| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | >=sys-fs/udev-180 on selinux | | |
| Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
| Component: | Hardened | Assignee: | SE Linux Bugs <selinux> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | h.v.bruinehsen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r10 | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 413719 | | |
| Bug Blocks: | | | |
Description: Amadeusz Sławiński, 2012-04-17 21:11:56 UTC
Looks like, if we need to patch openrc, it'll be in src/src/checkpath.c. Something similar to:

```c
#ifdef SELINUX
	/* Ask the loaded policy which label this path should get and make it
	 * the creation context before the file or directory is made. */
	if (matchpathcon(path, 0700, &context) == 0) {
		setfscreatecon(context);
		freecon(context);
	}
#endif
	/* ... create file or directory ... */
#ifdef SELINUX
	/* Back to the default creation context. */
	setfscreatecon(NULL);
#endif
```

Looks like the following steps are needed:

In /etc/fstab:

```
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t
```

As additional policy:

```
allow kernel_t device_t:chr_file setattr;
```

With these two in place, I am able to boot up a ~arch system in enforcing mode immediately. A few denials are still visible, but do not influence the system behavior.

The fstab line has been added to the installation instructions.

The SELinux policy update is in hardened-dev overlay.

In main tree, ~arch'ed.

Stabilized.
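The sketch above shows the idea; the following is an added, self-contained example (not openrc's checkpath.c and not code from this bug) of the same pattern carried through: look up the label the loaded file_contexts expects for a path, install it as the per-thread file-creation context, create the directory, and always reset the context afterwards. It assumes a build with `-DSELINUX -lselinux` on a host with libselinux; without that flag it degrades to a plain `mkdir()`, which is what makes it runnable anywhere. The function names `mkdir_labelled` and `mkdir_labelled_selfcheck` and the `/tmp/checkpath-demo-<pid>` scratch path are this example's own choices. Unlike the sketch, it passes `S_IFDIR | mode` to `matchpathcon()`, since the S_IFMT bits are what select the file_contexts entry for the right object class.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef SELINUX
#include <selinux/selinux.h>   /* assumed: built with -DSELINUX -lselinux */
#endif

/*
 * Create `path` as a directory with `mode`. When built with SELINUX and
 * SELinux is enabled, tell the kernel beforehand which label the loaded
 * file_contexts expects for that path, so the new inode is born with the
 * right type instead of inheriting the parent directory's label.
 * Returns 0 on success, -1 on error with errno set by mkdir().
 */
static int mkdir_labelled(const char *path, mode_t mode)
{
    int rc, saved_errno;
#ifdef SELINUX
    char *context = NULL;
    int labelled = 0;

    /* S_IFDIR | mode: matchpathcon() uses the S_IFMT bits to pick the
     * file_contexts entry for a directory rather than a regular file. */
    if (is_selinux_enabled() > 0 &&
        matchpathcon(path, S_IFDIR | mode, &context) == 0) {
        if (setfscreatecon(context) == 0)
            labelled = 1;
        freecon(context);
    }
#endif
    rc = mkdir(path, mode);
    saved_errno = errno;
#ifdef SELINUX
    /* Reset the per-thread creation context even when mkdir() failed, so
     * anything this thread creates later is not mislabelled. */
    if (labelled)
        setfscreatecon(NULL);
#endif
    errno = saved_errno;
    return rc;
}

/*
 * Self-check: create a scratch directory under /tmp with mkdir_labelled(),
 * confirm a directory exists there, and remove it again.
 * Returns 1 on success, 0 on any failure.
 */
static int mkdir_labelled_selfcheck(void)
{
    char path[64];
    struct stat st;
    int ok;

    snprintf(path, sizeof path, "/tmp/checkpath-demo-%ld", (long)getpid());
    if (mkdir_labelled(path, 0755) != 0)
        return 0;
    ok = (stat(path, &st) == 0 && S_ISDIR(st.st_mode));
    rmdir(path);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <directory-to-create>\n", argv[0]);
        return 2;
    }
    if (mkdir_labelled(argv[1], 0755) != 0) {
        perror("mkdir_labelled");
        return 1;
    }
    return 0;
}
```

Two caveats worth keeping in mind when applying this to a real init helper: `setfscreatecon()` only affects objects created by the calling thread afterwards, so an already-existing `/run` keeps whatever label it has (which is why the `rootcontext=` mount option is still needed for the tmpfs itself), and newer libselinux documents `matchpathcon()` as deprecated in favour of `selabel_open()`/`selabel_lookup()`, which do the same file_contexts lookup.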