| 1 |
I think that the call to init_daemon_pidfile is probably missing a context |
| 2 |
definition in the .fc file for those locations that checkpath is enforcing. |
| 3 |
|
| 4 |
You can file a bug for this (a single bug is fine, we don't need one for |
| 5 |
every missing definition). We will upstream it when appropriate. |
| 6 |
|
| 7 |
Wkr |
| 8 |
Sven |
| 9 |
On Aug 16, 2014 9:46 PM, "Ben Pritchard" <ben@××××××.org> wrote: |
| 10 |
|
| 11 |
> Hello all |
| 12 |
> |
| 13 |
> In March, I reported some issues with SELinux contexts in /run. (I seem |
| 14 |
> to have misplaced the email -- archive at |
| 15 |
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180). |
| 16 |
> |
| 17 |
> It look like Sven added the functionality a few months ago, and it is |
| 18 |
> available in version 2.20140311-r5 (currently ~arch). |
| 19 |
> |
| 20 |
> Note 1: There are a few pacakges that need this implemented. Fail2ban |
| 21 |
> is one on my machine. Should I file a bug report (probably against |
| 22 |
> sec-policy/selinux-fail2ban)? |
| 23 |
> |
| 24 |
> Note 2: There's possibly a bug in the new tmpfiles module |
| 25 |
> (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath |
| 26 |
> should have context tmpfiles_exec_t. Again, this seems to make several |
| 27 |
> directories (and maybe files) in /run have context var_run_t. |
| 28 |
> |
| 29 |
> What I think is happening is that init_daemon_pid_file() only allows |
| 30 |
> transitions for the initrc_t domain, and checkpath is no longer running in |
| 31 |
> that domain. Therefore, the file transition from var_run_t to whatever |
| 32 |
> type is specified as the first argument in init_daemon_pid_file is |
| 33 |
> not done. |
| 34 |
> |
| 35 |
> Changing the context of /lib/rc/bin/checkpath to bin_t makes many more |
| 36 |
> of the files in /run have the correct context again on boot. |
| 37 |
> |
| 38 |
> (perhaps this belongs on the selinux mailing list?) |
| 39 |
> |
| 40 |
> Thanks |
| 41 |
> |
| 42 |
> -- |
| 43 |
> Ben Pritchard |
| 44 |
> |
| 45 |
> |
| 46 |
> |
| 47 |
> |
Archives