Hello all

In March, I reported some issues with SELinux contexts in /run. (I seem
to have misplaced the email -- archive at
http://article.gmane.org/gmane.linux.gentoo.hardened/6180).

It looks like Sven added the functionality a few months ago, and it is
available in version 2.20140311-r5 (currently ~arch).

Note 1: There are a few packages that need this implemented. Fail2ban
is one on my machine. Should I file a bug report (probably against
sec-policy/selinux-fail2ban)?

Note 2: There's possibly a bug in the new tmpfiles module
(policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
should have context tmpfiles_exec_t. Again, this seems to make several
directories (and maybe files) in /run have context var_run_t.

What I think is happening is that init_daemon_pid_file() only allows
transitions for the initrc_t domain, and checkpath is no longer running in
that domain. Therefore, the file transition from var_run_t to whatever
type is specified as the first argument in init_daemon_pid_file is
not done.

Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
of the files in /run have the correct context again on boot.

(perhaps this belongs on the selinux mailing list?)

Thanks

--
Ben Pritchard
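As an added illustration of the mechanism the post describes (this is example code, not from the post, from OpenRC or from the Gentoo SELinux policy), here is a small Python model of how the kernel picks the label for a newly created object: a named type_transition for the creating domain wins, then an unnamed one, and otherwise the object inherits the parent directory's type. Because the rules are keyed on the creating domain, moving checkpath out of initrc_t silently disables every transition written for initrc_t. The policy lines are constructed, the expansion of init_daemon_pid_file() is assumed, and tmpfiles_t is an assumed name for the domain checkpath would enter via tmpfiles_exec_t.

```python
import re

# Grammar of a kernel-policy type_transition rule, with the optional
# object name that makes it a "named file transition":
#   type_transition SOURCE TARGET:CLASS NEW_TYPE ["NAME"];
RULE_RE = re.compile(
    r'^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)'
    r'(?:\s+"([^"]+)")?\s*;$'
)

# Constructed policy fragment (an assumption, not the Gentoo policy): what
# init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban") is taken to
# expand to for initrc_t, plus an unnamed transition for comparison.
POLICY = """
# named transitions, keyed on the creating domain initrc_t
type_transition initrc_t var_run_t:dir fail2ban_var_run_t "fail2ban";
type_transition initrc_t var_run_t:file fail2ban_var_run_t "fail2ban.pid";
# unnamed transition: applies to any sock_file initrc_t creates in /run
type_transition initrc_t var_run_t:sock_file initrc_var_run_t;
"""


def parse_rules(text):
    """Map (source, target, class, name-or-None) -> new type."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("not a type_transition rule: %r" % raw)
        src, tgt, cls, new_type, name = m.groups()
        rules[(src, tgt, cls, name)] = new_type
    return rules


def label_for_new_object(rules, creator, parent_type, obj_class, name):
    """Resolve the type a new object gets, the way the kernel does: a named
    transition for this creator/parent/class/name first, then an unnamed
    one, otherwise the object inherits the parent directory's type."""
    for key in ((creator, parent_type, obj_class, name),
                (creator, parent_type, obj_class, None)):
        if key in rules:
            return rules[key]
    return parent_type


# Objects checkpath is assumed to create directly under /run (var_run_t).
CREATIONS = (("dir", "fail2ban"), ("file", "fail2ban.pid"),
             ("sock_file", "openrc.sock"), ("dir", "unrelated"))


def boot_labels(rules, creator):
    """Label each constructed object as if `creator` made it in /run."""
    return {name: label_for_new_object(rules, creator, "var_run_t", cls, name)
            for cls, name in CREATIONS}


def regressions(rules, old_domain, new_domain):
    """Names that get a daemon-specific type when created from old_domain
    but fall back to plain var_run_t when created from new_domain."""
    before = boot_labels(rules, old_domain)
    after = boot_labels(rules, new_domain)
    return sorted(n for n in before
                  if before[n] != "var_run_t" and after[n] == "var_run_t")


if __name__ == "__main__":
    rules = parse_rules(POLICY)
    # tmpfiles_t is an assumed domain name; the policy above has no rules
    # for it, so everything it creates in /run stays var_run_t.
    for domain in ("initrc_t", "tmpfiles_t"):
        print(domain, boot_labels(rules, domain))
    print("lost transitions:", regressions(rules, "initrc_t", "tmpfiles_t"))
```

The model only knows the rules you feed it; on a live system, `sesearch -T -s initrc_t -t var_run_t` lists the transitions actually loaded for initrc_t, and `restorecon -nv /run` shows which entries currently differ from the file-context specification without changing them.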