Bug 519749 - /var/run/utmp & /var/run/wtmp selinux context incorrectly set by rc.sysinit
Summary: /var/run/utmp & /var/run/wtmp selinux context incorrectly set by rc.sysinit
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 519748
Blocks:
Reported: 2009-08-27 16:49 UTC by Joey Boggs
Modified: 2014-03-17 03:20 UTC

Fixed In Version:
Clone Of: 519748
Environment:
Last Closed: 2009-08-27 17:28:03 UTC
Type: ---
Embargoed:


Attachments:
patch (332 bytes, patch), 2009-08-27 16:49 UTC, Joey Boggs

Description Joey Boggs 2009-08-27 16:49:01 UTC
Created attachment 358916
patch

+++ This bug was initially created as a clone of Bug #519748 +++

Created an attachment (id=358915)
patch

Description of problem:
When a Fedora 11 machine boots, /var/run/* is deleted; in particular /var/run/utmp is removed and recreated/chmoded and chgrped. However, the security context is not set until the restorecond service starts. During that time the network service starts, and networks that provide the nisdomain dhcp option will get the following avc denied messages.

kernel: type=1400 audit(1249788594.546:7): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

kernel: type=1400 audit(1249788594.546:8): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

The fix is to get the context type set to initrc_var_run_t rather than init_var_run_t, which is what rc.sysinit creates the file as.


Version-Release number of selected component (if applicable):
initscripts-8.95-1

How reproducible:


Steps to Reproduce:
1. install Fedora 11 with dhcp networking and selinux enforcing/permissive
2. setup dhcp to serve the nisdomain option (for dnsmasq it's "dhcp-option=40,$nisdomain")
3. boot system
4. check /var/log/messages or /var/log/audit/audit.log for avc denied errors like above
  
Actual results:
AVC errors in above problem description

Expected results:
/var/run/* contexts set correctly and no further avc denied errors.

Additional info:
This doesn't seem to break anything but since it produces unwanted avc errors it should be corrected.
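The denials quoted above can be picked out of audit.log mechanically, which is a quick way to confirm whether utmp is still carrying the type rc.sysinit created it with. This is an added example, not code from the bug report or from initscripts; it assumes audit records in the same format as the quoted lines, treats initrc_var_run_t as the expected type (as the report states), and runs over a constructed sample built from the report's two denials plus one correctly labelled record.

```shell
#!/bin/sh
# Added example, not from the bug report or initscripts: report AVC denials on
# the utmp file whose target context still has a type other than the expected
# one (init_var_run_t instead of initrc_var_run_t in the report).
# Assumption: one audit record per line, in the format of the quoted denials.

# Constructed sample: the two denials from the report, plus a third record
# already labelled initrc_var_run_t that must NOT be reported.
AVC_SAMPLE='type=1400 audit(1249788594.546:7): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=1400 audit(1249788594.546:8): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=1400 audit(1249788650.100:9): avc: denied  { read } for  pid=3510 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file'

# Print "pid comm target-type" for every denial on a file named utmp whose
# target type is not the expected one. Reads the log given as $1 (or stdin).
# $2 overrides the expected type; default is initrc_var_run_t as in the report.
mislabelled_utmp_denials() {
    awk -v want="${2:-initrc_var_run_t}" '
        /avc: +denied/ && index($0, "name=\"utmp\"") > 0 {
            pid = comm = type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pid=/) { pid = substr($i, 5) }
                else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub("\"", "", comm) }
                else if ($i ~ /^tcontext=/) {
                    # tcontext=user:role:type:level -> take the type field
                    split(substr($i, 10), ctx, ":")
                    type = ctx[3]
                }
            }
            if (type != "" && type != want) print pid, comm, type
        }' "${1:--}"
}

# Number of such denials; 0 means every utmp denial already had the right type.
count_mislabelled() {
    mislabelled_utmp_denials "$@" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: prints the two mislabelled hits.
printf '%s\n' "$AVC_SAMPLE" | mislabelled_utmp_denials
```

On a live system, point the function at /var/log/audit/audit.log; an empty result after boot means the relabelling of /var/run/utmp is happening before the network service reads it.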

