[DSE-Dev] Bug#722700: selinux-policy-default: Permission block_suspend in class capability2 not defined in policy.

Leos Bitto Leos.Bitto at gmail.com
Fri Sep 13 12:17:18 UTC 2013

Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

this is an example from "ausearch -m avc":

type=SYSCALL msg=audit(1379073446.149:88): arch=40000003 syscall=255 success=yes exit=0 a0=e a1=2 a2=1f a3=bfff9d34 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="master" exe="/usr/lib/postfix/master" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1379073446.149:88): avc:  denied  { block_suspend } for  pid=2597 comm="master" capability=36  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability2

This cannot be solved with the usual audit2allow, because when rebuilding the policy there is this error message from the kernel: "SELinux:  Permission block_suspend in class capability2 not defined in policy."

Check the same issue in Fedora: https://lists.fedoraproject.org/pipermail/users/2012-August/423398.html

Please update the package selinux-policy-default to a newer version from upstream to make it compatible with the used kernel (currently 3.10 in jessie).

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.10-2-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-9
ii  libselinux1      2.1.13-2
ii  libsepol1        2.1.9-2
ii  policycoreutils  2.1.13-2+b1
ii  python           2.7.5-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.12-1
ii  setools      3.3.8-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
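
An added triage example, not part of the original report and not code from Debian or the policy project: it parses AVC denials and flags those whose permission is missing from the policy's class definition, the case the report says audit2allow cannot fix. The function names are hypothetical, `SAMPLE_POLICY` and the second log line are constructed, and the selinuxfs mount point is assumed to be `/sys/fs/selinux`.

```python
import os
import re

# Fields of an AVC denial record that matter for this check.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (scontext, tclass, [perms]) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m.group("scontext"), m.group("tclass"), m.group("perms").split()

def loaded_perms(tclass, root="/sys/fs/selinux/class"):
    """Permissions the loaded policy defines for tclass (assumed mount point)."""
    path = os.path.join(root, tclass, "perms")
    return set(os.listdir(path)) if os.path.isdir(path) else set()

def undefined_denials(lines, policy_perms):
    """List (domain, class, perm) denials whose perm the policy does not define.

    policy_perms maps class name -> set of permission names. An allow rule
    cannot grant these; the policy must first define the permission.
    """
    findings = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL and other record types are skipped
        scontext, tclass, perms = parsed
        for perm in perms:
            if perm not in policy_perms.get(tclass, set()):
                findings.append((scontext.split(":")[2], tclass, perm))
    return findings

SAMPLE_LOG = [
    # AVC record from the report above
    'type=AVC msg=audit(1379073446.149:88): avc:  denied  { block_suspend } for  pid=2597 comm="master" capability=36  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability2',
    # Constructed record: a denial whose permission the policy does define
    'type=AVC msg=audit(0.0:1): avc:  denied  { read } for  pid=1 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file',
]
# Constructed stand-in for a policy without block_suspend in capability2
SAMPLE_POLICY = {"capability2": {"mac_override", "mac_admin", "syslog"},
                 "file": {"read", "write", "open"}}

if __name__ == "__main__":
    for domain, tclass, perm in undefined_denials(SAMPLE_LOG, SAMPLE_POLICY):
        print(f"{domain}: {tclass}:{perm} not defined in policy")
```

On a live system, build the permission map with `loaded_perms()` for each class seen in the log instead of using the constructed `SAMPLE_POLICY`.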
