[DSE-Dev] Bug#888967: selinux-policy-default: Default policy breaks semanage tool

Mark Raynsford co+org.debian at io7m.com
Wed Jan 31 17:04:34 UTC 2018


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important

Dear Maintainer,

The current version of the default SELinux policy prevents the semanage
tool from executing when SELinux is placed into enforcing mode. The
problem appears to be that the tool tries to create a file in /tmp
and execute it, but the policy doesn't allow this.

This has been reported upstream, but is not included in the stable
packages for Debian:

http://oss.tresys.com/pipermail/refpolicy/2017-May/009484.html

A workaround suggested by sfix in Freenode's #selinux channel is:

$ echo '(allow semanage_t semanage_tmp_t (file (getattr open read execute ioctl)))' > semanage_mmap_tmp.cil
$ sudo semodule -i semanage_mmap_tmp.cil

This fixes the issue, but it would obviously be better if that small patch
from upstream could be applied to the stable packages.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
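As an added example (not part of the bug report or of Debian's packaging): a small POSIX sh script that derives the CIL allow rule from the AVC denials this bug produces, so that the local module grants only the permissions the audit log shows being denied, and that checks the loaded policy before anything is installed. The AVC lines embedded below are constructed samples in auditd's format, with made-up pid, inode and path values; the sesearch flags are assumed to be those of setools 4 (the version listed in the report); the module name semanage_mmap_tmp is taken from the report's workaround.

```shell
#!/bin/sh
# Added example, not code from the bug report. Turns AVC denial lines into the
# minimal CIL allow rule, checks the running policy for it, and writes the
# module file that "semodule -i" installs and "semodule -r" later removes.

# Constructed sample AVC denials in auditd's format. Types, class and
# permissions match the report's symptom; pid, inode and path are made up.
SAMPLE_AVC='type=AVC msg=audit(1517418274.123:456): avc:  denied  { execute } for  pid=4242 comm="semanage" path="/tmp/tmpabc123" dev="sda1" ino=1337 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517418274.123:457): avc:  denied  { read open } for  pid=4242 comm="semanage" path="/tmp/tmpabc123" dev="sda1" ino=1337 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0'

# avc_to_cil: read AVC lines on stdin, group them by (source type, target type,
# object class) and print one CIL allow statement per group containing the
# union of the permissions that were actually denied, in first-seen order.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/^.*denied +\{ */, "", perms)   # keep the text after "denied {"
        sub(/ *\}.*$/, "", perms)           # drop "}" and everything after it
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt " " cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        np = split(perms, plist, / +/)
        for (j = 1; j <= np; j++) {
            p = plist[j]
            if (p == "" || ((key, p) in seen)) continue
            seen[key, p] = 1
            permlist[key] = (permlist[key] == "" ? p : permlist[key] " " p)
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, " ")
            printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], permlist[keys[k]]
        }
    }'
}

# rule_present SRC TGT CLASS PERM: ask the loaded policy (setools 4 sesearch,
# flags assumed) whether some allow rule already covers the access.
# Exit status: 0 = allowed, 1 = not allowed, 2 = sesearch not installed.
rule_present() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q '^allow'
}

# generate_module PATH: read AVC lines on stdin and write the CIL module to
# PATH. The file's basename (without .cil) becomes the module name, so
# "semodule -i semanage_mmap_tmp.cil" installs it and
# "semodule -r semanage_mmap_tmp" removes it once the fixed package lands.
generate_module() {
    avc_to_cil > "$1"
    [ -s "$1" ]   # fail if no denial was parsed, so nothing empty is installed
}

# Stand-alone run: show the rule derived from the constructed sample and, where
# sesearch exists, whether the current policy already permits the execute.
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
if rule_present semanage_t semanage_tmp_t file execute; then
    echo "policy already allows semanage_t to execute semanage_tmp_t files"
fi
```

In use, the denials come from the audit log rather than the embedded sample, for instance `ausearch -m avc -ts recent | generate_module semanage_mmap_tmp.cil`, followed by the `semodule -i` step from the report. The difference from the hand-written one-liner is that the generated rule lists only the permissions the log shows, and `rule_present` makes it possible to skip the module entirely on a host whose policy has already picked up the upstream change.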



More information about the SELinux-devel mailing list