Debian Bug report logs - #900580
Please restore SELinux context after creating the files in /var/lib/texmf
Reported by: Laurent Bigonville <bigon@debian.org>
Date: Fri, 1 Jun 2018 15:39:01 UTC
Severity: normal
Found in version tex-common/6.09
Done: Norbert Preining <preining@logic.at>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Fri, 01 Jun 2018 15:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
New Bug report received and forwarded. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Fri, 01 Jun 2018 15:39:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: tex-common
Version: 6.09
Severity: normal
User: selinux-devel@lists.alioth.debian.org
Usertags: selinux
Hi,
When installing tex related packages, files are being generated in
/var/lib/texmf by maintainer scripts/triggers.
The generated files end up being labeled as dpkg_script_tmp_t instead
of tetex_data_t as they are created in /tmp and then moved.
To fix this, there are several ways:
1) Run the restorecon utility (when present) on the newly created files
2) Move the files using the -Z option so the label is set atomically in
one go (the option is supported in current Debian stable)
3) Copy the files instead of moving them; copied files end up with the
label of their parent folder
Kind regards,
Laurent Bigonville
# restorecon -Rv /var/lib/texmf
Relabeled /var/lib/texmf/web2c/metafont/mf.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/metafont/mf.base from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/tex/tex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/tex/tex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/pdfetex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/pdftex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/etex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/pdftex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/pdfetex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/pdftex/etex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/luatex/dviluatex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/luatex/dviluatex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/luatex/luatex.fmt from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
Relabeled /var/lib/texmf/web2c/luatex/luatex.log from unconfined_u:object_r:dpkg_script_tmp_t:s0 to unconfined_u:object_r:tetex_data_t:s0
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
Versions of packages tex-common depends on:
ii dpkg 1.19.0.5+b1
ii ucf 3.0038
tex-common recommends no packages.
Versions of packages tex-common suggests:
ii debhelper 11.3.2
Versions of packages texlive-base depends on:
ii debconf [debconf-2.0] 1.5.66
ii libpaper-utils 1.1.24+nmu5
ii texlive-binaries 2018.20180416.47457-4
ii ucf 3.0038
ii xdg-utils 1.1.3-1
Versions of packages texlive-base recommends:
ii lmodern 2.004.5-3
Versions of packages texlive-base suggests:
ii evince [postscript-viewer] 3.28.2-1
ii ghostscript [postscript-viewer] 9.22~dfsg-2.1
pn perl-tk <none>
pn xpdf-reader | pdf-viewer <none>
Versions of packages texlive-binaries depends on:
ii dpkg 1.19.0.5+b1
ii libc6 2.27-3
ii libcairo2 1.15.10-3
ii libfontconfig1 2.13.0-5
ii libfreetype6 2.8.1-2
ii libgcc1 1:8.1.0-4
ii libgmp10 2:6.1.2+dfsg-3
ii libgraphite2-3 1.3.11-2
ii libgs9 9.22~dfsg-2.1
ii libharfbuzz-icu0 1.7.6-1+b1
ii libharfbuzz0b 1.7.6-1+b1
ii libice6 2:1.0.9-2
ii libicu60 60.2-6
ii libkpathsea6 2018.20180416.47457-4
ii libmpfr6 4.0.1-1
ii libpaper1 1.1.24+nmu5
ii libpixman-1-0 0.34.0-2
ii libpng16-16 1.6.34-1
ii libpotrace0 1.15-1
ii libptexenc1 2018.20180416.47457-4
ii libsm6 2:1.2.2-1+b3
ii libstdc++6 8.1.0-4
ii libsynctex2 2018.20180416.47457-4
ii libtexlua52 2018.20180416.47457-4
ii libtexlua53 2018.20180416.47457-4
ii libtexluajit2 2018.20180416.47457-4
ii libx11-6 2:1.6.5-1
ii libxaw7 2:1.0.13-1+b2
ii libxext6 2:1.3.3-1+b2
ii libxi6 2:1.7.9-1
ii libxmu6 2:1.1.2-2
ii libxpm4 1:3.5.12-1
ii libxt6 1:1.1.5-1
ii libzzip-0-13 0.13.62-3.1
ii perl 5.26.2-5
ii t1utils 1.41-2
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages texlive-binaries recommends:
ii texlive-base 2018.20180505-1
-- debconf information excluded
-- debsums errors found:
debsums: changed file /usr/sbin/update-tl-stacked-conffile (from tex-common package)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Fri, 01 Jun 2018 16:09:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Norbert Preining <norbert@preining.info>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Fri, 01 Jun 2018 16:09:08 GMT) (full text, mbox, link).
Message #10 received at 900580@bugs.debian.org (full text, mbox, reply):
Hi Laurent,
sorry to say, but ...
> The generated files end up being labeled as dpkg_script_tmp_t instead
> of tetex_data_t as they are created in /tmp and then moved.
I have absolutely no idea what you are talking about!?!
tetex_data_t is something I heard the very first time.
It is something that I never used and there is nothing in tex-common
related to it, so I have no idea where it is coming from.
Best
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Fri, 01 Jun 2018 17:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Fri, 01 Jun 2018 17:03:03 GMT) (full text, mbox, link).
Message #15 received at 900580@bugs.debian.org (full text, mbox, reply):
Le 01/06/18 à 18:08, Norbert Preining a écrit :
> Hi Laurent,
>
> sorry to say, but ...
>
>> The generated files end up being labeled as dpkg_script_tmp_t instead
>> of tetex_data_t as they are created in /tmp and then moved.
> I have absolutely no idea what you are talking about!?!
>
> tetex_data_t is something I heard the very first time.
>
> It is something that I never used and there is nothing in tex-common
> related to it, so I have no idea where it is coming from.
Well the problem (from a SELinux perspective) is that the files from
/var/lib/texmf are created in /tmp and then moved to their final location.
So something needs to be done to fix that (as explained), so the first
question would be, what is generating these files?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Sat, 02 Jun 2018 00:12:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Norbert Preining <norbert@preining.info>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Sat, 02 Jun 2018 00:12:02 GMT) (full text, mbox, link).
Message #20 received at 900580@bugs.debian.org (full text, mbox, reply):
On Fri, 01 Jun 2018, Laurent Bigonville wrote:
> Well the problem (from a SELinux perspective) is that the files from
> /var/lib/texmf are created in /tmp and then moved to their final location.
>
> So something needs to be done to fix that (as explained), so the first
> question would be, what is generating these files?
Of course it is *us* tex-common creating these files, but I never heard
about the
tetex_foobar
stuff the SELinux ships out. This is nothing of my doing. So you need to
first find out who/what attaches any of these tags.
Thanks
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Sat, 02 Jun 2018 07:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Sat, 02 Jun 2018 07:33:02 GMT) (full text, mbox, link).
Message #25 received at 900580@bugs.debian.org (full text, mbox, reply):
Le 02/06/18 à 02:08, Norbert Preining a écrit :
> On Fri, 01 Jun 2018, Laurent Bigonville wrote:
>> Well the problem (from a SELinux perspective) is that the files from
>> /var/lib/texmf are created in /tmp and then moved to their final location.
>>
>> So something needs to be done to fix that (as explained), so the first
>> question would be, what is generating these files?
> Of course it is *us* tex-common creating these files, but I never heard
> about the
> tetex_foobar
> stuff the SELinux ships out. This is nothing of my doing. So you need to
> first find out who/what attaches any of these tags.
The kernel does.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Sat, 02 Jun 2018 11:51:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Norbert Preining <norbert@preining.info>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Sat, 02 Jun 2018 11:51:07 GMT) (full text, mbox, link).
Message #30 received at 900580@bugs.debian.org (full text, mbox, reply):
Hi
>> about the
>> tetex_foobar
>> stuff the SELinux ships out. This is nothing of my doing. So you need to
>> first find out who/what attaches any of these tags.
> The kernel does.
Sure enough the kernel does, but based on a role set that is shipped with Debian. I'm quite sure (near to 100%) that the kernel does not contain rules about tetex!!!
So the question is who/what did set up these rules, it was none of us.
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Sat, 02 Jun 2018 19:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Hilmar Preuße <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Sat, 02 Jun 2018 19:09:03 GMT) (full text, mbox, link).
Message #35 received at 900580@bugs.debian.org (full text, mbox, reply):
On 02.06.2018 13:48, Norbert Preining wrote:
Hi,
> Sure enough the kernel does, but based on a role set that is shipped
> with Debian. I'm quite sure (near to 100%) that the kernel does not
> contain rules about tetex!!!
>
> So the question is who/what did set up these rules, it was none of us.
>
AFAICT it is in the upstream code of refpolicy (Source package).

policy/modules/system/miscfiles.te:type tetex_data_t;
policy/modules/system/miscfiles.te:files_tmp_file(tetex_data_t)
policy/modules/system/miscfiles.fc:/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
policy/modules/system/miscfiles.fc:/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)

etc.
H.
--
sigfault
#206401 http://counter.li.org
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Mon, 04 Jun 2018 00:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Norbert Preining <preining@logic.at>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Mon, 04 Jun 2018 00:12:03 GMT) (full text, mbox, link).
Message #40 received at 900580@bugs.debian.org (full text, mbox, reply):
Hi Laurent,
> 3) Copy the files instead of moving them; copied files end up with the
> label of their parent folder
I think I will implement this change upstream, so that other
distributions will profit from it at the same time.
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Mon, 04 Jun 2018 00:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Norbert Preining <preining@logic.at>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Mon, 04 Jun 2018 00:18:03 GMT) (full text, mbox, link).
Message #45 received at 900580@bugs.debian.org (full text, mbox, reply):
Hi Karl,
currently fmtutil *moves* the .fmt and .log (and .fls) files from the
temporary directory to $TEXMFVAR.
This is all fine in most cases, but when a distribution activated
SELinux, moved files keep the attributes of the creation directory
(/tmp) and not the special attributes for the target.
Please see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900580
While I personally don't use selinux, I understand the need. I first
thought to implement the restorecon call in the Debian specific part,
but this seems to be wrong, since other distributions might face the
same problem.
So what about exchanging
File::Copy::move
with
File::Copy::copy
in fmtutil on installing the generated files. The temp dirs including
their content will be removed anyway.
Please see attached patch
All the best
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
[fmtutil.diff (text/x-diff, attachment)]
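The remedies listed in the original report and the move-to-copy change proposed in the message above, combined into one install routine for a maintainer script. This is an added example, not code from fmtutil, tex-common or the attached patch; `install_generated`, `selinux_active` and the 0644 mode are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): install a file that was
# generated in a temporary directory so that it carries the label of its
# destination directory instead of the label it received in /tmp.

# Succeeds only when the SELinux tools are installed and SELinux is enabled.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# install_generated SRC DST
#  1. Create a temporary file inside DST's directory and copy SRC into it.
#     A file is labeled when it is created, based on the directory it is
#     created in (remedy 3). A plain mv from /tmp on the same filesystem is
#     a rename, which keeps the dpkg_script_tmp_t label from creation time.
#  2. Rename the temporary file to DST. The rename stays inside one
#     directory, so the label is already right and readers never observe a
#     half-written file.
#  3. When SELinux is active and restorecon is present, also apply the
#     policy's file-context entry for DST (remedy 1).
#  "mv -Z SRC DST" (remedy 2, GNU coreutils) is the one-step alternative.
install_generated() {
    src=$1
    dst=$2
    dstdir=$(dirname -- "$dst")
    tmp=$(mktemp "$dstdir/.install.XXXXXX") || return 1
    if ! cp -- "$src" "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    # mktemp creates the file with mode 0600; 0644 is an assumption here
    # (generated format files are read by ordinary users).
    chmod 644 "$tmp"
    if ! mv -f -- "$tmp" "$dst"; then
        rm -f -- "$tmp"
        return 1
    fi
    if selinux_active && command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst" || echo "warning: restorecon failed for $dst" >&2
    fi
    # The source is removed only after the destination is in place.
    rm -f -- "$src"
}
```

On a system with SELinux enabled, `ls -Z` on the destination shows the resulting label; `restorecon -Rv /var/lib/texmf`, as run in the original report, should then print nothing for files installed this way.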
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian TeX maintainers <debian-tex-maint@lists.debian.org>:
Bug#900580; Package tex-common.
(Mon, 04 Jun 2018 08:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian TeX maintainers <debian-tex-maint@lists.debian.org>.
(Mon, 04 Jun 2018 08:45:04 GMT) (full text, mbox, link).
Message #50 received at 900580@bugs.debian.org (full text, mbox, reply):
Le 04/06/18 à 02:09, Norbert Preining a écrit :
> Hi Laurent,
>
>> 3) Copy the files instead of moving them; copied files end up with the
>> label of their parent folder
> I think I will implement this change upstream, so that other
> distributions will profit from it at the same time.
Yeah that's why I was asking what exactly is generating these files,
because "update-tl-stacked-conffile" script seems to be debian specific.
Reply sent
to Norbert Preining <preining@logic.at>:
You have taken responsibility.
(Sat, 01 Sep 2018 15:12:03 GMT) (full text, mbox, link).
Notification sent
to Laurent Bigonville <bigon@debian.org>:
Bug acknowledged by developer.
(Sat, 01 Sep 2018 15:12:03 GMT) (full text, mbox, link).
Message #55 received at 900580-done@bugs.debian.org (full text, mbox, reply):
Hi Laurent,
> To fix this, there are several ways:
...
> 3) Copy the files instead of moving them; copied files end up with the
> label of their parent folder
On Mon, 04 Jun 2018, Norbert Preining wrote:
> I think I will implement this change upstream, so that other
> distributions will profit from it at the same time.
That has happened already quite some time ago by upstream changes that
are already in Debian. I thus close this bug.
If you have other problems with selinux, please open a new one.
Thanks
Norbert
--
PREINING Norbert http://www.preining.info
Accelia Inc. + JAIST + TeX Live + Debian Developer
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 30 Sep 2018 07:28:39 GMT) (full text, mbox, link).