[DSE-Dev] Bug#1012756: Package: libselinux1 - SELINUXDEFAULT "targeted" should be "default"

gyptazy gyptazy at gyptazy.ch
Mon Jun 13 12:36:38 BST 2022


Package: libselinux1
Version: 3.3-1+b2

Info:
‚libselinux1‘ doesn’t evaluate the correct ‚SELINUXDEFAULT‘ value. The currently used default value points to a non-existent path.

Issue:
When running SELinux on a freshly installed ‚Debian‘ (‚Stable‘, ‚Testing‘) in ‚enforcing‘ mode, ‚libselinux‘ seems to source the hardcoded var ‚SELINUXDEFAULT‘ (see also: https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_config.c#L16). This is set to ‚targeted‘ and as far as I can see this won’t be re-evaluated at any time. However, ‚targeted‘ is the ‚RHEL‘-specific path and Debian uses ‚default‘; this may fail later when labels are evaluated (e.g. when starting ‚systemd-resolved‘). This is no issue when ‚SELinux‘ only runs in ‚permissive‘ mode, but when running in ‚enforcing‘ mode this will fail.
Changing ‚SELINUXDEFAULT‘ to ‚SELINUXDEFAULT "default"‘ and recompiling ‚libselinux1‘ fixes this issue immediately.

How to reproduce:
	• Use a Debian Stable or Testing minimal installation
	• Remove AppArmor (apt remove apparmor)
	• Install SELinux (apt-get install selinux-basics selinux-policy-default auditd)
	• Run ‚selinux-activate‘ (Keep in mind, this will only set SELinux to ‚permissive‘ mode, not ‚enforcing‘)
	• Reboot (it will ‚relabel‘ during the boot)
	• Edit ‚/etc/selinux/config‘ and switch ‚SELINUX‘ from ‚permissive‘ to ‚enforcing‘
	• Reboot
	• Now, you can reproduce the mentioned issue (‚systemctl start systemd-resolved‘) 


If you need further information or help for debugging, feel free to ask. I may also contribute a PR fixing this issue on Salsa.

Thanks,
gyptazy
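
The mismatch described in this report can be checked by resolving the policy type and testing whether its directory exists. The shell sketch below is an added example, not part of the original message or of libselinux: it assumes the compiled-in ‚targeted‘ fallback applies when the config file sets no SELINUXTYPE, and the function names, the constructed sample tree and the contexts/files check are illustrative choices.

```shell
#!/bin/sh
# Added example (not libselinux code): resolve the policy type and verify
# that its policy directory exists. Paths are parameters so the check can
# run against a constructed sample tree as well as /etc/selinux.

# Compiled-in fallback named in the report (SELINUXDEFAULT in selinux_config.c).
SELINUXDEFAULT_FALLBACK="targeted"

# effective_policy_type CONFIG_FILE
# Prints SELINUXTYPE from the config; assumption: the fallback is used
# when the key is absent. This sketch takes the last uncommented line.
effective_policy_type() {
    ptype=""
    if [ -r "$1" ]; then
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    fi
    printf '%s\n' "${ptype:-$SELINUXDEFAULT_FALLBACK}"
}

# installed_types SELINUX_DIR: lists subdirectories that contain contexts/.
installed_types() {
    for d in "$1"/*/contexts; do
        if [ -d "$d" ]; then basename "$(dirname "$d")"; fi
    done | tr '\n' ' '
}

# check_policy_root CONFIG_FILE SELINUX_DIR
# Returns 0 when <SELINUX_DIR>/<type>/contexts/files exists, 1 otherwise.
check_policy_root() {
    ptype=$(effective_policy_type "$1")
    root="$2/$ptype"
    if [ -d "$root/contexts/files" ]; then
        echo "ok: policy type '$ptype' resolves to $root"
        return 0
    fi
    echo "missing: policy type '$ptype' resolves to $root (no contexts/files)" >&2
    echo "installed policy dirs: $(installed_types "$2")" >&2
    return 1
}

# Constructed sample: a Debian-like tree with only the 'default' policy.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/default/contexts/files"
    printf 'SELINUX=enforcing\n' > "$dir/config.nokey"
    printf 'SELINUX=enforcing\nSELINUXTYPE=default\n' > "$dir/config.default"
    printf '%s\n' "$dir"
}
```

On a real system the call is `check_policy_root /etc/selinux/config /etc/selinux`; a non-zero exit means the resolved policy type has no matching directory.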

