[DSE-Dev] Bug#757994: selinux-policy-default: Installing x11-common fails when SELinux is set to enforcing

Andreas Florath andre at flonatel.org
Wed Aug 13 07:25:14 UTC 2014


Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: normal

Dear Maintainer,

installing x11-common fails:

root@debselinux01:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

root@debselinux01:~# se_apt-get install x11-common
[...]
Setting up x11-common (1:7.7+7) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Failed to issue method call: Access denied
invoke-rc.d: initscript x11-common, action "start" failed.
dpkg: error processing package x11-common (--configure):
 subprocess installed post-installation script returned error exit status 4
E: Sub-process /usr/bin/dpkg returned an error code (1)

Two AVCs are logged:
type=USER_AVC msg=audit(1407870310.296:105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl -p LoadState show x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1407870310.336:106): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl start x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

The cause of this is that x11-common.service is a link to /dev/null.

I'm currently working on a patch for this and hopefully can provide it within the next few days.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
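
Added example, not part of the original bug report: a small Python parser that picks out USER_AVC denials of class "service" whose unit path is /dev/null, the pattern in the two records quoted above. The sample lines are constructed (the first two shortened from the report, the last two invented controls), and the function names and the type example_unit_t are hypothetical.

```python
import re

# Constructed sample: records 1-2 are shortened from the report above,
# records 3-4 are invented controls (example_unit_t is a made-up type).
SAMPLE = """\
type=USER_AVC msg=audit(1407870310.296:105): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl -p LoadState show x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/lib/systemd/systemd"'
type=USER_AVC msg=audit(1407870310.336:106): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/dev/null" cmdline="systemctl start x11-common.service" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=service  exe="/lib/systemd/systemd"'
type=USER_AVC msg=audit(1407870311.000:107): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=0 uid=0 gid=0 path="/lib/systemd/system/example.service" cmdline="systemctl start example.service" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:example_unit_t:s0 tclass=service'
type=AVC msg=audit(1407870312.000:108): avc:  denied  { read } for pid=999 comm="cat" name="null" scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>[^']*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_user_avc(line):
    """Return the fields of a denied USER_AVC record as a dict, else None."""
    if not line.startswith("type=USER_AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def se_type(context):
    """Extract the type from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def masked_unit_denials(lines):
    """List service-class denials where the unit path is /dev/null."""
    hits = []
    for line in lines:
        f = parse_user_avc(line)
        if f and f.get("tclass") == "service" and f.get("path") == "/dev/null":
            hits.append((se_type(f.get("scontext", "")), se_type(f.get("tcontext", "")),
                         tuple(f["perms"]), f.get("cmdline")))
    return hits

if __name__ == "__main__":
    for hit in masked_unit_denials(SAMPLE.splitlines()):
        print(hit)
```
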


