On Sun, Mar 02, 2014 at 04:36:23PM -0500, Ben Pritchard wrote:
> I have a few files/directories in /run (or /var/run) that do not have the
> correct SELinux contexts. Notably, files belonging to samba and fail2ban,
> but there may be others.
>
> I thought this might be related to the /run migration bug (424173) but
> it seems to restore to the correct contexts, just that the files are not
> created with the correct contexts. How are the contexts of these files
> usually managed?
>
> #output from matchpathcon:
> /run/dbus.pid has context system_u:object_r:system_dbusd_var_run_t, should be <<none>>
> /run/fail2ban has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:fail2ban_var_run_t
> /run/lvm has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
> /run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
> /run/privoxy-tor.pid has context system_u:object_r:privoxy_var_run_t, should be <<none>>
> /run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t
> /run/saslauthd has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:var_run_t
> /run/sepermit has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:pam_var_run_t
> /run/sshd.pid has context system_u:object_r:sshd_var_run_t, should be <<none>>
> /run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t

The matchpathcon and restorecon actions should be the same: matchpathcon
tells the user what the value should be, restorecon applies this value.

When matchpathcon says that a label should be <<none>> then no specific
action is taken. This is usually the case for files that get a file context
assigned by the process that creates the file, and which might be different
depending on circumstances. Or in other words, SELinux keeps the label
as-is, even during a restorecon operation.

For instance:

# matchpathcon
> /run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
> /run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t

# restorecon
> restorecon reset /run/ntpd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:ntpd_var_run_t
> restorecon reset /run/samba context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t
> restorecon reset /run/samba/nmbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:nmbd_var_run_t
> restorecon reset /run/samba/smbd.pid context system_u:object_r:initrc_var_run_t->system_u:object_r:smbd_var_run_t

In order to have the files immediately with the right context, we need to
find out which process (actually, which SELinux domain) is responsible for
creating the files in the first place (and thus having the files stored with
a particular label).

For most of the files, this is easy to deduce.

For instance, /run/ntpd.pid got label initrc_var_run_t, so it's most likely
initrc_t (the domain used for init scripts) that created the PID file. And
if I'd take a long guess, it would be /etc/init.d/ntpd ;-)

In order to fix this, we need to add a statement that amounts to:

#v+
files_pid_filetrans(initrc_t, ntpd_var_run_t, file, "ntpd.pid")
#v-

Sadly, this statement calls two types not part of the same module (initrc_t
is of the "init" module while ntpd_var_run_t is of the "ntp" module).
Coding-style wise, this is not allowed, so we need to seek (or write)
another statement that only calls types of the same module.

For directories, we created an "init_daemon_run_dir" call. It looks like we
might need to introduce a similar one for files, namely
"init_daemon_run_file". Then the call would be (inside ntp.te):

#v+
init_daemon_run_file(ntpd_var_run_t, "ntpd.pid")
#v-

For the samba directory, we can already use the init_daemon_run_dir() call,
as /run/samba has context initrc_var_run_t (thus also created most likely by
the smb* or other samba-related init scripts).

I'll put your mail in a bug report and might even work on it this evening
(depending on available time). I'll get back to you when the necessary
commits have occurred ;-)

Wkr,
Sven Vermeulen
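The reasoning in the reply above (read what matchpathcon -V reports, leave the <<none>> entries alone, and for objects still carrying initrc_var_run_t derive the init_daemon_run_dir() or init_daemon_run_file() call for the owning module) as an added Python example; it is not code from the thread or from the Gentoo policy. The matchpathcon output is constructed from the lines quoted above, init_daemon_run_file() is assumed to exist as proposed in the reply, and whether a path is a directory is passed in as an argument because the script does not stat /run.

```python
import re
from dataclasses import dataclass

# Constructed sample of `matchpathcon -V` output, assembled from the lines quoted in the thread.
SAMPLE = """\
/run/dbus.pid has context system_u:object_r:system_dbusd_var_run_t, should be <<none>>
/run/fail2ban has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:fail2ban_var_run_t
/run/ntpd.pid has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:ntpd_var_run_t
/run/samba has context system_u:object_r:initrc_var_run_t, should be system_u:object_r:smbd_var_run_t
/run/syslog-ng.ctl has context system_u:object_r:devlog_t, should be system_u:object_r:syslogd_var_run_t
/run/sshd.pid verified.
"""
MISMATCH = re.compile(r"^(?P<path>\S+) has context (?P<cur>\S+), should be (?P<want>\S+)$")


@dataclass
class Mismatch:
    path: str
    current: str   # type field of the label the object carries now
    expected: str  # type field restorecon would apply


def type_of(context: str) -> str:
    """Extract the type from user:role:type[:level]."""
    return context.split(":")[2]


def parse(output: str):
    """Split matchpathcon -V output into (entries restorecon would relabel, paths it leaves alone)."""
    relabel, untouched = [], []
    for line in output.splitlines():
        m = MISMATCH.match(line)
        if not m:
            continue  # "<path> verified." lines: label already correct, nothing to do
        if m["want"] == "<<none>>":
            untouched.append(m["path"])  # label comes from the creating process; restorecon keeps it
        else:
            relabel.append(Mismatch(m["path"], type_of(m["cur"]), type_of(m["want"])))
    return relabel, untouched


def suggest(mm: Mismatch, is_dir: bool):
    """Derive the policy call when an init script created the object (label initrc_var_run_t).
    init_daemon_run_dir() is the existing interface named in the thread; init_daemon_run_file()
    is the one the thread proposes and is assumed here.  Other creators need manual analysis."""
    if mm.current != "initrc_var_run_t":
        return None
    name = mm.path.rsplit("/", 1)[-1]  # the name the filetrans rule keys on, e.g. "ntpd.pid"
    iface = "init_daemon_run_dir" if is_dir else "init_daemon_run_file"
    return f'{iface}({mm.expected}, "{name}")'
```

For /run/syslog-ng.ctl the current type is devlog_t rather than initrc_var_run_t, so suggest() returns None: the creating domain is not an init script and has to be identified by hand before a filetrans rule can be written.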