Bug 528602

Summary: net-analyzer/vnstatd has an incorrect label for /etc/init.d/vnstatd
Product: Gentoo Linux
Reporter: Eric Gisse <jowr.pi>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r1
Package list:
Runtime testing required: ---

Description Eric Gisse 2014-11-08 00:46:59 UTC
My avc log has a lot of denials for vnstat, which is unexpected given it has a selinux policy.

Upon investigation, I find this out:

# ls -Z /etc/init.d/vnstatd 
system_u:object_r:initrc_exec_t /etc/init.d/vnstatd

This is incorrect, as the initrc_exec_t domain can't transition to the vnstat-specific domain, so the program runs under whatever context started it, which causes issues even if started under sysadm_r.

Looking at vnstatd.fc, I see the following.

/etc/rc\.d/init\.d/vnstat       --      gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)

This is wrong because the actual init script is "vnstatd" rather than "vnstat".

(I initially thought it was because rc.d no longer exists, but then I noticed the equivalence between rc.d and init.d within selinux, and the wrong filename)

Once it is changed, this resolves the issue.

Not attaching a patch for a one line fix.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 16:37:13 UTC
Hi Eric, good catch. I've fixed this in our repository (which means that the live ebuilds already have the fix in them). The fix will be part of the next policy release ebuilds as well (r8 and higher).
Comment 2 Eric Gisse 2014-11-10 13:48:56 UTC
Looking at this again, I realized I wasn't fully specific about vnstatd.

The init script is mislabeled, but it also applies to labeling /usr/bin/vnstatd which normally has no specific:

# ls -Z /usr/bin/vnstatd
root:object_r:bin_t /usr/bin/vnstatd

Incremental work. You think you fixed something, and you come back a day later and see a periodic complaint in the avc log and think "hmmm..."
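The root cause in both the description and Comment 2 is the same: a file-context (fc) regex that does not match the path actually installed, so setfiles/restorecon leave the file with the generic type inherited from its directory (initrc_exec_t for the init script, bin_t for the binary) and no domain transition happens. The following is an added example, not code from this bug or from the Gentoo policy repository: a small Python model of how fc entries are matched (path equivalence substitution as in file_contexts.subs_dist, then an anchored regex match, last matching entry wins), run over the buggy vnstatd.fc line quoted above and a corrected version. The fc lines, the substitution table and the type name vnstatd_exec_t for the binary are constructed for the example and are assumptions, not taken from the page.

```python
import re

# Constructed sample: the buggy entry quoted in the bug report ("vnstat" instead
# of "vnstatd"). Only the init-script line is modelled here.
FC_BUGGY = r"""
/etc/rc\.d/init\.d/vnstat       --      gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
"""

# Constructed corrected version. The type name vnstatd_exec_t for the daemon
# binary is an assumption for this example; the bug only says a context for
# /usr/bin/vnstatd was added.
FC_FIXED = r"""
/etc/rc\.d/init\.d/vnstatd      --      gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
/usr/bin/vnstatd                --      gen_context(system_u:object_r:vnstatd_exec_t,s0)
"""

# Simplified path equivalence (assumed, modelled on file_contexts.subs_dist):
# a path under the first prefix is looked up as if it lived under the second,
# which is why Gentoo's /etc/init.d scripts are matched by /etc/rc.d/init.d specs.
SUBS = [("/etc/init.d", "/etc/rc.d/init.d")]

# One fc line: <regex> [<file type flag>] gen_context(<context>,<mls range>)
SPEC_RE = re.compile(r"^(\S+)\s+(?:(-\S)\s+)?gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Parse fc text into (compiled anchored regex, file type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparseable fc line: %r" % line)
        regex, ftype, ctx, mls = m.groups()
        specs.append((re.compile(regex), ftype, "%s:%s" % (ctx, mls)))
    return specs


def apply_subs(path):
    """Rewrite a path through the equivalence table before matching."""
    for local, canonical in SUBS:
        if path == local or path.startswith(local + "/"):
            return canonical + path[len(local):]
    return path


def lookup(specs, path, ftype="--"):
    """Context the fc specs assign to path, or None when no spec matches.

    None is the interesting case: on a real system the file then keeps the
    generic type of its parent (initrc_exec_t, bin_t), and the policy's
    domain transition rules for the vnstatd-specific types never apply.
    The whole path must match (setfiles anchors the regex); the last
    matching spec wins.
    """
    canon = apply_subs(path)
    found = None
    for regex, spec_ftype, ctx in specs:
        if spec_ftype not in (None, ftype):
            continue
        if regex.fullmatch(canon):
            found = ctx
    return found


def check(specs, path, observed_type, ftype="--"):
    """Compare the type the policy would assign with the type seen via ls -Z."""
    ctx = lookup(specs, path, ftype)
    expected = ctx.split(":")[2] if ctx else None
    return {"path": path, "policy_type": expected, "observed": observed_type,
            "has_spec": expected is not None, "matches": expected == observed_type}


def audit(fc_text):
    """Run the two observations from the bug report against a given fc text."""
    specs = parse_fc(fc_text)
    # Observed labels constructed from the ls -Z output in the report.
    observations = [("/etc/init.d/vnstatd", "initrc_exec_t"),
                    ("/usr/bin/vnstatd", "bin_t")]
    return [check(specs, p, t) for p, t in observations]


if __name__ == "__main__":
    for label, text in (("buggy", FC_BUGGY), ("fixed", FC_FIXED)):
        for r in audit(text):
            print(label, r)
```

With the buggy fc text both paths come back with has_spec False, i.e. the policy simply has no entry for them and the observed generic types are exactly what restorecon will keep producing; with the fixed text both get a vnstatd-specific type, and the audit flags the observed labels as stale until restorecon is rerun.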
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-11 10:38:38 UTC
Ok, context change for /usr/bin/vnstatd added as well.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:13:13 UTC
r1 is now stable