10-gentoo-path requires read access on "/etc/profile.env", but fails due to the fcontext of "/etc/profile.env".

Reproducible: Always

Steps to Reproduce:
1. Set up Gentoo with systemd and SELinux
2. Boot

Actual Results:
You get the following denials:

[ 12.208682] audit: type=1400 audit(1663626722.916:3): avc: denied { read } for pid=951 comm="10-gentoo-path" name="profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[ 12.211534] audit: type=1400 audit(1663626722.916:4): avc: denied { open } for pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
[ 12.214297] audit: type=1400 audit(1663626722.916:5): avc: denied { getattr } for pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1

Expected Results:
10-gentoo-path should be able to read "/etc/profile.env".

I circumvented the above denials with:

❯ find / -inum 285848
/etc/profile.env
❯ semanage fcontext -l | grep '/etc/profile\\\.env' | column -t
/etc/profile\.env  regular file  system_u:object_r:etc_runtime_t:s0
❯ sesearch -A -s systemd_generator_t -c file -p getattr,open,read | grep etc
allow systemd_generator_t etc_t:file { getattr ioctl lock open read };
allow systemd_generator_t lvm_etc_t:file { getattr ioctl lock map open read };
❯ semanage fcontext -m -f f -t etc_t '/etc/profile\.env'
❯ restorecon -Fv /etc/profile.env
Relabeled /etc/profile.env from system_u:object_r:etc_runtime_t:s0 to system_u:object_r:etc_t:s0
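An added helper, not part of the report and not Gentoo or SELinux tooling, that does the two checks behind the workaround above: it collapses AVC denials into one audit2allow-style line per (source type, target type, class), then scans sesearch output for target types whose existing allow rule already covers every denied permission, i.e. labels a relabel could move the file to instead of adding an allow rule. The sample denial and sesearch lines are constructed from the report's own output; the function names are assumptions.

```shell
# Constructed sample input: the three AVC denials quoted in the report (one per line).
AVC_SAMPLE='audit: type=1400 audit(1663626722.916:3): avc: denied { read } for pid=951 comm="10-gentoo-path" name="profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
audit: type=1400 audit(1663626722.916:4): avc: denied { open } for pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
audit: type=1400 audit(1663626722.916:5): avc: denied { getattr } for pid=951 comm="10-gentoo-path" path="/etc/profile.env" dev="dm-1" ino=285848 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1'

# Constructed sample: the two sesearch lines quoted in the report.
SESEARCH_SAMPLE='allow systemd_generator_t etc_t:file { getattr ioctl lock open read };
allow systemd_generator_t lvm_etc_t:file { getattr ioctl lock map open read };'

# Collapse AVC denials on stdin to one line per (source type, target type, class),
# e.g. "systemd_generator_t etc_runtime_t:file { read open getattr }", like audit2allow.
avc_summarize() {
    awk '/avc: *denied/ {
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p)   # the { perms } set
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        k = s[3] " " t[3] ":" c   # type component only: user, role and level are dropped
        n = split(p, pa, " ")
        for (i = 1; i <= n; i++)
            if (!((k, pa[i]) in seen)) { seen[k, pa[i]] = 1; acc[k] = acc[k] " " pa[i] }
    }
    END { for (k in acc) print k " {" acc[k] " }" }' | sort
}

# From sesearch output on stdin, list target types whose existing allow rule for
# <source type> <class> already covers every needed perm: the labels a relabel
# (rather than a new allow rule) could move the file to.
# Usage: avc_relabel_candidates systemd_generator_t file "read open getattr"
avc_relabel_candidates() {
    awk -v src="$1" -v cls="$2" -v need="$3" '$1 == "allow" && $2 == src {
        split($3, tc, ":"); if (tc[2] != cls) next
        line = $0; sub(/.*[{] */, "", line); sub(/ *[}].*/, "", line)
        split("", have); n = split(line, hv, " ")
        for (i = 1; i <= n; i++) have[hv[i]] = 1
        m = split(need, want, " "); ok = 1
        for (j = 1; j <= m; j++) if (!(want[j] in have)) ok = 0
        if (ok) print tc[1]
    }'
}

# Stand-alone run: summarise the denials, then ask which labels would already satisfy them.
printf '%s\n' "$AVC_SAMPLE" | avc_summarize
printf '%s\n' "$SESEARCH_SAMPLE" | avc_relabel_candidates systemd_generator_t file "read open getattr"
```

Feed real `dmesg` or `ausearch -m avc` output and `sesearch -A -s <type> -c <class>` output to the two functions respectively; a candidate list that is empty means no existing label fits and a policy change is needed.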
I know nothing about selinux. Patches welcome.
The labeling of /etc/profile.env as etc_runtime_t goes all the way back to the initial commit of refpolicy in git... I'm not convinced that this file should be etc_runtime_t since it is created by env-update and not during system init, which would mean this is a policy bug.