Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: important

Dear Maintainer,

The current version of the default SELinux policy prevents the semanage tool from executing when SELinux is placed into enforcing mode. The problem appears to be that the tool tries to create a file in /tmp and execute it, but the policy doesn't allow this.

This has been reported upstream, but is not included in the stable packages for Debian:
http://oss.tresys.com/pipermail/refpolicy/2017-May/009484.html

A workaround suggested by sfix in Freenode's #selinux channel is:

    $ echo '(allow semanage_t semanage_tmp_t (file (getattr open read execute ioctl)))' > semanage_mmap_tmp.cil
    $ sudo semodule -i semanage_mmap_tmp.cil

This fixes the issue, but it would obviously be better if that small patch from upstream could be applied to the stable packages.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
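As an added example that is not part of the bug report above, the following Python script shows how a CIL rule like the suggested workaround is derived from the AVC denials auditd records, and how an administrator can check before installing it that the rule is no broader than the denials actually observed. It aggregates denied permissions per (source type, target type, object class) and renders one CIL allow statement per triple; the audit lines it parses are constructed sample input modelled on the semanage_t / semanage_tmp_t denial the report describes, not log lines from the report or from any real system.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the bug report): what auditd would log
# when the semanage_t domain is denied access to its own file under /tmp. The
# SYSCALL record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1512345678.123:456): avc:  denied  { getattr } for  pid=1234 comm="semanage" path="/tmp/tmp_constructed" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1512345678.124:457): avc:  denied  { execute } for  pid=1234 comm="semanage" path="/tmp/tmp_constructed" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1512345678.125:458): avc:  denied  { read open } for  pid=1234 comm="semanage" path="/tmp/tmp_constructed" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1512345678.126:459): avc:  denied  { ioctl } for  pid=1234 comm="semanage" path="/tmp/tmp_constructed" dev="sda1" ino=42 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:semanage_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1512345678.126:459): arch=c000003e syscall=16 success=no exit=-13 comm="semanage"
"""

# Matches the permission set and the three fields that identify an access vector.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(denied perms)} from AVC lines."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no access vector
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def to_cil_allow(denials):
    """Render each aggregated denial as one CIL allow statement, perms sorted for stable diffs."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append("(allow %s %s (%s (%s)))" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def unexpected_denials(denials, expected_keys):
    """Return the (source, target, class) triples that fall outside the set an admin
    expects to see; anything listed here should be investigated rather than allowed."""
    return sorted(k for k in denials if k not in expected_keys)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    # Only the domain's own temporary files are in scope for this workaround.
    extra = unexpected_denials(found, {("semanage_t", "semanage_tmp_t", "file")})
    if extra:
        print("refusing to generate rules for unexpected denials:", extra)
    else:
        for rule in to_cil_allow(found):
            print(rule)
```

Run on a real system, the input would be the output of `ausearch -m AVC` rather than the constructed sample; the scope check in `unexpected_denials` is the step that keeps a copy-pasted allow rule from silently covering denials unrelated to the one being worked around.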