[DSE-User] security_bounded_transition denied for apt-daily.timer
Gerald Turner
gturner at unzane.com
Thu Aug 17 16:31:26 UTC 2017
On Wed, Aug 16 2017, Gerald Turner wrote:
> On Sun, Jun 25 2017, Gerald Turner wrote:
>> Now I've noticed several timers (apt-daily.timer,
>> apt-daily-upgrade.service, and painintheapt-daily.timer) also cause
>> similar audit messages every time their services are executed:
>>
>> audit: type=1401 audit(1498417202.987:9091):
>> op=security_bounded_transition seresult=denied
>> oldcontext=system_u:system_r:initrc_t:s0
>> newcontext=system_u:system_r:dpkg_t:s0
>
> FWIW I seem to have solved my problem by cluelessly running:
>
> # semanage fcontext -a -t dpkg_exec_t /usr/sbin/painintheapt
> # restorecon /usr/sbin/painintheapt
>
> I probably conflated the three aforementioned timers when the problem
> was really limited to just painintheapt.

Actually the type_transition error occurs for apt-daily and
apt-daily-upgrade timers as well, "fixed" with the following:

  # semanage fcontext -a -t dpkg_exec_t /usr/lib/apt/apt.systemd.daily

Since these timers are installed by 'apt', wouldn't every Debian stretch
user of selinux-policy-default be hitting these denials?

> I'd appreciate any feedback as to whether there's any better type to
> use than dpkg_exec_t, as I imagine dpkg_exec_t has a great number of
> privileges and not suitable for a Python script, running as root,
> connecting to XMPP!
--
Gerald Turner <gturner at unzane.com> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
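
Added example, not part of the original message: a Python sketch that tallies denied security_bounded_transition audit records by old and new SELinux type, to show which domain pairs a host is hitting before any file is relabelled. The function names are hypothetical and the sample log is constructed; only its first record is the one quoted in the thread, joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: the first record is the one quoted in the message,
# joined onto one line; the other lines are made up for illustration.
SAMPLE_LOG = """\
audit: type=1401 audit(1498417202.987:9091): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
audit: type=1401 audit(1498503602.101:9412): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
audit: type=1400 audit(1498503610.555:9413): avc:  denied  { read } for pid=812 comm="example" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
audit: type=1401 audit(1498503700.000:9420): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 newcontext=system_u:system_r:dpkg_t:s0-s0:c0.c1023
"""

# key=value pairs as they appear in kernel audit records
FIELD = re.compile(r"(\w+)=(\S+)")


def context_type(context):
    """Return the type field of user:role:type[:level].

    The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so split
    at most three times instead of on every colon.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def denied_bounded_transitions(log_text):
    """Count denied security_bounded_transition records per (old type, new type)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("op") != "security_bounded_transition":
            continue  # AVC denials and other record types are ignored
        if fields.get("seresult") != "denied":
            continue
        try:
            pair = (context_type(fields["oldcontext"]),
                    context_type(fields["newcontext"]))
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        counts[pair] += 1
    return counts


if __name__ == "__main__":
    for (old, new), n in denied_bounded_transitions(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {old} -> {new}")
```
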