[DSE-Dev] SELinux state for Bullseye
Christian Göttsche
cgzones at googlemail.com
Fri Feb 12 15:22:08 GMT 2021
On Fri, 12 Feb 2021 at 01:05, Russell Coker <russell at coker.com.au> wrote:
>
> On Tuesday, 9 February 2021 20:27:37 AEDT Laurent Bigonville wrote:
> > OK for libselinux, I've restored the different individual commits from
> > Christian and force pushed everything. I also have added my change to
> > drop the usage of gettid() to fix the remaining RC bug.
> >
> > Please before doing anything, run git pull --rebase in the "debian"
> > branch so you have the last revision and do not force push any changes
> > as a result of my own force push today.
> >
> > I'll try to see if I can restore the individual commits for the other
> > components, but to be honest it's a bit late in the cycle to push non
> > essential changes to the archive, the freeze is this Friday
>
> Thanks for all your great work, sorry for messing that up.
>
> I don't think it's too late for changes that don't have the potential to break
> other things. I think the freeze rules should be treated strictly and
> literally; if they permit it, then we can do it.
>
Thanks for reviewing and your overall maintainer work.
I took a brief look over SELinux related Debian bugs:
#740562 "policycoreutils: cannot disable modules defining types required only by disabled modules"
This was probably a policy issue, not using an apache interface
inside an optional_policy block.
The module yam is no longer part of upstream refpolicy.
Maybe close?
#955805 "policycoreutils: should give details on errors even when verbose isn't enabled"
One can patch src:libsepol to increase the severity of the output:
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 37a44415..5a3d518e 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2249,7 +2249,7 @@ static int __cil_post_report_conflict(struct
cil_tree_node *node, uint32_t *fini
} else if (node->flavor == li->flavor) {
if (node->data == li->data) {
char *path = cil_tree_get_cil_path(node);
- cil_log(CIL_WARN, " at %s:%d\n", path, node->line);
+ cil_log(CIL_ERR, " at %s:%d\n", path, node->line);
}
}
return SEPOL_OK;
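Review bot: raising only the " at %s:%d" location line in __cil_post_report_conflict from CIL_WARN to CIL_ERR is useful only if the "Found conflicting %s rules" header that precedes it is raised to the same level; otherwise a non-verbose build would print bare location lines with no header explaining them. The helper still returns SEPOL_OK unconditionally, so this hunk changes message visibility only, not the build result.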
@@ -2276,7 +2276,7 @@ static int
__cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
concompar(&sort->array[i],
&sort->array[j]) != 0) {
struct cil_list_item li;
int rc2;
- cil_log(CIL_WARN, "Found
conflicting %s rules\n",
+ cil_log(CIL_ERR, "Found
conflicting %s rules\n",
flavor_str);
rc = SEPOL_ERR;
li.flavor = flavor;
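Review bot: logging the conflict at CIL_ERR is consistent with the `rc = SEPOL_ERR;` immediately below, which already fails the build on conflicting context rules, so the message level now matches the actual outcome. Because this alters CIL compiler output for every user, the change should be proposed upstream rather than carried only as a Debian patch, and the patch description should reference #955805 so the motivation is recorded.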
#734174 "openssh-server: SELinux errors in syslog"
Might be closed as requested by the submitter.
#638304 "install: The selinux options are confusing and not all useful cases are covered"
I think you, Russell, misunderstood the behavior of the -Z flag. It does not require an argument, works fine on non-SELinux enabled systems and creates new files with the default SELinux context.
#981629 "selinux-utils: /usr/sbin/sefcontext_compile needs execmem on riscv"
Could you, Russell, try the suggested commands to figure out what library is responsible?
#738524 "libsepol1: strange error message about Duplicate declaration"
Is this still valid, or can it be closed?
#769803 "policycoreutils: Please include /run/resolvconf/resolv.conf in /etc/selinux/restorecond.conf"
One should probably use a type_transition for this case, but I think adding /run/resolvconf/resolv.conf in https://salsa.debian.org/selinux-team/restorecond/-/blob/debian/debian/patches/0006-default-config.patch does not hurt.
#666049 "Problems with restorecond while watching on named pipes or sockets"
Maybe close after 8 years of no response?
#775610 "policycoreutils: strange access to /root/tmpfiles.d from restorecond"
Is there anything to do here?
Note: /root/* is part of the restorecond configuration, so it's normal that restorecond accesses it.
#943728 "policycoreutils-dev: do not depend on binutils"
Any comment why policycoreutils-dev depends on binutils?
Best regards,
Christian Göttsche