Created attachment 997245
Files needed to reproduce (selinux policy, unit files, service directory)
Description of problem:
When systemd creates a new socket for socket activation it does not set the right selinux label on the created socket.
Steps to Reproduce:
1. See my example selinux policy module (install it)
2. Install my lala.service and lala.socket systemd unit files
3. Create a directory /lala
4. Check if ls -lahZ /lala shows the lala_t label for /lala
5. If not run restorecon on /lala
6. Start the lala.socket service with systemctl start lala.socket
7. Check if /lala/lala.sock has the lala_t label:
It has not!!! <- bug?
8. Restart service lala.socket with systemctl restart lala.socket
9. Check if /lala/lala.sock has the lala_t label:
It has! <- This should have happened in the first place
I can't compile a module from the files that you've provided.
# checkmodule -o lala.mod lala.te
checkmodule: loading policy configuration from lala.te
lala.te:1:ERROR 'syntax error' at token 'policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
I used make -f /usr/share/selinux/devel/Makefile in the selinux module directory to compile the module. See: https://fedoraproject.org/wiki/PackagingDrafts/SELinux
Ok, I can reproduce this on the latest upstream version from git (commit 9a71b1122c6e49dd9227f82b2f53837c7ea13019).
Do we need to create an upstream ticket?
I'm not sure. After I rebooted the machine, the socket is always created with the correct label...
Maybe we do not reload the policy correctly? It would be good to test the patch from https://bugzilla.redhat.com/show_bug.cgi?id=1195330 along with this.
So I managed to reproduce this again by disabling the lala policy, rebooting and enabling it again.
So yes, it looks like the policy is not correctly reloaded. In shared/selinux-util.c, in mac_selinux_bind() this line
selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK)
sets fcon to system_u:object_r:default_t:s0. The problem is re-reproducible by stopping the lala.socket service, removing /lala/lala.sock and starting the socket again.
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.
Not sure if this is still a problem...
I can confirm this still is a bug on CentOS7.
I've been facing this problem for a long time on CentOS 7. I thought I was doing something wrong.
systemctl daemon-reload will now also reload the selinux policy (https://github.com/systemd/systemd/commit/a9dfac21ec, in v245).
As a work-around, calling daemon-reload after installing a policy module should be enough.
I'll leave this open though, since we should make this automatic.
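The work-around above (daemon-reload after installing the policy module, then restart the socket unit and check the label) as a small verification script. This is an added example, not code from the bug report or from systemd; it assumes the unit, socket path and type from the report (lala.socket, /lala/lala.sock, lala_t) and GNU stat(1), whose %C format prints the SELinux context of a path.

```shell
#!/bin/sh
# Added example (not from the bug report or systemd): after installing an
# SELinux policy module, reload systemd so it re-reads the file-context
# database, restart the socket unit and verify the socket's type.
# Assumed names: lala.socket, /lala/lala.sock, lala_t (from the report).

# Extract the SELinux type, the third field of a context string such as
# system_u:object_r:default_t:s0 (the wrong value seen in the report).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the context string carries the expected type, 1 otherwise.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Read the security context of a path; GNU stat prints '?' when the
# kernel has no SELinux context for the file.
path_context() {
    stat -c %C "$1" 2>/dev/null
}

# The work-around from the thread: daemon-reload (which, since systemd
# v245, also reloads the SELinux label database), restart the socket unit,
# then check that the freshly created socket got the type from the module.
verify_socket_label() {
    unit=$1; sock=$2; want=$3
    systemctl daemon-reload || return 1
    systemctl restart "$unit" || return 1
    ctx=$(path_context "$sock")
    if has_type "$ctx" "$want"; then
        echo "ok: $sock is $ctx"
    else
        echo "BAD: $sock is '$ctx', expected type $want" >&2
        echo "hint: restorecon -v $sock fixes the file; a stale label handle is the cause" >&2
        return 1
    fi
}

# Run the live procedure only when called with three arguments, so the
# helper functions can also be sourced on a machine without SELinux.
if [ "$#" -eq 3 ]; then
    verify_socket_label "$1" "$2" "$3"
fi
```

Usage on the reporter's setup: `sh verify-label.sh lala.socket /lala/lala.sock lala_t`. A non-zero exit means the socket was created with the pre-module context (default_t in the report), which is exactly the symptom the thread describes.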
*** Bug 1660141 has been marked as a duplicate of this bug. ***
A better fix is being discussed in https://github.com/systemd/systemd/pull/14781. I hope we can make this work.
Built in rawhide.