[DSE-Dev] Bug#999441: selinux-policy-default: SELinux prevents dbus and firewalld from running properly

Blake Lee blake at volitank.com
Thu Nov 11 03:45:06 GMT 2021 

Package: selinux-policy-default
Version: 2:2.20210203-10
Severity: important

Dear Maintainer,

On a fresh install of Debian sid I installed firewalld and selinux.
I rebooted to allow the system to do the autorelabling. Once done and the system came back up I got an error about dbus and firewalld would not start.

I added modules using audit2allow and was able to get dbus to come up but I was
unable to get firewalld to operate fully, I did get it to start at least.
Commands like firewall-cmd --state doesn't work. Everything I tested was working
fine in permissive mode. I'll paste my .te files created from audit2allow for you.

module dbus 1.0;

require {
        type system_dbusd_t;
        type security_t;
        class file map;
}

#============= system_dbusd_t ==============
allow system_dbusd_t security_t:file map;


This firewalld one has an extra one that was causing an error too, I'm not sure if
it has any weight on what is going on, but the null was making it hard to make a module
I had to `cat /var/log/audit/audit.log | grep firewalld_t | grep -v null | audit2allow`

module firewalld_volian. 1.0;

require {
        type xdg_data_t;
        type lib_t;
        type firewalld_etc_rw_t;
        type firewalld_t;
        type sysctl_kernel_t;
        type unconfined_t;
        type tmpfs_t;
        type kernel_t;
        type user_home_dir_t;
        class dir { search watch };
        class file { execute map open read write };
        class netlink_netfilter_socket { create getopt read setopt write };
        class process { getcap setcap };
        class capability setpcap;
        class (null) 0x2;
        class system module_request;
}

#============= firewalld_t ==============

allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t kernel_t:system module_request;
allow firewalld_t lib_t:dir watch;
allow firewalld_t self:capability setpcap;
allow firewalld_t self:netlink_netfilter_socket { create getopt read setopt write };
allow firewalld_t self:process { getcap setcap };
allow firewalld_t sysctl_kernel_t:dir search;
allow firewalld_t sysctl_kernel_t:file { open read };
allow firewalld_t tmpfs_t:file { map write };
allow firewalld_t tmpfs_t:file { execute read };
allow firewalld_t unconfined_t:(null) 0x2;
allow firewalld_t user_home_dir_t:dir search;
allow firewalld_t xdg_data_t:dir search;

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.3-1
ii  libsemanage2     3.3-1
ii  libsepol2        3.3-1
ii  policycoreutils  3.3-1
ii  selinux-utils    3.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  3.3-1
ii  setools      4.4.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

More information about the SELinux-devel mailing list