Bug 509708 - <sys-fs/cachefilesd-0.10.5-r3 fails to start when SELinux is enforcing
Summary: <sys-fs/cachefilesd-0.10.5-r3 fails to start when SELinux is enforcing
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-06 18:26 UTC by Jason Zaman
Modified: 2015-01-29 10:30 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
cachefilesd init script update (cachefilesd.init.patch,433 bytes, patch)
2014-05-17 17:39 UTC, Sven Vermeulen (RETIRED)

Description Jason Zaman gentoo-dev 2014-05-06 18:26:08 UTC
There are a few issues.

By default the /etc/cachefilesd.conf file contains the line:
secctx system_u:system_r:cachefiles_kernel_t:s0
This line is based on the Red Hat policy and does not match the Gentoo one; it needs to be:
secctx system_u:system_r:cachefilesd_t


Another issue is that the init script has some failures checking for xattrs by default in the policy.
The init script also tries to "modprobe cachefiles". The culprit from the init script is:

========= snippet from /etc/init.d/cachefilesd =================
checkxattr() {
        local testpath testfile ret
        # the cache directory is taken from the "dir" line of cachefilesd.conf
        testpath=$(awk '/^[[:space:]]*dir/ {print $2}' /etc/cachefilesd.conf)
        testfile="${testpath}/.tmp-xattr-test.cachefilesd"
        # creates a file in the testpath and tries to set an attribute on it to check
        # if the support is available (both steps run in the init script's domain)
        touch "${testfile}"
        attr -s test -V xattr "${testfile}" > /dev/null 2>&1
        ret=$?
        rm -f "${testfile}"
        [ ${ret} -ne 0 ] && eerror "xattr support missing on the ${testpath} filesystem"
        return ${ret}
}
================ END ============================


To fix it I added the following rules from audit2allow:

=================== START ==================
require {
        type cachefilesd_t;
        type cachefilesd_cache_t;
        type initrc_t;
        class dir { write add_name remove_name };
        class file { create write open unlink setattr };
        class kernel_service use_as_override;
}

#============= initrc_t ==============
allow cachefilesd_t self:kernel_service use_as_override;

#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# etc_runtime_t, initrc_var_log_t, udev_var_run_t, device_t, etc_t, sysfs_t, tmpfs_t, udev_rules_t, virt_cache_t, var_log_t, initrc_var_run_t, ipsec_var_run_t, pam_var_run_t, var_lib_nfs_t, initrc_tmp_t, pam_var_console_t, cgroup_t, var_lock_t, tmp_t, var_t, lockfile, pidfile, tmpfile, initrc_state_t, daemonrundir, var_spool_t, var_lib_t, var_run_t

allow initrc_t cachefilesd_cache_t:dir { write add_name remove_name };

#!!!! The source type 'initrc_t' can write to a 'file' of the following types:
# etc_runtime_t, initrc_var_log_t, udev_var_run_t, sysctl_type, device_t, proc_t, sysfs_t, cupsd_log_t, udev_rules_t, udev_tbl_t, mysqld_log_t, virt_cache_t, ld_so_cache_t, lastlog_t, var_log_t, initrc_var_run_t, alsa_var_lib_t, ipsec_var_run_t, mdadm_var_run_t, net_conf_t, binfmt_misc_fs_t, var_lib_nfs_t, initrc_tmp_t, cgroup_t, var_lock_t, tmp_t, wtmp_t, pidfile, initrc_state_t, security_t, var_spool_t, var_lib_t, samba_etc_t

allow initrc_t cachefilesd_cache_t:file { create write open unlink setattr };
=============== END ======================


The dir and file lines are pretty self-explanatory, but I'm sure there is a better way to write the rules. I don't really know what kernel_service use_as_override means, but it didn't work without it.

If you want more info just let me know :)


Reproducible: Always

Steps to Reproduce:
1. run_init /etc/init.d/cachefilesd start
Actual Results:  
It doesn't start.

Expected Results:  
It should start.

audit.log output:

type=AVC msg=audit(1399377396.487:192): avc:  denied  { write } for  pid=3571 comm="touch" name="fscache" dev="sda3" ino=13340157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=dir
type=MAC_POLICY_LOAD msg=audit(1399377659.728:193): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1399377664.191:194): policy loaded auid=0 ses=2
type=AVC msg=audit(1399377676.629:195): avc:  denied  { add_name } for  pid=3758 comm="touch" name=".tmp-xattr-test.cachefilesd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=dir
type=MAC_POLICY_LOAD msg=audit(1399377775.140:196): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1399377779.954:197): policy loaded auid=0 ses=2
type=AVC msg=audit(1399377825.754:198): avc:  denied  { create } for  pid=3833 comm="touch" name=".tmp-xattr-test.cachefilesd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=MAC_POLICY_LOAD msg=audit(1399377938.181:199): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1399377942.447:200): policy loaded auid=0 ses=2
type=AVC msg=audit(1399377971.601:201): avc:  denied  { write open } for  pid=3910 comm="touch" path="/var/cache/fscache/.tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=AVC msg=audit(1399377971.601:202): avc:  denied  { write } for  pid=3910 comm="touch" name=".tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=SYSCALL msg=audit(1399377971.601:202): arch=c000003e syscall=280 success=no exit=-13 a0=ffffffffffffff9c a1=3ab87312254 a2=0 a3=0 items=1 ppid=3896 pid=3910 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="touch" exe="/bin/touch" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1399377971.601:202):  cwd="/"
type=PATH msg=audit(1399377971.601:202): item=0 name="/var/cache/fscache/.tmp-xattr-test.cachefilesd" inode=19738303 dev=00:0f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=NORMAL
type=AVC msg=audit(1399377971.603:203): avc:  denied  { write } for  pid=3911 comm="attr" name=".tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=SYSCALL msg=audit(1399377971.603:203): arch=c000003e syscall=189 success=no exit=-13 a0=388c422dcc5 a1=388c422d610 a2=388c422dcbf a3=5 items=1 ppid=3896 pid=3911 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="attr" exe="/bin/attr" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1399377971.603:203):  cwd="/"
type=PATH msg=audit(1399377971.603:203): item=0 name="/var/cache/fscache/.tmp-xattr-test.cachefilesd" inode=19738303 dev=00:0f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=NORMAL
type=AVC msg=audit(1399377971.604:204): avc:  denied  { remove_name } for  pid=3912 comm="rm" name=".tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=dir
type=SYSCALL msg=audit(1399377971.604:204): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=25bec5fad0 a2=0 a3=2b975491618 items=2 ppid=3896 pid=3912 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1399377971.604:204):  cwd="/"
type=PATH msg=audit(1399377971.604:204): item=0 name="/var/cache/fscache/" inode=13340157 dev=00:0f mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=PARENT
type=PATH msg=audit(1399377971.604:204): item=1 name="/var/cache/fscache/.tmp-xattr-test.cachefilesd" inode=19738303 dev=00:0f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=DELETE
type=MAC_POLICY_LOAD msg=audit(1399378148.046:205): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1399378152.734:206): policy loaded auid=0 ses=2
type=AVC msg=audit(1399378156.769:207): avc:  denied  { setattr } for  pid=4017 comm="attr" name=".tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=SYSCALL msg=audit(1399378156.769:207): arch=c000003e syscall=189 success=no exit=-13 a0=3e13ee42823 a1=3e13ee42170 a2=3e13ee4281d a3=5 items=1 ppid=4002 pid=4017 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="attr" exe="/bin/attr" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1399378156.769:207):  cwd="/"
type=PATH msg=audit(1399378156.769:207): item=0 name="/var/cache/fscache/.tmp-xattr-test.cachefilesd" inode=19738303 dev=00:0f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=NORMAL
type=AVC msg=audit(1399378156.771:208): avc:  denied  { unlink } for  pid=4018 comm="rm" name=".tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=SYSCALL msg=audit(1399378156.771:208): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=3de1298c50 a2=0 a3=2a3e6818618 items=2 ppid=4002 pid=4018 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1399378156.771:208):  cwd="/"
type=PATH msg=audit(1399378156.771:208): item=0 name="/var/cache/fscache/" inode=13340157 dev=00:0f mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=PARENT
type=PATH msg=audit(1399378156.771:208): item=1 name="/var/cache/fscache/.tmp-xattr-test.cachefilesd" inode=19738303 dev=00:0f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cachefilesd_cache_t nametype=DELETE
type=MAC_POLICY_LOAD msg=audit(1399378268.032:209): policy loaded auid=0 ses=2
type=MAC_POLICY_LOAD msg=audit(1399378272.483:210): policy loaded auid=0 ses=2
type=AVC msg=audit(1399378292.041:211): avc:  denied  { use_as_override } for  pid=4119 comm="cachefilesd" scontext=system_u:system_r:cachefilesd_t tcontext=system_u:system_r:cachefilesd_t tclass=kernel_service
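Added here as an illustration, not part of the bug report: a small sh/awk summariser that folds AVC lines into "source type, target type:class { permissions }" tuples, the grouping audit2allow performed to produce the rules above. It reuses four of the audit lines as constructed input; the function names summarize_avc and denied_source_types are chosen for this example.

```shell
# Constructed sample: four AVC lines and one MAC_POLICY_LOAD line copied from
# the audit.log excerpt above; the non-AVC line must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1399377396.487:192): avc:  denied  { write } for  pid=3571 comm="touch" name="fscache" dev="sda3" ino=13340157 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=dir
type=MAC_POLICY_LOAD msg=audit(1399377659.728:193): policy loaded auid=0 ses=2
type=AVC msg=audit(1399377676.629:195): avc:  denied  { add_name } for  pid=3758 comm="touch" name=".tmp-xattr-test.cachefilesd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=dir
type=AVC msg=audit(1399377971.601:201): avc:  denied  { write open } for  pid=3910 comm="touch" path="/var/cache/fscache/.tmp-xattr-test.cachefilesd" dev="sda3" ino=19738303 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:cachefilesd_cache_t tclass=file
type=AVC msg=audit(1399378292.041:211): avc:  denied  { use_as_override } for  pid=4119 comm="cachefilesd" scontext=system_u:system_r:cachefilesd_t tcontext=system_u:system_r:cachefilesd_t tclass=kernel_service'

# summarize_avc: read audit lines on stdin and print one line per
# "<source type> <target type>:<class> { perms }" with the union of the
# denied permissions, the grouping audit2allow turns into allow rules.
# Only the type (third) field of each context is kept, so a label with an
# MLS level such as ...:cachefiles_kernel_t:s0 maps to the same key.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/^.*denied *[{] */, "", perms)   # keep only what is inside { }
        sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(seen[key], " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j] " "
    }
    END {
        for (k in seen) {
            gsub(/  +/, " ", seen[k]); sub(/^ /, "", seen[k]); sub(/ $/, "", seen[k])
            printf "%s { %s }\n", k, seen[k]
        }
    }' | sort
}

# denied_source_types: distinct source domains among the denials. For the
# excerpt above that is cachefilesd_t and initrc_t, and every cache-directory
# denial belongs to initrc_t, the shared init script domain, not the daemon.
denied_source_types() {
    summarize_avc | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Feeding a real /var/log/audit/audit.log through summarize_avc makes it obvious which domain is being denied before any allow rule is written.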
Comment 1 Jason Zaman gentoo-dev 2014-05-06 20:19:40 UTC
I just noticed in the policy repo:

/etc/rc\.d/init\.d/cachefilesd  --      gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)

Adding a similar line but for /etc/init.d/ does not make a difference;
the new rules are still required for the init script to work.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-17 17:38:56 UTC
I'm going to see if Fedora's policy can be upstreamed so we can use that. Their use of cachefiles_kernel_t makes sense, but I need to play around with it to confirm.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-17 17:39:57 UTC
Created attachment 377140 [details, diff]
cachefilesd init script update

Update on cachefilesd init script to just return 0 if SELinux is active (/sys/fs/selinux/status exists).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-18 12:02:23 UTC
I've updated the cachefilesd module in Gentoo's policy repository to provide cachefilesd_kernel_t (and a cachefiles_kernel_t alias) so that we're similar in design to Fedora's policy while retaining the upstream compatibility.

First set of tests look promising, I'll continue and update the bug as needed.

To try it out:
~# emerge -1 =sec-policy/selinux-cachefilesd-9999
Comment 5 Jason Zaman gentoo-dev 2014-05-19 21:57:10 UTC
I just wanted to note that I have no issues at all with the new policy. Everything works as it is supposed to.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-05-28 18:12:16 UTC
@jlec: would it be possible to apply the init script update?

Currently, the test fails because the domain in which init scripts run doesn't have the rights to create test files at the cachefiles location (SELinux only allows cachefilesd to do so). As the init script domain is shared for all init scripts (and not just the cachefilesd init script) I'd rather not enable that policy wise.

The patch will check for SELinux and, if SELinux is found, assume that XATTR is enabled (as SELinux requires extended attributes anyway).
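As an added example (my own sketch, not the attachment from comment 3): a checkxattr() rewritten along the lines comment 6 describes, with the config path and the SELinux status path as parameters so it can be exercised outside /etc, and with an explicit failure when the config names no cache directory.

```shell
# Illustrative reworking of the init script's checkxattr() (example code,
# not the patch attached to this bug). Arguments:
#   $1 - cachefilesd.conf to read the cache "dir" from
#   $2 - SELinux status file, default /sys/fs/selinux/status
# Returns 0 when xattrs can be assumed or were verified, 1 when the write
# test fails, 2 when the config names no cache directory.
checkxattr() {
    local conf selinux_status testpath testfile ret
    conf="$1"
    selinux_status="${2:-/sys/fs/selinux/status}"
    testpath=$(awk '/^[[:space:]]*dir/ {print $2}' "$conf")
    if [ -z "$testpath" ]; then
        echo "checkxattr: no 'dir' line in $conf" >&2
        return 2
    fi
    # SELinux stores its labels in extended attributes, so a filesystem that
    # carries a labelled cache directory already supports them. Skipping the
    # write test here is also what keeps the init script domain (initrc_t)
    # from needing write access to cachefilesd_cache_t.
    if [ -e "$selinux_status" ]; then
        return 0
    fi
    testfile="${testpath}/.tmp-xattr-test.cachefilesd"
    touch "$testfile" || return 1
    # use setfattr when present, otherwise the attr tool the original script used
    if command -v setfattr >/dev/null 2>&1; then
        setfattr -n user.xattr -v test "$testfile" >/dev/null 2>&1
    else
        attr -s test -V xattr "$testfile" >/dev/null 2>&1
    fi
    ret=$?
    rm -f "$testfile"
    [ "$ret" -eq 0 ] || echo "xattr support missing on the ${testpath} filesystem" >&2
    return "$ret"
}
```

Calling it with only /etc/cachefilesd.conf as the argument gives the init script's behaviour with the SELinux short-circuit in front of the write test.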
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2014-06-08 08:21:15 UTC
(In reply to Sven Vermeulen from comment #6)
> @jlec: would it be possible to apply the init script update?

Sure, go ahead and fix it. In general, if there are any SELinux things which need to be fixed, feel free to do it. I have no clue about SELinux, so I would rely on your knowledge anyway.
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-08 13:14:08 UTC
Done; I revbumped the ebuild as it is a change on an installed file, small as it is.
Comment 9 Jason Zaman gentoo-dev 2015-01-29 10:30:18 UTC
stable