Debian Bug report logs - #687314
selinux-policy-default: Symlink /var/run incorrectly labeled

Package: selinux-policy-default; Maintainer for selinux-policy-default is Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>; Source for selinux-policy-default is src:refpolicy (PTS, buildd, popcon).

Reported by: Henrik Ahlgren <pablo@seestieto.com>

Date: Tue, 11 Sep 2012 16:36:02 UTC

Severity: critical

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>:
Bug#687314; Package selinux-policy-default. (Tue, 11 Sep 2012 16:36:04 GMT)


Acknowledgement sent to Henrik Ahlgren <pablo@seestieto.com>:
New Bug report received and forwarded. Copy sent to Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>. (Tue, 11 Sep 2012 16:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henrik Ahlgren <pablo@seestieto.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: selinux-policy-default: Symlink /var/run incorrectly labeled
Date: Tue, 11 Sep 2012 19:32:42 +0300
Package: selinux-policy-default
Version: 2:2.20110726-10
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

Debian is transitioning to /run instead of /var/run, and
/var/run is a symlink to /run. 

However lots of software still uses the old path, causing a lot of
avc messages like:

type=AVC msg=audit(1347379376.519:295): avc:  denied  { read } for  pid=3506 comm="dhclient" name="run" dev=sda1 ino=5505027 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1347379429.407:327): avc:  denied  { read } for  pid=2437 comm="dbus-daemon" name="run" dev=sda1 ino=5505027 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file

sudo grep var_t /var/log/audit/audit.log|wc -l
187

semanage fcontext -l reports the following:

SELinux Distribution fcontext Equivalence 

/var/run/lock = /var/lock
/run = /var/run
/var/run/shm = /dev/shm
/lib64 = /lib
/run/shm = /dev/shm
/run/lock = /var/lock

I don't know what this means exactly, but it does not seem to prevent
the avc flood. Also, policy/modules/kernel/files.fc have these
entries:

/var/run                        -d      gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run                        -l      gen_context(system_u:object_r:var_run_t,s0)

But for some reason it appears that the symlink does not get labeled
correctly, and "semanage fcontext -l" does list only the directory, not
the symlink. Manually changing the context to var_run_t does seem to help.

Cheers, Henrik

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
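The AVC flood Henrik quotes is worth triaging mechanically before reaching for audit2allow: a confined domain denied `read` on a `lnk_file` that carries a generic type such as `var_t` is a labeling problem to fix with restorecon, not a policy gap to fix with a new allow rule (audit2allow would happily let dhcpc_t read var_t symlinks, which is the wrong fix). The following is an added example, not code from the bug report or from Debian or refpolicy; it parses the two denials above plus one constructed, unrelated line, counts denials by source type, target type, class and permission, and flags denials on a hand-picked set of generic types (that set is this example's choice).

```python
"""Triage SELinux AVC denials from audit.log.

Added example for this bug report, not code from the report or from Debian.
It parses AVC lines like the two quoted above, groups them by source type,
target type, object class and permission, and flags the pattern the report
describes: denials on an object carrying a generic type (var_t) under the
name "run". That is a labeling problem on the /var/run symlink, fixed with
restorecon, not a policy gap to patch with audit2allow.
"""
import re
from collections import Counter

# The two denials quoted in the report plus one constructed, unrelated line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1347379376.519:295): avc:  denied  { read } for  pid=3506 comm="dhclient" name="run" dev=sda1 ino=5505027 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1347379429.407:327): avc:  denied  { read } for  pid=2437 comm="dbus-daemon" name="run" dev=sda1 ino=5505027 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1347379500.001:340): avc:  denied  { write } for  pid=4100 comm="ntpd" name="drift" dev=sda1 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type[:range]; only the type matters for triage.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


# Generic types that normally appear on a target only when something is
# mislabeled; a confined domain tripping over one of these is a relabel
# case, not an allow-rule case. (This list is the example's own choice.)
GENERIC_TYPES = {"var_t", "etc_t", "usr_t", "default_t", "unlabeled_t"}


def suspected_mislabels(records):
    """Return {(name, tclass, ttype): {source types}} for denials on generic types."""
    out = {}
    for rec in records:
        if rec is not None and rec["ttype"] in GENERIC_TYPES:
            key = (rec.get("name"), rec["tclass"], rec["ttype"])
            out.setdefault(key, set()).add(rec["stype"])
    return out


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(n, *key)
    recs = [parse_avc(line) for line in SAMPLE_AUDIT_LOG.splitlines()]
    for (name, tclass, ttype), domains in suspected_mislabels(recs).items():
        print(f'check the label of "{name}" ({tclass}, currently {ttype}); '
              f"hit by {', '.join(sorted(domains))}; restorecon it rather than allow it")
```

Run against a real `/var/log/audit/audit.log` the summary makes the "187 lines of var_t" figure meaningful: two domains, one object, one permission, all pointing at a single mislabeled inode rather than 187 separate problems.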



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>:
Bug#687314; Package selinux-policy-default. (Tue, 11 Sep 2012 17:39:03 GMT)


Acknowledgement sent to Henrik Ahlgren <pablo@seestieto.com>:
Extra info received and forwarded to list. Copy sent to Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>. (Tue, 11 Sep 2012 17:39:03 GMT)


Message #10 received at 687314@bugs.debian.org:

From: Henrik Ahlgren <pablo@seestieto.com>
To: 687314@bugs.debian.org
Subject: Re: selinux-policy-default: Symlink /var/run incorrectly labeled
Date: Tue, 11 Sep 2012 20:10:03 +0300
It appears that this problem is somehow related to this error when
trying to manually install modules:

libsepol.permission_copy_callback: Module xserver depends on
permission audit_access in class dir, not satisfied (No such file or
directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file
or directory).
semodule:  Failed!

After purging and re-installing selinux-policy-default, I no longer
get the error, and also /var/run is labeled correctly.

Please close this bug. However, there clearly is something that
can go wrong with the selinux-policy package, probably during
squeeze -> wheezy upgrade. The package installation does not
fail, but the policy does not get upgraded fully.

Sorry for the inconvenience.

Henrik



Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Wed, 12 Sep 2012 09:51:04 GMT)


Notification sent to Henrik Ahlgren <pablo@seestieto.com>:
Bug acknowledged by developer. (Wed, 12 Sep 2012 09:51:04 GMT)


Message #15 received at 687314-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 687314-submitter@bugs.debian.org
Cc: 687314-close@bugs.debian.org
Subject: Re: selinux-policy-default: Symlink /var/run incorrectly labeled
Date: Wed, 12 Sep 2012 11:47:20 +0200
Hi,

It would have been interesting to give us the label of the symlink, you
can get this information with the -Z option of the ls command.

About the fact that "semodule fcontext -l" command was not listing the
label for the symlink and that you cannot load the xserver module,
that might be because you were still running the old version of the
policy.
After the upgrade you should reinstall/upgrade all the modules that you
are using. You can have a look at the selinux-policy-upgrade command to
achieve this.

This should probably be documented somewhere in the release notes...

Closing this bugreport

Cheers

Laurent Bigonville
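The check Laurent asks for (`ls -Z /var/run` for the label the symlink actually carries, `matchpathcon /var/run` for the one the loaded policy wants, `restorecon -v /var/run` to reconcile them) and the two files.fc entries Henrik quoted can be tied together to show why the symlink needs its own `-l` rule. The following is an added example, not code from the bug report, from Debian or from refpolicy/libselinux; it re-implements matchpathcon's two steps in simplified form (apply the path equivalences `semanage fcontext -l` listed, then pick the most specific rule whose file-type restriction fits) with the `/var(/.*)?` and `/var/run/.*` rows, the "longest equivalence prefix wins, last matching rule wins" ordering, and the `s0`-only expansion of `gen_context()` being this example's assumptions.

```python
"""Why the /var/run symlink needs its own file-context rule, and how to check it.

Added example for this bug report, not code from the report or from
refpolicy/libselinux. It re-implements, in simplified form, the two steps
matchpathcon performs: apply the path equivalences listed by
`semanage fcontext -l`, then pick the most specific file_contexts rule whose
file-type restriction (-d, -l, ...) fits. Assumptions are marked below.
"""
import os
import re
import stat

# Equivalences exactly as listed in the report ("/run = /var/run" means a
# path under /run is labeled as if it were under /var/run). Assumption: the
# longest matching prefix wins and only one substitution is applied.
SUBS = [
    ("/var/run/lock", "/var/lock"),
    ("/run", "/var/run"),
    ("/var/run/shm", "/dev/shm"),
    ("/lib64", "/lib"),
    ("/run/shm", "/dev/shm"),
    ("/run/lock", "/var/lock"),
]

# (regex, file type or None for any, context). The two bare /var/run rows are
# the files.fc lines quoted in the report with gen_context() expanded for a
# non-MLS policy; the other two rows are assumed refpolicy entries. Later
# rows are more specific and win over earlier ones (this example's ordering).
RULES = [
    (r"/var(/.*)?", None, "system_u:object_r:var_t:s0"),
    (r"/var/run/.*", None, "system_u:object_r:var_run_t:s0"),
    (r"/var/run", "d", "system_u:object_r:var_run_t:s0"),
    (r"/var/run", "l", "system_u:object_r:var_run_t:s0"),
]


def apply_subs(path, subs=SUBS):
    """Rewrite `path` through the longest matching equivalence, if any."""
    best = None
    for src, dst in subs:
        if (path == src or path.startswith(src + "/")) and (best is None or len(src) > len(best[0])):
            best = (src, dst)
    return path if best is None else best[1] + path[len(best[0]):]


def expected_context(path, ftype, rules=RULES, subs=SUBS):
    """Context the rules assign to `path` for a file of type ftype ('d', 'l', '-', ...)."""
    path = apply_subs(path, subs)
    ctx = None
    for regex, rule_type, context in rules:
        if rule_type is not None and rule_type != ftype:
            continue  # a -d rule never labels a symlink, and vice versa
        if re.fullmatch(regex, path):
            ctx = context
    return ctx


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def needs_relabel(actual, expected):
    """Compare types only: the SELinux user field may legitimately differ."""
    return context_type(actual) != context_type(expected)


def actual_context(path):
    """What `ls -Z` shows: the security.selinux xattr of the path itself, not its target."""
    raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    return raw.rstrip(b"\0").decode()


def file_type_char(path):
    st = os.lstat(path)
    return "l" if stat.S_ISLNK(st.st_mode) else "d" if stat.S_ISDIR(st.st_mode) else "-"


if __name__ == "__main__":
    # Without the -l entry the symlink falls through to the generic /var rule:
    # exactly the var_t the AVC messages in the report show.
    no_symlink_rule = [r for r in RULES if r[1] != "l"]
    print("with -l rule:   ", expected_context("/var/run", "l"))
    print("without -l rule:", expected_context("/var/run", "l", no_symlink_rule))
    try:
        actual = actual_context("/var/run")
        expected = expected_context("/var/run", file_type_char("/var/run"))
        verdict = "run: restorecon -v /var/run" if needs_relabel(actual, expected) else "label OK"
        print(f"/var/run is {actual}, policy wants {expected}: {verdict}")
    except (OSError, AttributeError):
        print("no SELinux xattr readable here; on the box use: ls -Z /var/run; matchpathcon /var/run")
```

The `-d` entry alone cannot label a symlink, so once `/var/run` became a link the `-l` entry is what keeps it `var_run_t`; a system still running an older compiled policy, as this thread concludes was the case, behaves like the `no_symlink_rule` table above. Comparing only the type field when deciding whether to relabel avoids false alarms from a differing SELinux user on otherwise correctly labeled files.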



Message sent on to Henrik Ahlgren <pablo@seestieto.com>:
Bug#687314. (Wed, 12 Sep 2012 09:51:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 11 Oct 2012 07:25:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 13 13:54:10 2018; Machine Name: beach
