Bug 554514 - labeled init script symlinks need to be readable by run_init_t
Summary: labeled init script symlinks need to be readable by run_init_t
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r8
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-11 13:30 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-09-06 12:55 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sven Vermeulen (RETIRED) gentoo-dev 2015-07-11 13:30:46 UTC
When executing a symlink'ed labeled init script, the following occurs:

~$ sudo /etc/init.d/ceph-mon.0 status
openrc-run should not be run directly

In the denials we notice:

time->Sat Jul 11 15:24:53 2015
type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for  pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780 scontext=staff_u:staff_r:run_init_t:s0 tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file permissive=0



Reproducible: Always
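The denial above is the whole evidence the fix is built on, so it is worth being able to read it mechanically: the AVC record names the source type (run_init_t), the target type (ceph_initrc_exec_t), the object class (lnk_file) and the permission set (read). The script below is an added example, not part of this bug report and not Gentoo or refpolicy code. It parses auditd-style AVC lines into their fields, merges denials on the same source/target/class into one allow rule (what audit2allow does by hand), and optionally rewrites the target to an attribute, which is how the eventual fix is scoped (lnk_file read on init_script_file_type rather than on ceph_initrc_exec_t alone). The second sample line and the TYPE_ATTRIBUTES mapping are constructed for the example; on a real system the attribute membership would come from `seinfo -a init_script_file_type -x`.

```python
"""Parse SELinux AVC denials (auditd format) and derive the allow rules they
imply, the way one does by hand before deciding where a fix belongs in policy.
Added example for bug 554514; not Gentoo or refpolicy code."""

import re
from collections import defaultdict

# Constructed input: the first line is the denial quoted in the bug
# description; the second is a made-up companion denial on the same
# source/target pair, added to show permissions being merged into one rule.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for  pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780 scontext=staff_u:staff_r:run_init_t:s0 tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1436621093.702:1166): avc:  denied  { getattr } for  pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780 scontext=staff_u:staff_r:run_init_t:s0 tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file permissive=0
"""

# Assumption for the attribute-level step: ceph_initrc_exec_t carries the
# init_script_file_type attribute (the patch in comment 1 relies on this).
# Constructed here; real policy would be queried with seinfo.
TYPE_ATTRIBUTES = {"ceph_initrc_exec_t": {"init_script_file_type", "file_type"}}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(key not in fields for key in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def allow_rules(lines, target_attribute=None):
    """Collapse denials into 'allow s t:c { perms };' lines, one per
    (source, target, class). With target_attribute set, targets that carry
    that attribute (per TYPE_ATTRIBUTES) are replaced by it, producing the
    attribute-level rule instead of a per-type one."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        target = avc["ttype"]
        if target_attribute and target_attribute in TYPE_ATTRIBUTES.get(target, ()):
            target = target_attribute
        merged[(avc["stype"], target, avc["tclass"])] |= avc["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    # Per-type rule (what audit2allow would emit), then the attribute-level one.
    for rule in allow_rules(SAMPLE_AUDIT.splitlines()):
        print(rule)
    for rule in allow_rules(SAMPLE_AUDIT.splitlines(), "init_script_file_type"):
        print(rule)
```

Feed it `ausearch -m avc` output (or the raw audit.log) and compare the per-type rule with the attribute-level one: the former is what a quick local fix would look like, the latter is the shape the fix in this bug takes, so that every labeled init script symlink is covered rather than only ceph's.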
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-11 13:36:19 UTC
Suggested fix is to enhance init_read_all_script_files to allow reading the symlinks as well. Then grant this to the run_init_t domain for Gentoo specifically.

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
 
        files_search_etc($1)
        allow $1 init_script_file_type:file read_file_perms;
+
+       ifdef(`distro_gentoo',`
+               # Bug 554514
+               allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+       ')
 ')
 
 #######################################
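Review bot: the added lnk_file rule changes what init_read_all_script_files grants for every caller of the interface, not only run_init_t, and the interface's summary block above the hunk is not updated to say so. Either document the Gentoo-only lnk_file read in the interface description, or put it in a separate Gentoo-specific interface so existing callers that only need `allow $1 init_script_file_type:file read_file_perms;` are not widened along with this fix. The `# Bug 554514` comment records the why but not the reach.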
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
 ifndef(`direct_sysadm_daemon',`
        ifdef(`distro_gentoo',`
                # Gentoo integrated run_init:
+               # Bug 554514
+               init_read_all_script_files(run_init_t)  
                init_script_file_entry_type(run_init_t)
 
                init_exec_rc(run_init_t)
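Review bot: trailing whitespace after `init_read_all_script_files(run_init_t)` on the added line; strip it before committing. The call also grants read_file_perms on every init_script_file_type file, which is wider than the single lnk_file read the AVC in the description asked for; the widening is small because the following `init_script_file_entry_type(run_init_t)` already makes those scripts an entrypoint for run_init_t, but the comment should say that the lnk_file read is the part needed here, and that it only arrives through the distro_gentoo branch added to init_read_all_script_files in init.if, so a reader does not look for it in this file.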
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-11 13:45:55 UTC
Is in policy, will be in rev 8
Comment 3 Jason Zaman gentoo-dev 2015-08-04 18:22:07 UTC
r8 is in ~arch now
Comment 4 Jason Zaman gentoo-dev 2015-09-06 12:55:08 UTC
r8 is stable