Your message dated Sun, 15 Dec 2013 22:20:35 +0000
with message-id <e1vsk39-0004qr...@franck.debian.org>
and subject line Bug#722700: fixed in refpolicy 2:2.20131214-1
has caused the Debian Bug report #722700,
regarding selinux-policy-default: Permission block_suspend in class capability2
not defined in policy.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
722700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722700
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: grave
Tags: upstream
Justification: renders package unusable
Dear Maintainer,
this is an example from "ausearch -m avc":
type=SYSCALL msg=audit(1379073446.149:88): arch=40000003 syscall=255
success=yes exit=0 a0=e a1=2 a2=1f a3=bfff9d34 items=0 ppid=1 pid=2597
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
ses=4294967295 tty=(none) comm="master" exe="/usr/lib/postfix/master"
subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1379073446.149:88): avc: denied { block_suspend } for
pid=2597 comm="master" capability=36
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability2
This cannot be solved with usual audit2allow, because when rebuilding the
policy there is this error message from the kernel: "SELinux: Permission
block_suspend in class capability2 not defined in policy."
Check the samme issue in Fedora:
https://lists.fedoraproject.org/pipermail/users/2012-August/423398.html
Please update the package selinux-policy-default to newer version from upstream
to make it compatible with the used kernel (currently 3.10 in jessie).
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.10-2-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-9
ii libselinux1 2.1.13-2
ii libsepol1 2.1.9-2
ii policycoreutils 2.1.13-2+b1
ii python 2.7.5-4
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.1.12-1
ii setools 3.3.8-1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission
denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20131214-1
We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 722...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <bi...@debian.org> (supplier of updated refpolicy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 15 Dec 2013 22:53:06 +0100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src
selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20131214-1
Distribution: unstable
Urgency: low
Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bi...@debian.org>
Description:
selinux-policy-default - Strict and Targeted variants of the SELinux policy
selinux-policy-dev - Headers from the SELinux reference policy for building
modules
selinux-policy-doc - Documentation for the SELinux reference policy
selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 552147 559356 691284 700326 700403 707243 711083 712970 716753 720631
722700
Changes:
refpolicy (2:2.20131214-1) unstable; urgency=low
.
* Team upload.
[ Laurent Bigonville ]
* New GIT snapshot of the policy
- Drop all the Debian specific patches, some of the patches have been
merged upstream, but the rest was making it really difficult to upgrade
the policy to the new upstream versions.
- Add block_suspend access vectors (Closes: #722700)
- libvirt should now run when compiled with selinux support
(Closes: #559356)
- Allow smartd daemon to write in /var/lib/smartmontools directory
(Closes: #720631)
- NetworkManager should now be able to write /run/network/ifstate
(Closes: #711083)
- Allow dovecot self:process setsched permission (Closes: #716753)
- Add denyhosts policy package (Closes: #700403)
- deny_ptrace boolean is now gone (Closes: #691284)
- Allow fail2ban dac_read_search and dac_override capabilities
(Closes: #700326)
- irqbalance has now the getsched permission (Closes: #707243)
* Refresh debian/modules.conf.* for new release, build all the policy
packages as modules now
* Drop debian/file_contexts.subs_dist, install upstream one instead
* debian/rules: policy/rolemap file is gone
* debian/control: Bump {build-}dependencies to the last userspace release
* debian/rules: Disable UBAC for the default policy
* debian/rules: Build the default policy with UNK_PERMS=allow
* debian/control: Add dependency against selinux-utils for selinuxenabled
* debian/NEWS: Add some information about the proper way to permanently
disable a module
* d/p/0004-init-startpar-initrc_t-gets-attributes-of-dev-dm-0-d.patch:
Fix FTBFS and allow startpar can getattr of some devices
* Add d/p/0005-add-missing-newline.patch: Add missing newline at the end of
the file, this is causing weird behaviour, thanks M4
* d/p/0006-allow-udev-write-rulesd.patch: Allow udev to write in
/etc/udev/rules.d (Closes: #712970)
.
[ Mika Pflüger ]
* debian/postinst.policy: Rewrite the postinst script for the
selinux-policy-* packages to automatically upgrade the running policy.
(Closes: #552147)
* debian/copyright: Update to machine-readable copyright format.
* debian/postrm.policy: Use common postrm script for selinux-policy-*
packages.
Checksums-Sha1:
e43bd81251d9c7e83b5d2decf3bdabd6f74c243e 2028 refpolicy_2.20131214-1.dsc
2bef75c1582562906f407a92c187f426bff58cbb 485350
refpolicy_2.20131214.orig.tar.bz2
b4a0533ff153764feb26c63fbf04607a1a2fe5d8 59842
refpolicy_2.20131214-1.debian.tar.gz
c0fbb83d4bb9307f191c058a4211a0f738db2891 2885148
selinux-policy-default_2.20131214-1_all.deb
5913acd420f5becbc4558b464fb5170c7cf73d39 2935304
selinux-policy-mls_2.20131214-1_all.deb
27fd3b97b5964b1f422369f94881b65203a76b8a 1167640
selinux-policy-src_2.20131214-1_all.deb
0ba31d6ca998bc52d275f305e396083f98aa5b56 440436
selinux-policy-dev_2.20131214-1_all.deb
a7a6d5d636848704d7a4118a16ca38bf91b7e415 398866
selinux-policy-doc_2.20131214-1_all.deb
Checksums-Sha256:
fd63c3b718d882256f58929959338966586ee2e1240b04bbaa40951fcbd760ef 2028
refpolicy_2.20131214-1.dsc
6f1c759c2599699e45630dc15542c481c4877818ce2ee0dfcae6d765e5669ff4 485350
refpolicy_2.20131214.orig.tar.bz2
71842f684e160735bbf76c12ab7e4bd760e8f34a4e2fc50ec85b735089f84b4c 59842
refpolicy_2.20131214-1.debian.tar.gz
aede061f7f96463564a4266fd2d576852d9a75b317157a309c1c17659915341b 2885148
selinux-policy-default_2.20131214-1_all.deb
7671993e7e32562eec4dcf6310b77c37de4c45d2195a767dffbed31215c8ac05 2935304
selinux-policy-mls_2.20131214-1_all.deb
b1696f5d3d842b4dd056531386c4ee752a0de4b331dfda703052adbc4648b026 1167640
selinux-policy-src_2.20131214-1_all.deb
fcbf8c9035153cdbe7a70fc29ca04e14d1f8f68ab0097b3be0aea3023a356b20 440436
selinux-policy-dev_2.20131214-1_all.deb
6bfddcf99adc0f3a8f639814f0f0bb382e87641d3ad54e6529f727c2a9e502dc 398866
selinux-policy-doc_2.20131214-1_all.deb
Files:
009fedb1b5b513c8123b2ba2088026b4 2028 admin optional refpolicy_2.20131214-1.dsc
b66c7c9a265d91e16b9f134e076c5ec6 485350 admin optional
refpolicy_2.20131214.orig.tar.bz2
6792723027c93c25a12f8bab2e746608 59842 admin optional
refpolicy_2.20131214-1.debian.tar.gz
2275eb2d63b198c245a3353985e247ea 2885148 admin optional
selinux-policy-default_2.20131214-1_all.deb
d6e649027c6e3d95344a104ae1be1e50 2935304 admin extra
selinux-policy-mls_2.20131214-1_all.deb
ef3ac2ea73ff2d09f0126045ce0f4b6e 1167640 admin optional
selinux-policy-src_2.20131214-1_all.deb
d59dd550ae8cde1a99c786e63391c8c6 440436 admin optional
selinux-policy-dev_2.20131214-1_all.deb
3c19766a4b2a78e2eb0a11911dcc4044 398866 doc optional
selinux-policy-doc_2.20131214-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAEBCAAGBQJSrii4AAoJEB/FiR66sEPVh1kH/2PzUsu94edbBWhzac59dnHU
eEXTa9FcPgBN0CGw7km2G6RYz+6nQ8XSknhJq4AIu3NrryNidGRvW6mOLcTLQhTy
xLI7Z6Fbh0OzCw8UNlOs7KucgPbqhS4JLYvZKGzmOEp/06JfFJ1+l3QM2Y77Sfik
ZsB5J8zsKt16bqfafF3qH+T67W6CX+lzQasMz1O3MK8PVNLrBKz2MHYwKdtJmwDG
zNsLJU6gonEEdrDX1dUUXJPYad7riOpqmHjr3v45xMxTeak6Y2+aHRt2OxrtA3JO
C6V9KiSubqJ+LK5kiovCJUUN9plRj1cOkutvS+YxjFfNtNlFil2y1Wpts9OFPH4=
=aM4B
-----END PGP SIGNATURE-----
--- End Message ---
