[DSE-Dev] Bug#948336: selinux-policy-default: systemd-journal cannot access processes with 'signull' (RedHat Bug 1676923).

Frank Betten frank.betten at t-online.de
Tue Jan 7 13:33:18 GMT 2020


Package: selinux-policy-default
Version: 2:2.20190201-6
Severity: normal
Tags: upstream

Dear Maintainer,

Installation of selinux-default-policy and checking with audit2why turned up log entries like

type=AVC msg=audit(1578077950.172:533): avc:  denied  { signull } for  pid=281 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=process permissive=1

The problem is described as RedHat Bug 1676923: A code change for systemd-239 (so also in Buster's systemd-241) uncovered a problem in the policy. A policy version (selinux-policy-3.14.1-61.el8) with a fix is provided by Redhat, but I don't know if the fix can be backported.

The problem is still seen in the latest default policy available with Sid (Packages: libselinux1 libsemanage1 libsemanage-common libsepol1 policycoreutils selinux-policy-default upgraded selectively) as expected.

Best regards,
Frank


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_GB (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1
ii  libsemanage1     3.0-1
ii  libsepol1        3.0-1
ii  policycoreutils  3.0-1
ii  selinux-utils    2.8-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
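The report quotes a single AVC record and says audit2why turned it up. To show what such a triage step actually does with the raw audit lines, here is an added example (not code from the reporter, from Debian, or from the SELinux tooling) that parses AVC records, groups the denials by source type, target type and object class the way audit2allow does, renders the allow rule each group would produce, and checks specifically for the syslogd_t -> process:signull pattern this bug describes. The sample log is constructed for the example: its first line is the denial quoted above, the rest are made up.

```python
import re

# Constructed sample audit log. The first line is the denial quoted in the bug
# report; the remaining lines are made up for this example and are not from the page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1578077950.172:533): avc:  denied  { signull } for  pid=281 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=process permissive=1
type=AVC msg=audit(1578077950.180:534): avc:  denied  { signull } for  pid=281 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=process permissive=1
type=AVC msg=audit(1578077951.000:540): avc:  denied  { signull } for  pid=281 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
type=AVC msg=audit(1578077952.500:541): avc:  denied  { read open } for  pid=900 comm="httpd" path="/home/alice/public_html/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1578077950.172:533): arch=c000003e syscall=62 success=yes exit=0
"""

# Shape of an AVC record as written by the kernel: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
    }
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type (third component) of a user:role:type:level security context."""
    return ctx.split(':')[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'count': 0, 'enforced': False})
        entry['perms'] |= rec['perms']
        entry['count'] += 1
        # permissive=0 means the access was actually blocked; permissive=1 (as on the
        # reporter's system) means it was only logged and the access went through.
        entry['enforced'] = entry['enforced'] or rec.get('permissive') == '0'
    return summary


def allow_rules(summary):
    """Render each group as the TE allow rule audit2allow would propose for it."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = sorted(entry['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


def journal_signull_targets(summary):
    """Target domains on which syslogd_t was denied process:signull (the pattern in this report)."""
    return sorted(ttype for (stype, ttype, tclass), entry in summary.items()
                  if stype == 'syslogd_t' and tclass == 'process' and 'signull' in entry['perms'])


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT_LOG)
    for key, entry in sorted(s.items()):
        mode = 'enforced' if entry['enforced'] else 'permissive'
        print(key, entry['count'], mode, sorted(entry['perms']))
    for rule in allow_rules(s):
        print(rule)
    print('syslogd_t signull targets:', journal_signull_targets(s))
```

The rendered rule for the quoted denial is `allow syslogd_t devicekit_disk_t:process signull;`, which is what a local audit2allow module would add. That is a quick way to confirm that a system shows the pattern from Bug 1676923, but it is not the same as the upstream fix: the reporter's reference to selinux-policy-3.14.1-61.el8 is a change to the distributed policy, and a grouped summary like this one is the evidence to attach to a bug rather than a rule to ship blindly, since it tells you nothing about whether the access is legitimate.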


