[DSE-Dev] Bug#888967: selinux-policy-default: Default policy breaks semanage tool
Mark Raynsford
co+org.debian at io7m.com
Wed Jan 31 17:04:34 UTC 2018
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important
Dear Maintainer,
The current version of the default SELinux policy prevents the semanage
tool from executing when SELinux is placed into enforcing mode. The
problem appears to be that the tool tries to create a file in /tmp
and execute it, but the policy doesn't allow this.
This has been reported upstream, but is not included in the stable
packages for Debian:
http://oss.tresys.com/pipermail/refpolicy/2017-May/009484.html
A workaround suggested by sfix in Freenode's #selinux channel is:
$ echo '(allow semanage_t semanage_tmp_t (file (getattr open read execute ioctl)))' > semanage_mmap_tmp.cil
$ sudo semodule -i semanage_mmap_tmp.cil
This fixes the issue, but it would obviously be better if that small patch
from upstream could be applied to the stable packages.
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b3
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
ii policycoreutils 2.6-3
ii selinux-utils 2.6-3+b3
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.6-2
ii setools 4.0.1-6
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information