Bug#626725: [Pkg-sysvinit-devel] Bug#626725: initscripts: Needs to set SELinux labels for /run

2011-05-23 Thread Martin Orr
On Sun, May 15, 2011 at 11:47:46AM -0300, Henrique de Moraes Holschuh wrote:
> Don't we also need tmpfs with support for security attributes, for it to
> work (i.e. for labels to work inside /run)?   Does squeeze 2.6.32 support
> such labelling?

Yes.  I tested this with the squeeze kernel (and patched refpolicy) and it 
works fine:

martin@claudius:~$ uname -a
Linux claudius 2.6.32-5-amd64 #1 SMP Mon Mar 7 21:35:22 UTC 2011 x86_64 GNU/Linux
martin@claudius:~$ mount | grep /run
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=755,size=10%,mode=755)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,size=20%,mode=1777,size=20%,mode=1777)
martin@claudius:~$ ls -Z /run
system_u:object_r:crond_var_run_t:s0 atd.pid
system_u:object_r:audisp_var_run_t:s0 audispd_events
system_u:object_r:auditd_var_run_t:s0 auditd.pid
system_u:object_r:clamd_var_run_t:s0 clamav
system_u:object_r:courier_var_run_t:s0 courier
system_u:object_r:crond_var_run_t:s0 crond.pid
system_u:object_r:crond_var_run_t:s0 crond.reboot
system_u:object_r:system_dbusd_var_run_t:s0 dbus
system_u:object_r:dhcpc_var_run_t:s0 dhclient.wlan0.pid
system_u:object_r:var_run_t:s0 kdm
system_u:object_r:xdm_var_run_t:s0 kdm.pid
system_u:object_r:var_lock_t:s0 lock
system_u:object_r:initrc_var_run_t:s0 motd
system_u:object_r:restorecond_var_run_t:s0 restorecond.pid
system_u:object_r:syslogd_var_run_t:s0 rsyslogd.pid
system_u:object_r:var_run_t:s0 sendsigs.omit.d
system_u:object_r:tmpfs_t:s0 shm
system_u:object_r:initrc_var_run_t:s0 smartd.pid
system_u:object_r:device_t:s0 udev
system_u:object_r:initrc_var_run_t:s0 utmp
system_u:object_r:NetworkManager_var_run_t:s0 wpa_supplicant
system_u:object_r:NetworkManager_var_run_t:s0 wpa_supplicant.wlan0.pid
system_u:object_r:xdm_var_run_t:s0 xauth
system_u:object_r:xdm_var_run_t:s0 xdmctl

-- 
Martin Orr



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#626725: [Pkg-sysvinit-devel] Bug#626725: initscripts: Needs to set SELinux labels for /run

2011-05-16 Thread Martin Orr

On Sun 15 May 15:47:46 2011, Henrique de Moraes Holschuh wrote:
> On Sat, 14 May 2011, Martin Orr wrote:
>> Directories and symlinks created as part of the /run transition are not
>> labelled for SELinux.  The effect is that most services fail to start on
>> boot after transitioning to /run.
>>
>> You need to run restorecon after creating a directory or symbolic link
>> in an init script or maintainer script.  Attached patch does this.
>>
>> /run with SELinux also requires the refpolicy patch I have submitted in
>> #626720.  Once that is fixed, initscripts should probably have
>> Breaks: selinux-policy-default (<< $FIXEDVERSION)
>
> Don't we also need tmpfs with support for security attributes, for it to
> work (i.e. for labels to work inside /run)?   Does squeeze 2.6.32 support
> such labelling?


Yes, tmpfs needs to support the SELinux attributes.  I didn't think
about this because I build my own kernels.

But /dev has been on tmpfs for a long time, so surely someone would
have noticed if there is a problem?  (or else no one runs the squeeze
kernel and SELinux)


Unfortunately I am unable to do any tests of this this week.

--
Martin Orr
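The create-then-restorecon pattern from the report quoted above, written out as an added shell example (this is not the patch attached to the bug), together with a check over `ls -Z` output like the listing in the 2011-05-23 message. The helper names (relabel, run_mkdir, run_symlink, unlabelled_entries) and the sample entries are assumptions constructed here.

```shell
#!/bin/sh
# Added example; not the patch attached to this bug.  The helper names
# (relabel, run_mkdir, run_symlink, unlabelled_entries) are assumptions.

# Apply the loaded policy's file-context rules to a freshly created path.
# selinuxenabled(8) exits 0 only on a running SELinux system; without it
# (no policycoreutils, or SELinux off) this is a no-op, so the same init
# script keeps working on non-SELinux hosts.
relabel() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -R "$1"
    fi
}

# Create a directory under /run and label it before any daemon uses it;
# otherwise it keeps whatever label it inherited at creation, which the
# daemon's policy rules do not allow it to use (the failure in the report).
run_mkdir() {   # run_mkdir <dir> [mode]
    mkdir -p "$1" && chmod "${2:-0755}" "$1" && relabel "$1"
}

# Same for a compatibility symlink such as /var/run -> /run; restorecon
# labels the link itself rather than following it.
run_symlink() { # run_symlink <target> <link>
    ln -sfn "$1" "$2" && relabel "$2"
}

# Audit check: read `ls -Z` output on stdin and print entries still carrying
# the tmpfs default type (tmpfs_t), i.e. created on the mount without a
# relabel.  In the listing from the thread only shm legitimately keeps it.
unlabelled_entries() {
    awk '$1 ~ /:tmpfs_t:/ { print $2 }'
}

# Constructed sample mirroring the thread's listing plus one bad entry
# (mydaemon); prints "shm" and "mydaemon" when run with the argument demo.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' 'system_u:object_r:tmpfs_t:s0 shm' \
                  'system_u:object_r:var_run_t:s0 kdm' \
                  'system_u:object_r:tmpfs_t:s0 mydaemon' | unlabelled_entries
fi
```

A hit other than shm in the check's output is a directory or file that a script created under /run without the restorecon step.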




Bug#626725: [Pkg-sysvinit-devel] Bug#626725: initscripts: Needs to set SELinux labels for /run

2011-05-15 Thread Henrique de Moraes Holschuh
On Sat, 14 May 2011, Martin Orr wrote:
> Directories and symlinks created as part of the /run transition are not
> labelled for SELinux.  The effect is that most services fail to start on
> boot after transitioning to /run.
>
> You need to run restorecon after creating a directory or symbolic link
> in an init script or maintainer script.  Attached patch does this.
>
> /run with SELinux also requires the refpolicy patch I have submitted in
> #626720.  Once that is fixed, initscripts should probably have
> Breaks: selinux-policy-default (<< $FIXEDVERSION)

Don't we also need tmpfs with support for security attributes, for it to
work (i.e. for labels to work inside /run)?   Does squeeze 2.6.32 support
such labelling?

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
