Policy is outdated and broken

Bug #1063924 reported by Paul Donohue
This bug affects 4 people
Affects: refpolicy-ubuntu (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The selinux-policy-default and selinux-policy-mls packages provide much newer policies than selinux-policy-ubuntu does. This package does not appear to have received any significant updates in over two years.

The selinux-policy-ubuntu package also lacks /etc/selinux/ubuntu/setrans.conf, which breaks installation of the policycoreutils package.

In addition, there is something wrong with the MCS pieces of this policy. When using this policy, ssh access is denied with:

    type=AVC msg=audit(1347025199.428:158): avc: denied { transition } for pid=2220 comm="sshd" path="/bin/bash" dev=dm-0 ino=555 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 tclass=process

Commenting out the "mlsconstrain process { transition dyntransition }" constraint in policy/mcs fixes this problem, although I don't know enough about the internals of MCS to determine the root cause of this issue.

I suggest removing this package from the repository, or at least updating the package description to direct users to the selinux-policy-default and/or selinux-policy-mls packages.
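
An added example, not part of the original report or of the refpolicy source: a short Python check that parses the denial quoted above and evaluates the MCS high-level dominance test (`h1 dom h2`) between the source and target contexts. That the truncated `mlsconstrain process { transition dyntransition }` line carries this expression is an assumption taken from the upstream reference policy's policy/mcs; the function names are hypothetical.

```python
import re

# The denial as quoted in the bug report above.
AVC = ('type=AVC msg=audit(1347025199.428:158): avc: denied { transition } for '
       'pid=2220 comm="sshd" path="/bin/bash" dev=dm-0 ino=555 '
       'scontext=system_u:system_r:sshd_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 '
       'tclass=process')

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c255' is an inclusive range
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        out.update(range(first, last + 1))
    return int(sens[1:]), frozenset(out)

def parse_context(ctx):
    """Split user:role:type:range; a single level is both low and high."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"type": typ, "low": parse_level(low),
            "high": parse_level(high or low)}

def dominates(a, b):
    """MLS 'dom': sensitivity at least as high and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain(avc_line):
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', avc_line))
    perms = re.search(r"\{ ([^}]*) \}", avc_line).group(1).split()
    src = parse_context(fields["scontext"])
    tgt = parse_context(fields["tcontext"])
    return {
        "perms": perms,
        "tclass": fields["tclass"],
        "source_type": src["type"],
        "target_type": tgt["type"],
        # Assumed constraint term: source high level must dominate target high level.
        "h1_dom_h2": dominates(src["high"], tgt["high"]),
        "missing_categories": len(tgt["high"][1] - src["high"][1]),
    }

if __name__ == "__main__":
    print(explain(AVC))
```

For the quoted denial the source high level is `s0` with no categories and the target high level is `s0:c0.c255`, so the dominance term evaluates false; a source range of `s0-s0:c0.c255` would satisfy it.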

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in refpolicy-ubuntu (Ubuntu):
status: New → Confirmed