On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> Hello all
> 
> In March, I reported some issues with SELinux contexts in /run. (I seem
> to have misplaced the email -- archive at
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
> 
> It looks like Sven added the functionality a few months ago, and it is
> available in version 2.20140311-r5 (currently ~arch).

I actually fixed this; it's a problem with OpenRC, not with SELinux per se:

https://bugs.gentoo.org/show_bug.cgi?id=516956

Checkpath now does a restorecon when it creates things. It will be in
OpenRC-0.13, which is not yet released. Can you test openrc-9999 (it has
all the fixes in it and is quite close to release)?
> 
> Note 1: There are a few packages that need this implemented. Fail2ban
> is one on my machine. Should I file a bug report (probably against
> sec-policy/selinux-fail2ban)?
> 
> Note 2: There's possibly a bug in the new tmpfiles module
> (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> should have context tmpfiles_exec_t. Again, this seems to make several
> directories (and maybe files) in /run have context var_run_t.

The tmpfiles module goes along with the new OpenRC; the current stable
(0.12) is missing the relabel parts.

> What I think is happening is that init_daemon_pid_file() only allows
> transitions for the initrc_t domain, and checkpath is no longer running in
> that domain. Therefore, the file transition from var_run_t to whatever
> type is specified as the first argument in init_daemon_pid_file is
> not done.
> 
> Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> of the files in /run have the correct context again on boot.

Can you try OpenRC-0.13, with checkpath and tmpfiles.sh carrying the
tmpfiles labels, and see if that fixes it?

If that does not fix it, we will need to add in fcontexts for things,
filing bugs would be great :)

> (perhaps this belongs on the selinux mailing list?)

No, this is gentoo related (for now at least, we're working on
upstreaming it)

-- Jason
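The thread above is about files that checkpath creates under /run ending up as var_run_t instead of the type the policy expects. The following is an added example, not code from the thread, OpenRC or the Gentoo policy: a small reimplementation of the file_contexts lookup that `restorecon -n` performs (last matching regex wins, regex anchored to the whole path), run over a constructed file_contexts fragment and a constructed set of observed labels so it works offline. The spec lines and the observed labels are assumptions chosen to mirror the fail2ban case, not the real policy; the file-type flag is parsed but not enforced.

```python
import re
from typing import Dict, List, Optional, Tuple

Spec = Tuple[re.Pattern, Optional[str], str]

# Constructed sample in compiled file_contexts format: regex, optional
# file-type flag (-d, -s, ...), context. Assumed for this example only.
SAMPLE_FILE_CONTEXTS = """\
/run(/.*)?                     system_u:object_r:var_run_t:s0
/run/fail2ban(/.*)?            system_u:object_r:fail2ban_var_run_t:s0
/run/openrc(/.*)?              system_u:object_r:initrc_state_t:s0
"""

# Constructed 'ls -Z'-style observation after a boot where checkpath
# created /run/fail2ban without relabeling it (the symptom in the thread).
SAMPLE_OBSERVED: Dict[str, str] = {
    "/run/openrc/started": "system_u:object_r:initrc_state_t:s0",
    "/run/fail2ban": "system_u:object_r:var_run_t:s0",
    "/run/fail2ban/fail2ban.sock": "system_u:object_r:var_run_t:s0",
}

def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into (compiled regex, type flag, context)."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(pattern), ftype, context))
    return specs

def expected_context(specs: List[Spec], path: str) -> Optional[str]:
    """Last matching specification wins; setfiles anchors each regex."""
    for regex, _ftype, context in reversed(specs):
        if regex.fullmatch(path):
            return context
    return None

def find_mislabeled(specs: List[Spec], observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, actual, expected) rows, as 'restorecon -nv' would list them."""
    return [(p, a, e) for p, a in sorted(observed.items())
            if (e := expected_context(specs, p)) is not None and a != e]

if __name__ == "__main__":
    for path, actual, expected in find_mislabeled(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_OBSERVED):
        print(f"{path}: {actual} -> {expected}")
```

On a real host the observed map would come from `find /run -exec ls -Zd {} +` and the specs from the installed file_contexts; the mismatch rows are what a post-boot relabel check should turn up empty.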
