Package: selinux-policy-default
Version: 2:2.20140421-9
Justification: renders package unusable
Severity: grave

Dear Maintainer,

executing

    # lvcreate -l "100%FREE" -n 00 bak00

hangs forever when SELinux is set to enforcing. Because the command never returns it is unclear if the operation was successful or not; whether or not data was written to disk (which might corrupt the LVM data on disk).

The following AVC is logged:

    type=AVC msg=audit(1427722098.297:76): avc: denied { associate } for pid=1178 comm="dmsetup" key=223152149 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
    type=SYSCALL msg=audit(1427722098.297:76): arch=c000003e syscall=64 success=no exit=-13 a0=d4d0815 a1=1 a2=0 a3=7ffe6908a9d0 items=0 ppid=1173 pid=1178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)

Exactly the same happens when executing

    # cryptsetup luksOpen /dev/mapper/bak00-00 uencbak00

Also hangs; same AVCs.

I set the severity to 'grave' because two important commands (lvcreate / cryptsetup) do not work when SELinux is enabled with the current default policy; LVM is installed in more than 25% of all systems (https://qa.debian.org/popcon.php?package=lvm2). Also it is unclear if data is (partially) written to disk that might corrupt the data structures on disk.

If you want I can start a root cause analysis - if you want I can try to generate a patch: just drop me a short note.

Kind regards
Andreas

P.S.: Version information

||/ Name            Version       Architecture  Description
+++-===============-=============-=============-============================================
ii  cryptsetup-bin  2:1.6.6-5     amd64         disk encryption support - command line tools
ii  lvm2            2.02.111-2.1  amd64         Linux Logical Volume Manager

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
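
Added example, not part of the original report: Python code that parses the two audit records quoted in the report, pairs them by event serial, and decodes the numeric SYSCALL fields next to the AVC's access vector. The function names and lookup tables are assumptions of this example; the tables cover only the values that occur in the report (x86_64 syscall 64 is semget, errno 13 is EACCES).

```python
import re
# The two audit records quoted in the report (event serial 76), copied from it.
RECORDS = [
    'type=AVC msg=audit(1427722098.297:76): avc: denied { associate } for pid=1178 comm="dmsetup" key=223152149 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0',
    'type=SYSCALL msg=audit(1427722098.297:76): arch=c000003e syscall=64 success=no exit=-13 a0=d4d0815 a1=1 a2=0 a3=7ffe6908a9d0 items=0 ppid=1173 pid=1178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0-s0:c0.c1023 key=(null)',
]
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: lookup tables limited to the values that occur in this report.
AUDIT_ARCH = {"c000003e": "x86_64"}
SYSCALLS = {("x86_64", 64): "semget"}
ERRNO = {13: "EACCES"}

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"type": m.group(1), "serial": int(m.group(3))}
    rest = line[m.end():]
    p = PERMS.search(rest)
    if p:
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(rest))
    return rec

def decode_denials(lines):
    """Pair each AVC with the SYSCALL record sharing its event serial."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL", {})
        if avc is None:
            continue
        arch = AUDIT_ARCH.get(sc.get("arch"), "unknown")
        out.append({
            "source_type": avc["scontext"].split(":", 3)[2],
            "target_type": avc["tcontext"].split(":", 3)[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "enforced": avc.get("permissive") == "0",
            "syscall": SYSCALLS.get((arch, int(sc.get("syscall", -1))), "unknown"),
            "errno": ERRNO.get(-int(sc.get("exit", 0)), "unknown"),
            # semget's first argument (a0, hex) is the IPC key named in the AVC
            "key_is_syscall_arg": int(sc.get("a0", "0"), 16) == int(avc.get("key", -1)),
        })
    return out
```

Calling decode_denials(RECORDS) returns one entry: dmsetup, running as lvm_t, was refused associate on a semaphore labelled unconfined_t, and the refused call was semget with the same key the AVC names.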