
Bug 417857

Summary: Support dynamic /run directories
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: h.v.bruinehsen, selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r11
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-27 18:59:03 UTC
Without /run, most init scripts use /var/run/<service> as their var_run_t location (like sshd_var_run_t). This location is often created by a package and, by just setting the right context, the package manager makes this location correctly labeled from the start.

With /run however, these directories are (re)created over and over again at every boot (since /run is a tmpfs). The directories are often created by init scripts, running in initrc_t but are otherwise not SELinux-aware. As a result, all created directories in /run inherit the initrc_var_run_t label.

Although one fix could be to update all init scripts to run "restorecon" afterwards, this might be fixed by the policy as well (using named file transitions).

Reproducible: Always
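The policy-side fix the description sketches is a named file transition: when a process in initrc_t creates a directory with a given name inside a var_run_t directory (/run), the kernel labels it with the service's type instead of letting it inherit initrc_var_run_t. The following reference-policy module is an added illustration written for this page, not the policy that shipped in sec-policy r11; the module name "runlabel" and the choice of sshd_var_run_t as the example type are assumptions, and the file-context line uses the /run/sshd path only as an example.

```selinux
## runlabel.te -- hypothetical local module (example, not sec-policy's own code)
## Named file transitions need a kernel >= 2.6.39 and policy version >= 25.
policy_module(runlabel, 1.0.0)

gen_require(`
	# initrc_t: domain of non-SELinux-aware init scripts creating dirs in /run
	type initrc_t;
	# var_run_t: label of the /run tmpfs itself
	type var_run_t;
	# sshd_var_run_t: the type /run/sshd should carry (see sshd policy)
	type sshd_var_run_t;
')

# Without a name component this rule would relabel *every* directory
# initrc_t creates under /run; the trailing "sshd" restricts it to
# the directory literally named sshd, so /run/sshd gets
# sshd_var_run_t at creation time, with no restorecon needed.
filetrans_pattern(initrc_t, var_run_t, sshd_var_run_t, dir, "sshd")

# Equivalent raw statement, for readers who prefer to see what the
# macro expands to (the pattern also grants the add_name/create/write
# permissions on the parent directory that the transition relies on):
#   type_transition initrc_t var_run_t:dir sshd_var_run_t "sshd";

## runlabel.fc -- keeps the static file_contexts database in agreement,
## so `restorecon -Rnv /run` after boot reports nothing to change.
## /run/sshd(/.*)?	gen_context(system_u:object_r:sshd_var_run_t,s0)
```

Build and load it with the reference-policy development Makefile (`make -f /usr/share/selinux/devel/Makefile runlabel.pp && semodule -i runlabel.pp`), then reboot or restart the service and confirm with `ls -dZ /run/sshd` that the directory carries sshd_var_run_t while `restorecon -Rnv /run` lists no mismatches. The check is worth keeping in a post-boot audit: a directory that still shows initrc_var_run_t means the transition rule is missing for that name or the init script creates the directory from a different domain than expected.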
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:13:51 UTC
Necessary named file transitions will be supported in r11
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:14:49 UTC
In hardened-dev overlay, rev 11
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:59:48 UTC
In main tree, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:35:50 UTC
Stabilized