Package: selinux-policy-default Version: 2:0.2.20100524-9 Severity: critical Tags: patch
Most services fail to start when booting with SELinux enabled on a system that has the /run directory (initscripts 2.88dsf-13.6). A patch is attached to solve this: 1. Add a file_contexts.subs_dist file, so that files in /run are labelled the same as the corresponding files in /var/run, and likewise for /run/lock and /run/shm. However, support for file_contexts.subs_dist requires libselinux 2.0.102, which is available in upstream git. If you don't want to update libselinux, you can change this to use file_contexts.subs instead. (The intention of 2.0.102 is that file_contexts.subs_dist should be used by the distribution, and file_contexts.subs reserved for the local admin.) 2. Allow all domains that access /var/run or /var/lock to read symlinks of the corresponding type (because /var/run and /var/lock are now symlinks to /run and /run/lock). -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages selinux-policy-default depends on: ii libpam-modules 1.1.2-3 Pluggable Authentication Modules f ii libselinux1 2.0.98-1+b1 SELinux runtime shared libraries ii libsepol1 2.0.42-1 SELinux library for manipulating b ii policycoreutils 2.0.82-5 SELinux core policy utilities ii python 2.6.6-14 interactive high-level object-orie Versions of packages selinux-policy-default recommends: ii checkpolicy 2.0.23-1 SELinux policy compiler ii setools 3.3.6.ds-7.2+b1 tools for Security Enhanced Linux Versions of packages selinux-policy-default suggests: pn logcheck <none> (no description available) pn syslog-summary <none> (no description available) -- Configuration Files: /etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local' -- no debconf information
diff -Nwaru 20100524-9/debian/file_contexts.subs_dist 20100524-9+orr/debian/file_contexts.subs_dist
--- 20100524-9/debian/file_contexts.subs_dist 1970-01-01 01:00:00.000000000 +0100
+++ 20100524-9+orr/debian/file_contexts.subs_dist 2011-05-14 14:31:17.316000865 +0100
@@ -0,0 +1,5 @@
+/run /var/run
+/run/lock /var/lock
+/var/run/lock /var/lock
+/run/shm /dev/shm
+/var/run/shm /dev/shm
diff -Nwaru 20100524-9/debian/local.mk 20100524-9+orr/debian/local.mk
--- 20100524-9/debian/local.mk 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/debian/local.mk 2011-05-14 14:36:39.616000898 +0100
@@ -213,6 +213,7 @@
 rm -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp; \
 done
 $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/mls/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/mls/contexts/files/
 $(install_file) VERSION $(DOCDIR)/
 $(install_file) README $(DOCDIR)/
 $(install_file) debian/README.Debian $(DOCDIR)/
@@ -249,6 +250,7 @@
 rm -f $(TMPTOP)/usr/share/selinux/default/$$module.pp; \
 done
 $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/default/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/default/contexts/files/
 $(install_file) VERSION $(DOCDIR)/
 $(install_file) README $(DOCDIR)/
 $(install_file) debian/README.Debian $(DOCDIR)/
diff -Nwaru 20100524-9/policy/modules/kernel/files.if 20100524-9+orr/policy/modules/kernel/files.if
--- 20100524-9/policy/modules/kernel/files.if 2011-05-14 11:39:40.000000000 +0100
+++ 20100524-9+orr/policy/modules/kernel/files.if 2011-05-14 17:19:18.616001017 +0100
@@ -4861,6 +4861,7 @@
 type var_t, var_lock_t;
 ')
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 search_dirs_pattern($1, var_t, var_lock_t)
 ')
@@ -4899,6 +4900,7 @@
 type var_t, var_lock_t;
 ')
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 rw_dirs_pattern($1, var_t, var_lock_t)
 ')
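Review bot: The `/run` and `/run/lock` entries overlap, so which substitution a path under /run/lock receives depends on the prefix-matching order libselinux applies, and nothing in the file records which order was intended. If libselinux takes the first matching entry in file order, `/run/lock /var/lock` must be listed before `/run /var/run`; if later or longer entries win, the order here is right, but that should be written down. Add a header comment such as `# /run and /run/lock overlap: keep the order under which /run/lock/... is labelled like /var/lock/..., not /var/run/lock/... (check libselinux subs matching)`. The `/run/shm` entry overlaps `/run` in the same way.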
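Review bot: The installed file only takes effect with libselinux 2.0.102 or later, as the report itself says, while the reporter's system information shows libselinux1 2.0.98-1+b1; the patch adds no versioned dependency in debian/control, so on an older libselinux the file is silently ignored and /run stays unlabelled with no build-time or install-time signal. Either add a versioned `Depends: libselinux1 (>= 2.0.102)` alongside this install rule, or ship the file under the file_contexts.subs name the report offers as the fallback. The second install rule at `@@ -249,6 +250,7 @@` has the same gap. The enclosing make target starts before this hunk.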
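Review bot: The added `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` carries no explanation, and a reader of files.if cannot tell why a directory-search interface now needs to read a symlink. Precede it with a comment such as `# /var/lock is a symlink to /run/lock when /run is in use` (and `# /var/run is a symlink to /run` for the var_run_t counterpart) in each of the fifteen interfaces this patch touches, or factor the rule into one small pattern macro so the fifteen verbatim copies cannot drift apart. The interface definition and the start of its gen_require block are outside this hunk.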
@@ -4918,6 +4920,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 allow $1 var_lock_t:dir list_dir_perms;
 getattr_files_pattern($1, var_lock_t, var_lock_t)
 ')
@@ -4939,6 +4942,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 manage_files_pattern($1, var_lock_t, var_lock_t)
 ')
@@ -4960,6 +4964,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 delete_files_pattern($1, lockfile, lockfile)
 ')
@@ -4980,6 +4985,7 @@
 ')
 allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 allow $1 lockfile:dir list_dir_perms;
 read_files_pattern($1, lockfile, lockfile)
 read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5002,6 +5008,7 @@
 ')
 allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern($1, lockfile, lockfile)
 manage_files_pattern($1, lockfile, lockfile)
 manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5034,6 +5041,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 filetrans_pattern($1, var_lock_t, $2, $3)
 ')
@@ -5072,6 +5080,7 @@
 type var_t, var_run_t;
 ')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 search_dirs_pattern($1, var_t, var_run_t)
 ')
@@ -5110,6 +5119,7 @@
 type var_t, var_run_t;
 ')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 ')
@@ -5128,6 +5138,7 @@
 type var_t, var_run_t;
 ')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 read_files_pattern($1, var_run_t, var_run_t)
 ')
@@ -5185,6 +5196,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 filetrans_pattern($1, var_run_t, $2, $3)
 ')
@@ -5203,6 +5215,7 @@
 type var_t, var_run_t;
 ')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, var_run_t)
 rw_files_pattern($1, var_run_t, var_run_t)
 ')
@@ -5242,6 +5255,7 @@
 ')
 allow $1 var_t:dir search;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 allow $1 var_run_t:dir manage_dir_perms;
 ')
@@ -5298,6 +5312,7 @@
 type var_t;
 ')
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 list_dirs_pattern($1, var_t, pidfile)
 read_files_pattern($1, pidfile, pidfile)
 ')
@@ -5363,6 +5378,7 @@
 ')
 allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
 delete_dirs_pattern($1, pidfile, pidfile)
 ')
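Review bot: In the hunk at `@@ -5298,6 +5312,7 @@` the added rule references var_run_t, but the visible gen_require ends with `type var_t;` and does not list var_run_t, so a module that calls this interface would fail to build with var_run_t out of scope unless it is required in the lines above the hunk. Change the require line to `type var_t, var_run_t;`; the rest of the gen_require block and the interface header are outside the hunk. The attribute-based interfaces at `@@ -4960,6 +4964,7 @@` and `@@ -5363,6 +5378,7 @@` likewise show only var_t in their visible context, so check that var_lock_t and var_run_t respectively are required there as well.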