Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 871963 - sys-apps/gentoo-systemd-integration-9: On a SELinux+systemd host, 10-gentoo-path fails to read /etc/profile.env
Summary: sys-apps/gentoo-systemd-integration-9: On a SELinux+systemd host, 10-gentoo-p...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-19 23:38 UTC by David Sardari
Modified: 2022-10-03 12:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Sardari 2022-09-19 23:38:22 UTC
10-gentoo-path requires read access on "/etc/profile.env", but fails due to the fcontext of "/etc/profile.env".

Reproducible: Always

Steps to Reproduce:
1. Setup Gentoo with systemd and SELinux
2. Boot

Actual Results:  
You get the following denials:

[   12.208682] audit: type=1400 audit(1663626722.916:3): avc:  denied  { read } for  pid=951 comm="10-gentoo-path" name="profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[   12.211534] audit: type=1400 audit(1663626722.916:4): avc:  denied  { open } for  pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[   12.214297] audit: type=1400 audit(1663626722.916:5): avc:  denied  { getattr } for  pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1


Expected Results:  
10-gentoo-path should be able to read "/etc/profile.env".


I circumvented above denials with:

❯ find / -inum 285848
/etc/profile.env

❯ semanage fcontext -l | grep '/etc/profile\\\.env' | column -t
/etc/profile\.env  regular  file  system_u:object_r:etc_runtime_t:s0

❯ sesearch -A -s systemd_generator_t -c file -p getattr,open,read | grep etc
allow systemd_generator_t etc_t:file { getattr ioctl lock open read };
allow systemd_generator_t lvm_etc_t:file { getattr ioctl lock map open read };

❯ semanage fcontext -m -f f -t etc_t '/etc/profile\.env'

❯ restorecon -Fv /etc/profile.env
Relabeled /etc/profile.env from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:etc_t:s0
Comment 1 Mike Gilbert gentoo-dev 2022-09-21 03:48:57 UTC
I know nothing about selinux. Patches welcome.
Comment 2 Kenton Groombridge gentoo-dev 2022-09-21 14:36:03 UTC
The labeling of /etc/profile.env as etc_runtime_t goes all the way back to the initial commit of refpolicy in git... I'm not convinced that this file should be etc_runtime_t since it is created by env-update and not during system init, which would mean this is a policy bug.