Baselayout-2 OpenRC mount-point rc-svcdir in /lib/rc/init.d gets selinux context of tmpfs_t. Patch to init.sh makes selinux context correct.

Reproducible: Always

Steps to Reproduce:
1. Boot SELinux system with baselayout-2 using v2ref profile.

Actual Results:
ls -dZ /lib64/rc/init.d shows context of tmpfs_t

Expected Results:
Context should be correct according to policy loaded on system (current policy makes it lib_t, however this is also incorrect. New policy will assign initrc_state_t.)

Patch is necessary to allow other selinux policy to operate correctly and get to a fully operational system.

Created attachment 256091: patch to /lib/rc/sh/init.sh
Patch for init.sh in baselayout 2.0.1
Can you please post your patch as a unified diff (diff -u)? The diff you posted cannot be applied to the tree. Thanks, William
Created attachment 256177: patch to /lib/rc/sh/init.sh
Sorry about that. Here's the patch in unified format. That's what I get for generating patches while I'm tired......
There are questions about a couple of lines in the patch.
    if [ rc -a selinuxenabled ]; then # are you sure this is valid?
Also,
    [ rc ] && return 0 # and what about this line?
These just have rc mentioned, but not $rc, and there is no testing of the value.
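The point raised in the comment above, as an added example that is not part of the thread or of the OpenRC patch: the two questioned tests succeed without ever running selinuxenabled, while a guard in the style suggested later in the thread does run it. The stub, the function names and the parameterized paths are assumptions made so the script runs on any host.

```shell
#!/bin/sh
# Added illustration, not code from the OpenRC patch. Function and variable
# names are hypothetical.

calls=0          # how many times the stub below was actually executed
stub_status=1    # exit status the stub reports (1 = SELinux disabled)

# Constructed stand-in for the selinuxenabled command.
selinuxenabled() { calls=$((calls + 1)); return "$stub_status"; }

# Questioned form: test(1) sees two non-empty strings joined by -a, so the
# condition is always true and selinuxenabled is never run.
flawed_guard() {
    if [ rc -a selinuxenabled ]; then
        return 0
    fi
    return 1
}

# Second questioned line: a single non-empty string is always true.
flawed_early_return() {
    [ rc ] && return 0
    return 1
}

# Style suggested later in the thread. $1 and $2 stand in for
# /usr/sbin/selinuxenabled and /selinux/null so this runs on any host.
checked_guard() {
    [ -x "$1" -a -c "$2" ] && selinuxenabled
}
```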
Created attachment 256182: openrc-0.6.6-selinux-init-svcdir.patch
Please test the attached patch on your system.
the indentation in that svcdir_restorecon needs fixing
This thing is borked on so many levels I'm ashamed I submitted it. In my defence, it DOES do what I needed it to do on my system; it's just likely that it won't work on anyone else's. Give me a bit to sort this out.
The patch from post #5 works fine on my system. Thanks for correcting my stupidity.
Created attachment 256278: openrc-0.6.7-selinux-init-svcdir.patch
Mike, how is the indentation on this version? If it is good, I'll apply it to the git tree.
Thanks, William
typically the style is something like:
<tab>if [ -x /usr/sbin/selinuxenabled -a -c /selinux/null ] \
<tab><spaces>&& selinuxenabled; then
you also don't need the line continuation marker
This has been applied to the overlay and will be included in the next release. Thanks, Robin, for the patch, and thanks, Chris, for the report. William