| Field | Value |
|---|---|
| Summary | SELinux policy 2.20120725-r8 & sys-apps/openrc-0.11.5: daemon errors due to new symlink /var/run -> /run |
| Product | Gentoo Linux |
| Reporter | Vincent Brillault <gentoo> |
| Component | SELinux |
| Assignee | SE Linux Bugs <selinux> |
| Status | RESOLVED INVALID |
| Severity | major |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Vincent Brillault
2012-11-29 04:54:48 UTC
I forgot to mention that in the case of named (bind), there is also a missing file_transition: /run/named is created as initrc_var_run_t, resulting in the following AVCs (and an 'exiting (due to fatal error)'):

```
[ 21.287321] type=1400 audit(1354165077.761:203): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[ 21.288670] type=1400 audit(1354165077.762:204): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[ 21.290563] type=1400 audit(1354165077.764:205): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
[ 21.290783] type=1400 audit(1354165077.764:206): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
```

Manually fixing the file context (together with `allow named_t var_t:lnk_file read;`) temporarily fixes the problem (but it will not survive a reboot).

I just discovered the following file_context rule: `kernel/files.fc:/var/run -l gen_context(system_u:object_r:var_run_t,s0)`. In that case, the problem is mainly a missing file transition? A lot of modules (e.g. asterisk, mcelog, iptables, ssh) use the interface `files_pid_filetrans`, which would give them `allow $1 var_run_t:lnk_file read_lnk_file_perms;` and thus fix the issue.

OK, it was really just a label problem (the symlink had been created, I don't know how, but didn't have the right label): changing it and restarting the system makes everything work (except named). Sorry for the noise. I'll open a new, clean bug for named.
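As an added example (not part of the bug report), the denials quoted above can be triaged with a small POSIX shell/awk script that reduces AVC lines to distinct (source type, target type, class, permission) tuples and flags those whose target is the generic `initrc_var_run_t`: the pattern the report identifies as a missing file transition or wrong label, where the fix is relabelling, not a new allow rule. The function names and the `needs-filetrans:` tag are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: the four AVC denials from the bug report, one per line.
AVC_SAMPLE='type=1400 audit(1354165077.761:203): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1354165077.762:204): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1354165077.764:205): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1354165077.764:206): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir'

# Read AVC lines on stdin; print each distinct "source_type target_type class perm"
# tuple once. Only the type field of each context is kept (user and role are dropped).
summarize_avc() {
  awk '
    /avc: +denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      if (match($0, /[{][^}]*[}]/)) {            # permissions sit between { and }
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      key = src " " tgt " " cls " " perm
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# A denial whose target still carries the generic init-script type initrc_var_run_t
# means the daemon's own pid type was never applied (missing file transition or a
# mislabelled /var/run), so the remedy is a label/transition fix, not an allow rule.
flag_generic_pid_label() {
  summarize_avc | awk '$2 == "initrc_var_run_t" { print "needs-filetrans: " $0 }'
}

summarize_sample() { printf '%s\n' "$AVC_SAMPLE" | summarize_avc; }
flag_sample()      { printf '%s\n' "$AVC_SAMPLE" | flag_generic_pid_label; }

summarize_sample
flag_sample
```

On a live system the same functions can be fed with `ausearch -m avc` or `dmesg` output instead of the constructed sample.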