[DSE-Dev] Bug#772828: (no subject)

Bart-Jan Vrielink bartjan at vrielink.net
Thu Dec 11 14:53:49 UTC 2014

Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: important

Dear Maintainer,

I am trying to get this machine to work properly under SELinux enforcing mode,
but run into all kinds of interesting issues.

One of these issues is that etckeeper, when run from cron, tries to read and
write various files in /etc, but this is not allowed by the system_cronjob_t
type the cronjob runs under.

How etckeeper works is that it scans /etc and for each file that was changed,
it commits it into git (or similar). The default path of this repository is
/etc/.git (etc_t). It also wants to modify /etc/.etckeeper and have read access
to each and any file in /etc (except for files that are ignored in

I do not think it is wise to grant system_cronjob_t write permission to etc_t
files, and also not wise to grant it read permission to each and any file in
/etc. I'm not sure what the best approach should be, but I think it should
start with a process transition, so that etckeeper runs in its own type.

root@ix:~# dpkg -l etckeeper
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
ii  etckeeper      1.15         all          store /etc in git, mercurial, bzr
root@ix:~#

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (750, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-2
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
