On Sun, May 15, 2011 at 01:41:41PM +0100, Roger Leigh wrote:
> On Sat, May 14, 2011 at 06:44:29PM +0100, Martin Orr wrote:
> > Directories and symlinks created as part of the /run transition are not
> > labelled for SELinux. The effect is that most services fail to start on
> > boot after transitioning to /run.
> >
> > You need to run restorecon after creating a directory or symbolic link
> > in an init script or maintainer script. Attached patch does this.
> >
> > /run with SELinux also requires the refpolicy patch I have submitted in
> > #626720. Once that is fixed, initscripts should probably have
> > Breaks: selinux-policy-default (<< $FIXEDVERSION)
>
> Hi Martin,
>
> Is it safe to apply the patch /before/ refpolicy is updated or would
> this break anything? Or is the Breaks: essential?
>
> I could apply the patch today and then add the Breaks once refpolicy
> is updated. Or I could wait until refpolicy is updated and do both
> then.

If it is safe to apply now, this is my proposed patch (same as yours
with one conflict fixed):
diff --git a/debian/changelog b/debian/changelog
index 5c6bfeb..4c5a324 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,8 +10,10 @@ sysvinit (2.88dsf-13.7) unstable; urgency=low
already bind mounted on the chroot /run, which would remove the
contents of the host /run if upgrading initscripts in the chroot.
* Restore rpcbind/portmap changes from 2.88dsf-13.5.
+ * Add restorecon support for selinux using new paths (Closes: #626725).
+ Thanks to Martin Orr for this patch.
- -- Roger Leigh <[email protected]> Sun, 15 May 2011 10:01:37 +0100
+ -- Roger Leigh <[email protected]> Sun, 15 May 2011 14:42:43 +0100
sysvinit (2.88dsf-13.6) unstable; urgency=low
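Review bot: The changelog wording "using new paths" does not say what gets relabelled. Something like "Run restorecon on directories and symlinks created for the /run transition" would describe the change more precisely, and "selinux" should be spelled "SELinux".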
diff --git a/debian/initscripts.postinst b/debian/initscripts.postinst
index 9d40169..8b5fbd1 100755
--- a/debian/initscripts.postinst
+++ b/debian/initscripts.postinst
@@ -76,6 +76,7 @@ bind_mount ()
# Bind mount $SRC on $DEST
if [ -n "$ssrc" ] && [ "$ssrc" != "$sdest" ]; then
[ -d "$DEST" ] || mkdir "$DEST"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
if mount -t $FSTYPE "$SRC" "$DEST" $OPTS ; then
return 0
fi
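Review bot: In bind_mount, the added restorecon is the last command of an && list, so if initscripts.postinst runs under set -e (not visible in this hunk), a non-zero exit from /sbin/restorecon itself would abort the script before the mount is attempted. If a labelling failure should not be fatal to the upgrade, append || true or report the failure explicitly.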
@@ -111,6 +112,7 @@ compat_link () {
echo "Can't symlink $DEST to $SRC; please fix manually."
return 1
}
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
fi
return 0
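Review bot: In compat_link, a failed symlink prints "please fix manually" and returns 1, but a failed restorecon on "$DEST" is ignored and the function still reaches return 0. Consider printing a warning when restorecon exits non-zero, so that an unlabelled link does not go unnoticed until services fail at boot.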
diff --git a/debian/src/initscripts/etc/init.d/mountkernfs.sh
b/debian/src/initscripts/etc/init.d/mountkernfs.sh
index 85a02fb..25653b1 100755
--- a/debian/src/initscripts/etc/init.d/mountkernfs.sh
+++ b/debian/src/initscripts/etc/init.d/mountkernfs.sh
@@ -44,6 +44,7 @@ mount_filesystems () {
# Make lock directory as the replacement for /var/lock
[ -d /run/lock ] || mkdir --mode=755 /run/lock
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/lock
# Mount /run/lock as tmpfs if enabled. This prevents user DoS
# of /run by filling /run/lock at the expense of using an
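Review bot: restorecon /run/lock runs before the tmpfs mount described in the comment that follows, so it labels only the directory underneath. When /run/lock is then mounted as tmpfs, the root of the new filesystem is what services see, and this call does not cover it. A second restorecon after that mount, or a rootcontext= mount option, looks necessary for the tmpfs case.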
@@ -60,6 +61,7 @@ mount_filesystems () {
if [ -L /tmp ] && [ ! -d /tmp ]; then
TMPPATH="$(readlink /tmp)"
mkdir -p --mode=755 "$TMPPATH"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$TMPPATH"
fi
# If root is read only, default to mounting a tmpfs on /tmp,
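Review bot: mkdir -p "$TMPPATH" can create several missing parent directories, but the added restorecon "$TMPPATH" is not recursive and relabels only the final component. Any intermediate directories created by -p stay unlabelled; either relabel from the topmost directory that was created with restorecon -R, or label each created component.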
diff --git a/debian/src/initscripts/lib/init/mount-functions.sh
b/debian/src/initscripts/lib/init/mount-functions.sh
index 666a5d3..3c97ed5 100644
--- a/debian/src/initscripts/lib/init/mount-functions.sh
+++ b/debian/src/initscripts/lib/init/mount-functions.sh
@@ -294,6 +294,7 @@ run_migrate ()
if [ -L "$OLD" ] && [ "$(readlink "$OLD")" != "$RUN" ]; then
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
# If both directories are the same, we don't need to do
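Review bot: In run_migrate, restorecon "$OLD" runs whether or not the preceding ln -fs "$RUN" "$OLD" succeeded. After rm -f "$OLD", a failed ln leaves no file at that path and restorecon will just error out. Chaining the two, as in ln -fs "$RUN" "$OLD" && restorecon, avoids the spurious error and keeps the ln failure visible.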
@@ -327,6 +328,7 @@ run_migrate ()
else
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
fi
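Review bot: This else branch repeats the same rm -f / ln -fs / restorecon sequence added earlier in run_migrate. Since mount-functions.sh is a function library, a small helper there (taking the link path and target) would keep the [ -x /sbin/restorecon ] guard in one place and make it harder to forget the relabel when another link is added.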
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.

