| 1 |
Thanks, that fixed a lot of it. Sven's answer makes a bit more sense |
| 2 |
now :) |
| 3 |
|
| 4 |
The only ones remaining (for me anyway) don't seem to be related to file |
| 5 |
contexts (ie, fail2ban is still incorrect, since it doesn't use |
| 6 |
start-stop-daemon -- it's just missing the init_daemon_pid_file), |
| 7 |
so there may be a few reports coming your way. |
| 8 |
|
| 9 |
|
| 10 |
Thanks for the help |
| 11 |
-- |
| 12 |
Ben Pritchard |
| 13 |
|
| 14 |
|
| 15 |
On Sun, Aug 17, 2014 at 12:01:51AM +0400, Jason Zaman wrote: |
| 16 |
> On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote: |
| 17 |
> > Hello all |
| 18 |
> > |
| 19 |
> > In March, I reported some issues with SELinux contexts in /run. (I seem |
| 20 |
> > to have misplaced the email -- archive at |
| 21 |
> > http://article.gmane.org/gmane.linux.gentoo.hardened/6180). |
| 22 |
> > |
| 23 |
> > It look like Sven added the functionality a few months ago, and it is |
| 24 |
> > available in version 2.20140311-r5 (currently ~arch). |
| 25 |
> |
| 26 |
> I actually fixed this, its a problem with OpenRC not with SELinux per-se |
| 27 |
> |
| 28 |
> https://bugs.gentoo.org/show_bug.cgi?id=516956 |
| 29 |
> |
| 30 |
> Checkpath now does a restorecon when it creates things, it will be in |
| 31 |
> openRC-0.13 which is not yet released. Can you test openrc-9999 (it has |
| 32 |
> all the fixes in it and is quite close to release). |
| 33 |
> > |
| 34 |
> > Note 1: There are a few pacakges that need this implemented. Fail2ban |
| 35 |
> > is one on my machine. Should I file a bug report (probably against |
| 36 |
> > sec-policy/selinux-fail2ban)? |
| 37 |
> > |
| 38 |
> > Note 2: There's possibly a bug in the new tmpfiles module |
| 39 |
> > (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath |
| 40 |
> > should have context tmpfiles_exec_t. Again, this seems to make several |
| 41 |
> > directories (and maybe files) in /run have context var_run_t. |
| 42 |
> |
| 43 |
> The tmpfiles module goes along with the new OpenRC the current stable |
| 44 |
> (0.12) is missing the relabel parts. |
| 45 |
> |
| 46 |
> > What I think is happening is that init_daemon_pid_file() only allows |
| 47 |
> > transitions for the initrc_t domain, and checkpath is no longer running in |
| 48 |
> > that domain. Therefore, the file transition from var_run_t to whatever |
| 49 |
> > type is specified as the first argument in init_daemon_pid_file is |
| 50 |
> > not done. |
| 51 |
> > |
| 52 |
> > Changing the context of /lib/rc/bin/checkpath to bin_t makes many more |
| 53 |
> > of the files in /run have the correct context again on boot. |
| 54 |
> |
| 55 |
> Can you try OpenRC-0.13 and have checkpath and tmpfiles.sh with the |
| 56 |
> tmpfiles labels and see if that fixes it. |
| 57 |
> |
| 58 |
> If that does not fix it, we will need to add in fcontexts for things, |
| 59 |
> filing bugs would be great :) |
| 60 |
> |
| 61 |
> > (perhaps this belongs on the selinux mailing list?) |
| 62 |
> |
| 63 |
> No, this is gentoo related (for now at least, we're working on |
| 64 |
> upstreaming it) |
| 65 |
> |
| 66 |
> -- Jason |
| 67 |
> |
Archives