Hello all In March, I reported some issues with SELinux contexts in /run. (I seem to have misplaced the email -- archive at http://article.gmane.org/gmane.linux.gentoo.hardened/6180).
It look like Sven added the functionality a few months ago, and it is available in version 2.20140311-r5 (currently ~arch). Note 1: There are a few pacakges that need this implemented. Fail2ban is one on my machine. Should I file a bug report (probably against sec-policy/selinux-fail2ban)? Note 2: There's possibly a bug in the new tmpfiles module (policy/modules/system/tmpfiles.fc). I'm not so sure /lib/rc/bin/checkpath should have context tmpfiles_exec_t. Again, this seems to make several directories (and maybe files) in /run have context var_run_t. What I think is happening is that init_daemon_pid_file() only allows transitions for the initrc_t domain, and checkpath is no longer running in that domain. Therefore, the file transition from var_run_t to whatever type is specified as the first argument in init_daemon_pid_file is not done. Changing the context of /lib/rc/bin/checkpath to bin_t makes many more of the files in /run have the correct context again on boot. (perhaps this belongs on the selinux mailing list?) Thanks -- Ben Pritchard
