently I have some time to look through the bug list and check one
  from time to time.  (Example: for the release critical bug #750331
  there was a simple and easy solution.)
  I hope reports that I could not reproduce a bug in the
  current version of Jessie also help.

---
#!/bin/bash
#
# Script to reproduce #731212: run restorecon over /dev and /etc/mtab
# in a loop and stop at the first failure.
#
# The error handlers use a brace group so that "exit 1" ends the script;
# a parenthesised "( ... && exit )" would only leave a subshell and the
# loop would go on.

cnt=0

while true
do
    echo "Run $cnt"
    /sbin/restorecon -R /dev || { echo "ERROR: /dev" >&2; exit 1; }
    /sbin/restorecon -R /etc/mtab /dev || { echo "ERROR: /etc/mtab /dev" >&2; exit 1; }
    /sbin/restorecon -R /etc/mtab || { echo "ERROR: /etc/mtab" >&2; exit 1; }
    /sbin/restorecon -R /dev /etc/mtab || { echo "ERROR: /dev /etc/mtab" >&2; exit 1; }
    cnt=$(( cnt + 1 ))
done
---


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages policycoreutils depends on:
ii  init-system-helpers  1.20
ii  libaudit1            1:2.3.7-1
ii  libc6                2.19-7
ii  libcap2              1:2.24-3
ii  libdbus-1-3          1.8.6-1
ii  libdbus-glib-1-2     0.102-1
ii  libgcc1              1:4.9.1-4
ii  libglib2.0-0         2.40.0-3
ii  libpam0g             1.1.8-3
ii  libpcre3             1:8.35-3
ii  libselinux1          2.3-1
ii  libsemanage1         2.3-1
ii  libsepol1            2.3-1
ii  libstdc++6           4.9.1-4
ii  lsb-base             4.1+Debian13
ii  psmisc               22.21-2
ii  python               2.7.8-1
ii  python-ipy           1:0.81-1
ii  python-selinux       2.3-1
ii  python-semanage      2.3-1
ii  python-sepolgen      1.2.1-1
ii  python-sepolicy      2.3-1
ii  python-setools       3.3.8-3
ii  selinux-utils        2.3-1

Versions of packages policycoreutils recommends:
ii  python-audit            1:2.3.7-1
ii  selinux-policy-default  2:2.20140421-4

Versions of packages policycoreutils suggests:
pn  selinux-policy-dev  

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#750331: setools: Patch for 'setools: FTBFS: replcon.cc:73:25: error: invalid operands...'

2014-08-10 Thread Andreas Florath
Package: setools
Version: 3.3.8-3
Tags: patch
Followup-For: Bug #750331

Hello!

I was able to reproduce this on amd64.

Attached you can find a patch that fixes the problem:
The cause for this was that at one point the prototype
for 'lsetfilecon_raw' was wrong.

Header: int lsetfilecon_raw(const char *, const char *)
  defined as 'extern "C"'

replcon.cc: int lsetfilecon_raw(const char *, security_context_t)

Therefore the latter one was treated as a C++ symbol - which
cannot be compared to NULL.  I tested this with a minimalistic
prototype implementation: the correct function is picked up.

The patch is against the current HEAD of the master from
git://anonscm.debian.org/selinux/setools.git
commit a3ab84b35efd9c42641d53ec2236ad01f7411df7

Kind regards

Andre

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages setools depends on:
ii  libbz2-1.0    1.0.6-7
ii  libc6         2.19-7
ii  libgcc1       1:4.9.1-4
ii  libqpol1      3.3.8-3
ii  libselinux1   2.3-1
ii  libsqlite3-0  3.8.5-2
ii  libstdc++6    4.9.1-4
ii  libxml2       2.9.1+dfsg1-4

setools recommends no packages.

Versions of packages setools suggests:
pn  setools-gui  

-- no debconf information
diff --git a/debian/changelog b/debian/changelog
index a9ab1c7..8a98632 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+setools (3.3.8-4) unstable; urgency=medium
+
+  [ Andreas Florath ]
+  * secmds/replcon.cc: Fixed prototype of lsetfilecon_raw.
+(Closes: #750331)
+
+ -- To Be Filled In   Sun, 10 Aug 2014 22:54:16 +0200
+
 setools (3.3.8-3) unstable; urgency=medium
 
   * Team upload.
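Review bot: the trailer line `-- To Be Filled In   Sun, 10 Aug 2014 22:54:16 +0200` still carries the dch placeholder instead of a maintainer `Name <address>`, so this changelog entry cannot be uploaded as is. The uploader should also decide whether 3.3.8-4 is a team upload (the previous entry reads "Team upload.") or an NMU, since the `[ Andreas Florath ]` attribution block is the team-upload form.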
diff --git a/debian/patches/fix-lsetfilecon_raw-prototype.patch b/debian/patches/fix-lsetfilecon_raw-prototype.patch
new file mode 100644
index 000..feeaf04
--- /dev/null
+++ b/debian/patches/fix-lsetfilecon_raw-prototype.patch
@@ -0,0 +1,13 @@
+Index: setools-git/secmds/replcon.cc
+===
+--- setools-git.orig/secmds/replcon.cc
 setools-git/secmds/replcon.cc
+@@ -60,7 +60,7 @@ static struct option const longopts[] =
+ 	{NULL, 0, NULL, 0}
+ };
+ 
+-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
++extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
+ 
+ /**
+  * As that setools must work with older libselinux versions that may
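Review bot: the new quilt patch has no DEP-3 header (Description, Author, Bug-Debian for #750331) above its `Index:` line; please add one so the origin of the change is recorded. The `setools-git/secmds/replcon.cc` target line of the inner patch also appears here without its leading `+` markers, so confirm the file applies cleanly with quilt before committing. The one-line change itself is right: declaring the weak `lsetfilecon_raw` as `(const char *, const char *)` matches the header's extern "C" prototype, so the C symbol is resolved instead of an unrelated mangled C++ overload, as the report explains.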
diff --git a/debian/patches/series b/debian/patches/series
index 83a22dd..668a9ea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ setools-swig-2.0.7.patch
 python_setools_path.patch
 fix-javacflags.patch
 fix-sediffx-crash.patch
+fix-lsetfilecon_raw-prototype.patch


Bug#756729: selinux-policy-default: Patch for Jessie

2014-08-10 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20140421-4
Followup-For: Bug #756729

Hello!

After some more reading (and some more understanding ;-) ) of the refpolicy
I'm pretty sure that the reported problem is a result of a missing allow-rule.

Therefore I prepared the attached patch which adds the missing rule.

The patch is against
https://alioth.debian.org/anonscm/git/selinux/refpolicy.git
commit 242a27cb910e7035d01347bea209010d51c2b727
which is (at the time of this writing) the master HEAD.

I changed the already available patches 0050-systemd and 0080-misc-daemon
to limit the number of patches.
This is the first time I am sending a patch.  Therefore I'm not sure if the
formal things are correct.  If you need another format or a patch
against another version, just give notice.

If you are interested, I can also try to provide a patch for Wheezy.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission 
denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
diff --git a/debian/changelog b/debian/changelog
index 84e0a65..22e0a1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+refpolicy (2:2.20140421-5) unstable; urgency=medium
+
+  [ Andreas Florath ]
+  * Allow udev_t to use systemd_unit_file_t to initialize, shutdown
+and retreive status of devices. (Closes: #756729)
+
+ -- To Be Filled In   Sun, 10 Aug 2014 08:17:19 +0200
+
 refpolicy (2:2.20140421-4) unstable; urgency=medium
 
   * Team upload.
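Review bot: typo in the changelog entry: `retreive` should be `retrieve`. The trailer `-- To Be Filled In   Sun, 10 Aug 2014 08:17:19 +0200` also still has the dch placeholder and needs the uploader's name and address before this can be built as 2:2.20140421-5.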
diff --git a/debian/patches/0050-systemd b/debian/patches/0050-systemd
index 5d989a6..3700d5a 100644
--- a/debian/patches/0050-systemd
+++ b/debian/patches/0050-systemd
@@ -2002,7 +2002,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.if
 ===
 --- /dev/null
 +++ refpolicy-2.20140421/policy/modules/system/systemd.if
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,739 @@
 +## SELinux policy for systemd components
 +
 +###
@@ -2631,6 +2631,25 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.if
 +	allow $1 systemd_unit_file_type:service all_service_perms;
 +')
 +
++
++## 
++##	Allow the specified domain to access start, stop and status
++##  service perms for all unit files
++## 
++## 
++##	
++##	Domain allowed access.
++##	
++## 
++#
++interface(`systemd_config_sss_services',`
++	gen_require(`
++		attribute systemd_unit_file_type;
++	')
++
++	allow $1 systemd_unit_file_type:service { stop start status };
++')
++
 +
 +
 +## 
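Review bot: `systemd_config_sss_services` grants `{ stop start status }` on every `systemd_unit_file_type` service, which is wider than the two denials that motivated it (`start` and `status` on `ifup@.service`); consider an interface that only grants `{ start status }`, so callers such as udev do not also receive `stop` on all units, and name it by the refpolicy verb_object convention (for example systemd_start_status_unit_file_services) rather than the abbreviation `sss`. The doc-comment lines between the `##` markers (summary and the domain parameter) render empty here; make sure the `<summary>` and `<param name="domain">` tags are present, since the interface documentation tooling relies on them.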
@@ -2762,7 +2781,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.te
 --- /dev/null
 +++ refpolicy-2.20140421/policy/modules/system/systemd.te
 @@ -0,0 +1,417 @@
-+policy_module(systemd, 1.0.0)
++policy_module(systemd, 1.0.1)
 +
 +###
 +#
@@ -2811,7 +2830,7 @@ Index: refpolicy-2.20140421/policy/modules/system/systemd.te
 +# type for systemd unit files
 +type systemd_unit_file_t;
 +systemd_unit_file(systemd_unit_file_t)
-+allow init_t systemd_unit_file_t:service { stop start status };
++systemd_config_sss_services(init_t)
 +
 +# executable for systemctl
 +type systemd_systemctl_exec_t;
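Review bot: replacing `allow init_t systemd_unit_file_t:service { stop start status };` with `systemd_config_sss_services(init_t)` widens init_t's access from the single type systemd_unit_file_t to every type carrying the systemd_unit_file_type attribute; if that widening is intended, say so in the changelog, otherwise keep the direct rule for init_t.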
diff --git a/debian/patches/0080-misc-daemon b/debian/patches/0080-misc-daemon
index 9398ef9..a5c115f 100644
--- a/debian/patches/0080-misc-daemon
+++ b/debian/patches/0080-misc-daemon
@@ -133,7 +133,22 @@ Index: refpolicy-2.20140421/policy/modules/system/udev.te
 ===
 --- refpolicy-2.20140421.orig/policy/modules/system/udev.te
 +++ refpolicy-2.20140421/policy/modules/system/udev.te
-@@ -329,6 +329,7 @@ optional_policy(`
+@@ -1,4 +1,4 @@
+-policy_module(udev, 1.17.1)
++policy_module(udev, 1.17.2)
+ 
+ 
+ #
+@@ -87,6 +87,8 @@ files_read_kernel_modules(udev_t)
+ init_search_pid_dirs(udev_t)
+ # for hdparm init script run by udev
+ initrc_service_status(udev_t)
++# for (hotplug) scripts run by udev
++systemd_config_sss_services(udev_t)
+ 
+ kernel_getatt
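Review bot: `systemd_config_sss_services(udev_t)` is called unconditionally from udev.te, but the interface is defined in the systemd module; by refpolicy convention a cross-module call belongs inside `optional_policy(\`...')` so the udev module still builds when systemd is not loaded. The hunk header announces 22 new lines but the quoted hunk ends at the truncated `+ kernel_getatt` line, so the remaining context cannot be reviewed here.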

Bug#756729: AVCs for Jessie

2014-08-09 Thread Andreas Florath
Hello!

After some experiments it was somewhat clear to me that this must
be a SELinux or policy 'problem'.  The problem is that the things
are set up during boot time and I did not receive any hint what
was going on.

Therefore I disabled the 'virtio_net' module during boot, set
the system to enforcing and loaded the module manually:

# run_init modprobe virtio_net

I got this AVC

type=USER_AVC msg=audit(1407598899.576:95): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } 
for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" 
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I created a policy file from it, rebooted, ran modprobe again and got another AVC:

type=USER_AVC msg=audit(1407599868.756:93): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } 
for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" 
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This was all I got - no more AVCs. For me the resulting policy file is:

# cat local-network-hotplug.te
policy_module(localnetworkhotplug, 1.0.1)

gen_require(`
	type udev_t;
	type systemd_unit_file_t;
')

allow udev_t systemd_unit_file_t:service { start status };


After loading this policy, re-enabling the module during boot, the eth0
interface was brought up directly during boot.  Adding this rule solves
the problem for me.

=== Start Assumptions

In refpolicy-2.20140421/policy/modules/system/systemd.te I found:

allow init_t systemd_unit_file_t:service { stop start status };

in the Debian patch to the ref-policy. IMHO not only init but also
udev should be able to start / stop / status a service like ifup
(especially for hotplug).

root@debselinux01:~# ls -Z /lib/systemd/system/ifup\@.service
system_u:object_r:systemd_unit_file_t:SystemLow 
/lib/systemd/system/ifup@.service

=== End Assumptions


Kind regards

Andre


root@debselinux01:~# dpkg -l | grep systemd
ii  libpam-systemd:amd64   208-6   amd64
system and service manager - PAM module
ii  libsystemd-daemon0:amd64   208-6   amd64
systemd utility library
ii  libsystemd-journal0:amd64  208-6   amd64
systemd journal utility library
ii  libsystemd-login0:amd64    208-6   amd64
systemd login utility library
ii  systemd                    208-6   amd64
system and service manager
ii  systemd-sysv   208-6   amd64
system and service manager - SysV links
root@debselinux01:~# dpkg -l | grep udev
ii  libudev1:amd64 208-6   amd64
libudev shared library
ii  udev   208-6   amd64
/dev/ and hotplug management daemon
root@debselinux01:~# dpkg -l | grep selinux
ii  libselinux1:amd64  2.3-1   amd64
SELinux runtime shared libraries
ii  python-selinux 2.3-1   amd64
Python bindings to SELinux shared libraries
ii  selinux-basics 0.5.2   all  
SELinux basic support
ii  selinux-policy-default 2:2.20140421-4  all  
Strict and Targeted variants of the SELinux policy
ii  selinux-policy-dev 2:2.20140421-4  all  
Headers from the SELinux reference policy for building modules
ii  selinux-utils  2.3-1   amd64
SELinux utility programs
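The two USER_AVC records above were turned into an allow rule by hand. The following added example (not part of the bug report or of any Debian package) automates that step for both AVC formats quoted in this thread, the kernel `type=1400 ... avc:` lines and the systemd `type=USER_AVC ... msg='avc: ...'` lines, and renders a .te module in the shape of local-network-hotplug.te. The sample log is constructed from records quoted in the thread plus one `granted` line; the function names are my own.

```python
#!/usr/bin/env python3
"""Turn SELinux AVC denials into a minimal policy module (.te).

Added example: it mirrors what the reporter did by hand (AVC -> allow rule
-> .te file) and what audit2allow automates, for both record shapes seen in
this thread: kernel 'type=1400 ... avc:' lines (also with a syslog prefix)
and systemd 'type=USER_AVC ... msg=\'avc: ...\'' lines, where the AVC text is
nested inside msg='...'.
"""
import re
from collections import defaultdict

# Constructed sample: records modelled on the ones quoted in the thread, one
# 'granted' record and one non-AVC line to show what gets skipped.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1407598899.576:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1407599868.756:93): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=1400 audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Aug  5 09:26:11 debselinux01 kernel: [1.197831] audit: type=1400 audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
type=1400 audit(1406806780.651:6): avc:  granted  { read } for  pid=1 comm="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jul 31 12:55:55 debtest kernel: [4.489454] not an avc record at all
"""

# One AVC body, wherever it sits in the record (bare, or nested in msg='...').
# tclass is restricted to identifier characters so a trailing quote from the
# USER_AVC msg='...' wrapper can never leak into the class name.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>[A-Za-z0-9_]+)"
)


def context_type(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:udev_t:s0 -> udev_t."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Return (decision, perms, source_type, target_type, tclass), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (
        m.group("decision"),
        frozenset(m.group("perms").split()),
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
    )


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}.

    'granted' records and non-AVC lines are skipped; several denials for the
    same triple (like the start/status pair above) collapse into one rule.
    """
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None or parsed[0] != "denied":
            continue
        _, perms, stype, ttype, tclass = parsed
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def render_te(module_name, version, rules):
    """Render a .te in the shape of the reporter's local-network-hotplug.te."""
    types = sorted({t for key in rules for t in key[:2]})
    out = ["policy_module(%s, %s)" % (module_name, version), "", "gen_require(`"]
    out += ["\ttype %s;" % t for t in types]
    out += ["')", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("localnetworkhotplug", "1.0.1",
                    collect_rules(SAMPLE_LOG.splitlines())))
```

Read the generated rules before loading them: a denial only shows what was attempted, and the rule it suggests is not necessarily the right fix (the dhclient name_bind on the generic port_t is better answered by labelling the port than by allowing port_t).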





Bug#756729: Problem also occurs in Jessie with systemd installed

2014-08-05 Thread Andreas Florath
Hello!

Some more thoughts to this problem:

@Russell: I think you are right: these AVCs are logged, but (maybe) do
not influence the system.

In one of my earlier mails on this problem, I reported that this was
not reproducible on Jessie. This is correct - as long as SYSV-init is
used.  Today I installed systemd on Jessie and ran into exactly this
problem.

Here, too, '/sys/class/net/eth0/operstate' is always 'down'.

One observation (which might have nothing to do with this problem):
When using Jessie with SYSV-init, it takes quite a long time to boot.
Most of the time is spent in:
 'Waiting for /dev to be fully populated': 30sec
Using systemd the whole boot takes about 2sec.

When disabling SELinux (setting it to permissive), the problem vanishes.
Here the 'operstate' is 'up' - and the network device is initialized.
I do not see any logged AVC in either permissive or enforcing
mode.  And I'm not sure if this is really a problem of
selinux-policy-default or of some other package.

All tests were done on a minimal installation of Debian in a VM.
The host system is Debian Jessie running KVM 2.0.0+dfsg-6+b1.

If you want, I can provide the VM where this problem occurs every
boot.

Kind regards

Andre

root@debselinux01:~# dpkg -l | grep selinux
ii  libselinux1:amd64  2.3-1   amd64
SELinux runtime shared libraries
ii  python-selinux 2.3-1   amd64
Python bindings to SELinux shared libraries
ii  selinux-basics 0.5.2   all  
SELinux basic support
ii  selinux-policy-default 2:2.20140421-4  all  
Strict and Targeted variants of the SELinux policy
ii  selinux-utils  2.3-1   amd64
SELinux utility programs
root@debselinux01:~# dpkg -l | grep systemd
ii  libpam-systemd:amd64   208-6   amd64
system and service manager - PAM module
ii  libsystemd-daemon0:amd64   208-6   amd64
systemd utility library
ii  libsystemd-journal0:amd64  208-6   amd64
systemd journal utility library
ii  libsystemd-login0:amd64    208-6   amd64
systemd login utility library
ii  systemd                    208-6   amd64
system and service manager
ii  systemd-sysv   208-6   amd64
system and service manager - SysV links





Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-08-05 Thread Andreas Florath
Hello!

As suggested, I retested this with Jessie:
There are still some AVCs logged, but these differ from the ones logged in 
Wheezy.

Aug  5 09:26:11 debselinux01 kernel: [1.197831] audit: type=1400 
audit(1407223571.360:4): avc:  denied  { net_admin } for  pid=166 
comm="systemd-tmpfile" capability=12  
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability
Aug  5 09:26:11 debselinux01 kernel: [1.199479] audit: type=1400 
audit(1407223571.360:5): avc:  denied  { read } for  pid=166 
comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199488] audit: type=1400 
audit(1407223571.360:6): avc:  denied  { read } for  pid=166 
comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.199942] audit: type=1400 
audit(1407223571.360:7): avc:  denied  { read } for  pid=166 
comm="systemd-tmpfile" name="urandom" dev="devtmpfs" ino=1033 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.202553] audit: type=1400 
audit(1407223571.364:8): avc:  denied  { getcap } for  pid=166 
comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process
Aug  5 09:26:11 debselinux01 kernel: [1.202763] audit: type=1400 
audit(1407223571.364:9): avc:  denied  { getattr } for  pid=166 
comm="systemd-tmpfile" path="/dev/autofs" dev="devtmpfs" ino=5287 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
Aug  5 09:26:11 debselinux01 kernel: [1.203130] audit: type=1400 
audit(1407223571.364:10): avc:  denied  { getcap } for  pid=166 
comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools  3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#756468: Reasons for closing?

2014-08-05 Thread Andreas Florath
Hello Laurent,

can you please tell me why you set this bug to 'done'?
You wrote that this is 'still a problem in wheezy'. Will this not be fixed in 
wheezy?

I do not want to argue against your decision - simply want to understand it.

Kind regards

Andre





Bug#756729: [DSE-Dev] Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

2014-08-01 Thread Andreas Florath
Hello Mika,

some more observations:

I found a workaround: Changing 'allowed-hotplug eth0' to
'auto eth0' in /etc/network/interfaces fixes the problem
for me.

In the cases where this problem occurs, the
/sys/class/net/eth0/operstate is 'down'.  Therefore the
hotplug function will not pick up the device.

But why and how does (not) enforcing influence the
setting of the device's operstate?

Kind regards

Andre





Bug#756729: [DSE-Dev] Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

2014-08-01 Thread Andreas Florath
Hello Mika,

it looks like yesterday's reply was lost - maybe because of the attachments.
Attached to this mail you will find the lost mail.

The dhcp module was already loaded:

root@debselinux01:~# sestatus
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: denied
Max kernel policy version:  26

root@debselinux01:~# semodule -l
apm         1.11.0
dbus        1.15.0
devicekit   1.1.0
dhcp        1.9.0
dmidecode   1.4.0
gpg         2.4.0
lvm         1.13.0
netutils    1.11.0
ptchown     1.1.0
ssh         2.2.0
tcpd        1.4.0
tzdata      1.4.0
unconfined  3.3.0
usbmodules  1.2.0


Trying to load it again does not change things - the problem still
exists:

root@debselinux01:~# semodule -i /usr/share/selinux/default/dhcp.pp
root@debselinux01:~# semodule -l
apm         1.11.0
dbus        1.15.0
devicekit   1.1.0
dhcp        1.9.0
dmidecode   1.4.0
gpg         2.4.0
lvm         1.13.0
netutils    1.11.0
ptchown     1.1.0
ssh         2.2.0
tcpd        1.4.0
tzdata      1.4.0
unconfined  3.3.0
usbmodules  1.2.0

Then I tried:

root@debselinux01:~# cd /usr/share/selinux/default
root@debselinux01:/usr/share/selinux/default# for f in *.pp; do echo "Loading 
$f" ; semodule -i $f; done
Loading acct.pp
Loading ada.pp
Loading afs.pp
[...]

Some are failing because of unmet dependencies; therefore another round:

root@debselinux01:/usr/share/selinux/default# for f in *.pp; do echo "Loading 
$f" ; semodule -u $f; done

With the result that it now reliably fails :-)
Every time after a reboot eth0 is not available.

The only AVC I found in the log is the one about mount and modules.dep.

Also here: after disabling SELinux (setting it to permissive) the
problem is not reproducible. (Tried 47 reboots.)

Kind regards

Andre

P.S.: I tried to reproduce this with Jessie: 428 reboots without any
  occurrence of the problem.



- The lost mail -

Hello Mika,

very strange things happen: yesterday this bug happened (as I
remember) every time I booted.  Today this changed somehow: it only
happens from time to time - but at least it happens.

Because the network interface is not working when the problem appears,
I attached some console screenshots with the output of the commands
you suggested.

My idea then was that this might not be a problem of the
selinux-policy package. Therefore I set SELINUX=permissive and wrote a
small script which connects via the network interface to the machine and
reboots it.  I stopped the test after 238 reboots - not one occurrence
of the problem.  I set SELINUX back to enforcing, and the
problem occurs every 1-4 boots.

So there might be the possibility that it has something to
do with the selinux-policy.

I managed to create a minimal Debian 7 VM with SELinux set to enforcing
where this problem occurs (from time to time).  If you want, I can
provide the VM - and my reboot-test script.  (The size of the
compressed image is about 265MiByte.)

Kind regards

Andre





Bug#756731: [DSE-Dev] Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-08-01 Thread Andreas Florath
Hello Mika,

thank you very much for your detailed explanation.
It looks like I am missing some basics here.

I'll try to reproduce the bugs I found with Jessie.
(It might take some time, because I start vacation
in the next days...)

Thanks for your offer about the VMs - but I am able
to setup a VM on my own ;-)

Kind regards

Andre





Bug#756468: Please think about fixing this bug in stable

2014-08-01 Thread Andreas Florath
Hello!

I learned from a comment to another bug
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756731)
that only bugs starting from 'important' will be fixed in stable.

IMHO this bug should be fixed in stable, because it prevents
installing packages that use addgroup when SELinux is set to
enforcing.

Please think about changing the severity to 'important' and
fixing this bug.

Kind regards

Andre





Bug#756542: [DSE-Dev] Bug#756542: selinux-policy-default: Installation of systemd from wheezy-backports results in many AVCs

2014-07-31 Thread Andreas Florath
Hello Mika,

thanks for your answer. And yes, you are right.

Just checked the description from backports:
 Backports cannot be tested as extensively as Debian stable,
 and backports are provided on an as-is basis, with risk of
 incompatibilities with other components in Debian stable.
 Use with care!

Checked this after I read your comment - did not know this before.

This means: when it is from backports, it might be incompatible
and therefore it's not a bug. Because of this, IMHO this bug can be closed.

Nevertheless there are some problems that also occur in the
stable release. I filed them as separate bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756729
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756730
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756731

Kind regards

Andre





Bug#756730: selinux-policy-default: Setting SELinux to enforce logs AVC: mount wants to access modules.dep

2014-07-31 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: minor

Dear Maintainer,

after SELinux is set to enforcing the following AVC is logged during boot.
Nevertheless, I did not find any problems with the system:

type=1400 audit(1406807193.926:4): avc:  denied  { read } for  pid=1385 
comm="mount" name="modules.dep" dev=dm-0 ino=914388 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:modules_dep_t:s0 tclass=file

When allowing this (audit2allow & semodule -u), the following AVCs are logged:
Jul 31 15:30:13 debtest kernel: [4.029846] type=1400 
audit(1406813412.816:4): avc:  denied  { open } for  pid=1385 comm="mount" 
name="modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
Jul 31 15:34:17 debtest kernel: [4.286956] type=1400 
audit(1406813655.960:4): avc:  denied  { getattr } for  pid=1383 comm="mount" 
path="/lib/modules/3.2.0-4-amd64/modules.dep" dev=dm-0 ino=914388 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:modules_dep_t:s0 tclass=file

I found two mail threads where this issue is discussed upstream:
http://oss.tresys.com/pipermail/refpolicy/2013-January/006267.html
http://oss.tresys.com/pipermail/refpolicy/2013-September/006529.html

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools  

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#756731: selinux-policy-default: Setting SELinux to enforce when using systemd some AVCs are logged during boot

2014-07-31 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

when SELinux is enabled (set to enforcing) and systemd is used, some AVCs are 
logged:

Jul 31 16:02:42 debtest kernel: [3.292205] type=1400 
audit(1406815358.096:4): avc:  denied  { write } for  pid=214 comm="mount" 
name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [3.292228] type=1400 
audit(1406815358.096:5): avc:  denied  { setattr } for  pid=214 comm="mount" 
name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:security_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [3.362846] type=1400 
audit(1406815358.164:6): avc:  denied  { setattr } for  pid=224 comm="mount" 
name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [3.850978] type=1400 
audit(1406815358.652:7): avc:  denied  { mounton } for  pid=237 comm="mount" 
path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 31 16:02:42 debtest kernel: [3.851420] type=1400 
audit(1406815358.652:8): avc:  denied  { mounton } for  pid=237 comm="mount" 
path="/run/user" dev=tmpfs ino=1948 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:var_auth_t:s0 tclass=dir

type=AVC msg=audit(1406815362.316:10): avc:  denied  { read } for  pid=723 
comm="dmesg" name="locale.alias" dev=dm-0 ino=522685 
scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 
tclass=file

Please note that the stable (V44) systemd is used.

Andre


# dpkg -l | grep systemd
ii  libpam-systemd:amd64   44-11+deb7u4  amd64
system and service manager - PAM module
ii  libsystemd-daemon0:amd64   44-11+deb7u4  amd64
systemd utility library
ii  libsystemd-id128-0:amd64   44-11+deb7u4  amd64
systemd 128 bit ID utility library
ii  libsystemd-journal0:amd64  44-11+deb7u4  amd64
systemd journal utility library
ii  libsystemd-login0:amd64    44-11+deb7u4  amd64
systemd login utility library
ii  systemd                    44-11+deb7u4  amd64
system and service manager
ii  systemd-sysv   44-11+deb7u4  amd64
system and service manager - SysV links

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools  

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information





Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

2014-07-31 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important

Dear Maintainer,

after enabling SELinux, the eth0 network device is no longer configured 
automatically during boot time.

There is a similar bug
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
but it differs in the command: here it is 'dhclient', there it is the scripts.

IMHO this is an 'important' bug, because systems using dhcp cannot switch to 
enforce - or they will not work properly any more.

The eth0 device is configured as:

allow-hotplug eth0
iface eth0 inet dhcp

After booting with SELinux set to enforced the eth0 network interface is not 
configured. ifconfig shows only 'lo'.

During boot, the following two AVCs are reported:

Jul 31 12:55:55 debtest kernel: [4.489454] type=1400 
audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 
comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 12:55:55 debtest kernel: [4.489641] type=1400 
audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677 
comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

When I use both of these lines as input to 'audit2allow' and 'semodule':

$ audit2allow -M localdhclient
$ semodule -i localdhclient.pp

after booting, the interface comes up, but it looks like the further setup 
needs 'hostname' and 'ip':

Jul 31 13:39:41 debtest kernel: [4.954371] type=1400 
audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" 
path="socket:[7251]" dev=sockfs ino=7251 
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [4.954457] type=1400 
audit(1406806780.651:6): avc:  denied  { read write } for  pid=1723 comm="ip" 
path="socket:[7252]" dev=sockfs ino=7252 
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [5.005695] type=1400 
audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 
comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 
scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [5.005781] type=1400 
audit(1406806780.703:8): avc:  denied  { read write } for  pid=1751 
comm="hostname" path="socket:[7252]" dev=sockfs ino=7252 
scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [5.007904] type=1400 
audit(1406806780.703:9): avc:  denied  { read write } for  pid=1752 comm="ip" 
path="socket:[7251]" dev=sockfs ino=7251 
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [5.007988] type=1400 
audit(1406806780.703:10): avc:  denied  { read write } for  pid=1752 comm="ip" 
path="socket:[7252]" dev=sockfs ino=7252 
scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket

After another 'audit2allow' and 'semodule' there are no further AVCs in the log 
after a reboot, and the interface works fine.

Kind regards

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools  

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#756468: Also other packages installation (example systemd) is failing

2014-07-30 Thread Andreas Florath
Hello!

It looks like this problem occurs with other packages as well:

$ se_apt-get install -t wheezy-backports systemd
[...]
Adding group `systemd-journal' (GID 104) ...
addgroup: `/usr/sbin/groupadd -g 104 systemd-journal' returned error code 10. 
Exiting.
dpkg: error processing systemd (--configure):
 subprocess installed post-installation script returned error exit status 1

type=SYSCALL msg=audit(1406719264.095:12): arch=c03e syscall=59 success=yes 
exit=0 a0=24d7880 a1=24d73c0 a2=27ad900 a3=0 items=0 ppid=3018 pid=3019 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406719264.111:13): avc:  denied  { search } for  pid=3019 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406719264.111:13): arch=c03e syscall=2 success=no 
exit=-13 a0=16da340 a1=0 a2=1b6 a3=0 items=0 ppid=3018 pid=3019 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406719264.111:14): avc:  denied  { search } for  pid=3019 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406719264.111:14): arch=c03e syscall=2 success=no 
exit=-13 a0=16da2d0 a1=0 a2=1b6 a3=0 items=0 ppid=3018 pid=3019 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406719264.111:15): avc:  denied  { search } for  pid=3019 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406719264.111:15): arch=c03e syscall=2 success=no 
exit=-13 a0=16d9c40 a1=0 a2=1b6 a3=0 items=0 ppid=3018 pid=3019 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)

Kind regards

Andre





Bug#756542: selinux-policy-default: Installation of systemd from wheezy-backports results in many AVCs

2014-07-30 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

using systemd from backports (version: see below), many AVCs appear in the 
log.
The system is (partially) unusable, e.g. eth0 does not work reliably.

This is needed to reproduce the problem:

Install a new (minimal) Debian 7.6.

Install selinux.

During the installation of systemd I have to set SELinux to
permissive, because there is a problem with groupadd:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756468

# getenforce
Enforcing
# setenforce 0
# se_apt-get install -t wheezy-backports systemd
# setenforce 1
# reboot

When the system comes up it has some 'hiccups', like eth0 not being reliable.
The audit.log is full of AVCs, and there are even some in 
/var/log/messages (IMHO because they occur before auditd is up and 
running).

/var/log/messages

Jul 30 13:31:05 debselinux kernel: [3.995920] type=1400 
audit(1406719861.688:4): avc:  denied  { setattr } for  pid=224 comm="mount" 
name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [4.381726] type=1400 
audit(1406719862.076:5): avc:  denied  { read } for  pid=239 
comm="systemd-journal" name="kmsg" dev=devtmpfs ino=1034 
scontext=system_u:system_r:syslogd_t:s0 
tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file
Jul 30 13:31:05 debselinux kernel: [4.381773] type=1400 
audit(1406719862.076:6): avc:  denied  { write } for  pid=239 
comm="systemd-journal" name="journal" dev=tmpfs ino=1351 
scontext=system_u:system_r:syslogd_t:s0 
tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [6.214468] type=1400 
audit(1406719863.908:7): avc:  denied  { mounton } for  pid=502 comm="mount" 
path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [6.214861] type=1400 
audit(1406719863.908:8): avc:  denied  { mounton } for  pid=502 comm="mount" 
path="/run/user" dev=tmpfs ino=4987 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
Jul 30 13:31:05 debselinux kernel: [6.748974] type=1400 
audit(1406719864.444:9): avc:  denied  { getattr } for  pid=587 
comm="systemd-tmpfile" path="/dev/xconsole" dev=devtmpfs ino=4500 
scontext=system_u:system_r:systemd_tmpfiles_t:s0 
tcontext=system_u:object_r:xconsole_device_t:s0 tclass=fifo_file
Jul 30 13:31:05 debselinux kernel: [6.765430] type=1107 
audit(1406719864.460:10): user pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=0 
gid=0 path="/lib/systemd/system/ifup@.service" 
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
Jul 30 13:31:05 debselinux kernel: [6.824456] type=1400 
audit(1406719864.520:11): avc:  denied  { name_bind } for  pid=708 
comm="dhclient" src=9131 scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [6.824535] type=1400 
audit(1406719864.520:12): avc:  denied  { name_bind } for  pid=708 
comm="dhclient" src=10664 scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 30 13:31:05 debselinux kernel: [7.214021] type=1107 
audit(1406719864.908:13): user pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=-1 uid=0 
gid=0 path="/lib/systemd/system/systemd-journald.service" 
scontext=system_u:system_r:init_t:s0 
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service

/var/log/audit/audit.log

type=AVC msg=audit(1406719814.627:15): avc:  denied  { use } for  pid=3117 
comm="groupadd" path="/dev/pts/2" dev=devpts ino=5 
scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 
tclass=fd
type=AVC msg=audit(1406719814.635:16): avc:  denied  { search } for  pid=3117 
comm="groupadd" name="files" dev=dm-0 ino=522863 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1406719814.635:16): avc:  denied  { read } for  pid=3117 
comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:16): avc:  denied  { open } for  pid=3117 
comm="groupadd" name="file_contexts.subs_dist" dev=dm-0 ino=522865 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1406719814.635:17): avc:  denied  { getattr } for  pid=3117 
comm="groupadd" 
path="/etc/selinux/default/contexts/files/file_contexts.subs_dist" dev=dm-0 
ino=522865 scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:file_

Bug#756468: selinux-policy-default: Installation of utempter fails because of deny of groupadd when SELinux is set to enforcing

2014-07-29 Thread Andreas Florath
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

the installation of selinux-policy-src when SELinux is set to enforcing
fails:

# sestatus
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: denied
Max kernel policy version:  26

# se_apt-get install selinux-policy-src
[...]
Setting up libutempter0 (1.1.5-4) ...
Creating utempter group...
addgroup: `/usr/sbin/groupadd -g 104 utempter' returned error code 10. Exiting.
dpkg: error processing libutempter0 (--configure):
 subprocess installed post-installation script returned error exit status 1

(It looks like selinux-policy-src depends on libutempter0.)

Here is the audit.log of this event:
type=SYSCALL msg=audit(1406697782.110:13): arch=c03e syscall=59 success=yes 
exit=0 a0=132a3d0 a1=132a450 a2=1601060 a3=0 items=0 ppid=7956 pid=7957 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406697782.122:14): avc:  denied  { search } for  pid=7957 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:14): arch=c03e syscall=2 success=no 
exit=-13 a0=cfc340 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406697782.122:15): avc:  denied  { search } for  pid=7957 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:15): arch=c03e syscall=2 success=no 
exit=-13 a0=cfc2d0 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)
type=AVC msg=audit(1406697782.122:16): avc:  denied  { search } for  pid=7957 
comm="groupadd" name="contexts" dev=dm-0 ino=522851 
scontext=system_u:system_r:groupadd_t:s0 
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:16): arch=c03e syscall=2 success=no 
exit=-13 a0=cfbc40 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 
comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 
key=(null)

The system is a fresh and minimalistic installation of Debian 7.6.

Kind regards

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools  3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck
pn  syslog-summary  

-- no debconf information


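The AVC records quoted in this report and in the other selinux-policy-default reports above (the dhclient name_bind denials, the ip/hostname socket denials, the groupadd denials) are exactly what audit2allow turns into allow rules. Below is an added example of that step, written for this page and not taken from the reports or from the selinux-policy or policycoreutils packages: a small Python parser that accepts both record shapes seen above, the kernel printk form ('type=1400 audit(...): avc: denied ...') and the auditd form ('type=AVC msg=audit(...): avc: denied ...'), aggregates the denials per (source type, target type, class), renders allow rules, and then flags the two kinds of rule a practitioner should not load blindly: rules whose target is the generic port_t type, and rules that grant one domain access to a live object (here a UDP socket) owned by another domain. The sample lines are copied from the reports above with the mail wrapping undone; the function names and the flagging heuristics are this example's own.

```python
import re
from collections import defaultdict

# Both record shapes seen in the reports carry the same payload after the
# audit id: 'avc:  denied  { perm ... } for  key=value key="value" ...'.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# port_t is the refpolicy type for ports that carry no specific label, so an
# allow rule on it covers every such port, not only the one the program used.
BROAD_TARGET_TYPES = {"port_t"}

# Constructed sample: lines copied from the reports above, mail wrapping undone.
SAMPLE_LOG = [
    # kernel printk form, from the dhclient report
    'Jul 31 12:55:55 debtest kernel: [4.489454] type=1400 audit(1406804155.296:5): '
    'avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 '
    'scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'Jul 31 13:39:41 debtest kernel: [4.954371] type=1400 audit(1406806780.651:5): '
    'avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" '
    'dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket',
    # auditd form, from the groupadd report
    'type=AVC msg=audit(1406697782.122:14): avc:  denied  { search } for  pid=7957 '
    'comm="groupadd" name="contexts" dev=dm-0 ino=522851 '
    'scontext=system_u:system_r:groupadd_t:s0 '
    'tcontext=system_u:object_r:default_context_t:s0 tclass=dir',
    # the SYSCALL record that accompanies it must be skipped, not mis-parsed
    'type=SYSCALL msg=audit(1406697782.122:14): arch=c03e syscall=2 success=no '
    'exit=-13 comm="groupadd" exe="/usr/sbin/groupadd" '
    'subj=system_u:system_r:groupadd_t:s0 key=(null)',
]


def context_field(ctx, index):
    """Pick one field of a user:role:type:level context, or None if malformed."""
    parts = ctx.split(":")
    return parts[index] if len(parts) > index else None


def parse_avc(line):
    """Parse one AVC denial record; returns None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": context_field(fields["scontext"], 2),
        "trole": context_field(fields["tcontext"], 1),
        "ttype": context_field(fields["tcontext"], 2),
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Merge denials into {(source type, target type, class): set of perms};
    this is the aggregation audit2allow performs before emitting rules."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as policy allow statements, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in summary.items():
        perm_text = (next(iter(perms)) if len(perms) == 1
                     else "{ %s }" % " ".join(sorted(perms)))
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text))
    return sorted(rules)


def review_notes(lines):
    """One note per (source, target, class) whose allow rule deserves a look
    before 'semodule -i': generic targets, and live objects of another domain."""
    notes, seen = [], set()
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        if key in seen:
            continue
        seen.add(key)
        if rec["ttype"] in BROAD_TARGET_TYPES:
            notes.append("%s -> %s:%s: generic target type, the rule covers every %s "
                         "carrying the default label" % (key + (rec["tclass"],)))
        elif rec["trole"] != "object_r":
            notes.append("%s -> %s:%s: target is a live object owned by the %s domain, "
                         "probably a descriptor inherited from it" % (key + (rec["ttype"],)))
    return notes


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for note in review_notes(SAMPLE_LOG):
        print("NOTE:", note)
```

Run over a real audit.log, summarize() yields the same tuples 'audit2allow -M' would compile into a module; review_notes() is the list to read before 'semodule -i'. For the dhclient case it points out that the generated rule is not "let dhclient bind its two ports" but "let dhcpc_t bind any port that carries the default port_t label", and for the ip/hostname case that the rule lets ifconfig_t and hostname_t use a socket dhclient opened and passed down to its hook scripts, which is expected here but worth knowing when the policy is read later.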



Bug#739044: Located place of core dump

2014-02-15 Thread Andreas Florath
Hello!

I compiled opensc with debug symbols and got the following:
$ gdb /usr/bin/ssh
GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/ssh...(no debugging symbols found)...done.
(gdb) r -I opensc-pkcs11.so florath@10.0.0.25
Starting program: /usr/bin/ssh -I opensc-pkcs11.so florath@10.0.0.25
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x751dac6d in get_fw_data (p11card=0x557f7940, 
app_info=0x557f8f40, out_idx=0x7fffb930) at framework-pkcs15.c:192
192 if (file_app->path.len != app_info->path.len)
(gdb) p file_app
$1 = (struct sc_file *) 0x0


=== Experiment
I have no idea why file_app is null here (and whether it is allowed to be null?).
I experimentally changed line 188 to also add

if ( ... || !fw_data->p15_card->file_app)

which at least gives no more cores. Nevertheless this does not fix the problem 
for me:

$ ssh -I opensc-pkcs11.so florath@10.0.0.25
GOST engine already loaded
GOST engine already loaded
no slots
florath@10.0.0.25's password:

When you need more info, just drop me a mail.

Kind regards - Andreas





Bug#739044: opensc: ssh dumps core when used with opensc-pkcs11.so

2014-02-15 Thread Andreas Florath
Package: opensc
Version: 0.13.0-3
Severity: normal

Dear Maintainer,

when using opensc-pkcs11.so with ssh, ssh dumps a core:
$ ssh -I opensc-pkcs11.so florath@10.0.0.25
Segmentation fault (core dumped)

gdb /usr/bin/ssh core.4318 
GNU gdb (GDB) 7.6.2 (Debian 7.6.2-1)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/ssh...(no debugging symbols found)...done.
[New LWP 4318]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x7fffb9945000
Core was generated by `ssh -I opensc-pkcs11.so florath@10.0.0.25'.
Program terminated with signal 11, Segmentation fault.
#0  0x7f1f01abe7df in ?? () from /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
(gdb) bt
#0  0x7f1f01abe7df in ?? () from /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#1  0x7f1f01ab2e20 in ?? () from /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#2  0x7f1f01ab3068 in ?? () from /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#3  0x7f1f01aaeb27 in ?? () from /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#4  0x7f1f0491a79e in ?? ()
#5  0x7f1f048e1ac3 in ?? ()
#6  0x7f1f03498995 in __libc_start_main (main=0x7f1f048dfb80, argc=4, 
ubp_av=0x7fffb98e6b38, init=, fini=, 
rtld_fini=, stack_end=0x7fffb98e6b28)
at libc-start.c:276
#7  0x7f1f048e22dc in ?? ()

The expected outcome is: ssh should not dump a core.

Some facts:
o 'Fresh' jessie installation - about two days old.
o The smart card works within thunderbird-24.3.0 to encrypt, decrypt and sign 
emails (mainstream)
o The following commands work fine and give the expected result:
  $ opensc-tool --list-readers
  $ opensc-tool --name
  $ pkcs11-tool --list-slots --module 
/usr/local/lib64/libpkcs11tcos3NetKey_amd64.so.1.4.0.3
  $ pkcs15-tool --list-certificates
  $ pkcs15-tool --list-keys
  $ pkcs15-tool --list-pins
  $ pkcs15-tool --list-certificates
  $ pkcs15-tool --read-certificate 45 | openssl x509 -noout -text


Kind regards - Andreas


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages opensc depends on:
ii  libc6              2.17-97
ii  libreadline6       6.2+dfsg-0.1
ii  libssl1.0.0        1.0.1f-1
ii  multiarch-support  2.17-97
ii  zlib1g             1:1.2.8.dfsg-1

opensc recommends no packages.

opensc suggests no packages.

-- no debconf information





Bug#592806: Please reopen

2011-03-18 Thread Andreas Florath
Hello!

I think, the problem still exists in the latest available version
of squid3 (3.1.6-1.2) for Squeeze.
Running a Debian 6 system - last 'apt-get upgrade' from yesterday
(2011-03-17). Fresh installed on last Monday (2011-03-14).
Core file is available.

If you need more information, just drop me a mail.

Kind regards - Andreas Florath


--- Package Information ---

# dpkg -l | grep squid
ii  squid-langpack  20100628-1  Localized error pages for Squid
ii  squid3          3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy)
ii  squid3-common   3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy) - common files
ii  squid3-dbg      3.1.6-1.2   A full featured Web Proxy cache (HTTP proxy) - Debug symbols


--- Stack Trace ---
#0  storeRead (sio=, buf=0x4178710 "", size=4096,
offset=0, callback=0x551670 ,
callback_data=0x3cd7018) at store_io.cc:92
#1  0x0055024a in store_client::fileRead (this=0x3cd7018) at
store_client.cc:471
#2  0x005b0de9 in UFSStoreState::readCompleted (this=0x3baab28,
buf=0x3bab440 "", len=0, errflag=, result=) at ufs/store_io_ufs.cc:338
#3  0x005bfcae in DiskThreadsDiskFile::readDone (this=, rvfd=75, buf=0x3bab440 "", len=0, errflag=0,
request=DWARF-2 expression error: DW_OP_reg operations must be used
either alone or in conjuction with DW_OP_piece.
) at DiskIO/DiskThreads/DiskThreadsDiskFile.cc:323
#4  0x005bfdfb in DiskThreadsDiskFile::ReadDone (fd=75,
my_data=0x3ba7328, buf=0x3bab440 "", len=0, errflag=5576304) at
DiskIO/DiskThreads/DiskThreadsDiskFile.cc:286
#5  0x005bc963 in DiskThreadsIOStrategy::callback
(this=0x9c7300) at DiskIO/DiskThreads/DiskThreadsIOStrategy.cc:149
#6  0x00554cb6 in StoreHashIndex::callback (this=) at store_dir.cc:743
#7  0x00526ed6 in StoreRootEngine::checkEvents (this=, timeout=68650768) at main.cc:162
#8  0x004de1e3 in EventLoop::checkEngine (this=0x7fffb55d9370,
engine=0x7fffb55d93f0, primary=false) at EventLoop.cc:48
#9  0x004de30c in EventLoop::runOnce (this=0x7fffb55d9370) at
EventLoop.cc:114
#10 0x004de468 in EventLoop::run (this=0x7fffb55d9370) at
EventLoop.cc:94
#11 0x0052685a in SquidMain (argc=,
argv=) at main.cc:1400
#12 0x00526da6 in SquidMainSafe (argc=0, argv=0x4178710) at
main.cc:1160
#13 main (argc=0, argv=0x4178710) at main.cc:1152



--- Extract from /var/log/messages ---
(The machine is called 'squidv2' but runs Version 3 of squid.)

Mar 17 15:09:24 squidv2 kernel: [274670.636400] squid3[13170]: segfault
at 0 ip 0054f143 sp 7fffb0ddf148 error 4 in
squid3[40+29f000]
Mar 17 15:09:24 squidv2 squid[1412]: Squid Parent: child process 13170
exited due to signal 11 with status 0
Mar 17 15:09:27 squidv2 squid[1412]: Squid Parent: child process 13183
started
Mar 17 15:10:28 squidv2 kernel: [274734.458103] squid3[13183]: segfault
at 0 ip 0054f143 sp 7fff9a009308 error 4 in
squid3[40+29f000]
Mar 17 15:10:28 squidv2 squid[1412]: Squid Parent: child process 13183
exited due to signal 11 with status 0
Mar 17 15:10:31 squidv2 squid[1412]: Squid Parent: child process 13195
started
Mar 17 15:14:58 squidv2 kernel: [275004.895957] squid3[13195]: segfault
at 0 ip 0054f143 sp 7fff88ea13f8 error 4 in
squid3[40+29f000]
Mar 17 15:14:58 squidv2 squid[1412]: Squid Parent: child process 13195
exited due to signal 11 with status 0
Mar 17 15:15:01 squidv2 squid[1412]: Squid Parent: child process 13207
started
Mar 17 15:29:59 squidv2 kernel: [275905.526196] squid3[13207]: segfault
at 0 ip 0054f143 sp 7fff4c7525b8 error 4 in
squid3[40+29f000]
Mar 17 15:29:59 squidv2 squid[1412]: Squid Parent: child process 13207
exited due to signal 11 with status 0
Mar 17 15:30:02 squidv2 squid[1412]: Squid Parent: child process 13225
started
Mar 17 15:45:10 squidv2 kernel: [276816.711815] squid3[13225]: segfault
at 0 ip 0054f143 sp 7fff01331b58 error 4 in
squid3[40+29f000]
Mar 17 15:45:10 squidv2 squid[1412]: Squid Parent: child process 13225
exited due to signal 11 with status 0
Mar 17 15:45:13 squidv2 squid[1412]: Squid Parent: child process 13237
started
Mar 17 15:46:12 squidv2 kernel: [276878.294847] squid3[13237]: segfault
at 0 ip 0054f143 sp 7fffa6864178 error 4 in
squid3[40+29f000]
Mar 17 15:46:12 squidv2 squid[1412]: Squid Parent: child process 13237
exited due to signal 11 with status 0
Mar 17 15:46:15 squidv2 squid[1412]: Squid Parent: child process 13249
started
Mar 17 16:00:00 squidv2 kernel: [277706.546509] squid3[13249]: segfault
at 0 ip 0054f143 sp 7fff18c000d8 error 4 in
squid3[40+29f000]
Mar 17 16:00:00 squidv2 squid[1412]: Squid Parent: child process 13249
exited due to signal 11 with status 0
Mar 17 16:00:03 squidv2 squid[1412]: Squid Parent: child process 13262
st

Bug#603508: kernel crashes during raid6 resync

2010-11-14 Thread Andreas Florath
Package: linux-2.6
Version: 2.6.32-27
File: /boot/vmlinuz-2.6.32-5-amd64
Severity: normal

*** Please type your report below this line ***
After installation of four new disks and configuring RAID 6 using
those four disks, the kernel keeps crashing every some minutes.
When using programs which exercise the disk (like bonnie++) it only
takes seconds to get an Oops.

The RAID 6 is syncing:
# cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md127 : active raid6 sda1[0] sdd1[3] sdc1[2] sdb1[1]
  976768640 blocks super 1.2 level 6, 64k chunk, algorithm 2 [4/4] []
  [>]  resync =  1.0% (5155568/488384320) 
finish=171.1min speed=47044K/sec

unused devices: 

Attached there are two different Oops kernel stack traces.

IMHO the kernel should not crash. Even if the 'attempt to access
beyond end of device' is true, the disk should be mapped out of the
RAID and the others should continue working.

I'm not sure if this matters, but all four disks are WD disks which
report physical sector size of 4096 byte.

If you have any further questions, please drop me a mail.

Kind regards

Andreas Florath



Nov 14 18:50:10 peleus kernel: [  989.048138] JBD2: Detected IO errors while 
flushing file data on dm-0-8
Nov 14 18:50:14 peleus kernel: [  992.624892] BUG: unable to handle kernel NULL 
pointer dereference at 0008
Nov 14 18:50:14 peleus kernel: [  992.625081] IP: [] 
mempool_free+0x14/0x7e
Nov 14 18:50:14 peleus kernel: [  992.625238] PGD 7a5be067 PUD 77886067 PMD 0
Nov 14 18:50:14 peleus kernel: [  992.625458] Oops:  [#1] SMP
Nov 14 18:50:14 peleus kernel: [  992.625613] last sysfs file: 
/sys/devices/virtual/block/dm-0/dm/name
Nov 14 18:50:14 peleus kernel: [  992.625684] CPU 1
Nov 14 18:50:14 peleus kernel: [  992.625788] Modules linked in: ext4 jbd2 
crc16 dm_mod loop snd_pcm snd_timer i2c_i801 i2c_core snd soundcore 
snd_page_alloc pcspkr evdev joydev button processor ext3 jbd mbcache raid10 
raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx 
raid1 raid0 multipath linear md_mod sd_mod crc_t10dif usbhid hid usb_storage 
ahci libata uhci_hcd thermal scsi_mod e1000e ehci_hcd thermal_sys usbcore 
nls_base [last unloaded: scsi_wait_scan]
Nov 14 18:50:14 peleus kernel: [  992.628146] Pid: 335, comm: md127_raid6 
Tainted: GB  2.6.32-5-amd64 #1 X7SPA-HF
Nov 14 18:50:14 peleus kernel: [  992.628233] RIP: 0010:[]  
[] mempool_free+0x14/0x7e
Nov 14 18:50:14 peleus kernel: [  992.628364] RSP: 0018:88013b703c90  
EFLAGS: 00010286
Nov 14 18:50:14 peleus kernel: [  992.628432] RAX:  RBX: 
 RCX: 0001
Nov 14 18:50:14 peleus kernel: [  992.628503] RDX: ff00 RSI: 
 RDI: 88000fd2c2b8
Nov 14 18:50:14 peleus kernel: [  992.628515] RBP: 88000fd2c2b8 R08: 
 R09: 88013be07a00
Nov 14 18:50:14 peleus kernel: [  992.628515] R10:  R11: 
a01da608 R12: 88000fd2c2b8
Nov 14 18:50:14 peleus kernel: [  992.628515] R13: 88013bd29400 R14: 
88000fd2d1b8 R15: 00020001
Nov 14 18:50:14 peleus kernel: [  992.628515] FS:  () 
GS:88000528() knlGS:
Nov 14 18:50:14 peleus kernel: [  992.628515] CS:  0010 DS: 0018 ES: 0018 CR0: 
8005003b
Nov 14 18:50:14 peleus kernel: [  992.628515] CR2: 0008 CR3: 
8b42f000 CR4: 06e0
Nov 14 18:50:14 peleus kernel: [  992.628515] DR0:  DR1: 
 DR2: 
Nov 14 18:50:14 peleus kernel: [  992.628515] DR3:  DR6: 
0ff0 DR7: 0400
Nov 14 18:50:14 peleus kernel: [  992.628515] Process md127_raid6 (pid: 335, 
threadinfo 88013b702000, task 88013c44dbd0)
Nov 14 18:50:14 peleus kernel: [  992.628515] Stack:
Nov 14 18:50:14 peleus kernel: [  992.628515]   
 880138187000 a01da692
Nov 14 18:50:14 peleus kernel: [  992.628515] <0> 88000fcc16c0 
88013bfa1420 88013be07a00 0004
Nov 14 18:50:14 peleus kernel: [  992.628515] <0>  
a018fc65 000300015780 88013be07b50
Nov 14 18:50:14 peleus kernel: [  992.628515] Call Trace:
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
clone_endio+0x8a/0xad [dm_mod]
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
handle_stripe+0xc83/0x1785 [raid456]
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
__release_stripe+0x165/0x199 [raid456]
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
raid5d+0x3a5/0x3ee [raid456]
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
schedule_timeout+0x2e/0xdd
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
md_thread+0xf1/0x10f [md_mod]
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
autoremove_wake_function+0x0/0x2e
Nov 14 18:50:14 peleus kernel: [  992.628515]  [] ? 
md_thread+0x0/0x10f [md_mod]
Nov 14 18:50:1

Bug#536720: xen-utils-3.2-1: Missing import statement / Syntax Errors in XendPBD.py

2009-07-12 Thread Andreas Florath
Package: xen-utils-3.2-1
Severity: important


Hello!

When using xenapi.PBD.create() the following error occurs:
xen.xm.XenAPI.Failure: Internal error: global name 'genuuid' is not defined.
(Attached you can find the logging of the remote host.)

This (and other syntax errors) is already fixed in
xen-unstable.hg (see
http://xenbits.xensource.com/xen-unstable.hg?rev/7fd49c55c0b0).

xenapi.PBD.create() is usually one step in creating a new
VM, so the XenAPI currently cannot be used to create new VMs.

It would be great to add the patch to the lenny package.

Kind regards

Andreas Florath


--

Logging on the remote host:

[2009-07-10 16:37:21 3649] ERROR (xmlrpclib2:166) Internal error
handling PBD.create
Traceback (most recent call last):
  File "/usr/lib/xen-3.2-1/lib/python/xen/util/xmlrpclib2.py", line 131,
in _marshaled_dispatch
response = self._dispatch(method, params)
  File "/usr/lib/python2.5/SimpleXMLRPCServer.py", line 415, in _dispatch
return func(*params)
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 619, in

wrapped_f = (lambda *args: new_f(f, *args))
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 642, in

_ctor_event_dispatch(s, ctor, api_cls, session, args))
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 154, in
_ctor_event_dispatch
result = ctor(xenapi, session, *args)
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 221, in f
return func(self, *args, **kwargs)
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 256, in
check_session
return func(self, session, *args, **kwargs)
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendAPI.py", line 600, in

f(*args)))
  File "/usr/lib/xen-3.2-1/lib/python/xen/xend/XendPBD.py", line 68, in
create
uuid = genuuid.createString()
NameError: global name 'genuuid' is not defined







Bug#511350: Use $I in pcre for client IP address

2009-01-09 Thread Andreas Florath
Package: atftpd
Version: 0.7.dfsg-6
Severity: wishlist
Tags: patch

Hello!

The attached patch adds the possibility of adding the IP address of
the tftp client to the file path on the server side using $I.

With this extension it is possible that each client sees only its
own directory and files, so it is impossible for one client to fetch
files that are dedicated to another client.

Example: The line
^(\S+)$  $I/$0
allows that each client has access to exactly the one well defined
directory (base dir appended with the client's IP address).

Regards

Andreas Florath


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages atftpd depends on:
ii  debconf [debconf-2.0]        1.5.24        Debian configuration management sy
ii  libc6                        2.7-16        GNU C Library: Shared libraries
ii  libpcre3                     7.8-2         Perl 5 Compatible Regular Expressi
ii  libwrap0                     7.6.q-16      Wietse Venema's TCP wrappers libra
ii  openbsd-inetd [inet-superse  0.20080125-2  The OpenBSD Internet Superserver

atftpd recommends no packages.

Versions of packages atftpd suggests:
ii  logrotate 3.7.7-2Log rotation utility

-- debconf information excluded

diff -ru atftp-0.7.dfsg-6_orig/test/pcre_pattern.txt
atftp-0.7.dfsg-6/test/pcre_pattern.txt
--- atftp-0.7.dfsg-6_orig/test/pcre_pattern.txt2003-02-21
06:46:04.0 +0100
+++ atftp-0.7.dfsg-6/test/pcre_pattern.txt2008-12-22
14:34:10.0 +0100
@@ -6,3 +6,4 @@
 str$  replaced3
 repl(ace)  m$1
 ^\w*\.conf$  master.conf
+^iptest/(\S+)$  $I/$1
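Review bot: the new test line `^iptest/(\S+)$  $I/$1` introduces the `$I` placeholder without documenting it anywhere in the pattern file; add a comment line (the file already carries one pattern per line, so a leading `#` line or a note in the accompanying documentation) stating that `$I` expands to the requesting client's IPv4 address in dotted-quad form, so that readers of the test data know what the expected substitution result looks like.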
diff -ru atftp-0.7.dfsg-6_orig/tftpd.c atftp-0.7.dfsg-6/tftpd.c
--- atftp-0.7.dfsg-6_orig/tftpd.c2008-12-22 14:59:32.0 +0100
+++ atftp-0.7.dfsg-6/tftpd.c2008-12-22 12:11:35.0 +0100
@@ -962,7 +962,7 @@
 /* remove \n from input */
 string[strlen(string) - 1] = '\0';
 /* do the substitution */
-if (tftpd_pcre_sub(pcre_top, out, MAXLEN, string) < 0)
+if (tftpd_pcre_sub(pcre_top, out, MAXLEN, string,
0x7f01) < 0)
  printf("Substitution: \"%s\" -> \"\"\n", string);
 else
  printf("Substitution: \"%s\" -> \"%s\"\n",
string, out);
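Review bot: the bare literal `0x7f01` passed as the client address in the pattern-test path is unexplained and easy to mistype; use `INADDR_LOOPBACK` from <netinet/in.h> (it is in host byte order, which matches the `ntohl(...)` value the server path passes in the tftpd_file.c hunk) and add a comment saying the test tool has no real client, so the loopback address stands in for `$I`.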
diff -ru atftp-0.7.dfsg-6_orig/tftpd_file.c atftp-0.7.dfsg-6/tftpd_file.c
--- atftp-0.7.dfsg-6_orig/tftpd_file.c2004-02-18 03:21:47.0
+0100
+++ atftp-0.7.dfsg-6/tftpd_file.c2008-12-22 14:55:48.0 +0100
@@ -409,7 +409,7 @@
  struct sockaddr_in from;
  int sockfd = data->sockfd;
  struct tftphdr *tftphdr = (struct tftphdr *)data->data_buffer;
- FILE *fp;
+ FILE *fp = NULL;
  char filename[MAXLEN];
  char string[MAXLEN];
  int timeout = data->timeout;
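Review bot: `FILE *fp = NULL;` is required, not cosmetic: the later `#ifdef HAVE_PCRE` block tests `fp == NULL`, and this patch removes the `fopen()` that used to assign `fp` before that test, so without the initialiser the test would read an uninitialised pointer. A one-line comment at the declaration ("set only by the PCRE path or the non-PCRE fopen below") would save the next reader the search.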
@@ -429,7 +429,7 @@
  int prev_file_pos = 0;
  int temp = 0;
 
- /* look for mode option */
+/* look for mode option */
  if (strcasecmp(data->tftp_options[OPT_MODE].value, "netascii") == 0)
  {
   convert = 1;
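Review bot: this hunk only changes the indentation of the `/* look for mode option */` comment (a tab replaced by spaces) and has nothing to do with the `$I` feature; drop it so the patch stays minimal and whitespace noise is not mixed with the functional change.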
@@ -448,9 +448,6 @@
   return ERR;
  }
 
- /* verify that the requested file exist */
- fp = fopen(filename, "r");
-
 #ifdef HAVE_PCRE
  if (fp == NULL)
  {
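Review bot: removing the unconditional `fopen(filename, "r")` here changes behaviour for every HAVE_PCRE build, not only for users of `$I`: `fp` is now always NULL when the `#ifdef HAVE_PCRE` block is entered, so pattern substitution is no longer a fallback for files that do not exist but is applied to every request, and a request that matches no pattern is refused. That is exactly the isolation the description asks for (a client can no longer name another client's file directly), but it must be stated in the changelog since existing pattern files may not cover every legitimate request; the now-always-true `if (fp == NULL)` guard inside the `#ifdef` can be dropped at the same time.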
@@ -458,7 +455,8 @@
   if (pcre_top != NULL)
   {
if (tftpd_pcre_sub(pcre_top, string, MAXLEN,
- 
data->tftp_options[OPT_FILENAME].value) < 0)
+  data->tftp_options[OPT_FILENAME].value,
+  ntohl(sa->sin_addr.s_addr)) < 0)
{
 logger(LOG_DEBUG, "PCRE failed to match");
}
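Review bot: the new argument `ntohl(sa->sin_addr.s_addr)` hands `tftpd_pcre_sub` a host-byte-order value, whereas `in_addr_t` values taken from a `struct sockaddr_in` are conventionally kept in network order; pick one convention for the `client_ip` parameter and document it at the prototype, because the code that formats the `$I` string (`inet_ntoa`/`inet_ntop` expect network order) will print the octets reversed if it is handed the wrong one. `sa` is also not declared in the lines visible here; confirm it refers to the client's address and not to the local `from` buffer declared in the first hunk.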
@@ -484,6 +482,9 @@
}
   }
  }
+#else
+ /* verify that the requested file exist */
+ fp = fopen(filename, "r");
 #endif
  if (fp == NULL)
  {
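Review bot: the `#else` branch restores the direct `fopen()` only for builds without PCRE, so the two build configurations now differ in whether a request naming an existing file is served without pattern matching; a comment at the `#else` stating that the PCRE build deliberately requires a pattern match makes the asymmetry intentional rather than something the next maintainer "fixes" by putting the `fopen()` back.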
diff -ru atftp-0.7.dfsg-6_orig/tftpd_pcre.c atftp-0.7.dfsg-6/tftpd_pcre.c
--- atftp-0.7.dfsg-6_orig/tftpd_pcre.c2008-12-22 14:59:32.0
+0100
+++ atftp-0.7.dfsg-6/tftpd_pcre.c2008-12-22 15:13:04.0 +0100
@@ -195,7 +195,7 @@
 int tftpd_pcre_makesub(struct tftpd_pcre_pattern *pat,
char *outstr, int outsize,
char *str,
-   int *ovector, int matches)
+   int *ovector, int matches, in_addr_t client_ip)
 {
  char *chp, *outchp;
  const char *tmpstr;
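Review bot: `in_addr_t` in the new `tftpd_pcre_makesub` signature needs <netinet/in.h> included in tftpd_pcre.c, and the matching prototype change in the header that declares `tftpd_pcre_sub`/`tftpd_pcre_makesub` does not appear in the visible diff; include both, otherwise the callers changed in tftpd.c and tftpd_file.c compile against the old prototype.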
@@ -231,6 +231,24 @@
 break;
}
   }
+  
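Review bot: this hunk is truncated in the archived mail, so the code that expands `$I` cannot be reviewed here; whatever writes the dotted-quad address into `outstr` must be bounded by `outsize` in the same way the existing `$N` group expansion is, since `outstr` is a fixed `MAXLEN` buffer in both callers, and a failed conversion should make the function return an error rather than leave a partially written path that the caller then opens.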

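The part of the patch that expands `$I` is missing from the archived mail, so here is an added, self-contained illustration of the two things a reviewer would look for in it: a template expander that substitutes `$I` (the client IPv4 address, passed in host byte order as the patch does) and `$N` capture groups into a bounded output buffer, and a confinement check on the result. This is example code written for this page, not atftpd's own `tftpd_pcre_makesub`; the function names `expand_template`, `path_is_confined` and `run_example`, and the sample capture strings, are this example's own.

```c
/* Added example (not the atftpd patch's own code): a bounded expander for a
 * substitution template in the style of the pattern file above, supporting
 * "$I" (client IPv4 address, host byte order as the patch passes it) and
 * "$N" (capture group N), plus a confinement check on the result.
 * Function and parameter names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Append src to out at *pos; fail instead of overrunning outsize. */
static int append_bounded(char *out, int outsize, int *pos, const char *src)
{
    size_t len = strlen(src);
    if ((size_t)*pos + len + 1 > (size_t)outsize)  /* keep room for the NUL */
        return -1;
    memcpy(out + *pos, src, len);
    *pos += (int)len;
    out[*pos] = '\0';
    return 0;
}

/* Expand tmpl into out. captures[n] is the text of group n ($0 = whole
 * match). Returns the output length, or -1 on overflow or a bad escape. */
int expand_template(const char *tmpl, char *out, int outsize,
                    const char **captures, int ncaptures, in_addr_t client_ip)
{
    int pos = 0;
    if (outsize < 1) return -1;
    out[0] = '\0';
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '$') {
            char one[2] = { *p, '\0' };
            if (append_bounded(out, outsize, &pos, one) < 0) return -1;
            continue;
        }
        p++;                                   /* character after '$' */
        if (*p == 'I') {
            struct in_addr a;
            char ipstr[INET_ADDRSTRLEN];
            a.s_addr = htonl(client_ip);       /* inet_ntop wants network order */
            if (inet_ntop(AF_INET, &a, ipstr, sizeof ipstr) == NULL) return -1;
            if (append_bounded(out, outsize, &pos, ipstr) < 0) return -1;
        } else if (*p >= '0' && *p <= '9') {
            int n = *p - '0';
            if (n >= ncaptures || captures[n] == NULL) return -1;
            if (append_bounded(out, outsize, &pos, captures[n]) < 0) return -1;
        } else {
            return -1;                         /* unknown or dangling '$' */
        }
    }
    return pos;
}

/* 1 if path is relative and has no ".." component, else 0: keeps the
 * expanded path inside the per-client directory even when a capture group
 * carries traversal text. */
int path_is_confined(const char *path)
{
    const char *seg = path;
    if (path[0] == '/') return 0;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (slash == NULL) break;
        seg = slash + 1;
    }
    return 1;
}

/* Constructed scenario for the pattern-file line "^iptest/(\S+)$  $I/$1"
 * and a loopback client; returns 1 if every expectation holds. */
int run_example(void)
{
    const char *caps[] = { "iptest/firmware.bin", "firmware.bin" };
    char out[64];
    char small[8];
    int ok = 1;
    ok &= expand_template("$I/$1", out, sizeof out, caps, 2, INADDR_LOOPBACK) == 22;
    ok &= strcmp(out, "127.0.0.1/firmware.bin") == 0;
    ok &= expand_template("$I/$1", small, sizeof small, caps, 2, INADDR_LOOPBACK) == -1;
    ok &= expand_template("$I/$3", out, sizeof out, caps, 2, INADDR_LOOPBACK) == -1;
    ok &= path_is_confined("127.0.0.1/firmware.bin") == 1;
    ok &= path_is_confined("127.0.0.1/../10.0.0.5/firmware.bin") == 0;
    return ok;
}

int main(void)
{
    int ok = run_example();
    printf("example %s\n", ok ? "passed" : "failed");
    return ok ? 0 : 1;
}
```

The expander refuses to write past `outsize` and reports an error instead of truncating, which is the property the patch's `MAXLEN` buffers depend on; the confinement check is the second half of the isolation claim, since `$I` only helps if the captured part of the request cannot climb back out of the client's directory.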
Bug#142042: dependency problem of libcompat and libdpkg

2008-05-23 Thread Andreas Florath

Source: dpkg
Source-Version: 1.14.18

This does not fix the problem for me.  With the current version the 
compilation stops with:


gcc -std=gnu99  -g -O2  -Wl,-O1 -o dpkg archives.o cleanup.o configure.o 
depcon.o enquiry.o errors.o filesdb.o help.o main.o packages.o 
processarc.o remove.o select.o trigproc.o update.o 
../libcompat/libcompat.a -lintl ../lib/libdpkg.a
../lib/libdpkg.a(tarfn.o): In function `StoC':
/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/lib/tarfn.c:65: 
undefined reference to `strnlen'

collect2: ld returned 1 exit status
make[2]: *** [dpkg] Error 1
make[2]: Leaving directory 
`/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/build/src'

make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/build'
make: *** [all] Error 2

The configure script sees no strnlen:

[from config.log]
 checking for strnlen... no

and also the compat strnlen is built:

[from make output]
Making all in libcompat
make[2]: Entering directory 
`/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/build/libcompat'
gcc -std=gnu99 -DHAVE_CONFIG_H -I. 
-I/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat -I.. 
-idirafter 
/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat-g -O2 
-MT obstack.o -MD -MP -MF .deps/obstack.Tpo -c -o obstack.o 
/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat/obstack.c

mv -f .deps/obstack.Tpo .deps/obstack.Po
gcc -std=gnu99 -DHAVE_CONFIG_H -I. 
-I/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat -I.. 
-idirafter 
/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat-g -O2 
-MT strnlen.o -MD -MP -MF .deps/strnlen.Tpo -c -o strnlen.o 
/opt/gnu4u/pkg/0/0/64/build/stageP_dpkg/dpkg-1.14.18/libcompat/strnlen.c

mv -f .deps/strnlen.Tpo .deps/strnlen.Po
rm -f libcompat.a
ar cru libcompat.a   obstack.o strnlen.o
ranlib libcompat.a

It's really defined in libcompat:
> nm libcompat/libcompat.a | fgrep strnlen
strnlen.o:
 T strnlen

*BUT* (and this is IMHO the problem), libdpkg.a needs strnlen:
> nm lib/libdpkg.a | fgrep strnlen
U strnlen

So IMHO the ../libcompat/libcompat.a should be after the
../lib/libdpkg.a.  And this is true for at least 'dpkg', 'dpkg-query',
'dpkg-trigger', 'dpkg-deb'.

(The latter ones miss some _obstack_XXX functions.)

My environment:
SunOS 5.10 Generic_118833-33 sun4u sparc Solaris
gcc 4.3.0 / binutils 2.18

The attached patch solves the problem for me, but I don't know the
(intended) dependencies between libcompat, libdpkg and $(LIBINTL).

Regards

Andreas Florath

==
diff -r -u dpkg-1.14.18_orig/dpkg-deb/Makefile.am 
dpkg-1.14.18/dpkg-deb/Makefile.am
--- dpkg-1.14.18_orig/dpkg-deb/Makefile.am  2008-04-09 
08:35:16.0 +0200

+++ dpkg-1.14.18/dpkg-deb/Makefile.am   2008-05-23 16:13:17.575618000 +0200
@@ -17,5 +17,5 @@
   main.c

dpkg_deb_LDADD = \
-   ../libcompat/libcompat.a \
-   $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS) $(SELINUX_LIBS)
+   ../lib/libdpkg.a ../libcompat/libcompat.a \
+   $(LIBINTL) $(ZLIB_LIBS) $(BZ2_LIBS) $(SELINUX_LIBS)
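Review bot: the reorder is the right fix for static archives: the linker scans each `.a` once, left to right, and pulls in only members that satisfy symbols undefined at that point, so `libcompat.a` must follow every archive that consumes its `strnlen`/obstack members (the `nm` output above shows `U strnlen` in libdpkg.a and `T strnlen` in libcompat.a). `$(LIBINTL)` is correctly kept after both archives for the same reason. A short comment in Makefile.am or the changelog explaining the ordering would stop a later cleanup from restoring the old order.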
diff -r -u dpkg-1.14.18_orig/dpkg-split/Makefile.am 
dpkg-1.14.18/dpkg-split/Makefile.am
--- dpkg-1.14.18_orig/dpkg-split/Makefile.am2008-04-09 
08:35:16.0 +0200

+++ dpkg-1.14.18/dpkg-split/Makefile.am 2008-05-23 16:13:33.952855000 +0200
@@ -19,9 +19,9 @@
   split.c

dpkg_split_LDADD = \
+   ../lib/libdpkg.a \
   ../libcompat/libcompat.a \
-   $(LIBINTL) \
-   ../lib/libdpkg.a
+   $(LIBINTL)


pkglib_SCRIPTS = mksplit
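Review bot: same ordering fix as in dpkg-deb, but the layout differs: here the three entries stay on separate lines while the dpkg-deb hunk collapses `../lib/libdpkg.a ../libcompat/libcompat.a` onto one line. Pick one layout for all the `*_LDADD` variables touched by this patch.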
diff -r -u dpkg-1.14.18_orig/src/Makefile.am dpkg-1.14.18/src/Makefile.am
--- dpkg-1.14.18_orig/src/Makefile.am   2008-04-09 08:35:17.0 +0200
+++ dpkg-1.14.18/src/Makefile.am2008-05-23 16:12:52.448082000 +0200
@@ -28,8 +28,8 @@
   update.c

dpkg_LDADD = \
-   ../libcompat/libcompat.a \
-   $(LIBINTL) ../lib/libdpkg.a $(ZLIB_LIBS) $(BZ2_LIBS) $(SELINUX_LIBS)
+   ../lib/libdpkg.a ../libcompat/libcompat.a \
+   $(LIBINTL) $(ZLIB_LIBS) $(BZ2_LIBS) $(SELINUX_LIBS)

dpkg_query_SOURCES = \
   errors.c \
@@ -37,17 +37,17 @@
   query.c

dpkg_query_LDADD = \
+   ../lib/libdpkg.a \
   ../libcompat/libcompat.a \
-   $(LIBINTL) \
-   ../lib/libdpkg.a
+   $(LIBINTL)

dpkg_trigger_SOURCES = \
   trigcmd.c

dpkg_trigger_LDADD = \
+   ../lib/libdpkg.a \
   ../libcompat/libcompat.a \
-   $(LIBINTL) \
-   ../lib/libdpkg.a
+   $(LIBINTL)

install-data-local:
   $(mkdir_p) $(DESTDIR)$(admindir)/alternatives
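Review bot: dpkg-query and dpkg-trigger get the same ordering as dpkg, and the bug text says these are the programs that also miss `_obstack_*` members from libcompat; rather than repeating the same three-entry sequence in every `*_LDADD`, a single variable such as `DPKG_LIBS = ../lib/libdpkg.a ../libcompat/libcompat.a $(LIBINTL)` (name suggested here, not from the patch) reused by each program would keep the order from drifting between them.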



