[DSE-Dev] Bug#1042838: selinux-basics: selinux-config-enforcing should explicitly set mode of /etc/selinux/config

Russell Coker russell at coker.com.au
Tue Aug 1 17:20:57 BST 2023


Package: selinux-basics
Version: 0.5.8
Severity: important
Tags: patch

/etc/selinux/config needs to be world-readable so user space object managers
running as non-root can find the SELINUXTYPE, otherwise they default to
targeted which is the source of error messages about
/etc/selinux/targeted/contexts being unavailable.  In some situations this
can prevent a graphical login.

As the combination of a umask such as 027 and running the script as-is will
cause things to break unexpectedly (including systemd processes run for the
user), this might be worth an update to bookworm.

The fix is to add the following line to the end of the file:
chmod 644 $CONF

-- System Information:
Debian Release: 12.1
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages selinux-basics depends on:
ii  checkpolicy      3.4-1+b2
ii  perl             5.36.0-7
ii  policycoreutils  3.4-1
ii  python3          3.11.2-1+b1
ii  selinux-utils    3.4-1+b6

Versions of packages selinux-basics recommends:
ii  policycoreutils-python-utils  3.4-1
ii  selinux-policy-default        2:2.20230710-1
ii  setools                       4.4.1-2

Versions of packages selinux-basics suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- debconf-show failed
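
Added example (not part of the original report and not code from selinux-basics): a POSIX sh sketch that reproduces the umask 027 effect in a scratch directory and checks whether the resulting file is world-readable, with and without the proposed chmod 644. It assumes the config is rewritten via a temporary file that is moved into place; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Works only in a mktemp scratch directory; nothing under /etc is touched.

# Print the 9-character permission string of a file, e.g. rw-r-----
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Return 0 if "other" has read permission on the file, 1 otherwise.
is_world_readable() {
    case "$(perm_string "$1")" in
        ??????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite a config file under the given umask (assumed pattern: write a
# temporary file, then move it into place). A third argument of "fix"
# applies the chmod 644 proposed in the report.
write_config() {
    conf=$1; mask=$2; fix=${3:-}
    (
        umask "$mask"
        # Constructed sample contents, not a copy of a real config.
        printf 'SELINUX=enforcing\nSELINUXTYPE=default\n' > "$conf.new"
        mv -f -- "$conf.new" "$conf"
        if [ "$fix" = fix ]; then chmod 644 -- "$conf"; fi
    )
}

# Show the file mode without and with the fix under umask 027.
demo() {
    dir=$(mktemp -d) || return 1
    write_config "$dir/config" 027
    before=$(perm_string "$dir/config")
    write_config "$dir/config" 027 fix
    after=$(perm_string "$dir/config")
    rm -rf -- "$dir"
    printf '%s %s\n' "$before" "$after"
}

demo
```

On an installed system, calling is_world_readable on /etc/selinux/config gives the same check for the condition described in the report.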


