[DSE-Dev] Bug#1042838: selinux-basics: selinux-config-enforcing should explicitly set mode of /etc/selinux/config
Russell Coker
russell at coker.com.au
Tue Aug 1 17:20:57 BST 2023
Package: selinux-basics
Version: 0.5.8
Severity: important
Tags: patch
/etc/selinux/config needs to be world-readable so user space object managers
running as non-root can find the SELINUXTYPE, otherwise they default to
targeted which is the source of error messages about
/etc/selinux/targeted/contexts being unavailable. In some situations this
can prevent a graphical login.
As the combination of a umask such as 027 and running the script as-is will
cause things to break unexpectedly (including systemd processes run for the
user), this might be worth an update to bookworm.
The fix is to add the following line to the end of the file:

    chmod 644 $CONF

-- System Information:
Debian Release: 12.1
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages selinux-basics depends on:
ii checkpolicy 3.4-1+b2
ii perl 5.36.0-7
ii policycoreutils 3.4-1
ii python3 3.11.2-1+b1
ii selinux-utils 3.4-1+b6
Versions of packages selinux-basics recommends:
ii policycoreutils-python-utils 3.4-1
ii selinux-policy-default 2:2.20230710-1
ii setools 4.4.1-2
Versions of packages selinux-basics suggests:
pn logcheck <none>
pn syslog-summary <none>
-- debconf-show failed
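
The umask effect described in the report, reproduced on a scratch file as an added example (not part of the original message or of the selinux-basics script). It assumes the config is rewritten by writing a new file and renaming it over the old one; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on a scratch copy, never on the real /etc/selinux/config.

# Print the ten-character permission string of a file, e.g. -rw-r--r--
file_perms() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if "other" has read permission, which non-root user space
# object managers need in order to read SELINUXTYPE.
world_readable() {
    case $(file_perms "$1") in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the config by creating a new file and renaming it over the old one
# (assumed pattern; the report does not show how the script writes $CONF).
# $1 = config path, $2 = "fix" to apply the chmod proposed in the report.
rewrite_conf() {
    conf=$1
    sed 's/^SELINUX=.*/SELINUX=enforcing/' "$conf" > "$conf.new" &&
        mv "$conf.new" "$conf"
    if [ "$2" = fix ]; then
        chmod 644 "$conf"
    fi
}

# Run the rewrite under a given umask and print the resulting permissions.
# $1 = umask, $2 = "fix" or "nofix"
demo() {
    dir=$(mktemp -d)
    (
        umask 022
        # Constructed sample config, created world-readable (0644).
        printf 'SELINUX=permissive\nSELINUXTYPE=default\n' > "$dir/config"
        umask "$1"
        rewrite_conf "$dir/config" "$2"
    )
    file_perms "$dir/config"
    rm -rf "$dir"
}

for u in 022 027; do
    echo "umask $u: without chmod $(demo "$u" nofix), with chmod $(demo "$u" fix)"
done
```

`world_readable /etc/selinux/config` can be used as a post-install or monitoring check on a real system.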