[Pkg-sysvinit-devel] Bug#626725: Bug#626725: initscripts: Needs to set SELinux labels for /run
Martin Orr
martin at martinorr.name
Mon May 16 12:16:20 UTC 2011
On Sun 15 May 15:47:46 2011, Henrique de Moraes Holschuh wrote:
> On Sat, 14 May 2011, Martin Orr wrote:
>> Directories and symlinks created as part of the /run transition are not
>> labelled for SELinux. The effect is that most services fail to start on
>> boot after transitioning to /run.
>>
>> You need to run restorecon after creating a directory or symbolic link
>> in an init script or maintainer script. Attached patch does this.
>>
>> /run with SELinux also requires the refpolicy patch I have submitted in
>> #626720. Once that is fixed, initscripts should probably have
>> Breaks: selinux-policy-default (<< $FIXEDVERSION)
>
> Don't we also need tmpfs with support for security attributes, for it to
> work (i.e. for labels to work inside /run)? Does squeeze 2.6.32 support
> such labelling?

Yes, tmpfs needs to support the SELinux attributes. I didn't think
about this because I build my own kernels.

But /dev has been on tmpfs for a long time, so surely someone would
have noticed if there is a problem? (or else no one runs the squeeze
kernel and SELinux)

Unfortunately I am unable to do any tests of this this week.

--
Martin Orr
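
The step described in the report above (run restorecon after an init or maintainer script creates a directory or symlink), sketched as an added example; it is not the patch attached to the bug and not initscripts code. The helper names and the RESTORECON / SELINUX_CHECK override variables are hypothetical, introduced so the logic can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example: relabel paths created at boot, as the report describes.
# RESTORECON and SELINUX_CHECK are hypothetical override hooks for testing;
# by default they resolve to the real restorecon(8) and selinuxenabled(8).
: "${RESTORECON:=restorecon}"
: "${SELINUX_CHECK:=selinuxenabled}"

# Return 0 only when both tools exist and SELinux is reported as enabled.
selinux_active() {
    command -v "$RESTORECON" >/dev/null 2>&1 || return 1
    command -v "$SELINUX_CHECK" >/dev/null 2>&1 || return 1
    "$SELINUX_CHECK"
}

# Reset the SELinux context of a path to the policy default.
# A no-op (success) on systems where SELinux is absent or disabled.
relabel() {
    if selinux_active; then
        "$RESTORECON" "$1" || return 1
    fi
    return 0
}

# Create a directory with the given mode, then relabel it.
make_labelled_dir() {   # usage: make_labelled_dir DIR MODE
    [ -d "$1" ] || mkdir -p "$1" || return 1
    chmod "$2" "$1" || return 1
    relabel "$1"
}

# Create (or replace) a symlink, then relabel it.
make_labelled_link() {  # usage: make_labelled_link TARGET LINK
    ln -sfn "$1" "$2" || return 1
    relabel "$2"
}
```

A failed relabel is returned to the caller as a non-zero status, so the calling script decides whether an unlabelled path should stop the boot step or only be logged.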