Debian Bug report logs - #473048
selinux-policy-refpolicy-targeted: Policy is incorrectly built without MLS (MCS) support

Package: selinux-policy-refpolicy-targeted; Maintainer for selinux-policy-refpolicy-targeted is (unknown);

Reported by: Russell Coker <russell@coker.com.au>

Date: Thu, 27 Mar 2008 23:12:02 UTC

Severity: important

Found in version 0.0.20061018-5.3

Done: Manoj Srivastava <manoj.srivastava@stdc.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#473048; Package selinux-policy-refpolicy-targeted.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Manoj Srivastava <srivasta@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: selinux-policy-refpolicy-targeted: Policy is incorrectly built without MLS (MCS) support
Date: Fri, 28 Mar 2008 10:06:33 +1100

Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-5.3
Severity: important

The current policy package builds in non-MLS mode (i.e. without MCS support).

Changing between MCS and non-MCS requires a purge and reinstall of the package
and a reboot; it's painful and unpleasant.  Also not using it makes it
difficult to interoperate with Fedora/RHEL systems.  To avoid this we want to
not release policy without MCS support.

The following patch makes the policy build with MCS support, not sure if it's
the best way to do it, but it seems to work.


diff -ru refpolicy-0.0.20080314.org/debian/build.conf.strict refpolicy-0.0.20080314/debian/build.conf.strict
--- refpolicy-0.0.20080314.org/debian/build.conf.strict	2008-03-27 23:57:20.000000000 +1100
+++ refpolicy-0.0.20080314/debian/build.conf.strict	2008-03-28 09:27:26.000000000 +1100
@@ -14,7 +14,7 @@
 # strict, targeted,
 # strict-mls, targeted-mls,
 # strict-mcs, targeted-mcs
-TYPE ?= mcs
+TYPE = mcs
 
 # Policy Name
 # If set, this will be used as the policy
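
Review bot: The comment block directly above this assignment in build.conf.strict still lists the accepted values as strict, targeted, strict-mls, targeted-mls, strict-mcs and targeted-mcs, and none of them is the plain `mcs` that is assigned here and that local.mk now passes as TYPE. Update the comment to the list build.conf.targeted uses ("standard, mls, mcs") so the file documents the value it actually sets.
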
diff -ru refpolicy-0.0.20080314.org/debian/build.conf.targeted refpolicy-0.0.20080314/debian/build.conf.targeted
--- refpolicy-0.0.20080314.org/debian/build.conf.targeted	2008-03-27 15:53:40.000000000 +1100
+++ refpolicy-0.0.20080314/debian/build.conf.targeted	2008-03-28 09:27:34.000000000 +1100
@@ -12,7 +12,7 @@
 
 # Policy Type
 # standard, mls, mcs
-TYPE ?= mcs
+TYPE = mcs
 
 # Policy Name
 # If set, this will be used as the policy
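
Review bot: Changing `TYPE ?= mcs` to `TYPE = mcs` should make no difference to the package build, because every $(MAKE) call touched in debian/local.mk passes TYPE=... on the command line, and a command-line variable overrides either form of assignment in a makefile. The only behavioural difference is that a TYPE exported in the environment no longer takes precedence. If pinning against the environment is the intent, say so in the changelog; otherwise this change and the identical one in build.conf.strict can be dropped from the patch.
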
diff -ru refpolicy-0.0.20080314.org/debian/local.mk refpolicy-0.0.20080314/debian/local.mk
--- refpolicy-0.0.20080314.org/debian/local.mk	2008-03-27 15:53:40.000000000 +1100
+++ refpolicy-0.0.20080314/debian/local.mk	2008-03-28 09:35:35.000000000 +1100
@@ -71,10 +71,10 @@
 	  cp debian/build.conf.strict $(SRCTOP)/debian/build-$(package)/build.conf
 	test -e debian/stamp-config-strict  ||                             \
 	  $(MAKE) -C $(SRCTOP)/debian/build-$(package)                     \
-                   NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) bare
+                   NAME=refpolicy-strict TYPE=$(MCS_MLS_TYPE) $(OPTIONS) bare
 	test -e debian/stamp-config-strict  ||                             \
 	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
-           $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) conf)
+           $(MAKE) NAME=refpolicy-strict TYPE=$(MCS_MLS_TYPE) $(OPTIONS) conf)
 	cp debian/modules.conf.strict                                      \
                      $(SRCTOP)/debian/build-$(package)/policy/modules.conf
 	echo done > debian/stamp-config-strict
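
Review bot: With the `strict` prefix removed from TYPE in the bare and conf calls, nothing in TYPE distinguishes the strict build from the targeted one any more; the difference now rests on NAME and on the build.conf.strict and modules.conf.strict files copied in this rule. Please state that in the changelog or in a comment here, since it is the part of the change a reader is most likely to question.
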
@@ -96,10 +96,10 @@
 	  cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
 	test -e debian/stamp-config-targeted  ||                           \
 	  $(MAKE) -C $(SRCTOP)/debian/build-$(package)                     \
-                 NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) bare
+                 NAME=refpolicy-targeted TYPE=$(MCS_MLS_TYPE) $(OPTIONS) bare
 	test -e debian/stamp-config-targeted  ||                           \
 	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
-           $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) conf)
+           $(MAKE) NAME=refpolicy-targeted TYPE=$(MCS_MLS_TYPE) $(OPTIONS) conf)
 	cp debian/modules.conf.targeted                                    \
                      $(SRCTOP)/debian/build-$(package)/policy/modules.conf
 	echo done > debian/stamp-config-targeted
@@ -166,7 +166,7 @@
 	$(REASON)
 	test -e debian/stamp-build-strict                    ||            \
 	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
-           $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+           $(MAKE) NAME=refpolicy-strict TYPE=$(MCS_MLS_TYPE) $(OPTIONS) policy all)
 	echo done > debian/stamp-build-strict   
 STAMPS_TO_CLEAN += debian/stamp-build-strict   
 
@@ -174,7 +174,7 @@
 	$(REASON)
 	test -e debian/stamp-build-targeted                    ||            \
 	  (cd $(SRCTOP)/debian/build-$(package) ;                            \
-           $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+           $(MAKE) NAME=refpolicy-targeted TYPE=$(MCS_MLS_TYPE) $(OPTIONS) policy all)
 	echo done > debian/stamp-build-targeted 
 STAMPS_TO_CLEAN += debian/stamp-build-targeted   
 
@@ -197,7 +197,7 @@
 	test -f $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local || \
 	touch $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local
 	(cd $(SRCTOP)/debian/build-$(package);                                  \
-            $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) \
+            $(MAKE) NAME=refpolicy-strict TYPE=$(MCS_MLS_TYPE) $(OPTIONS) \
                     DESTDIR=$(TMPTOP) install  install-headers                  \
           $(TMPTOP)/etc/selinux/refpolicy-strict/users/local.users              \
           $(TMPTOP)/etc/selinux/refpolicy-strict/users/system.users)
@@ -226,7 +226,7 @@
 	test -f $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local || \
 	touch $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local
 	(cd $(SRCTOP)/debian/build-$(package);                                      \
-            $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) \
+            $(MAKE) NAME=refpolicy-targeted TYPE=$(MCS_MLS_TYPE) $(OPTIONS) \
                     DESTDIR=$(TMPTOP) install  install-headers                      \
           $(TMPTOP)/etc/selinux/refpolicy-targeted/users/local.users                \
           $(TMPTOP)/etc/selinux/refpolicy-targeted/users/system.users)
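
Review bot: `TYPE=$(MCS_MLS_TYPE)` is now spelled out in eight separate $(MAKE) calls across the config, build and install rules in local.mk, and the resulting policy is only consistent if all of them agree. Define the shared arguments once, for example a single variable holding `TYPE=$(MCS_MLS_TYPE) $(OPTIONS)`, and use it in each call, so that a later change of type cannot be applied to some steps and missed in others.
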
diff -ru refpolicy-0.0.20080314.org/debian/local-vars.mk refpolicy-0.0.20080314/debian/local-vars.mk
--- refpolicy-0.0.20080314.org/debian/local-vars.mk	2008-03-28 00:22:45.000000000 +1100
+++ refpolicy-0.0.20080314/debian/local-vars.mk	2008-03-28 09:35:01.000000000 +1100
@@ -45,8 +45,8 @@
 PYDEFAULT  =$(strip $(shell pyversions -vd))
 MODULES_DIR=$(TMPTOP)/usr/share/python-support/$(package)
 
-# set this to -mcs or -mls
-MCS_MLS_TYPE=-mcs
+# set this to mcs, mls, or an empty string
+MCS_MLS_TYPE=mcs
 
 # Things we have put into the base for Debian systems.
 # egrep base debian/modules.conf.targeted | grep -v '#' | \
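
Review bot: The new comment allows an empty string, but local.mk passes this variable as `TYPE=$(MCS_MLS_TYPE)`, so an empty value puts a bare `TYPE=` on the make command line and replaces the `TYPE = mcs` set in build.conf with nothing. build.conf.targeted documents the non-MLS value as `standard`; document `standard` here instead of the empty string, or have local.mk omit the TYPE argument when the variable is empty.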

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages selinux-policy-refpolicy-targeted depends on:
ii  libpam-modules            0.79-5         Pluggable Authentication Modules f
ii  libselinux1               2.0.15-2.etch1 SELinux shared libraries
ii  policycoreutils           2.0.16-1.etch1 SELinux core policy utilities
ii  python                    2.4.4-2        An interactive high-level object-o

Versions of packages selinux-policy-refpolicy-targeted recommends:
ii  checkpolicy                   1.32-1     SELinux policy compiler
ii  setools                       2.4-3      Tresys tools for managing Security

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#473048; Package selinux-policy-refpolicy-targeted.

Acknowledgement sent to David Härdeman <david@hardeman.nu>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.

Message #10 received at 473048@bugs.debian.org:

From: David Härdeman <david@hardeman.nu>
To: 473048@bugs.debian.org
Cc: russell@coker.com.au
Subject: Policy is incorrectly built without MLS (MCS) support
Date: Sat, 12 Jul 2008 14:41:25 +0200

The non-MLS support of the current policy seems to cause quite a number
of bugs.

For example, running se_aptitude will fail because it tries to run 
aptitude with run_init which will try to change to the context specified 
in /etc/selinux/refpolicy-targeted/contexts/initrc_context which is 
currently system_u:system_r:initrc_t:s0 which fails as the policy 
doesn't support MLS.

Please consider applying Russell's fix pre-Lenny.

-- 
David Härdeman
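
The mismatch described in the message above (a context ending in a level such as `s0` on a policy built without MLS) can be checked for mechanically. The script below is an added example, not part of the original message or of any Debian package; the function names are hypothetical and the policy's MLS state is passed in as an argument.

```sh
#!/bin/sh
# Added example (not from the bug report): flag SELinux contexts whose
# MLS/MCS level field disagrees with how the policy was built.

# context_has_level CONTEXT: succeeds if CONTEXT is user:role:type:level.
# The level may itself contain ':' (s0-s0:c0.c1023), so drop the first two
# fields and test whether a separator is still left after the type.
context_has_level() {
    rest=${1#*:}
    rest=${rest#*:}
    case $rest in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_context CONTEXT POLICY_MLS: POLICY_MLS is 1 for an MLS/MCS policy,
# 0 for a policy built without it. Returns 0 when the two agree.
check_context() {
    if context_has_level "$1"; then ctx_mls=1; else ctx_mls=0; fi
    if [ "$ctx_mls" = "$2" ]; then
        echo "ok: $1"
        return 0
    fi
    echo "MISMATCH: $1 (context has level: $ctx_mls, policy MLS: $2)"
    return 1
}

# check_file FILE POLICY_MLS: check every non-empty, non-comment line of a
# contexts file such as initrc_context. Returns 1 if any line mismatches.
check_file() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        check_context "$line" "$2" || status=1
    done < "$1"
    return "$status"
}

# Constructed demo: the context quoted in the message, checked against a
# policy built without MLS (0) and one built with MCS (1).
check_context "system_u:system_r:initrc_t:s0" 0 || true
check_context "system_u:system_r:initrc_t:s0" 1
```

On a live system the second argument can be read from the `mls` node of the mounted selinuxfs; the path depends on where selinuxfs is mounted.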




Reply sent to Manoj Srivastava <manoj.srivastava@stdc.com>:
You have taken responsibility.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer.

Message #15 received at 473048-done@bugs.debian.org:

From: Manoj Srivastava <manoj.srivastava@stdc.com>
To: 463989-done@bugs.debian.org, 465072-done@bugs.debian.org, 472356-done@bugs.debian.org, 473048-done@bugs.debian.org, 475501-done@bugs.debian.org, 488504-done@bugs.debian.org, 442335-done@bugs.debian.org, 463994-done@bugs.debian.org, 463997-done@bugs.debian.org, 471044-done@bugs.debian.org, 471794-done@bugs.debian.org, 473043-done@bugs.debian.org, 474686-done@bugs.debian.org, 490140-done@bugs.debian.org, 490142-done@bugs.debian.org, 434535-done@bugs.debian.org, 405767-done@bugs.debian.org, 463835-done@bugs.debian.org
Subject: selinux-policy-refpolicy-* packages obsolete, and removed
Date: Tue, 02 Sep 2008 11:29:47 -0500

Hi,

        The packages called selinux-policy-refpolicy-* have been
 obsoleted by selinux-policy-default, and have been removed from Sid and
 Lenny. The latter package is a newer version, with various substantive
 bug fixes and improvements, and the chances are that the bug has been
 fixed in the new line of packages.

        If that happens not to be the case, please file a bug against
 the new package.

        Sorry for the inconvenience, and thanks for your help and
 consideration.

        manoj
-- 
Life is too short to be taken seriously. Oscar Wilde
Manoj Srivastava <manoj.srivastava@stdc.com> <srivasta@acm.org>        
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Oct 2008 07:30:02 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 13:07:45 2014; Machine Name: buxtehude.debian.org
