Bug#909523: Intent to NMU (Re: Bug#909523: Default configuration is incompatible with a non-SELinux active LSM)

2019-07-19 Thread Dmitry Smirnov
On Saturday, 20 July 2019 1:09:11 AM AEST intrigeri wrote:
> Done (0.10.10-0.2). This was my first attempt at using dgit to NMU so
> let's hope I did not bork it.
> 
> I'm attaching the 3 commits I did on top of 0.10.10-0.1.

Awesome, thank you. I've just realised that we had no _cachefilesd_ on Salsa
so I've imported the old repository and applied your patches on top:

  https://salsa.debian.org/debian/cachefilesd

-- 
Best wishes,
 Dmitry Smirnov.

---

A man who knows a subject thoroughly, a man so soaked in it that he eats
it, sleeps it and dreams it - this man can always teach it with success, no
matter how little he knows of technical pedagogy.
-- H. L. Mencken




Bug#909523: Intent to NMU (Re: Bug#909523: Default configuration is incompatible with a non-SELinux active LSM)

2019-07-19 Thread intrigeri
Hi,

intrigeri:
> Dmitry Smirnov:
>>> If one of you feels responsible for maintaining this package but
>>> temporarily lacks time, I (or one of the attendees to one of the many
>>> upcoming BSPs) will gladly fix this with a NMU.

>> Please, please. That would be really nice if you could. Thanks.

Done (0.10.10-0.2). This was my first attempt at using dgit to NMU so
let's hope I did not bork it.

I'm attaching the 3 commits I did on top of 0.10.10-0.1.

Cheers,
-- 
intrigeri

From 6c9e84a021b24d98314e44c1063712596752e1aa Mon Sep 17 00:00:00 2001
From: intrigeri 
Date: Fri, 19 Jul 2019 14:49:19 +
Subject: [PATCH 1/3] Disable secctx in the default cachefilesd.conf (Closes:
 #909523).

This configuration line assumes that:

 - either there is no active LSM, which is wrong on Buster
   where AppArmor is enabled by default;

 - or SELinux is the active LSM, which is a rare configuration on Debian.

When this assumption is wrong, i.e. in most cases on current Debian
Buster/testing/sid, cachefilesd fails to start if this configuration
line is enabled.
---
 cachefilesd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cachefilesd.conf b/cachefilesd.conf
index 6905281..bf14950 100644
--- a/cachefilesd.conf
+++ b/cachefilesd.conf
@@ -21,4 +21,4 @@ fstop 3%
 
 # Assuming you're using SELinux with the default security policy included in
 # this package
-secctx system_u:system_r:cachefiles_kernel_t:s0
+# secctx system_u:system_r:cachefiles_kernel_t:s0
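Review bot: The comment kept as context above the changed line ("Assuming you're using SELinux with the default security policy included in this package") now sits over a commented-out directive and no longer tells the administrator what to do. Reword it so the file explains itself, for example "Uncomment the following line only if SELinux is the active LSM", and mention that cachefilesd fails to start with this line enabled under another LSM such as AppArmor, as the commit message states.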
-- 
2.22.0

From a5b3654d8f7fbdf81293be906f4f8603a59bad99 Mon Sep 17 00:00:00 2001
From: intrigeri 
Date: Fri, 19 Jul 2019 14:54:11 +
Subject: [PATCH 2/3] README.Debian: document how to set the correct security
 context under SELinux.

---
 debian/README.Debian | 7 +++
 1 file changed, 7 insertions(+)
 create mode 100644 debian/README.Debian

diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000..4658b2b
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,7 @@
+SELinux
+===
+
+When the SELinux LSM is active, in order to set the correct security
+context for cachefilesd, uncomment the "secctx" line in
+/etc/cachefilesd.conf.
+
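Review bot: The new README.Debian text says when to uncomment "secctx" but not why the line ships disabled. Add a sentence stating that with a non-SELinux LSM active (AppArmor is enabled by default on Buster, per the commit message of patch 1/3) cachefilesd fails to start if the line is enabled, so a reader who opens this file while debugging a start failure gets the cause as well as the SELinux instruction. The empty added line at the end of the new file can also be dropped.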
-- 
2.22.0

From 044f44ed267e084cc24103a662456b0c7199ee09 Mon Sep 17 00:00:00 2001
From: intrigeri 
Date: Fri, 19 Jul 2019 14:55:38 +
Subject: [PATCH 3/3] cachefilesd (0.10.10-0.2)

Git-Dch: Ignore
---
 debian/changelog | 9 +
 1 file changed, 9 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1ec7b2f..74c5188 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+cachefilesd (0.10.10-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Disable secctx in the default cachefilesd.conf (Closes: #909523).
+Accordingly, document in README.Debian how to set the correct security
+context under SELinux.
+
+ -- intrigeri   Fri, 19 Jul 2019 14:55:33 +
+
 cachefilesd (0.10.10-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
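Review bot: The second sentence of the new changelog bullet ("Accordingly, document in README.Debian ...") describes a separate change, the new debian/README.Debian file, and would be easier to find as its own "*" item. The entry could also say that systems running SELinux now have to uncomment secctx themselves, since the bullet only states that the line was disabled in the default configuration.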
-- 
2.22.0



Bug#909523: Intent to NMU (Re: Bug#909523: Default configuration is incompatible with a non-SELinux active LSM)

2018-12-17 Thread intrigeri
Hi,

Dmitry Smirnov:
> IMHO something that is so easy to fix hardly qualifies for severity 
> "serious"...

To fix this a user needs to first guess that the problem is related to
AppArmor and then find a workaround (either a way to fully disable
AppArmor, which causes unfortunate regressions elsewhere; or the
better fix I've proposed here, which I found only by reading the
kernel source code). This process does not look easy to me but YMMV
and I won't argue about it endlessly: I can very well live with this
bug severity being downgraded if you prefer :)

>> If one of you feels responsible for maintaining this package but
>> temporarily lacks time, I (or one of the attendees to one of the many
>> upcoming BSPs) will gladly fix this with a NMU.

> Please, please. That would be really nice if you could. Thanks.

OK, will do next time I go through the AppArmor-related bugs, probably
in a few weeks or so.

Cheers,
-- 
intrigeri
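
The mismatch described in this thread (an enabled "secctx" line while the active LSM is not SELinux) can be checked before starting the daemon. The script below is an added example, not part of the thread or of the cachefilesd package; it assumes the kernel lists its LSMs in /sys/kernel/security/lsm, and the function names and the apparmor/smack list are illustrative choices.

```shell
#!/bin/sh
# Added example: does an enabled "secctx" line fit the LSMs the kernel reports?

# Print the value of the first uncommented secctx line; fail if there is none.
active_secctx() {
    awk '$1 == "secctx" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# Succeed if LSM name $1 appears in the comma-separated list $2.
lsm_listed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secctx CONF LSM_LIST: print a verdict, return 1 on a mismatch.
check_secctx() {
    conf=$1 lsms=$2
    if ! ctx=$(active_secctx "$conf"); then
        echo "ok: no secctx line enabled"
        return 0
    fi
    if lsm_listed selinux "$lsms"; then
        echo "ok: secctx $ctx with SELinux active"
        return 0
    fi
    # Assumption: these names stand for "a non-SELinux active LSM".
    for other in apparmor smack; do
        if lsm_listed "$other" "$lsms"; then
            echo "mismatch: secctx $ctx enabled but active LSM is $other"
            return 1
        fi
    done
    echo "ok: secctx $ctx enabled and no such LSM active"
    return 0
}

# Check the live system only when a config path is given as an argument.
if [ "$#" -ge 1 ]; then
    check_secctx "$1" "$(cat /sys/kernel/security/lsm 2>/dev/null)"
fi
```

Run it as `sh check.sh /etc/cachefilesd.conf`; a "mismatch" verdict corresponds to the start failure reported in this bug.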