| Summary: | context for run files are not set properly | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Vilgot Fredenberg <vilgot> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | UNCONFIRMED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Restorecon -RFv /run output | | |
Created attachment 560822: Restorecon -RFv /run output

After manually restarting a service as unconfined_u, sockets and pids in /run get labelled as unconfined_u instead of system_u. This causes problems when, for example, fail2ban's logs are rotated through logrotate, since when fail2ban connects to its socket it gets denied because fail2ban_client_t can't connect to unconfined_t unix sockets (see log).

```
type=AVC msg=audit(1547354761.514:149): avc: denied { connectto } for pid=24664 comm="fail2ban-client" path="/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:fail2ban_client_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
```

Doing restorecon on /run relabelled a lot of things, so this isn't just relevant to the fail2ban policy.
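A small audit-log check for this class of denial, added here as an example and not part of the bug report or of Gentoo's SELinux tooling: it parses AVC records, splits the target context into user/role/type/level, and flags any denied access to an object under /run whose SELinux user is not system_u. The first sample line is the denial quoted above; the other two are constructed, and their type names are illustrative only.

```python
import re

# Added example: flag AVC denials on /run objects whose SELinux user is not system_u.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\(([\d.]+):(\d+)\):\s+avc:\s+(denied|granted)"
    r"\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
EXPECTED_USER = "system_u"
RUNTIME_DIRS = ("/run/", "/var/run/")

def parse_avc(line):
    """Return a dict of the record's fields (plus serial/decision/perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    _ts, serial, decision, perms, rest = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec.update(serial=int(serial), decision=decision, perms=perms.split())
    return rec

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level itself may contain ':' (s0-s0:c0.c1023)."""
    user, role, typ, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level[0] if level else ""}

def mislabelled_run_targets(lines):
    """(path, target user, target type, perms) for each denial on a /run object
    whose target context carries a SELinux user other than system_u."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or "tcontext" not in rec:
            continue
        path = rec.get("path", "")
        if not path.startswith(RUNTIME_DIRS):
            continue
        tctx = split_context(rec["tcontext"])
        if tctx["user"] != EXPECTED_USER:
            hits.append((path, tctx["user"], tctx["type"], " ".join(rec["perms"])))
    return hits

# First line is the denial quoted in the report; the other two are constructed
# (a correctly labelled /run object, and a mislabelled object outside /run).
SAMPLE_LINES = [
    'type=AVC msg=audit(1547354761.514:149): avc: denied { connectto } for pid=24664 comm="fail2ban-client" path="/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:fail2ban_client_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1547354800.001:150): avc: denied { write } for pid=24700 comm="fail2ban-server" path="/run/fail2ban/fail2ban.pid" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1547354900.123:151): avc: denied { append } for pid=24700 comm="fail2ban-server" path="/var/log/fail2ban.log" scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0',
]
```

On a live host, pass the open audit log instead of the samples, e.g. `mislabelled_run_targets(open("/var/log/audit/audit.log"))`, and follow any hit with `restorecon -RFv` on the affected directory as the report does.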