[pkg-apparmor] Bug#903633: Please set proper SELinux labels

Laurent Bigonville bigon at debian.org
Thu Jul 12 10:24:19 BST 2018 

Source: apparmor
Version: 2.13-2
Severity: normal
Tags: patch
User: selinux-devel at lists.alioth.debian.org
Usertags: selinux

Hi,

When updating/installing the apparmor package, the postinstallation
script is creating a bunch of files in /tmp and the moves them in
/etc/apparmor.

If SELinux is enabled on the machine (that can happen as apparmor is now
installed by default) the files get a wrong label.

To fix that you can use the -Z option of the mv command, this is an
option that is available since coreutils 8.22 (which is already in
oldstable).

Could you please apply the attached patch?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

-- debconf information:
* apparmor/homedirs:
-------------- next part --------------
diff -Nru apparmor-2.13/debian/aa-update-browser apparmor-2.13/debian/aa-update-browser
--- apparmor-2.13/debian/aa-update-browser	2018-07-07 19:15:31.000000000 +0200
+++ apparmor-2.13/debian/aa-update-browser	2018-07-12 11:11:05.000000000 +0200
@@ -139,7 +139,7 @@
         rm -f "$tmp"
         continue
     fi
-    mv -f "$tmp" "$dir/$include" || {
+    mv -Z -f "$tmp" "$dir/$include" || {
         rm -f "$tmp"
         exit 1
     }
diff -Nru apparmor-2.13/debian/apparmor.postinst apparmor-2.13/debian/apparmor.postinst
--- apparmor-2.13/debian/apparmor.postinst	2018-07-07 19:15:31.000000000 +0200
+++ apparmor-2.13/debian/apparmor.postinst	2018-07-12 11:10:41.000000000 +0200
@@ -56,7 +56,7 @@
 EOM
         fi
         mkdir -p /etc/apparmor.d/tunables/home.d 2>/dev/null || true
-        mv -f "$tmp" /etc/apparmor.d/tunables/home.d/ubuntu
+        mv -Z -f "$tmp" /etc/apparmor.d/tunables/home.d/ubuntu
         chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu
 
         if [ ! -e /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local ]; then
@@ -86,7 +86,7 @@
 EOM
 
             mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d 2>/dev/null || true
-            mv -n "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
+            mv -Z -n "$tmp" /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
             chmod 644 /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local
         fi

More information about the pkg-apparmor-team mailing list