[DSE-User] security_bounded_transition denied for apt-daily.timer
Gerald Turner
gturner at unzane.com
Sun Jun 25 19:40:40 UTC 2017
I have a host running Debian stretch with SELinux in non-enforcing mode.
I had a few services which I had manually hardened with various
systemd.exec(5) directives, and whenever they were restarted, the audit
subsystem would emit a security_bounded_transition denied message, and
'ps' with the -Z flag showed the service was running with init_t context
instead of initrc_t. My understanding is that there is a bug¹ in how
systemd handles the NoNewPrivileges directive. I simply removed
the NoNewPrivileges=yes configuration for these services and
security_bounded_transition denials have stopped, the daemons now
running in initrc_t context, and all is good.
Now I've noticed several timers (apt-daily.timer,
apt-daily-upgrade.service, and painintheapt-daily.timer) also cause
similar audit messages every time their services are executed:
audit: type=1401 audit(1498417202.987:9091): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
AFAICT there is no "NoNewPrivileges=no" work-around like I had done with
my zealously hardened daemons.
What can be done to make these timers execute correctly?
¹ https://github.com/systemd/systemd/issues/3845
PS: thank you Russell Coker for bringing refpolicy back to Debian
stable!
--
Gerald Turner <gturner at unzane.com> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
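Added example, not from the post or from systemd/refpolicy: a small Python parser that picks type=1401 security_bounded_transition denials out of kernel audit output (the sample input is constructed and starts with the record quoted above) and reports which parent domain refused to hand off to which intended domain, which is the quickest way to see which services are being held in their parent's context.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first line is the audit record quoted in the
# post; the other two are made up to show a non-1401 record being skipped
# and a repeated denial being counted.
SAMPLE_AUDIT = """\
audit: type=1401 audit(1498417202.987:9091): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
audit: type=1400 audit(1498417203.001:9092): avc:  denied  { read } for  pid=1234 comm="apt" name="lists" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:apt_var_lib_t:s0 tclass=dir permissive=1
audit: type=1401 audit(1498417300.500:9100): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:dpkg_t:s0
"""

HEADER = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KEYVAL = re.compile(r"(\w+)=(\S+)")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split one kernel audit record into header fields plus its key=value body."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    rec.update(KEYVAL.findall(m.group("body")))
    return rec


def domain_of(context: str) -> str:
    """user:role:type:level -> type, i.e. the domain part of a process context."""
    return context.split(":")[2]


def bounded_transition_denials(text: str) -> List[Dict[str, str]]:
    """Keep only type=1401 records where the kernel refused a bounded transition."""
    out = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "1401":
            continue
        if rec.get("op") != "security_bounded_transition" or rec.get("seresult") != "denied":
            continue
        out.append({"serial": rec["serial"],
                    "old": domain_of(rec["oldcontext"]),
                    "new": domain_of(rec["newcontext"])})
    return out


def denial_summary(text: str) -> Dict[Tuple[str, str], int]:
    """Count refused transitions per (parent domain, intended domain) pair."""
    return dict(Counter((d["old"], d["new"]) for d in bounded_transition_denials(text)))


if __name__ == "__main__":
    for (old, new), n in denial_summary(SAMPLE_AUDIT).items():
        print(f"{n}x {old} -> {new} refused; the process keeps running as {old}")
```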