Package: initscripts
Version: 2.88dsf-13.5
Severity: important
Tags: patch
Directories and symlinks created as part of the /run transition are not
labelled for SELinux. The effect is that most services fail to start on
boot after transitioning to /run.
You need to run restorecon after creating a directory or symbolic link
in an init script or maintainer script. Attached patch does this.
/run with SELinux also requires the refpolicy patch I have submitted in
#626720. Once that is fixed, initscripts should probably have
Breaks: selinux-policy-default (<< $FIXEDVERSION)
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages initscripts depends on:
ii coreutils 8.5-1 GNU core utilities
ii debianutils 3.4.5 Miscellaneous utilities specific t
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
ii mount 2.17.2-9.1 Tools for mounting and manipulatin
ii sysv-rc 2.88dsf-13.5 System-V-like runlevel change mech
ii sysvinit-utils 2.88dsf-13.5 System-V-like utilities
Versions of packages initscripts recommends:
ii e2fsprogs 1.41.12-4 ext2/ext3/ext4 file system utiliti
ii psmisc 22.13-1 utilities that use the proc file s
initscripts suggests no packages.
-- no debconf information
diff -Nbaru sysvinit-2.88dsf-13.6/debian/initscripts.postinst sysvinit-2.88dsf-13.6+orr/debian/initscripts.postinst
--- sysvinit-2.88dsf-13.6/debian/initscripts.postinst 2011-05-14 17:12:43.312000975 +0100
+++ sysvinit-2.88dsf-13.6+orr/debian/initscripts.postinst 2011-05-14 11:23:36.380000446 +0100
@@ -76,6 +76,7 @@
# Bind mount $SRC on $DEST
if [ -n "$ssrc" ] && [ "$ssrc" != "$sdest" ]; then
[ -d "$DEST" ] || mkdir "$DEST"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
if mount -t $FSTYPE "$SRC" "$DEST" $OPTS ; then
return 0
fi
@@ -97,6 +98,7 @@
( rm -fr $DEST &&
ln -fs $SRC $DEST) ||
{ echo "Can't symlink $DEST to $SRC; please fix manually."; return 1; }
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
fi
return 0
diff -Nbaru sysvinit-2.88dsf-13.6/debian/src/initscripts/etc/init.d/mountkernfs.sh sysvinit-2.88dsf-13.6+orr/debian/src/initscripts/etc/init.d/mountkernfs.sh
--- sysvinit-2.88dsf-13.6/debian/src/initscripts/etc/init.d/mountkernfs.sh 2011-05-14 17:12:43.368000975 +0100
+++ sysvinit-2.88dsf-13.6+orr/debian/src/initscripts/etc/init.d/mountkernfs.sh 2011-05-14 11:02:38.412000126 +0100
@@ -44,6 +44,7 @@
# Make lock directory as the replacement for /var/lock
[ -d /run/lock ] || mkdir --mode=755 /run/lock
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/lock
# Mount /run/lock as tmpfs if enabled. This prevents user DoS
# of /run by filling /run/lock at the expense of using an
@@ -60,6 +61,7 @@
if [ -L /tmp ] && [ ! -d /tmp ]; then
TMPPATH="$(readlink /tmp)"
mkdir -p --mode=755 "$TMPPATH"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$TMPPATH"
fi
# If root is read only, default to mounting a tmpfs on /tmp,
diff -Nbaru sysvinit-2.88dsf-13.6/debian/src/initscripts/lib/init/mount-functions.sh sysvinit-2.88dsf-13.6+orr/debian/src/initscripts/lib/init/mount-functions.sh
--- sysvinit-2.88dsf-13.6/debian/src/initscripts/lib/init/mount-functions.sh 2011-05-14 17:12:43.380000975 +0100
+++ sysvinit-2.88dsf-13.6+orr/debian/src/initscripts/lib/init/mount-functions.sh 2011-05-14 11:03:18.212000131 +0100
@@ -294,6 +294,7 @@
if [ -L "$OLD" ] && [ "$(readlink "$OLD")" != "$RUN" ]; then
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
# If both directories are the same, we don't need to do
@@ -327,6 +328,7 @@
else
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
fi
