Your message dated Mon, 21 Apr 2014 21:51:18 +0000
with message-id <[email protected]>
and subject line Bug#740682: fixed in refpolicy 2:2.20140421-1
has caused the Debian Bug report #740682,
regarding avc: denied { getattr } for /sbin/setfiles (virtual filesystem roots)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
740682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: refpolicy
Version: 2:2.20140206-1
Severity: normal

This seems to happen on any invocation of restorecon (as the unconfined
superuser):

type=AVC msg=audit(1393898218.762:233): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=75736f6e2c6c6562 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:234): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d295 a1=7fffe0d11a70 a2=7f74fdd8d295 a3=6f6d2c3738353332 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:235): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:235): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d297 a1=7fffe0d11a70 a2=7f74fdd8d297 a3=3d65646f6d2c353d items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is one of the last things I need to correct before I can switch to
enforcing mode, but I'm at a complete loss as to what might be wrong.

Possibly relevant:

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=123587,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=102028k,mode=755)
/dev/xvda on / type ext3 (rw,noatime,seclabel,errors=remount-ro,barrier=1,data=ordered)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=256480k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:tmp_t:s0,seclabel,size=256480k)

# ls -ldZ / /sys /proc /dev /dev/pts /run /run/lock /run/shm /tmp
drwxr-xr-x. 22 root root system_u:object_r:root_t:SystemLow 4096 Mar 2 23:23 /
drwxr-xr-x. 11 root root system_u:object_r:device_t:SystemLow 2580 Mar 4 01:17 /dev
drwxr-xr-x. 2 root root system_u:object_r:devpts_t:SystemLow 0 Mar 4 01:16 /dev/pts
dr-xr-xr-x. 95 root root system_u:object_r:proc_t:SystemLow 0 Mar 4 01:16 /proc
drwxr-xr-x. 15 root root system_u:object_r:var_run_t:SystemLow 600 Mar 4 01:17 /run
drwxrwxrwt. 3 root root system_u:object_r:var_lock_t:SystemLow 60 Mar 4 01:17 /run/lock
drwxrwxrwt. 2 root root system_u:object_r:tmpfs_t:SystemLow 60 Mar 4 01:16 /run/shm
drwxr-xr-x. 13 root root system_u:object_r:sysfs_t:SystemLow 0 Mar 4 01:16 /sys
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:SystemLow 40 Mar 4 02:02 /tmp

# ls -lZ /sbin/setfiles
-rwxr-xr-x. 1 root root system_u:object_r:setfiles_exec_t:SystemLow 26488 Dec 29 13:44 /sbin/setfiles

I'm running a mostly-stable system with selected things from testing:
in particular, everything to do with SELinux is from testing. I cannot
run the kernel from testing because the cloud provider's pv-grub is too
old for it.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable'), (100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20140421-1

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 21 Apr 2014 23:37:53 +0200
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20140421-1
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 707246 740591 740682
Changes:
 refpolicy (2:2.20140421-1) unstable; urgency=medium
 .
   * Team upload.
   * New GIT snapshot of the policy
     - Drop debian/patches/upstream/*.patch: Applied upstream
     - Label /etc/locale.alias as locale_t (Closes: #707246)
     - Allow xdm_t to execute gkeyringd_domains and to transition to them
     - Label postgresql manpages properly (Closes: #740591)
     - Allow setfiles_t and restorecond_t to getattr from all fs that
       support xattr (Closes: #740682)
   * Refresh debian/modules.conf.default, debian/modules.conf.mls: Start
     building the shibboleth module
--- End Message ---
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
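
Added example (not part of the original messages and not refpolicy code): a small Python parser that groups the AVC records from the report by source type, target type and class, and lists the allow rules those denials imply. It also pairs each AVC record with its SYSCALL record by audit event id; a denial whose syscall still shows success=yes was logged but not blocked, which matches a system that has not yet been switched to enforcing mode. The sample records are abridged from the report and the function names are illustrative.

```python
import re
from collections import defaultdict

# Records abridged from the report (SYSCALL fields trimmed). On x86_64
# (arch=c000003e) syscall 137 is statfs, hence getattr on class "filesystem".
SAMPLE = '''\
type=AVC msg=audit(1393898218.762:233): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:233): arch=c000003e syscall=137 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles"
type=AVC msg=audit(1393898218.762:234): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:234): arch=c000003e syscall=137 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles"
type=AVC msg=audit(1393898218.762:235): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=devpts ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:235): arch=c000003e syscall=137 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles"
type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles"
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
SYS_RE = re.compile(r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?success=(?P<ok>\w+)')

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is the third field.
    return context.split(':')[2]

def summarize(log_text):
    """Return (rules, logged_only): implied allow rules, and denied events whose syscall succeeded."""
    perms = defaultdict(set)
    denied, succeeded = set(), set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
            perms[key].update(m['perms'].split())
            denied.add(m['event'])
            continue
        m = SYS_RE.search(line)
        if m and m['ok'] == 'yes':
            succeeded.add(m['event'])
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(perms.items())]
    return rules, sorted(denied & succeeded)

if __name__ == "__main__":
    rules, logged_only = summarize(SAMPLE)
    print("\n".join(rules))
    print("denied but not blocked:", logged_only)
```

Every rule produced has setfiles_t as the source and filesystem getattr as the permission, differing only in the target filesystem type, which is the pattern the changelog entry for #740682 addresses for all filesystems that support xattr.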
