[Pkg-sysvinit-devel] Bug#626725: initscripts: Needs to set SELinux labels for /run
Roger Leigh
rleigh at codelibre.net
Sun May 15 14:08:29 UTC 2011
On Sun, May 15, 2011 at 01:41:41PM +0100, Roger Leigh wrote:
> On Sat, May 14, 2011 at 06:44:29PM +0100, Martin Orr wrote:
> > Directories and symlinks created as part of the /run transition are not
> > labelled for SELinux. The effect is that most services fail to start on
> > boot after transitioning to /run.
> >
> > You need to run restorecon after creating a directory or symbolic link
> > in an init script or maintainer script. Attached patch does this.
> >
> > /run with SELinux also requires the refpolicy patch I have submitted in
> > #626720. Once that is fixed, initscripts should probably have
> > Breaks: selinux-policy-default (<< $FIXEDVERSION)
>
> Hi Martin,
>
> Is it safe to apply the patch /before/ refpolicy is updated or would
> this break anything? Or is the Breaks: essential?
>
> I could apply the patch today and then add the Breaks once refpolicy
> is updated. Or I could wait until refpolicy is updated and do both
> then.
If it is safe to apply now, this is my proposed patch (same as yours
with one conflict fixed):
diff --git a/debian/changelog b/debian/changelog
index 5c6bfeb..4c5a324 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,8 +10,10 @@ sysvinit (2.88dsf-13.7) unstable; urgency=low
already bind mounted on the chroot /run, which would remove the
contents of the host /run if upgrading initscripts in the chroot.
* Restore rpcbind/portmap changes from 2.88dsf-13.5.
+ * Add restorecon support for selinux using new paths (Closes: #626725).
+ Thanks to Martin Orr for this patch.
- -- Roger Leigh <rleigh at debian.org> Sun, 15 May 2011 10:01:37 +0100
+ -- Roger Leigh <rleigh at debian.org> Sun, 15 May 2011 14:42:43 +0100
sysvinit (2.88dsf-13.6) unstable; urgency=low
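Review bot: the changelog entry does not record that this relabelling only takes effect once the refpolicy change from #626720 is in selinux-policy-default, and the "Breaks: selinux-policy-default (<< $FIXEDVERSION)" raised earlier in the thread is not part of this patch; either add the Breaks in this upload or mention in the entry that it is deferred until the policy fix lands, so the dependency is visible to anyone reading the changelog.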
diff --git a/debian/initscripts.postinst b/debian/initscripts.postinst
index 9d40169..8b5fbd1 100755
--- a/debian/initscripts.postinst
+++ b/debian/initscripts.postinst
@@ -76,6 +76,7 @@ bind_mount ()
# Bind mount $SRC on $DEST
if [ -n "$ssrc" ] && [ "$ssrc" != "$sdest" ]; then
[ -d "$DEST" ] || mkdir "$DEST"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
if mount -t $FSTYPE "$SRC" "$DEST" $OPTS ; then
return 0
fi
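Review bot: the line "[ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"" is repeated verbatim in five places across postinst, mountkernfs.sh and mount-functions.sh; a small helper in lib/init/mount-functions.sh (for example a function that tests for /sbin/restorecon once and relabels the paths it is given) would keep the guard and the binary path in one place, and let a non-zero exit from restorecon be reported instead of silently discarded as it is here.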
@@ -111,6 +112,7 @@ compat_link () {
echo "Can't symlink $DEST to $SRC; please fix manually."
return 1
}
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$DEST"
fi
return 0
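Review bot: the restorecon call sits inside the same "if" that creates the link, so only a link made in this run is relabelled; a compatibility link that already exists from an earlier upgrade keeps whatever label it got then, and nothing in this hunk corrects it. If stale labels on existing links are a concern for upgrades, run restorecon on "$DEST" unconditionally after the "fi" rather than only on the create path.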
diff --git a/debian/src/initscripts/etc/init.d/mountkernfs.sh b/debian/src/initscripts/etc/init.d/mountkernfs.sh
index 85a02fb..25653b1 100755
--- a/debian/src/initscripts/etc/init.d/mountkernfs.sh
+++ b/debian/src/initscripts/etc/init.d/mountkernfs.sh
@@ -44,6 +44,7 @@ mount_filesystems () {
# Make lock directory as the replacement for /var/lock
[ -d /run/lock ] || mkdir --mode=755 /run/lock
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/lock
# Mount /run/lock as tmpfs if enabled. This prevents user DoS
# of /run by filling /run/lock at the expense of using an
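Review bot: the label set by "/sbin/restorecon /run/lock" here applies to the directory on the /run filesystem, but the comment directly below says /run/lock may then be mounted as a tmpfs; once that mount is in place the visible /run/lock is the tmpfs root, which carries the default tmpfs label and hides the relabelled directory underneath. Either relabel /run/lock again after the tmpfs mount succeeds, or mount it with an explicit context option, so the lock directory has the expected label in both configurations.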
@@ -60,6 +61,7 @@ mount_filesystems () {
if [ -L /tmp ] && [ ! -d /tmp ]; then
TMPPATH="$(readlink /tmp)"
mkdir -p --mode=755 "$TMPPATH"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$TMPPATH"
fi
# If root is read only, default to mounting a tmpfs on /tmp,
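Review bot: "mkdir -p --mode=755 "$TMPPATH"" may create intermediate parent directories as well as the leaf, but "restorecon "$TMPPATH"" relabels only the final path component; any parents created on the way keep the label inherited from their own parent. If TMPPATH can legitimately be more than one level deep, relabel each newly created component (or the topmost created directory with -R) rather than just the leaf.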
diff --git a/debian/src/initscripts/lib/init/mount-functions.sh b/debian/src/initscripts/lib/init/mount-functions.sh
index 666a5d3..3c97ed5 100644
--- a/debian/src/initscripts/lib/init/mount-functions.sh
+++ b/debian/src/initscripts/lib/init/mount-functions.sh
@@ -294,6 +294,7 @@ run_migrate ()
if [ -L "$OLD" ] && [ "$(readlink "$OLD")" != "$RUN" ]; then
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
# If both directories are the same, we don't need to do
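Review bot: restorecon's exit status is discarded by the "&&" list, so if relabelling "$OLD" fails on an enforcing system the migration continues and leaves exactly the mislabelled symlink the bug report says stops services from starting at boot; consider at least echoing a warning when restorecon returns non-zero so the cause is visible in the boot log instead of surfacing later as opaque service failures.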
@@ -327,6 +328,7 @@ run_migrate ()
else
rm -f "$OLD"
ln -fs "$RUN" "$OLD"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$OLD"
fi
fi
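Review bot: this is the same "rm -f / ln -fs / restorecon "$OLD"" sequence as in the earlier run_migrate hunk, now in the else branch of the same if; since both branches end by recreating "$OLD" as a link to "$RUN", the relabel could be done once after the if/else (guarded on "$OLD" being a link) instead of being duplicated in both branches.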
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.