Your message dated Mon, 21 Apr 2014 21:51:18 +0000
with message-id <[email protected]>
and subject line Bug#707246: fixed in refpolicy 2:2.20140421-1
has caused the Debian Bug report #707246,
regarding selinux-policy-default: dmesg produce AVC when trying to access to /etc/locale.alias
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
707246: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707246
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Hi,

Having decided to give a test at SELinux, I have installed a Debian 6.0 and
later upgraded to 7.0. As recommended on the wiki, I first did a boot with
SELinux in permissive mode to see if there are potential errors, and found
several AVC.

On boot, it seems something is running dmesg in a confined domain:

[ 11.562532] type=1400 audit(1367756552.570:6): avc: denied { read } for pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 11.562557] type=1400 audit(1367756552.570:7): avc: denied { open } for pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 11.562617] type=1400 audit(1367756552.570:8): avc: denied { getattr } for pid=626 comm="dmesg" path="/etc/locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

And domain system_u:system_r:dmesg_t:s0 cannot read /etc/locale.alias, as
that file is not labeled to something special. I assume that it should be
labeled locale_t, since dmesg has access to that domain:

# sesearch -s dmesg_t -A -c file -t locale_t
Found 1 semantic av rules:
   allow dmesg_t locale_t : file { ioctl read getattr lock open } ;

There is however no side effect to the AVC, except noise.

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
--- End Message ---
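
The reasoning in the report above, as an added example that is not part of the original message or of refpolicy: this Python sketch folds the three denials into one (source type, target type, class) entry and lists the target types the domain may already access with every denied permission. The log lines and the sesearch rule are copied from the report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC denials copied from the bug report.
AVC_LOG = """\
[ 11.562532] type=1400 audit(1367756552.570:6): avc: denied { read } for pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 11.562557] type=1400 audit(1367756552.570:7): avc: denied { open } for pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[ 11.562617] type=1400 audit(1367756552.570:8): avc: denied { getattr } for pid=626 comm="dmesg" path="/etc/locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""
# Rule printed by `sesearch -s dmesg_t -A -c file -t locale_t` in the report.
SESEARCH_OUT = "allow dmesg_t locale_t : file { ioctl read getattr lock open } ;"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for m in AVC_RE.finditer(log):
        perms, scon, tcon, tclass = m.groups()
        denied[(ctx_type(scon), ctx_type(tcon), tclass)].update(perms.split())
    return dict(denied)

def parse_rules(text):
    """Parse sesearch-style allow rules into {(source, target, class): perms}."""
    rules = defaultdict(set)
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules[(src, tgt, cls)].update(perms.split())
    return dict(rules)

def relabel_candidates(denied, rules):
    """Per denial, target types the source already reaches with all denied perms."""
    out = {}
    for (src, tgt, cls), perms in denied.items():
        out[(src, tgt, cls)] = sorted(
            t for (s, t, c), allowed in rules.items()
            if s == src and c == cls and perms <= allowed)
    return out

if __name__ == "__main__":
    denied = collect_denials(AVC_LOG)
    for key, types in relabel_candidates(denied, parse_rules(SESEARCH_OUT)).items():
        print(key, sorted(denied[key]), "-> relabel candidates:", types)
```

A candidate type means the denial can be resolved by relabeling the file, as the fix in 2:2.20140421-1 does with locale_t, rather than by widening dmesg_t's access to etc_t.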
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20140421-1

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 21 Apr 2014 23:37:53 +0200
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20140421-1
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 707246 740591 740682
Changes:
 refpolicy (2:2.20140421-1) unstable; urgency=medium
 .
   * Team upload.
   * New GIT snapshot of the policy
     - Drop debian/patches/upstream/*.patch: Applied upstream
     - Label /etc/locale.alias as locale_t (Closes: #707246)
     - Allow xdm_t to execute gkeyringd_domains and to transition to them
     - Label postgresql manpages properly (Closes: #740591)
     - Allow setfiles_t and restorecond_t to getattr from all fs that support
       xattr (Closes: #740682)
   * Refresh debian/modules.conf.default, debian/modules.conf.mls: Start
     building the shibboleth module
--- End Message ---
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
