Package: dpkg
Version: 1.16.4.3
Severity: normal

I am giving this bug "normal" severity, but for certain types of SE Linux use
it might be regarded as more severe.

1) rjc:user_r:user_t:s0-s0:c0.c1023
2) rjc:user_r:user_t:SystemLow-SystemHigh

The way things currently work is that dpkg converts the sensitivity range of
a file from the computer readable form to the human readable form (the first of
the above two lines to the second).  Then before writing the data to disk it
converts it back to the first form.  mcstransd is used for the conversions
both ways.  If it's running when dpkg tries to convert from #1 to #2 but not
running when dpkg wants to convert from #2 to #1, then dpkg will try to write
#2 to disk, which is a violation of SE Linux policy.

This can happen when dpkg upgrades multiple packages including policycoreutils
(which contains mcstransd).  A mitigating factor for the users is that it's
recommended that upgrades of SE Linux policy and related packages (including
policycoreutils) between Debian releases be done in permissive mode with a
full relabel afterwards.  But if someone upgraded from Squeeze to Testing a
few weeks ago and then upgraded to the latest Testing today it would mess
things up.

Error setting security context for next file object:: Invalid argument

To demonstrate this problem instruct dpkg to install a couple of big packages
(I use libreoffice-common and libreoffice-core) and then stop mcstransd while
dpkg is working.  You may need to do it two or three times to get it to happen.
If the system is in permissive mode then the string "SystemLow" will be
included in contexts written to disk and in enforcing mode dpkg will write a
message such as the above to stderr.  In both cases a message such as the
below will be written to the audit log (or the kernel message log if auditd
isn't running).

type=AVC msg=audit(1341055747.187:1390): avc:  denied  { mac_admin } for  
pid=10131 comm="dpkg" capability=33  
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=capability2


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (350, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.6-3
ii  libc6        2.13-33
ii  liblzma5     5.1.1alpha+20120614-1
ii  libselinux1  2.1.9-5
ii  tar          1.26-4
ii  zlib1g       1:1.2.7.dfsg-13

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt  0.9.7

-- no debconf information
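
A check for both symptoms described in this report, added here as an example and not part of the original report or of dpkg: it flags contexts whose range is in the mcstransd-translated form rather than the raw form, and picks dpkg's mac_admin denials out of AVC records. The function names are hypothetical, and the sample input is constructed from the values quoted in the report plus one unrelated, made-up denial.

```python
import re

# One raw MLS/MCS level: sensitivity sN plus optional categories (c0.c1023, c1,c5).
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
RAW_RANGE = re.compile(rf"{_LEVEL}(?:-{_LEVEL})?")

def context_range(ctx):
    """Return the range field of user:role:type[:range], or None if absent."""
    parts = ctx.split(":", 3)  # the range may itself contain ':'
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[3] if len(parts) == 4 else None

def is_raw_context(ctx):
    """True if the range is in kernel (raw) form, i.e. not an mcstransd label."""
    rng = context_range(ctx)
    return rng is None or RAW_RANGE.fullmatch(rng) is not None

def mac_admin_denials(lines, comm="dpkg"):
    """Return PIDs of `comm` processes denied mac_admin in AVC records."""
    pids = []
    for line in lines:
        perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
        if not perms or "mac_admin" not in perms.group(1).split():
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if fields.get("comm", "").strip('"') == comm and "pid" in fields:
            pids.append(int(fields["pid"]))
    return pids

# Constructed input: the two contexts and the AVC record quoted in the report
# (record re-joined onto one line), plus one unrelated, made-up denial.
CONTEXTS = [
    "rjc:user_r:user_t:s0-s0:c0.c1023",
    "rjc:user_r:user_t:SystemLow-SystemHigh",
]
AUDIT = [
    'type=AVC msg=audit(1341055747.187:1390): avc:  denied  { mac_admin } for  '
    'pid=10131 comm="dpkg" capability=33  '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=capability2',
    'type=AVC msg=audit(1341055750.001:1391): avc:  denied  { read } for  '
    'pid=10200 comm="cat" name="example" tclass=file',
]

if __name__ == "__main__":
    for c in CONTEXTS:
        print("raw       " if is_raw_context(c) else "TRANSLATED", c)
    print("mac_admin denials for dpkg, pids:", mac_admin_denials(AUDIT))
```

On a system left in permissive mode during such an upgrade, the same range check can be run over the contexts stored on installed files to find the ones that need relabelling.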


