Created attachment 358916 [details]
patch

+++ This bug was initially created as a clone of Bug #519748 +++

Created an attachment (id=358915)
patch

Description of problem:
Fedora 11 machine boots /var/run/* is deleted and in particular /var/run/utmp is removed and recreated/chmoded and chgrped. Hoever the security context is not set until the restorecond service starts. During that time the network service starts and networks that provide the nisdomain dhcp option will get the following avc denied messages.

kernel: type=1400 audit(1249788594.546:7): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

kernel: type=1400 audit(1249788594.546:8): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

The fix is to get the context type set to initrc_var_run_t  rather than init_var_run_t which is what rc.sysint creates the file as.


Version-Release number of selected component (if applicable):
initscripts-8.95-1

How reproducible:


Steps to Reproduce:
1. install Fedora 11 with dhcp networking and selinux enforcing/permissive
2. setup dhcp to serve the nisdomain option (for dnsmasq it's  "dhcp-option=40,$nisdomain"
3. boot system
4. check /var/log/messages or /var/log/audit/audit.log for avc denied errors like above
  
Actual results:
AVC errors in above problem description

Expected results:
/var/run/* contexts set correctly and no further avc denied errors.

Additional info:
This doesn't seem to break anything but since it produces unwanted avc errors it should be corrected.