Bug 445142 - SELinux policy 2.20120725-r8 & sys-apps/openrc-0.11.5: daemon errors due to new symlink /var/run -> /run
Summary: SELinux policy 2.20120725-r8 & sys-apps/openrc-0.11.5: daemon errors due to n...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-29 04:54 UTC by Vincent Brillault
Modified: 2012-11-29 12:43 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Vincent Brillault 2012-11-29 04:54:48 UTC
When I rebooted my server today, most of my daemons crashed or refused to start according to rc-status. After some analysis I discovered that the /var/run folder has been replaced by a symlink to /run. Some daemons seem to be missing the right to follow this symlink.

Here is a non-exhaustive list of impacted domains:

allow asterisk_t var_t:lnk_file read;
allow crond_t var_t:lnk_file read;
allow dovecot_auth_t var_t:lnk_file read;
allow iptables_t var_t:lnk_file read;
allow mcelog_t var_t:lnk_file read;
allow named_t var_t:lnk_file read;
allow nginx_t var_t:lnk_file read;
allow ntpd_t var_t:lnk_file read;
allow openvpn_t var_t:lnk_file read;
allow phpfpm_t var_t:lnk_file read;
allow postfix_master_t var_t:lnk_file read;
allow sshd_t var_t:lnk_file read;
allow syslogd_t var_t:lnk_file read;

I added those rules one by one in order to be able to correctly start my services. I also added other rules (e.g. other postfix domains) based on avc but, as I have no proof that those other avcs change the daemon behaviour, I didn't put them here.
Comment 1 Vincent Brillault 2012-11-29 05:07:45 UTC
I forgot to mention that in the case of named (bind), there is also a missing file_transition: /run/named is created as initrc_var_run_t, resulting in the following avcs (and an 'exiting (due to fatal error)'):
[   21.287321] type=1400 audit(1354165077.761:203): avc:  denied  { getattr } for  pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.288670] type=1400 audit(1354165077.762:204): avc:  denied  { search } for  pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.290563] type=1400 audit(1354165077.764:205): avc:  denied  { getattr } for  pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.290783] type=1400 audit(1354165077.764:206): avc:  denied  { search } for  pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir


Manually fixing the file context (together with the allow named_t var_t:lnk_file read;) temporarily fixes the problem (but it will not survive a reboot).
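The reporter derived the allow rules in the description from AVC denials by hand, the way audit2allow does. The following script is an added example and is not part of this bug report or of the Gentoo policy tooling: it parses audit(1400) AVC lines in the dmesg format shown in Comment 1, aggregates the denied permissions per (source type, target type, class) and renders them as TE allow statements. It also applies the lesson of this bug: when the target type is a generic label such as var_t or initrc_var_run_t, the right fix is usually to relabel the path (restorecon / fixing the file context), not to add the rule. The four named_t lines are copied from Comment 1; the sshd_t line is constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the four AVC lines from Comment 1 of this bug (named_t on a
# mislabelled /run/named), plus one constructed sshd_t denial on the /var/run
# symlink, corresponding to the "allow sshd_t var_t:lnk_file read;" rule in
# the description.
SAMPLE_AVCS = """\
[   21.287321] type=1400 audit(1354165077.761:203): avc:  denied  { getattr } for  pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.288670] type=1400 audit(1354165077.762:204): avc:  denied  { search } for  pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.290563] type=1400 audit(1354165077.764:205): avc:  denied  { getattr } for  pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   21.290783] type=1400 audit(1354165077.764:206): avc:  denied  { search } for  pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[   22.001000] type=1400 audit(1354165078.100:210): avc:  denied  { read } for  pid=2001 comm="sshd" name="run" dev="sda1" ino=1234 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:var_t tclass=lnk_file
"""

# Matches the parts of an AVC record we need: the permission set in braces and
# the source/target contexts plus object class at the end of the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic labels under /var and /run. A daemon domain being denied on one of
# these usually means the object carries the wrong label (this bug's root
# cause, see Comment 3), not that the policy lacks a rule.
GENERIC_TYPES = {'var_t', 'var_run_t', 'initrc_var_run_t'}


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all denials."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render aggregated denials as TE allow statements, one per (src, tgt, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return out


def labeling_suspects(rules):
    """Keys whose target is a generic label: verify with matchpathcon before allowing."""
    return sorted(key for key in rules if key[1] in GENERIC_TYPES)


if __name__ == '__main__':
    rules = parse_avcs(SAMPLE_AVCS)
    for rule in to_allow_rules(rules):
        print(rule)
    for src, tgt, cls in labeling_suspects(rules):
        print('# check label: %s denied on %s (%s); likely mislabelled path' % (src, tgt, cls))
```

Run it as-is to see the two rules and the two "check label" hints; to use it on a real system, feed it the output of `dmesg` or `ausearch -m avc` on stdin instead of SAMPLE_AVCS. Both rules in the sample output get flagged, which matches the outcome of this bug: the /var/run symlink needed the var_run_t label from files.fc, and /run/named needed its daemon-specific label rather than initrc_var_run_t.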
Comment 2 Vincent Brillault 2012-11-29 12:27:33 UTC
I just discovered the following file_context rule:
'kernel/files.fc:/var/run   -l   gen_context(system_u:object_r:var_run_t,s0)'

In that case the problem is mainly a missing file transition?

A lot of modules (e.g. asterisk, mcelog, iptables, ssh) use the interface 'files_pid_filetrans', which would give them 'allow $1 var_run_t:lnk_file read_lnk_file_perms;' and thus fix the issue.
Comment 3 Vincent Brillault 2012-11-29 12:43:58 UTC
Ok, it was really just a label problem (the symlink has been created I don't know how but didn't have the right label): changing it and restarting the system makes everything work (except named).

Sorry for the noise.
I'll open a new clean bug for named.