My avc log has a lot of denials for vnstat, which is unexpected given it has a selinux policy. Upon investigation, I find this out:

# ls -Z /etc/init.d/vnstatd
system_u:object_r:initrc_exec_t /etc/init.d/vnstatd

This is incorrect, as the initrc_exec_t domain can't transition to the vnstat-specific domain, so the program runs under whatever context started it. Which causes issues, even if started under sysadm_r.

Looking at vnstatd.fc, I see the following.

/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)

This is wrong because the actual init script is "vnstatd" rather than "vnstat". (I initially thought it was because rc.d no longer exists, but then I noticed the equivalence between rc.d and init.d within selinux, and the wrong filename.) Once it is changed, this resolves the issue. Not attaching a patch for a one line fix.

Reproducible: Always
Hi Eric, good catch. I've fixed this in our repository (which means that the live ebuilds already have the fix in them). The fix will be part of the next policy release ebuilds as well (r8 and higher).
Looking at this again I realized I wasn't fully specific about vnstatd. The init script is mislabeled, but it also applies to labeling /usr/bin/vnstatd, which normally has no specific:

# ls -Z /usr/bin/vnstatd
root:object_r:bin_t /usr/bin/vnstatd

Incremental work. You think you fixed something, and you come back a day later and see a periodic complaint in the avc log and think "hmmm..."
Ok, context change for /usr/bin/vnstatd added as well.
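To make the mismatch from the two reports above concrete, here is an added shell example (not part of this bug or of the vnstatd policy module) that checks whether a vnstatd.fc regex would match the two paths in question, the way an anchored file_contexts match does. It assumes the only path substitution involved is the /etc/init.d to /etc/rc.d/init.d equivalence mentioned above; the spec strings are constructed from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the vnstatd policy module.
# fc_matches answers: would this file_contexts regex label this path?
# The whole path must match (anchored), after rewriting /etc/init.d/X to
# /etc/rc.d/init.d/X. Assumption: that is the only substitution in play.

# Apply the assumed init.d equivalence before matching.
apply_subs() {
    case "$1" in
        /etc/init.d/*) printf '%s\n' "/etc/rc.d/init.d/${1#/etc/init.d/}" ;;
        *)             printf '%s\n' "$1" ;;
    esac
}

# fc_matches SPEC PATH -> exit 0 if the anchored regex SPEC matches PATH.
fc_matches() {
    _path=$(apply_subs "$2")
    printf '%s\n' "$_path" | grep -Eq "^$1\$"
}

# Constructed specs: the shipped (wrong) init script entry, the corrected
# one, and the entry later added for the daemon binary.
OLD_INIT_SPEC='/etc/rc\.d/init\.d/vnstat'
NEW_INIT_SPEC='/etc/rc\.d/init\.d/vnstatd'
BIN_SPEC='/usr/bin/vnstatd'

# Print a match table for the two paths from the report.
demo() {
    for p in /etc/init.d/vnstatd /usr/bin/vnstatd; do
        for s in "$OLD_INIT_SPEC" "$NEW_INIT_SPEC" "$BIN_SPEC"; do
            if fc_matches "$s" "$p"; then r=match; else r='no match'; fi
            printf '%-28s %-22s %s\n' "$s" "$p" "$r"
        done
    done
}
demo
```

A path that no spec matches keeps whatever generic type its parent directory gives it (initrc_exec_t for the init script, bin_t for the binary), which is exactly what the two ls -Z listings above show.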
r1 is now stable