From gturner at unzane.com Sun Jun 25 19:40:40 2017
From: gturner at unzane.com (Gerald Turner)
Date: Sun, 25 Jun 2017 12:40:40 -0700
Subject: [DSE-User] security_bounded_transition denied for apt-daily.timer
Message-ID: <87mv8vdfev.fsf@zoth-ommog.unzane.com>

I have a host running Debian stretch with SELinux in non-enforcing mode. I had a few services which I had manually hardened with various systemd.exec(5) directives, and whenever they were restarted, the audit subsystem would emit a security_bounded_transition denied message, and 'ps' with the -Z flag showed the service was running with init_t context instead of initrc_t. My understanding is that there is a bug [1] with which systemd handles the NoNewPrivileges directive. I simply removed the NoNewPrivileges=yes configuration for these services and security_bounded_transition denials have stopped, the daemons now running in initrc_t context, and all is good.

Now I've noticed several timers (apt-daily.timer, apt-daily-upgrade.service, and painintheapt-daily.timer) also cause similar audit messages every time their services are executed:

  audit: type=1401 audit(1498417202.987:9091): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0

AFAICT there is no "NoNewPrivileges=no" work-around like I had done with my zealously hardened daemons. What can be done to make these timers execute correctly?

[1] https://github.com/systemd/systemd/issues/3845

PS: thank you Russell Coker for bringing refpolicy back to Debian stable!

-- 
Gerald Turner  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
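Two checks that follow from the question above, as an added example that is not part of the post and not code from Debian, systemd or refpolicy: a filter that pulls denied security_bounded_transition records out of kernel audit output in the format quoted in the message and reports the source and target SELinux types, and a check for whether a unit file sets NoNewPrivileges= to a true value (the setting the poster removed). The sample audit lines are constructed; the first copies the record quoted in the message, the second is made up for contrast.

```shell
#!/bin/sh
# Added example (not from the post). Assumes audit records in the kernel log
# format quoted in the thread: "audit: type=1401 ... op=security_bounded_transition".

# Constructed sample input: line 1 copies the record quoted in the post,
# line 2 is a made-up record with a different seresult for contrast.
SAMPLE_AUDIT='audit: type=1401 audit(1498417202.987:9091): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
audit: type=1401 audit(1498417300.123:9092): op=security_bounded_transition seresult=granted oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:apt_t:s0'

# bounded_denials: read audit records on stdin and print one line per denied
# security_bounded_transition as "<old_type> -> <new_type>". The type is the
# third field of a context (initrc_t in system_u:system_r:initrc_t:s0).
bounded_denials() {
  grep 'op=security_bounded_transition' | grep 'seresult=denied' |
    sed -n 's/.*oldcontext=\([^ ]*\) newcontext=\([^ ]*\).*/\1 \2/p' |
    awk -F'[ :]' '{ print $3 " -> " $7 }'
}

# nnp_enabled: exit 0 if the unit file named by $1 sets NoNewPrivileges= to
# a true value (systemd accepts 1/yes/true/on, case-insensitively).
# Commented-out lines ("# NoNewPrivileges=yes") are ignored.
nnp_enabled() {
  grep -iqE '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(1|yes|true|on)[[:space:]]*$' "$1"
}

# Stand-alone demo on the constructed sample: prints "initrc_t -> dpkg_t".
printf '%s\n' "$SAMPLE_AUDIT" | bounded_denials
```

On a live host, pipe dmesg or journalctl -k output into bounded_denials; the poster's ps -Z check then shows which type the service actually ended up in.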