[DSE-Dev] Bug#890208: selinux-policy-default: Debian Stretch SELinux enforcing causes systemd --user unit to fail
C J du Preez
cjdupreez at protonmail.com
Sun Feb 11 23:28:40 UTC 2018
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal
Dear Maintainer,
I have SELinux enabled and enforcing on Debian Stretch (command line via SSH
only, no GUI is installed at all). I am trying to start a systemd --user unit
(which I know is correct, because it works with SELinux in permissive mode).
Here are my findings:
SELinux permissive
==================
==================
$ sudo sestatus
[sudo] password for testuser:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
================
$ systemctl --user start ssh-agent
$ echo $?
0
$ ssh-add
Enter passphrase for /home/testuser/.ssh/id_rsa:
Identity added: /home/testuser/.ssh/id_rsa (/home/testuser/.ssh/id_rsa)
=================
SELinux enforcing
=================
=================
$ sudo sestatus
[sudo] password for testuser:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
================
$ systemctl --user start ssh-agent
Failed to connect to bus: No such file or directory
*** /home/testuser/.config/systemd/user/ssh-agent.service
[Unit]
Description=SSH key agent
[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
[Install]
WantedBy=default.target
*** /home/testuser/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b3
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
ii policycoreutils 2.6-3
ii selinux-utils 2.6-3+b3
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.6-2
ii setools 4.0.1-6
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information