[DSE-Dev] Bug#772828: (no subject)
Bart-Jan Vrielink
bartjan at vrielink.net
Thu Dec 11 14:53:49 UTC 2014
Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: important
Dear Maintainer,
I am trying to get this machine to work properly under SELinux enforcing mode,
but run into all kinds of interesting issues.
One of these issues is that etckeeper, when run from cron, tries to read and
write various files in /etc, but this is not allowed by the system_cronjob_t
type the cronjob runs under.
How etckeeper works is that it scans /etc and for each file that was changed,
it commits it into git (or similar). The default path of this repository is
/etc/.git (etc_t). It also wants to modify /etc/.etckeeper and have read access
to each and any file in /etc (except for files that are ignored in
/etc/.gitignore).
I do not think it is wise to grant system_cronjob_t write permission to etc_t
files, and also not wise to grant it read permission to each and any file in
/etc. I'm not sure what the best approach should be, but I think it should
start with a process transition, so that etckeeper runs in its own type.
root at ix:~# dpkg -l etckeeper
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  etckeeper      1.15         all          store /etc in git, mercurial, bzr
root at ix:~#
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (750, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.8-2
ii selinux-utils 2.3-2
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
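The domain transition the report asks for, sketched as an added example that is not part of the bug report or of the selinux-policy-default package. It writes a small refpolicy module (etckeeper.te / etckeeper.fc) that moves etckeeper out of system_cronjob_t into its own domain, gives that domain read access to etc_t, and confines write access to a new label on /etc/.git and /etc/.etckeeper, which is the split the reporter argues for. Assumptions: the type names etckeeper_t, etckeeper_exec_t and etckeeper_git_t are chosen here; the script is installed as /usr/bin/etckeeper as in the Debian package; the interface names (cron_system_entry, application_domain, files_etc_filetrans, and so on) and the header Makefile under /usr/share/selinux/default/include are those of the Debian refpolicy headers (selinux-policy-dev) of that era and may need adjusting on another policy version.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy-default):
# a minimal refpolicy module giving etckeeper its own domain when run from cron.
# Type names, interface names and paths below are assumptions for illustration.
set -eu

# Write etckeeper.te and etckeeper.fc into the directory given as $1.
write_etckeeper_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/etckeeper.te" <<'EOF'
policy_module(etckeeper, 1.0.0)

########################################
#
# Declarations
#

type etckeeper_t;
type etckeeper_exec_t;
application_domain(etckeeper_t, etckeeper_exec_t)

# Private label for the repository under /etc and the metadata file, so write
# access can be granted to them without granting it to etc_t.
type etckeeper_git_t;
files_type(etckeeper_git_t)

########################################
#
# Policy
#

# Leave system_cronjob_t when cron executes the etckeeper script.
cron_system_entry(etckeeper_t, etckeeper_exec_t)

# Full control over the repository and metadata only; new .git / .etckeeper
# entries created directly under /etc get the private label automatically.
manage_dirs_pattern(etckeeper_t, etckeeper_git_t, etckeeper_git_t)
manage_files_pattern(etckeeper_t, etckeeper_git_t, etckeeper_git_t)
manage_lnk_files_pattern(etckeeper_t, etckeeper_git_t, etckeeper_git_t)
files_etc_filetrans(etckeeper_t, etckeeper_git_t, { dir file }, ".git")
files_etc_filetrans(etckeeper_t, etckeeper_git_t, file, ".etckeeper")

# Read-only view of ordinary configuration files. Anything under /etc with a
# more specific label (shadow_t, for example) stays denied and is visible in
# the audit log, so the decision to expose it is made explicitly, not here.
files_search_etc(etckeeper_t)
files_read_etc_files(etckeeper_t)
files_read_etc_symlinks(etckeeper_t)

# etckeeper is a shell script that runs git and other helpers from /usr/bin.
corecmd_exec_shell(etckeeper_t)
corecmd_exec_bin(etckeeper_t)

miscfiles_read_localization(etckeeper_t)
logging_send_syslog_msg(etckeeper_t)
EOF
    cat > "$dir/etckeeper.fc" <<'EOF'
# Entry point for the domain transition (assumed path of the Debian package).
/usr/bin/etckeeper      --      gen_context(system_u:object_r:etckeeper_exec_t,s0)
# The repository and the metadata file the report says etckeeper rewrites.
/etc/\.git(/.*)?                gen_context(system_u:object_r:etckeeper_git_t,s0)
/etc/\.etckeeper        --      gen_context(system_u:object_r:etckeeper_git_t,s0)
EOF
}

# Compile against the refpolicy headers, load the module and relabel the paths
# it claims. Must run as root on the SELinux machine itself.
build_etckeeper_policy() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/default/include/Makefile etckeeper.pp
    semodule -i "$dir/etckeeper.pp"
    restorecon -Rv /usr/bin/etckeeper /etc/.git /etc/.etckeeper
}

# Returns 0 if the generated .te contains the cron domain transition.
policy_has_cron_entry() {
    grep -q 'cron_system_entry(etckeeper_t, etckeeper_exec_t)' "$1/etckeeper.te"
}

# Returns 0 if the generated .te grants no write interface on etc_t at all.
policy_keeps_etc_readonly() {
    ! grep -Eq 'files_(manage|rw|write|create)_etc' "$1/etckeeper.te"
}

# Usage: sh etckeeper-policy.sh build /root/etckeeper-policy
case "${1:-}" in
    build) write_etckeeper_policy "${2:-./etckeeper-policy}"
           build_etckeeper_policy "${2:-./etckeeper-policy}" ;;
esac
```

Two caveats a practitioner will hit on the first run. First, this module deliberately grants etckeeper_t no write access to etc_t directories, so if etckeeper or git replaces /etc/.etckeeper by writing a temporary file next to it and renaming, the audit log will show add_name/remove_name denials on the /etc directory; whether to allow that narrow case is exactly the trade-off the report raises. Second, `git status` stats every file in /etc, so getattr denials on files with more specific labels are expected and must be decided on individually rather than collapsed into a blanket read-all rule; `audit2allow -a` after a test run lists what is still missing.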