Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal

ndc_t being prevented from block_suspend on itself:

    Feb 13 00:46:38 a6 kernel: [  541.076682] type=1400
    audit(1392281198.624:176): avc:  denied  { block_suspend } for  pid=4506
    comm="rndc" capability=36  scontext=system_u:system_r:ndc_t:s0
    tcontext=system_u:system_r:ndc_t:s0 tclass=capability2

This also came up in Redhat Bug#895070 but the fix was seemingly never pushed
upstream.

Patch attached.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-9
ii  libselinux1      2.2.2-1
ii  libsepol1        2.2-1
ii  policycoreutils  2.2.5-1
ii  python           2.7.5-5
ii  selinux-utils    2.2.2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.2-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission 
denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- debconf-show failed
commit 5aacc83a8e267ea4dada5d6044a42f598b8b1735
Author: Devin Carraway <g...@devin.com>
Date:   Thu Feb 13 21:59:54 2014 -0800

    Allow ndc_t to prevent suspend on epoll events.
    
    Capability background: http://thread.gmane.org/gmane.linux.kernel/1289986
    
    Fixes audit denial:
    
    Feb 13 00:46:38 a6 kernel: [  541.076682] type=1400 audit(1392281198.624:176): avc:  denied  { block_suspend } for  pid=4506 comm="rndc" capability=36  scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=capability2

diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index 1241123..101893f 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -215,6 +215,7 @@ optional_policy(`
 #
 
 allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability2 block_suspend;
 allow ndc_t self:process signal_perms;
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
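Review bot: the added line grants block_suspend outright, while the commit message only says "Fixes audit denial" and attributes the denial to epoll events rather than to rndc needing to keep the system awake; if rndc completes its work without the capability, the least-privilege fix is `dontaudit ndc_t self:capability2 block_suspend;` and, either way, the commit message should state whether rndc actually fails without the allow so the choice between allow and dontaudit is documented.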

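As an added illustration (not part of the report, the patch, or the refpolicy tree), the following Python joins the mail-wrapped AVC record from the report, extracts its fields, cross-checks the kernel capability number against the permission name, and emits the statement the patch adds (or its dontaudit counterpart), in the way audit2allow would; CAP_NAMES, parse_avc, cap_matches and avc_to_rule are names assumed here.

```python
import re

# Constructed copy of the AVC record from the report, wrapped as the mailer left it.
AVC_WRAPPED = """\
    Feb 13 00:46:38 a6 kernel: [  541.076682] type=1400
audit(1392281198.624:176): avc:  denied  { block_suspend } for  pid=4506
comm="rndc" capability=36  scontext=system_u:system_r:ndc_t:s0
tcontext=system_u:system_r:ndc_t:s0 tclass=capability2
"""

# Kernel CAP_* numbers for the names used on this page (capability2 holds CAP_* >= 32).
CAP_NAMES = {1: "dac_override", 12: "net_admin", 36: "block_suspend"}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)


def parse_avc(text):
    """Re-join wrapped lines, then return verdict, permission list and key=value fields."""
    line = " ".join(part.strip() for part in text.splitlines())
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(fields)
    return rec


def cap_matches(rec):
    """True/False if the capability number agrees with the permission name; None if unknown."""
    if rec.get("tclass") not in ("capability", "capability2") or "capability" not in rec:
        return None
    expected = CAP_NAMES.get(int(rec["capability"]))
    return None if expected is None else rec["perms"] == [expected]


def type_of(context):
    """system_u:system_r:ndc_t:s0 -> ndc_t"""
    return context.split(":")[2]


def avc_to_rule(rec, action="allow"):
    """Emit the policy statement matching the record; source == target collapses to 'self'."""
    if cap_matches(rec) is False:
        raise ValueError("capability number and permission name disagree")
    src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
    target = "self" if tgt == src else tgt
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"{action} {src} {target}:{rec['tclass']} {perms};"
```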