Bug 516956 - sys-apps/openrc: add direct SELinux support
Summary: sys-apps/openrc: add direct SELinux support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: OpenRC Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 481182
Reported: 2014-07-12 15:15 UTC by Sven Vermeulen (RETIRED)
Modified: 2014-07-18 23:25 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for tmpfiles.sh (0001-tmpfiles-set-the-proper-SELinux-context.patch,2.38 KB, patch)
2014-07-14 16:06 UTC, Jason Zaman
tmpfiles patch (0001-tmpfiles-set-the-proper-SELinux-context.patch,2.35 KB, patch)
2014-07-15 11:02 UTC, Jason Zaman
0002-Fix-SELinux-contexts-in-dev-after-it-is-mounted.patch (0002-Fix-SELinux-contexts-in-dev-after-it-is-mounted.patch,753 bytes, patch)
2014-07-15 11:03 UTC, Jason Zaman
0003-checkpath-restore-the-SELinux-context.patch (0003-checkpath-restore-the-SELinux-context.patch,8.00 KB, patch)
2014-07-15 11:08 UTC, Jason Zaman
0001-Add-SELinux-support-to-the-build-system.patch (0001-Add-SELinux-support-to-the-build-system.patch,708 bytes, patch)
2014-07-15 16:57 UTC, William Hubbs

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-07-12 15:15:52 UTC
Many (?) init scripts use /run/tmpfiles.d for intermediate storage. Depending on the need, this location should either have its own label (tmpfiles_var_run_t?) or stick with var_run_t so that we can use init_daemon_pid_file for updating policies accordingly.

First example: /run/tmpfiles.d/kmod.conf used by kmod-static-nodes

Reproducible: Always
Comment 1 Jason Zaman gentoo-dev 2014-07-12 19:02:22 UTC
So tmpfiles is used to initialize various directories. The following cats out all the rules that are used:
cat /usr/lib/tmpfiles.d/* /etc/tmpfiles.d/* /run/tmpfiles.d/*

It looks like anything that is set in /run gets labelled initrc_var_run_t which is almost certainly wrong.
We will need to use init_daemon_pid_file to set the labels for all the dirs that are wrong.

Here is the output on my system:

# cat /usr/lib/tmpfiles.d/* /etc/tmpfiles.d/* /run/tmpfiles.d/*
d /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /var/run/mysqld 0755 mysql mysql -
d /var/lib/nfs/rpc_pipefs
d /var/lib/nfs/v4recovery
d /var/lib/nfs/v4root
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
d /run/sepermit 0755 root root
D /run/vpnc 0755 root root -
cat: /etc/tmpfiles.d/*: No such file or directory
d /dev/net 0755 - - -
c /dev/net/tun 0600 - - - 10:200
d /dev/mapper 0755 - - -
c /dev/mapper/control 0600 - - - 10:236
c /dev/vhost-net 0600 - - - 10:238

# ls -alZ /run/
total 68
drwxr-xr-x. 21 root  root  system_u:object_r:var_run_t                 800 Jul 12 21:36 ./
drwxr-xr-x.  1 root  root  system_u:object_r:root_t                    148 Jul  7 13:44 ../
drwxr-xr-x.  2 root  root  system_u:object_r:consolekit_var_run_t       80 Jul 12 21:36 ConsoleKit/
drwxr-xr-x.  2 root  root  system_u:object_r:NetworkManager_var_run_t   60 Jul 12 21:35 NetworkManager/
-rw-r--r--.  1 root  root  system_u:object_r:apmd_var_run_t              5 Jul 12 21:35 acpid.pid
srw-rw-rw-.  1 root  root  system_u:object_r:apmd_var_run_t              0 Jul 12 21:35 acpid.socket=
-rw-r--r--.  1 root  root  system_u:object_r:auditd_var_run_t            5 Jul 12 21:35 auditd.pid
-rw-r--r--.  1 root  root  system_u:object_r:cachefilesd_var_run_t       5 Jul 12 21:35 cachefilesd.pid
drwxr-xr-x.  2 root  root  system_u:object_r:pam_var_console_t          60 Jul 12 21:36 console/
-rw-r--r--.  1 root  root  system_u:object_r:crond_var_run_t             5 Jul 12 21:35 cron.pid
drwxr-xr-x.  2 root  root  system_u:object_r:system_dbusd_var_run_t     60 Jul 12 21:35 dbus/
-rw-r--r--.  1 root  root  system_u:object_r:system_dbusd_var_run_t      5 Jul 12 21:35 dbus.pid
-rw-r--r--.  1 root  root  system_u:object_r:dhcpc_var_run_t             5 Jul 12 21:36 dhcpcd-wlp3s0.pid
drwx--x--x.  3 root  root  system_u:object_r:xdm_var_run_t              60 Jul 12 21:35 lightdm/
-rw-r--r--.  1 root  root  system_u:object_r:xdm_var_run_t               5 Jul 12 21:35 lightdm.pid
drwxrwxr-x.  3 root  uucp  system_u:object_r:var_lock_t                 60 Jul 12 21:35 lock/
drwx------.  2 root  root  system_u:object_r:initrc_var_run_t           40 Jul 12 21:35 lvm/
drwxr-xr-x.  2 root  root  system_u:object_r:mount_var_run_t            60 Jul 12 21:35 mount/
drwxr-xr-x.  2 mysql mysql system_u:object_r:mysqld_var_run_t           40 Jul 12 21:35 mysqld/
-rw-r--r--.  1 root  root  system_u:object_r:ntpd_var_run_t              4 Jul 12 21:35 ntpd.pid
drwxr-xr-x.  2 ldap  ldap  system_u:object_r:slapd_var_run_t            40 Jul 12 21:35 openldap/
drwxrwxr-x. 14 root  root  system_u:object_r:initrc_state_t            380 Jul 12 21:35 openrc/
drwxr-xr-x.  4 root  root  system_u:object_r:devicekit_var_run_t        80 Jul 12 21:35 pm-utils/
-rw-r--r--.  1 root  root  system_u:object_r:privoxy_var_run_t           5 Jul 12 21:36 privoxy.pid
drwxr-xr-x.  4 root  root  system_u:object_r:initrc_var_run_t           80 Jul 12 21:35 resolvconf/
-rw-r--r--.  1 root  root  system_u:object_r:restorecond_var_run_t       5 Jul 12 21:35 restorecond.pid
-rw-r--r--.  1 root  root  system_u:object_r:rpcd_var_run_t              5 Jul 12 21:35 rpc.statd.pid
-r--r--r--.  1 root  root  system_u:object_r:rpcbind_var_run_t           0 Jul 12 21:35 rpcbind.lock
srw-rw-rw-.  1 root  root  system_u:object_r:rpcbind_var_run_t           0 Jul 12 21:35 rpcbind.sock=
drwxr-xr-x.  2 root  root  system_u:object_r:pam_var_run_t              40 Jul 12 21:35 sepermit/
-rw-------.  1 root  root  system_u:object_r:rpcd_var_run_t              5 Jul 12 21:35 sm-notify.pid
-rw-r--r--.  1 root  root  system_u:object_r:sshd_var_run_t              5 Jul 12 21:35 sshd.pid
srwxr-xr-x.  1 root  root  system_u:object_r:devlog_t                    0 Jul 12 21:35 syslog-ng.ctl=
-rw-r--r--.  1 root  root  system_u:object_r:syslogd_var_run_t           5 Jul 12 21:35 syslog-ng.pid
drwxrwxr-x.  2 root  root  system_u:object_r:initrc_var_run_t           60 Jul 12 21:35 tmpfiles.d/
drwxr-xr-x.  2 tor   tor   system_u:object_r:tor_var_run_t              60 Jul 12 21:36 tor/
drwxr-xr-x.  7 root  root  system_u:object_r:udev_var_run_t            180 Jul 12 22:38 udev/
drwx------.  2 root  root  system_u:object_r:devicekit_var_run_t        40 Jul 12 21:36 udisks2/
-rw-rw-r--.  1 root  utmp  system_u:object_r:initrc_var_run_t         4224 Jul 12 21:36 utmp
drwxr-xr-x.  2 root  root  system_u:object_r:initrc_var_run_t           40 Jul 12 21:35 vpnc/
Comment 2 Jason Zaman gentoo-dev 2014-07-12 19:59:14 UTC
For reference, here is similar output from feandil on #gentoo-hardened. openvpn / openvpn.pid are good examples of where the label is wrong.
# cat /usr/lib/tmpfiles.d/*
d /var/lib/dhcp/ 0755 dhcp dhcp
f /var/lib/dhcp/dhcpd.leases 0644 dhcp dhcpd /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /run/mdadm 0710 root root -
d /run/named 0755 named root -
D /var/run/openvpn 0710 root openvpn -
d /run/php-fpm 755 root root
d /run/postgresql 0775 postgres postgres -
D /var/run/samba 0755 root root
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
d /run/sepermit 0755 root root
Fea ~ #  ls -alZ /run/
total 80K
drwxr-xr-x. 21 root     root     system_u:object_r:var_run_t             760 2014-07-09 12:29 ./
drwxr-xr-x. 22 root     root     system_u:object_r:root_t               4.0K 2014-07-06 13:15 ../
-rw-r--r--.  1 root     root     system_u:object_r:auditd_var_run_t        5 2014-06-06 22:23 auditd.pid
drwxr-xr-x.  2 bitlbee  bitlbee  system_u:object_r:initrc_var_run_t       60 2014-06-06 22:23 bitlbee/
drwxr-xr-x.  2 root     root     system_u:object_r:var_run_t              80 2014-06-06 22:23 blkid/
-rw-r--r--.  1 root     collectd system_u:object_r:collectd_var_run_t      6 2014-07-05 15:26 collectd.pid
-rw-r--r--.  1 root     root     system_u:object_r:crond_var_run_t         5 2014-06-06 22:23 cron.pid
drwxr-xr-x.  4 root     root     system_u:object_r:dhcpc_var_run_t        80 2014-07-12 20:36 dhcpcd/
-rw-r--r--.  1 root     root     system_u:object_r:dhcpc_var_run_t         5 2014-06-06 22:23 dhcpcd-enp0s25.pid
drwxr-xr-x.  5 root     root     system_u:object_r:dovecot_var_run_t     680 2014-06-06 22:28 dovecot/
drwxrwxr-x.  3 root     uucp     system_u:object_r:var_lock_t             60 2014-06-06 22:23 lock/
drwx------.  2 root     root     system_u:object_r:initrc_var_run_t       40 2014-06-06 22:23 lvm/
drwxr-xr-x.  2 root     root     system_u:object_r:mdadm_var_run_t       120 2014-06-06 22:23 mdadm/
-rw-r--r--.  1 root     root     system_u:object_r:mdadm_var_run_t         5 2014-06-06 22:23 mdadm.pid
drwxr-xr-x.  2 root     root     system_u:object_r:mount_var_run_t        60 2014-06-06 22:23 mount/
drwxrwx---.  2 root     named    system_u:object_r:named_var_run_t        80 2014-06-22 08:42 named/
-rw-r--r--.  1 root     root     system_u:object_r:nginx_var_run_t         6 2014-07-09 12:29 nginx.pid
-rw-r--r--.  1 root     root     system_u:object_r:ntpd_var_run_t          4 2014-06-06 22:23 ntpd.pid
drwxr-xr-x.  2 milter   milter   system_u:object_r:dkim_milter_data_t     80 2014-06-06 22:23 opendkim/
drwxr-xr-x.  2 ldap     ldap     system_u:object_r:slapd_var_run_t        40 2014-06-06 22:23 openldap/
drwxrwxr-x. 14 root     root     system_u:object_r:initrc_state_t        360 2014-06-06 22:23 openrc/
drwx--x---.  2 root     openvpn  system_u:object_r:initrc_var_run_t       40 2014-06-06 22:23 openvpn/
-rw-r--r--.  1 root     root     system_u:object_r:openvpn_var_run_t       5 2014-06-06 22:23 openvpn.pid
drwxr-xr-x.  2 root     root     system_u:object_r:initrc_var_run_t       40 2014-06-06 22:23 php-fpm/
-rw-r--r--.  1 root     root     system_u:object_r:phpfpm_var_run_t        5 2014-07-09 08:34 php-fpm.pid
drwxr-xr-x.  2 root     root     system_u:object_r:var_run_t              60 2014-07-09 08:34 php5-fpm/
drwxrwxr-x.  2 postgres postgres system_u:object_r:postgresql_var_run_t   80 2014-06-06 22:23 postgresql/
-rw-r--r--.  1 root     root     system_u:object_r:rsync_var_run_t         5 2014-06-06 22:23 rsyncd.pid
-rw-r--r--.  1 root     root     system_u:object_r:syslogd_var_run_t       5 2014-06-06 22:23 rsyslogd-remote.pid
-rw-r--r--.  1 root     root     system_u:object_r:syslogd_var_run_t       5 2014-06-06 22:23 rsyslogd.pid
drwxr-xr-x.  2 root     root     system_u:object_r:initrc_var_run_t       80 2014-06-06 22:25 samba/
-rw-r--r--.  1 root     root     system_u:object_r:initrc_var_run_t        5 2014-06-06 22:23 sensord.pid
drwxr-xr-x.  2 root     root     system_u:object_r:pam_var_run_t          40 2014-06-06 22:23 sepermit/
-rw-------.  1 root     root     system_u:object_r:fsdaemon_var_run_t      5 2014-06-06 22:23 smartd.pid
-rw-r--r--.  1 root     root     system_u:object_r:sshd_var_run_t          5 2014-06-06 22:23 sshd.pid
drwxr-xr-x.  6 root     root     system_u:object_r:udev_var_run_t        160 2014-07-11 09:06 udev/
-rw-r--r--.  1 root     root     system_u:object_r:nut_var_run_t           5 2014-06-29 10:28 upsmon.pid
-rw-rw-r--.  1 root     utmp     system_u:object_r:initrc_var_run_t      11K 2014-07-12 20:34 utmp
root@lerya /home/feandil # cat /usr/lib/tmpfiles.d/*
d /run/clamav 0710 clamav clamav
d /var/lock/ejabberdctl 0750 jabber jabber
D /run/fail2ban 0755 root root -d /run/lock/lvm 0700 root root -
d /run/lvm 0700 root root -
d /var/run/mysqld 0755 mysql mysql -
d /run/named 0755 named root -
D /var/run/openvpn 0710 root openvpn -
d /run/php-fpm 755 root root
d /run/postgresql 0775 postgres postgres -
d /run/sepermit 0755 root root
root@lerya /home/feandil # ls -alZ /run/
total 56K
drwxr-xr-x. 18 root     root     system_u:object_r:var_run_t             620 2014-07-08 23:56 ./
drwxr-xr-x. 23 root     root     system_u:object_r:root_t               4.0K 2014-06-07 12:32 ../
drwxr-xr-x.  2 asterisk root     system_u:object_r:asterisk_var_run_t     40 2014-06-07 17:16 asterisk/
-rw-r--r--.  1 root     root     system_u:object_r:auditd_var_run_t        5 2014-07-08 22:48 auditd.pid
drwx--x---.  2 clamav   clamav   system_u:object_r:initrc_var_run_t       40 2014-06-07 17:15 clamav/
drwxr-xr-x.  2 root     root     system_u:object_r:var_run_t              60 2014-07-12 17:59 collectd/
-rw-r--r--.  1 root     root     system_u:object_r:crond_var_run_t         6 2014-07-08 23:56 cron.pid
drwxr-xr-x.  5 root     root     system_u:object_r:dovecot_var_run_t     680 2014-06-07 17:15 dovecot/
drwxrwxr-x.  4 root     uucp     system_u:object_r:var_lock_t             80 2014-06-07 17:15 lock/
drwx------.  2 root     root     system_u:object_r:initrc_var_run_t       40 2014-06-07 17:15 lvm/
srwxr-xr-x.  1 root     root     system_u:object_r:mcelog_var_run_t        0 2014-06-07 17:15 mcelog-client=
-rw-r--r--.  1 root     root     system_u:object_r:mcelog_var_run_t        4 2014-06-07 17:15 mcelog.pid
drwxr-xr-x.  2 root     root     system_u:object_r:mount_var_run_t        60 2014-06-07 17:15 mount/
drwxr-xr-x.  2 mysql    mysql    system_u:object_r:mysqld_var_run_t       40 2014-06-07 17:15 mysqld/
drwxrwx---.  2 root     named    system_u:object_r:named_var_run_t        80 2014-06-07 17:15 named/
-rw-r--r--.  1 root     root     system_u:object_r:nginx_var_run_t         6 2014-07-08 23:44 nginx.pid
-rw-r--r--.  1 root     root     system_u:object_r:ntpd_var_run_t          4 2014-06-07 17:15 ntpd.pid
drwxrwxr-x. 14 root     root     system_u:object_r:initrc_state_t        360 2014-06-07 17:15 openrc/
drwx--x---.  2 root     openvpn  system_u:object_r:initrc_var_run_t       40 2014-06-07 17:15 openvpn/
-rw-r--r--.  1 root     root     system_u:object_r:openvpn_var_run_t       5 2014-07-08 22:48 openvpn.pid
drwxr-xr-x.  2 root     root     system_u:object_r:initrc_var_run_t       40 2014-06-07 17:15 php-fpm/
-rw-r--r--.  1 root     root     system_u:object_r:phpfpm_var_run_t        4 2014-07-08 22:59 php-fpm.pid
drwxr-xr-x.  2 root     root     system_u:object_r:var_run_t              60 2014-07-08 22:59 php5-fpm/
drwxrwxr-x.  2 postgres postgres system_u:object_r:postgresql_var_run_t   80 2014-07-08 23:55 postgresql/
drwxr-xr-x.  2 root     root     system_u:object_r:pam_var_run_t          40 2014-06-07 17:15 sepermit/
-rw-------.  1 root     root     system_u:object_r:fsdaemon_var_run_t      6 2014-07-08 23:56 smartd.pid
-rw-r--r--.  1 root     root     system_u:object_r:sshd_var_run_t          5 2014-06-07 17:15 sshd.pid
srwxr-xr-x.  1 root     root     system_u:object_r:devlog_t                0 2014-07-08 23:56 syslog-ng.ctl=
-rw-r--r--.  1 root     root     system_u:object_r:syslogd_var_run_t       6 2014-07-08 23:56 syslog-ng.pid
drwxr-xr-x.  6 root     root     system_u:object_r:udev_var_run_t        160 2014-07-08 22:48 udev/
-rw-rw-r--.  1 root     utmp     system_u:object_r:initrc_var_run_t     9.0K 2014-07-12 20:41 utmp
root@lerya /home/feandil # llaZ /run/clamav
total 0
root@lerya /home/feandil # llaZ /run/openvpn
total 0
root@lerya /home/feandil # llaZ /run/php-fpm
total 0
root@lerya /home/feandil # llaZ /run/php5-fpm
total 0
0 srw-rw----. 1 phpfpm phpfpm system_u:object_r:phpfpm_var_run_t 0 2014-07-08 22:59 php-fpm.sock=
Comment 3 Jason Zaman gentoo-dev 2014-07-13 23:27:08 UTC
Okay, I have narrowed this down to two somewhat separate problems.

One is /lib64/rc/sh/tmpfiles.sh (run from tmpfiles.setup and tmpfiles.dev) to parse and create the dirs. It runs in the initrc_t domain, so everything gets created based on that, which is incorrect. tmpfiles.sh needs to restorecon the dir after it is created. I have verified that from the systemd source and have a patch for tmpfiles.sh that needs a little more testing.

The second problem is in checkpath, which is used from many init scripts. It also needs to set the label when it creates the dir; otherwise it ends up in initrc_t.
This requires patching openrc's src/rc/checkpath.c.

Does this seem sane?
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-14 09:02:07 UTC
If the patch can make sure that restorecon is called after creating the resources and before applications are using it further (i.e. no chance that the small period between creation and restorecon where the label will be "incorrect" will be causing application troubles) then I can agree with calling restorecon in tmpfiles.sh.

From the looks of it, it is indeed quite configurable and thus could be difficult to track policy-wise if we want to include file transitions for everything.

I'll look into the checkpath.c code.
Comment 5 Jason Zaman gentoo-dev 2014-07-14 16:06:29 UTC
Created attachment 380714 [details, diff]
patch for tmpfiles.sh

This is the patch to fix tmpfiles. It basically just calls restorecon when it creates anything. I used a function to wrap restorecon so that it first checks if it exists on the system. My system boots fine with the patch applied manually to /lib64/rc/sh/tmpfiles.sh.

Comments?
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-14 19:21:41 UTC
The restorecon application might be installed, but SELinux can still be disabled. You might want to check for SELinux being enabled (run selinuxenabled and check the return code: RC=0 means SELinux is enabled, RC=1 means it is disabled). The command is part of libselinux (so yes, you need to check for selinuxenabled's existence as well).

I'm wondering if the restorecon command shouldn't be recursive either (will tmpfiles.sh always create just a single file/path?).

Also, what if restorecon fails when the $path no longer exists (there's a find $path ... rm -rf {} + )?
Comment 7 Jason Zaman gentoo-dev 2014-07-14 19:37:08 UTC
(In reply to Sven Vermeulen from comment #6)
> The restorecon application might be installed but SELinux can still be
> disabled. You might want to check for SELinux being enabled (run
> selinuxenabled, check returncode - RC=0 is SELinux is enabled, RC=1 is
> disabled). The command is part of libselinux (so yes, need to check for
> selinuxenabled existence as well).

Good point. I will fix the patch.

> I'm wondering if the restorecon command shouldn't use recursive either (will
> tmpfiles.sh always create just a single file/path).

http://0pointer.de/public/systemd-man/tmpfiles.d.html
The definitions of each of the types are at this link.

I only made it restorecon on: b c f F d D L p. (x and X already called restorecon)
The only ones that recursing would apply to are d and D, but those are for empty dirs, so it should not be required.

> Also, what if restorecon fails when the $path no longer exists (there's a
> find $path ... rm -rf {} + )?

The find one is "D", which is to empty out a directory but leave the dir itself there, so that one is fine. "R" and "r" are to rm -rf the whole thing, so I do not call restorecon for those.
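The per-type decision from this thread (restorecon after b c f F d D L p, nothing after R and r, and the selinuxenabled check from comment 6), written out as an added example in POSIX sh. This is not OpenRC's tmpfiles.sh; the function names (needs_restorecon, selinux_active, _restorecon, classify_line) are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not OpenRC's own tmpfiles.sh.
# Decide per tmpfiles.d entry type whether the created path needs its
# SELinux label restored, and only call restorecon when SELinux is on.

# Returns 0 (true) for the types that create something and therefore
# need a restorecon afterwards: b c f F d D L p. R and r remove the
# path, and x/X are left out because the script already handles them.
needs_restorecon() {
	case "$1" in
		b|c|f|F|d|D|L|p) return 0 ;;
		*) return 1 ;;
	esac
}

# Returns 0 only when both libselinux tools are present and SELinux is
# enabled: selinuxenabled exits 0 when enabled and 1 when disabled.
selinux_active() {
	command -v selinuxenabled >/dev/null 2>&1 || return 1
	command -v restorecon >/dev/null 2>&1 || return 1
	selinuxenabled
}

# Wrapper around restorecon: skip silently when SELinux is not active
# or the path is already gone, so the caller never fails because of it.
_restorecon() {
	selinux_active || return 0
	[ -e "$1" ] || return 0
	restorecon "$1"
}

# Take one tmpfiles.d line, split it into type and path, and report
# whether the wrapper would run. Comments and blank lines print nothing.
classify_line() {
	case "$1" in
		''|'#'*) return 0 ;;
	esac
	# Intentionally unquoted: the line is split on whitespace into
	# type ($1), path ($2) and the remaining fields.
	set -- $1
	if needs_restorecon "$1"; then
		printf 'restore %s\n' "$2"
	else
		printf 'skip %s\n' "$2"
	fi
}

# Constructed sample rules in the same format as the cat output above.
SAMPLE_RULES='d /run/lvm 0700 root root -
# openldap runtime directory for slapd.arg and slapd.pid
D /var/run/openvpn 0710 root openvpn -
R /run/stale-example'

run_sample() {
	printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
		classify_line "$line"
	done
}
```

Calling run_sample prints "restore /run/lvm", "restore /var/run/openvpn" and "skip /run/stale-example"; replace the printf in classify_line with a call to _restorecon "$2" to wire it into a real script.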
Comment 8 Jason Zaman gentoo-dev 2014-07-15 11:02:42 UTC
Created attachment 380732 [details, diff]
tmpfiles patch

This replaces the old tmpfiles patch.
I booted without selinux enabled and running restorecon is a no-op so checking /sys/fs/selinux is not required.
Comment 9 Jason Zaman gentoo-dev 2014-07-15 11:03:57 UTC
Created attachment 380734 [details, diff]
0002-Fix-SELinux-contexts-in-dev-after-it-is-mounted.patch

The labels on /dev are all device_t on boot, which is wrong, so we must restorecon immediately after mounting /dev.
Comment 10 Jason Zaman gentoo-dev 2014-07-15 11:08:40 UTC
Created attachment 380736 [details, diff]
0003-checkpath-restore-the-SELinux-context.patch

This patch sets the label on the dir right after checkpath has created it. It builds fine and I have tested it manually with a few test cases, but I have not booted my system with it yet. It checks if selinux is enabled before doing anything and only exits with errors if selinux is in enforcing mode. I have left some printf debug lines in this version still; I will clean them up before the final patch.

Any comments on this patch series?
Comment 11 William Hubbs gentoo-dev 2014-07-15 16:15:15 UTC
Currently OpenRc depends on a Gentoo-specific package for SELinux support. The Gentoo SELinux team is working with me to add SELinux support directly to OpenRc and remove that dependency.
Comment 12 William Hubbs gentoo-dev 2014-07-15 16:57:28 UTC
Created attachment 380762 [details, diff]
0001-Add-SELinux-support-to-the-build-system.patch

This is the first patch we will need for SELinux support.
This patch defines the HAVE_SELINUX pre-processor macro and adds -lselinux to the libraries when MKSELINUX=yes is passed to make.
Comment 13 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-15 19:06:26 UTC
The patches that perfinion sent apply against openrc-9999. A full SELinux-enforcing system with openrc-9999 + patches works as expected (service stop/start, etc.). I do get a massive amount of "runscript is deprecated; please use openrc-run instead", but except for the messages the init scripts work.
Comment 14 William Hubbs gentoo-dev 2014-07-18 20:43:34 UTC
All of the below commits add SELinux support. Now OpenRc links directly to libselinux if SELinux support is needed. This will all be included in OpenRc-0.13.

I would like to thank Jason Zaman for the patches.
4a1afa69
4f784bd4
525d7140
9c689542
99939b98