Re: [gentoo-hardened] Incorrect contexts in /run revisited

[Ben Pritchard <ben@bennyp.org>]

Thanks, that fixed a lot of it. Sven's answer makes a bit more sense
now :)

The only ones remaining (for me anyway) don't seem to be related to file
contexts (ie, fail2ban is still incorrect, since it doesn't use
start-stop-daemon -- it's just missing the init_daemon_pid_file),
so there may be a few reports coming your way.


Thanks for the help
-- 
Ben Pritchard


On Sun, Aug 17, 2014 at 12:01:51AM +0400, Jason Zaman wrote:
> On Sat, Aug 16, 2014 at 03:46:43PM -0400, Ben Pritchard wrote:
> > Hello all
> > 
> > In March, I reported some issues with SELinux contexts in /run. (I seem
> > to have misplaced the email -- archive at
> > http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
> > 
> > It look like Sven added the functionality a few months ago, and it is
> > available in version 2.20140311-r5 (currently ~arch).
> 
> I actually fixed this, its a problem with OpenRC not with SELinux per-se
> 
> https://bugs.gentoo.org/show_bug.cgi?id=516956
> 
> Checkpath now does a restorecon when it creates things, it will be in
> openRC-0.13 which is not yet released. Can you test openrc-9999 (it has
> all the fixes in it and is quite close to release).
> > 
> > Note 1: There are a few pacakges that need this implemented. Fail2ban
> > is one on my machine. Should I file a bug report (probably against
> > sec-policy/selinux-fail2ban)?
> > 
> > Note 2: There's possibly a bug in the new tmpfiles module
> > (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath
> > should have context tmpfiles_exec_t. Again, this seems to make several
> > directories (and maybe files) in /run have context var_run_t.
> 
> The tmpfiles module goes along with the new OpenRC the current stable
> (0.12) is missing the relabel parts.
> 
> > What I think is happening is that init_daemon_pid_file() only allows
> > transitions for the initrc_t domain, and checkpath is no longer running in
> > that domain. Therefore, the file transition from var_run_t to whatever
> > type is specified as the first argument in init_daemon_pid_file is
> > not done.
> > 
> > Changing the context of /lib/rc/bin/checkpath to bin_t makes many more
> > of the files in /run have the correct context again on boot.
> 
> Can you try OpenRC-0.13 and have checkpath and tmpfiles.sh with the
> tmpfiles labels and see if that fixes it.
> 
> If that does not fix it, we will need to add in fcontexts for things,
> filing bugs would be great :)
> 
> > (perhaps this belongs on the selinux mailing list?)
> 
> No, this is gentoo related (for now at least, we're working on
> upstreaming it)
> 
> -- Jason
>