OpenRC's checkpath needs SELinux support in order to apply the correct context to the files it creates; this is also a TODO item in the source code.
Steps to Reproduce:
install ~amd64 selinux
>=sys-fs/udev-180 doesn't work due to migration among other things
try to run in enforcing
/run/udev is created by "checkpath -d -m 0755 -o root:root -q /run/udev" in /etc/init.d/udev with the improper system_u:object_r:var_run_t label, instead of the one set in the local policy (there is currently no rule in Gentoo) or the global policy.
/run/udev should have the system_u:object_r:udev_tbl_t context.
Created attachment 310259 [details, diff]
patch adding selinux support to checkpath
This patch adds support for applying a context to newly created files.
Because I'm not sure what the preferred method of enabling SELinux is, there is a "#define SELINUX 1" in the patch, but it is in no way meant to be final ;). Also, the "LDADD += (...) -lselinux" should be conditional. I would gladly fix this once I know the preferred method.
That directory is actually created inside the udev init script.
So, what I need to know is how to test for selinux from the command line
and restore the context inside the init script.
# Selinux lovin; /selinux should be mounted by selinux-patched init
if [ -x /sbin/restorecon -a -c /selinux/null ]; then
    restorecon /dev > /selinux/null
fi
Going with this logic, probably something like:
if [ -x /sbin/restorecon ]; then
    restorecon /run/udev > /dev/null
fi
In most scripts (non-Gentoo, that is) I notice they check for the existence and the return code of the selinuxenabled command. In Gentoo, it is installed by libselinux (which is part of any SELinux-profile base system), but in /usr/sbin. Not sure if that's okay (as it requires that /usr is mounted, if /usr is a separate file system).
Checking for the selinux file system is also a good idea, but be aware that there are two locations to check:
/selinux (old location)
/sys/fs/selinux (new location)
Gentoo currently still uses /selinux (a few bugs are open on that), but it is a matter of months (most fixes are already in ~arch) before we switch to /sys/fs/selinux.
Can you try installing the tools & policies available in hardened-dev overlay (if you run ~arch, just add hardened-development overlay and update world) and add the following to your /etc/fstab:
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
Don't forget removing any local changes you did to work around this as that might cloud our results...
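The detection logic discussed above (selinuxfs at either mount point, selinuxenabled as a fallback, then restorecon on the directory checkpath created) written out as one POSIX sh fragment. This is an added example, not code from OpenRC or from the Gentoo udev init script; the optional "root" argument used to point the lookup at a fake tree is an assumption made only so the check can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not part of OpenRC or the udev init script.
# Detect SELinux from an init script and relabel a directory after creation.

# Return 0 when SELinux appears to be enabled.
# $1 (assumption, for testing only): prefix to use instead of "/" for the
# selinuxfs lookup, so the check can be run against a fake tree.
selinux_enabled() {
    root="${1:-}"
    # New and old selinuxfs mount points. The "enforce" node only exists
    # once the policy has been loaded, so its presence is the useful signal.
    for fs in "$root/sys/fs/selinux" "$root/selinux"; do
        if [ -f "$fs/enforce" ]; then
            return 0
        fi
    done
    # Fall back to selinuxenabled. On Gentoo it lives in /usr/sbin and may
    # not be reachable yet if /usr is a separate, not-yet-mounted file system.
    if [ -z "$root" ] && command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
        return $?
    fi
    return 1
}

# Create directory $1 with mode $2 (default 0755) and, if SELinux is enabled
# and restorecon is available, relabel it from the loaded policy.
# A plain mkdir/checkpath leaves the tmpfs default (var_run_t) on the new
# directory, which is the problem this bug is about.
# $3 (assumption, for testing only): root prefix passed to selinux_enabled.
create_labeled_dir() {
    dir="$1"
    mode="${2:-0755}"
    root="${3:-}"
    mkdir -p "$dir" && chmod "$mode" "$dir" || return 1
    if selinux_enabled "$root" && command -v restorecon >/dev/null 2>&1; then
        # -F forces the relabel even when the current user part differs.
        restorecon -R -F "$dir" >/dev/null 2>&1 || return 1
    fi
    return 0
}
```

Checking for the "enforce" node rather than just the mount point directory avoids a false positive on a system where /selinux exists as an empty mount point but no policy was loaded; the selinuxenabled fallback is only consulted when looking at the real root.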
OK, with rev10 it's better, but stuff in /run still doesn't get the correct labels, which prevents using X (no mouse or keyboard input).
After running "restorecon -R -F /run", X works fine.
Will be resolved using named file transitions in the policy.
In hardened-dev overlay, rev 11
In main tree, ~arch'ed