
Bug 413719

Summary: sys-fs/udev-init-scripts need to set selinux context on /run/udev
Product: Gentoo Linux
Reporter: Amadeusz Sławiński <amade>
Component: Current packages
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r11
Runtime testing required: ---
Bug Blocks: 412421
Attachments: patch adding selinux support to checkpatch

Description Amadeusz Sławiński 2012-04-27 12:45:03 UTC
openrc's checkpath needs SELinux support in order to apply the correct context to created files; it is also a TODO item in the source code.

Reproducible: Always

Steps to Reproduce:
install ~amd64 selinux
>=sys-fs/udev-180 doesn't work due to the migration, among other things
try to run in enforcing

Actual Results:  
/run/udev is created by "checkpath -d -m 0755 -o root:root -q /run/udev" in /etc/init.d/udev with the improper system_u:object_r:var_run_t label, instead of the one set in the local (there is currently no rule in Gentoo) or global policy.

Expected Results:  
/run/udev has system_u:object_r:udev_tbl_t context
Comment 1 Amadeusz Sławiński 2012-04-27 12:58:00 UTC
Created attachment 310259 [details, diff]
patch adding selinux support to checkpatch

This patch adds support for applying a context to newly created files.

Because I'm not sure what the preferred method of setting SELINUX is, there is a "#define SELINUX 1" in the patch, but it is in no way meant to be final ;). Also, "LDADD+= (...) -lselinux" should be conditional; I would gladly fix this once I know the preferred method.
Comment 2 William Hubbs gentoo-dev 2012-04-27 15:02:10 UTC
That directory is actually created inside the udev init script.
So, what I need to know is how to test for selinux from the command line
and restore the context inside the init script.
Comment 3 Amadeusz Sławiński 2012-04-27 16:50:43 UTC
From /etc/init.d/udev-mount:

        # Selinux lovin; /selinux should be mounted by selinux-patched init
        if [ -x /sbin/restorecon -a -c /selinux/null ]; then
                HAVE_SELINUX=true
                restorecon /dev > /selinux/null
        else
                HAVE_SELINUX=false
        fi

Going with this logic, probably something like:

        if [ -x /sbin/restorecon ]; then
                restorecon /run/udev > /dev/null
        fi
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-16 18:06:40 UTC
In most scripts (non-Gentoo, that is) I notice they check the existence and return code of the selinuxenabled command. In Gentoo, it is installed by libselinux (which is part of any SELinux-profile base system), but in /usr/sbin. Not sure if that's okay (as it then requires that /usr be mounted if /usr is a separate file system).

The use of the selinux file system is also a good idea, but be aware that there are two locations to check:
/selinux (old location)
/sys/fs/selinux (new location)

Gentoo currently still uses /selinux (a few bugs are open on that), but it is a matter of months (most fixes are already in ~arch) before we switch to /sys/fs/selinux.
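The detection choices discussed in Comment 3 and Comment 4 (selinuxfs mount versus selinuxenabled, and the old /selinux versus the new /sys/fs/selinux location) combined into one OpenRC-style sh helper. This is an added example, not code from sys-fs/udev-init-scripts or from the thread. It tests for a mounted selinuxfs first, because that works before /usr is mounted, and consults selinuxenabled(8) only as a fallback; the mount candidates and tool paths are parameters so the logic can be run on a host without SELinux. The presence of the "enforce" node is used as the marker for a mounted selinuxfs (the thread checks "/selinux/null" instead; either node exists only while selinuxfs is mounted). The tool paths are the Gentoo locations named in the thread and are assumptions here.

```shell
#!/bin/sh
# Added example: SELinux detection and relabelling helper for an OpenRC
# init script.  Not from sys-fs/udev-init-scripts; the tool paths are the
# Gentoo locations mentioned in the thread and are assumptions.

RESTORECON=${RESTORECON:-/sbin/restorecon}
SELINUXENABLED=${SELINUXENABLED:-/usr/sbin/selinuxenabled}

# selinux_mountpoint DIR... : print the first DIR that carries a mounted
# selinuxfs (its 'enforce' node only exists while selinuxfs is mounted).
# Returns 1 if none does.  Callers list the new location before the old one.
selinux_mountpoint() {
    for d in "$@"; do
        if [ -e "$d/enforce" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# selinux_enabled DIR... : true when SELinux is active.  The selinuxfs check
# needs nothing under /usr; selinuxenabled(8) is consulted only as a
# fallback, and only if the binary is actually reachable.
selinux_enabled() {
    if selinux_mountpoint "$@" >/dev/null; then
        return 0
    fi
    [ -x "$SELINUXENABLED" ] && "$SELINUXENABLED"
}

# relabel_dir DIR MOUNT... : run restorecon on DIR when SELinux is active and
# restorecon is available.  Prints what happened; returns non-zero only when
# restorecon itself fails.  Meant to follow the checkpath call that creates
# DIR, as proposed in the thread.
relabel_dir() {
    dir=$1
    shift
    if ! selinux_enabled "$@"; then
        echo "no-selinux"
        return 0
    fi
    if [ ! -x "$RESTORECON" ]; then
        echo "no-restorecon"
        return 0
    fi
    "$RESTORECON" "$dir" && echo "relabeled"
}

# Stand-alone usage, as an init script would call it after checkpath:
# relabel_dir /run/udev /sys/fs/selinux /selinux
```

Listing /sys/fs/selinux before /selinux means the same script keeps working across the location switch mentioned in the comment; the fallback to selinuxenabled keeps the /usr dependency out of the common path.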
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-26 16:35:38 UTC
Amadeusz,

Can you try installing the tools & policies available in the hardened-dev overlay (if you run ~arch, just add the hardened-development overlay and update world) and add the following to your /etc/fstab:

"""
tmpfs  /run   tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
"""

Don't forget to remove any local changes you made to work around this, as that might cloud our results...
Comment 6 Amadeusz Sławiński 2012-05-27 13:39:45 UTC
OK, with rev10 it's better, but stuff in /run still doesn't get correct labels; it prevents using X (no mouse or keyboard input).
After running "restorecon -R -F /run", X works fine.

before restorecon:
system_u:object_r:initrc_var_run_t lock
system_u:object_r:initrc_var_run_t openrc
system_u:object_r:initrc_var_run_t udev

after restorecon:
system_u:object_r:var_lock_t lock
system_u:object_r:var_run_t openrc
system_u:object_r:udev_tbl_t udev
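A check that turns a before/after listing like the one above into a pass/fail test. This is an added example, not from the thread or from the Gentoo policy packages: it reads a "ls -Z"-style listing (context first, then name, the order quoted in the comment) and a table of the type each entry should carry, and prints every entry whose type differs, which is the set "restorecon -R -F /run" would relabel. Both inputs are constructed here from the listings in the comment; the expected-type table is an assumption that mirrors the post-restorecon output.

```shell
#!/bin/sh
# Added example, not from the thread: compare the SELinux type of each entry
# in a 'ls -Z' style listing (context then name) with the type the policy is
# expected to assign, and report the mismatches.

# Constructed input: the 'before restorecon' listing of /run from the comment.
RUN_BEFORE='system_u:object_r:initrc_var_run_t lock
system_u:object_r:initrc_var_run_t openrc
system_u:object_r:initrc_var_run_t udev'

# Constructed expectation: entry name and the type restorecon settles on.
RUN_EXPECTED='lock var_lock_t
openrc var_run_t
udev udev_tbl_t'

# context_type CONTEXT : print the type field of a user:role:type[:range] context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled LISTING EXPECTED : print "name actual expected" for every entry in
# LISTING whose type differs from the EXPECTED table.  Entries without an
# expectation are skipped.  Returns 1 if anything was mislabeled, else 0.
mislabeled() {
    bad=0
    while read -r context name; do
        [ -n "$name" ] || continue
        actual=$(context_type "$context")
        want=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2; exit }')
        [ -n "$want" ] || continue
        if [ "$actual" != "$want" ]; then
            echo "$name $actual $want"
            bad=1
        fi
    done <<EOF
$1
EOF
    return $bad
}

# Stand-alone usage against a live system (contexts then names, as ls -Z prints):
# mislabeled "$(ls -Z /run | awk '{ print $1, $2 }')" "$RUN_EXPECTED"
```

Run before and after the relabel, it gives a concrete record of which entries the init scripts created with the wrong type, which is the information needed to decide whether a file transition rule in the policy or a restorecon in the script is the right fix.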
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:14:56 UTC
Will be resolved using named file transitions in the policy
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:16:07 UTC
In hardened-dev overlay, rev 11
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:57:23 UTC
In main tree, ~arch'ed
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:39:13 UTC
Stabilized