| Summary: | sec-policy/selinux-bind-2.20120725-r8: missing init_daemon_run_dir | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Vincent Brillault <gentoo> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | ||
| Severity: | normal | CC: | selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | sec-policy r9 | ||
| Package list: | Runtime testing required: | --- | |
Thanks! Made available in the repo, will be in r9 r9 in hardened-dev overlay r9 in main repo, ~arch'ed Forgot to mention... stabilized a while ago ;) |
The /run/named folder is now created by the init script ('checkpath -q -d -o root:named -m 0770 "${piddir}"') but there is no corresponding init_daemon_run_dir rule. As a result, named doesn't starts ("exiting (due to fatal error)") because of the following avs: [ 21.287321] type=1400 audit(1354165077.761:203): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir [ 21.288670] type=1400 audit(1354165077.762:204): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir [ 21.290563] type=1400 audit(1354165077.764:205): avc: denied { getattr } for pid=1918 comm="named" path="/run/named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir [ 21.290783] type=1400 audit(1354165077.764:206): avc: denied { search } for pid=1918 comm="named" name="named" dev="tmpfs" ino=4651 scontext=system_u:system_r:named_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir Adding 'init_daemon_run_dir(named_var_run_t, "named")' fixes the issue