Summary: | sys-fs/udev-init-scripts need to set selinux context on /run/udev | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
Component: | Current packages | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | | |
Severity: | normal | CC: | selinux |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | sec-policy r11 | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 412421 | | |
Attachments: | patch adding selinux support to checkpatch | | |
Created attachment 310259: patch adding selinux support to checkpatch

This patch adds support for applying context to newly created files. Because I'm not sure what the preferred method of setting SELINUX is, there is #define SELINUX 1 in the patch, but in no way is it meant to be final ;). Also LDADD+= (...) -lselinux should be conditional; I would gladly fix this when I know the preferred method.
That directory is actually created inside the udev init script. So, what I need to know is how to test for selinux from the command line and restore the context inside the init script. From /etc/init.d/udev-mount:

```sh
# Selinux lovin; /selinux should be mounted by selinux-patched init
if [ -x /sbin/restorecon -a -c /selinux/null ]; then
	HAVE_SELINUX=true
	restorecon /dev > /selinux/null
else
	HAVE_SELINUX=false
fi
```

Going with this logic, probably something like:

```sh
if [ -x /sbin/restorecon ]; then
	restorecon /run/udev > /dev/null
fi
```

In most scripts (non-Gentoo, that is) I notice they check the existence and return code of the selinuxenabled command. In Gentoo, it is installed by libselinux (which is part of any SELinux-profile base system) but in /usr/sbin. Not sure if that's okay (as it requires that /usr is mounted then, if /usr is a separate file system). The use of the selinux file system is also a good idea, but be aware that there are two locations to check:

- /selinux (old location)
- /sys/fs/selinux (new location)

Gentoo currently still uses /selinux (a few bugs are open on that) but that's a matter of months (most fixes are already in ~arch) before we switch to /sys/fs/selinux.

Amadeusz, can you try installing the tools & policies available in hardened-dev overlay (if you run ~arch, just add hardened-development overlay and update world) and add the following to your /etc/fstab:

```
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
```

Don't forget to remove any local changes you did to work around this, as that might cloud our results...
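The detection logic discussed in the comments above, written out as an added POSIX sh example (not the udev-mount or udev init script from this bug, and not OpenRC's checkpath): it checks both selinuxfs locations, tries /sbin/restorecon before /usr/sbin so a separate /usr does not matter, and relabels the directory checkpath created. The optional candidate-path arguments exist only so the functions can be exercised without a real SELinux host and are an assumption of this example.

```sh
# Added example, not code from this bug's init scripts or from OpenRC.
# Assumptions: selinuxfs is mounted at /sys/fs/selinux (new) or /selinux (old)
# and exposes an 'enforce' node; restorecon lives in /sbin or /usr/sbin.

# Print the mounted selinuxfs directory and return 0, or return 1 when SELinux
# is not active. Candidate directories may be passed explicitly (for testing).
selinuxfs_path() {
    [ $# -eq 0 ] && set -- /sys/fs/selinux /selinux
    for d in "$@"; do
        if [ -f "$d/enforce" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Print the first usable restorecon. /sbin is tried before /usr/sbin so the
# check works early in boot even when /usr is a separate, unmounted filesystem.
find_restorecon() {
    [ $# -eq 0 ] && set -- /sbin/restorecon /usr/sbin/restorecon
    for r in "$@"; do
        if [ -x "$r" ]; then
            printf '%s\n' "$r"
            return 0
        fi
    done
    return 1
}

# Relabel a directory that checkpath created without SELinux awareness.
# $1 = directory; $2 = selinuxfs dir; $3 = restorecon path (empty: autodetect).
# Returns 0 when relabelled or when SELinux is off, 1 when SELinux is on but
# no restorecon is available, 2 when restorecon itself failed.
relabel_dir() {
    dir=$1; fs=$2; rc=$3
    if [ -z "$fs" ]; then
        fs=$(selinuxfs_path) || return 0
    fi
    if [ -z "$rc" ]; then
        rc=$(find_restorecon) || return 1
    fi
    # Like udev-mount, send output to the selinuxfs null node, which is usable
    # before /dev is populated; fall back to /dev/null when it is absent.
    out=/dev/null
    [ -c "$fs/null" ] && out=$fs/null
    # -F also resets customizable types, as in the reporter's restorecon -R -F run.
    "$rc" -F "$dir" > "$out" || return 2
}
```

From an init script the call would be `relabel_dir /run/udev` right after the checkpath line; the distinct return codes let the script log "SELinux on but restorecon unavailable" separately from a relabel failure.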
ok, with rev10 it's better, but still stuff in /run doesn't get correct labels; it prevents using X (no mouse or keyboard input) after running "restorecon -R -F /run" (X works fine before restorecon).

Before restorecon:

```
system_u:object_r:initrc_var_run_t lock
system_u:object_r:initrc_var_run_t openrc
system_u:object_r:initrc_var_run_t udev
```

After restorecon:

```
system_u:object_r:var_lock_t lock
system_u:object_r:var_run_t openrc
system_u:object_r:udev_tbl_t udev
```

Will be resolved using named file transitions in the policy.

In hardened-dev overlay, rev 11.

In main tree, ~arch'ed.

Stabilized.
openrc's checkpath needs selinux support in order to apply the correct context to created files; it is also a TODO item in the source code.

Reproducible: Always

Steps to Reproduce:
install ~amd64 selinux
>=sys-fs/udev-180 doesn't work due to migration among other things
try to run in enforcing

Actual Results:
/run/udev is created by "checkpath -d -m 0755 -o root:root -q /run/udev" in /etc/init.d/udev with the improper system_u:object_r:var_run_t label, instead of the one set in local (there is currently no rule in Gentoo) or global policy.

Expected Results:
/run/udev has the system_u:object_r:udev_tbl_t context.