From: Jason Zaman
To: gentoo-hardened@lists.gentoo.org
Date: Sun, 17 Aug 2014 00:01:51 +0400
Subject: Re: [gentoo-hardened] Incorrect contexts in /run revisited
Message-ID: <20140816200151.GA1840@pippin.Home>
In-Reply-To: <53efb50f.0938320a.5045.ffff9eb8SMTPIN_ADDED_BROKEN@mx.google.com>

On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> Hello all
>
> In March, I reported some issues with SELinux contexts in /run. (I seem
> to have misplaced the email -- archive at
> http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
>
> It looks like Sven added the functionality a few months ago, and it is
> available in version 2.20140311-r5 (currently ~arch).

I actually fixed this, it's a problem with OpenRC not with SELinux per se
https://bugs.gentoo.org/show_bug.cgi?id=516956

Checkpath now does a restorecon when it creates things, it will be in
OpenRC-0.13 which is not yet released. Can you test openrc-9999 (it has
all the fixes in it and is quite close to release).

> Note 1: There are a few packages that need this implemented. Fail2ban
> is one on my machine. Should I file a bug report (probably against
> sec-policy/selinux-fail2ban)?
>
> Note 2: There's possibly a bug in the new tmpfiles module
> (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> should have context tmpfiles_exec_t. Again, this seems to make several
> directories (and maybe files) in /run have context var_run_t.

The tmpfiles module goes along with the new OpenRC; the current stable (0.12)
is missing the relabel parts.

> What I think is happening is that init_daemon_pid_file() only allows
> transitions for the initrc_t domain, and checkpath is no longer running in
> that domain. Therefore, the file transition from var_run_t to whatever
> type is specified as the first argument in init_daemon_pid_file is
> not done.
>
> Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> of the files in /run have the correct context again on boot.

Can you try OpenRC-0.13 and have checkpath and tmpfiles.sh with the tmpfiles
labels and see if that fixes it. If that does not fix it, we will need to
add in fcontexts for things, filing bugs would be great :)

> (perhaps this belongs on the selinux mailing list?)

No, this is gentoo related (for now at least, we're working on upstreaming it)

--
Jason
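Added illustration, not part of the thread or of the Gentoo policy tree: a minimal refpolicy-style module sketch showing why the init_daemon_pid_file() transition discussed above depends on which domain creates the file, and what the fcontext entry that restorecon relies on looks like. The module name, the example_var_run_t type and the "example" paths are made up; the interface arguments beyond the first one (object class, filename) and the init_daemon_run_dir() call are taken from my reading of refpolicy's init.if, not from the thread.

```selinux
# Hypothetical module; names below are assumptions, not Gentoo policy.
policy_module(example_run_labels, 1.0)

type example_var_run_t;                 # assumed type name
files_pid_file(example_var_run_t)

# Named file transitions: when init_t or initrc_t creates "example.pid"
# (class file) or the "example" directory under /run, the object gets
# example_var_run_t instead of the parent's var_run_t.  The rule is keyed
# on the *creating* domain, so a checkpath that runs in some other domain
# (tmpfiles_t via tmpfiles_exec_t, as described in the thread) does not
# match it and the object stays var_run_t.
init_daemon_pid_file(example_var_run_t, file, "example.pid")
init_daemon_run_dir(example_var_run_t, "example")

# The file-context specification is what a restorecon after creation
# (the OpenRC 0.13 checkpath fix) uses to repair the label regardless of
# which domain created the object.  In the module's .fc file:
#
#   /run/example(/.*)?   gen_context(system_u:object_r:example_var_run_t,s0)
#   /run/example\.pid -- gen_context(system_u:object_r:example_var_run_t,s0)
```

After a boot, `restorecon -nv -R /run` lists every entry whose current label differs from the fcontext specification without changing anything, which is a quick way to see whether the transition or the relabel step is the one that failed.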