Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

https://github.com/systemd/systemd/issues/3845
https://bugzilla.redhat.com/show_bug.cgi?id=1411981
https://stackoverflow.com/questions/44127247/does-anyone-know-a-workaround-for-no-new-privileges-blocking-selinux-transitions
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Above are some relevant URLs to this issue (search for NoNewPrivileges in
the last one). Currently I've noticed this problem with tor and mysql, but
I expect that other daemons have the same issue:

# ps axZ|grep init_t|grep -v grep
system_u:system_r:init_t:s0         1 ?        Ss     95:19 /sbin/init
system_u:system_r:init_t:s0      1287 ?        Ssl  1042:39 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
system_u:system_r:init_t:s0     30280 ?        Ssl    7:49 /usr/sbin/mysqld

For tor the following policy is needed to fix it. This type of change
means that init_t needs EVERY permission that every domain it enters with
NoNewPrivileges=yes has.

typebounds init_t tor_t;
allow init_t tor_exec_t:file entrypoint;
allow init_t tmpfs_t:lnk_file read;

The workaround for this is to run a command like "systemctl edit
tor@default.service" and put in something like the following:

[Service]
NoNewPrivileges=no

But we don't want to disable NoNewPrivileges as that reduces protections
on non-SE systems, which hurts people who run in permissive some of the
time and allows the possibility of a security issue that is stopped by
NoNewPrivileges but not by SE Linux to exploit systems.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b1
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
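As an added example (not part of the bug report above, and not code from the selinux-policy or systemd projects), here is a small POSIX sh helper that turns the `ps axZ | grep init_t` check from the report into something repeatable: it reads `ps axZ` output, parses the SELinux context of each process, and lists every daemon that is still running as init_t, which is the symptom left behind when NoNewPrivileges=yes makes the kernel refuse the domain transition. SAMPLE_PS is a constructed stand-in for real `ps axZ` output, shaped like the listing in the report (a tor_t line is added to show what a successful transition looks like). The live_check function assumes a host with SELinux and systemd and uses `systemctl show --value`, which exists in the systemd version shipped with Debian 9; the unit name it takes (for example tor@default.service) is an argument, not something the script discovers.

```shell
#!/bin/sh
# Added example: find services that never left init_t.

# Constructed `ps axZ` output (not captured from a real host), modelled on
# the listing in the report. Columns: LABEL PID TTY STAT TIME COMMAND.
SAMPLE_PS='LABEL                             PID TTY      STAT    TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     95:19 /sbin/init
system_u:system_r:init_t:s0      1287 ?        Ssl  1042:39 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
system_u:system_r:tor_t:s0       1290 ?        Ssl     0:02 /usr/bin/tor -f /etc/tor/torrc
system_u:system_r:init_t:s0     30280 ?        Ssl     7:49 /usr/sbin/mysqld'

# stuck_in_init_t: read `ps axZ` output on stdin and print "PID COMMAND" for
# every process whose SELinux type is init_t, except PID 1 (systemd itself
# legitimately runs there). A daemon listed here did not get its domain
# transition; with NoNewPrivileges=yes on its unit that is the report's bug.
stuck_in_init_t() {
    awk '$1 != "LABEL" {
        split($1, ctx, ":")            # user:role:type:level
        if (ctx[3] == "init_t" && $2 != 1) print $2, $6
    }'
}

# stuck_count: number of affected daemons, usable as a monitoring threshold.
stuck_count() {
    stuck_in_init_t | wc -l | tr -d ' '
}

# live_check: run the same test against the running host and, for the unit
# named in $1 (for example tor@default.service), show its NoNewPrivileges
# setting. A daemon in init_t plus NoNewPrivileges=yes on its unit is the
# combination described in the report. Assumes `systemctl show --value`.
live_check() {
    ps axZ | stuck_in_init_t
    if [ -n "$1" ]; then
        printf '%s: NoNewPrivileges=%s\n' "$1" \
            "$(systemctl show -p NoNewPrivileges --value "$1")"
    fi
}

# Demo on the constructed sample: prints the tor and mysqld lines only.
printf '%s\n' "$SAMPLE_PS" | stuck_in_init_t
```

On a real host, `ps axZ | stuck_in_init_t` (or `live_check tor@default.service`) gives the same answer the report's grep pipeline does, but without matching on unrelated text containing "init_t" and without listing PID 1. It is a detection aid only; it does not change any unit or policy, so it can run from cron or a monitoring agent to tell you which services lost their confinement after a policy or systemd upgrade.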