1192726 – RuntimeDirectory must honor SELinux filesystem labels

Bug 1192726 - RuntimeDirectory must honor SELinux filesystem labels

Summary: RuntimeDirectory must honor SELinux filesystem labels

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	21
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-14 18:53 UTC by Anthony Messina
Modified:	2015-04-02 15:37 UTC (History)
CC List:	8 users (show)
Fixed In Version:	systemd-216-24.fc21
Clone Of:
Environment:
Last Closed:	2015-04-02 15:37:49 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Anthony Messina 2015-02-14 18:53:30 UTC

When updating some F21 systemd unit files to use RuntimeDirectory rather than tmpfiles.d, I came across the following issue:

When using tmpfiles.d, directories are created with the proper SELinux file contexts.  However, when using RuntimeDirectory within a *.service unit, the directories are created with system_u:object_r:init_var_run_t:s0 which generates AVCs similar to the following:

type=AVC msg=audit(1423937941.998:14406): avc:  denied  { write } for  pid=16392 comm="asterisk" name="asterisk" dev="tmpfs" ino=3804883 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir

In this case, the current SELinux policy expects /run/asterisk to be labeled with system_u:object_r:asterisk_var_run_t:s0

Using:
systemd-216-17.fc21.x86_64
selinux-policy-3.13.1-105.3.fc21.noarch

# /etc/tmpfiles.d/asterisk.conf
d /run/asterisk 0755 asterisk asterisk

# /etc/systemd system/asterisk.service
[Unit]
Description=Asterisk PBX and telephony daemon
After=network-online.target

[Service]
Type=simple
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk
User=asterisk
Group=asterisk
ExecStart=/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

PrivateTmp=true
RuntimeDirectory=asterisk
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

Comment 1 Zbigniew Jędrzejewski-Szmek 2015-02-14 19:14:59 UTC

Fixed upstream in http://cgit.freedesktop.org/systemd/systemd/commit/?id=ca905b2fce. Should be easy enough to backport.

Comment 2 Fedora Update System 2015-03-26 14:30:45 UTC

systemd-216-23.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/systemd-216-23.fc21

Comment 3 Fedora Update System 2015-03-30 07:04:17 UTC

Package systemd-216-24.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-216-24.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4991/systemd-216-24.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-04-02 15:37:49 UTC

systemd-216-24.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.