[DSE-Dev] Bug#888967: selinux-policy-default: Default policy breaks semanage tool

Maksim K. debian_bug at k-max.name
Thu Jun 4 20:35:09 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Followup-For: Bug #888967

I would like to add more information.
After applying the workaround:
$ echo '(allow semanage_t semanage_tmp_t (file (getattr open read execute ioctl)))' > semanage_mmap_tmp.cil 
$ sudo semodule -i semanage_mmap_tmp.cil

semanage is working, but I've still got AVC errors:
--
type=AVC msg=audit(1591299268.883:8358): avc:  denied  { execute } for  pid=12319 comm="semanage" name="ldconfig" dev="vda1" ino=1177350 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.895:8359): avc:  denied  { execute_no_trans } for  pid=12321 comm="gcc" path="/usr/lib/gcc/x86_64-linux-gnu/6/collect2" dev="vda1" ino=141628 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.903:8360): avc:  denied  { execute } for  pid=12322 comm="semanage" name="ldconfig" dev="vda1" ino=1177350 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.911:8361): avc:  denied  { execute_no_trans } for  pid=12324 comm="gcc" path="/usr/lib/gcc/x86_64-linux-gnu/6/collect2" dev="vda1" ino=141628 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
--



-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
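
An added example, not part of the original post: a small Python parser that collapses the AVC records quoted above into distinct (source type, target type, class) denials and renders each in the CIL form the workaround uses, so the remaining policy gaps can be reviewed one by one. The function names are this example's own; the sample records are copied from the post.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the post above, copied verbatim.
SAMPLE = """\
type=AVC msg=audit(1591299268.883:8358): avc:  denied  { execute } for  pid=12319 comm="semanage" name="ldconfig" dev="vda1" ino=1177350 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.895:8359): avc:  denied  { execute_no_trans } for  pid=12321 comm="gcc" path="/usr/lib/gcc/x86_64-linux-gnu/6/collect2" dev="vda1" ino=141628 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.903:8360): avc:  denied  { execute } for  pid=12322 comm="semanage" name="ldconfig" dev="vda1" ino=1177350 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1591299268.911:8361): avc:  denied  { execute_no_trans } for  pid=12324 comm="gcc" path="/usr/lib/gcc/x86_64-linux-gnu/6/collect2" dev="vda1" ino=141628 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
"""

# Fields of an AVC denial that identify the rule the loaded policy lacks.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        group = groups[key]
        group["perms"].update(m["perms"].split())
        group["count"] += 1
        obj = OBJ_RE.search(line)
        if obj:
            group["objects"].add(obj.group(1))
    return dict(groups)

def as_cil_candidates(groups):
    """Render each group in the CIL allow form of the workaround, for policy review."""
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(g['perms']))})))"
        for (src, tgt, cls), g in sorted(groups.items())
    ]

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{g['count']}x {src} -> {tgt}:{cls} {sorted(g['perms'])} {sorted(g['objects'])}")
    print("\n".join(as_cil_candidates(summarize(SAMPLE))))
```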


