commit: 2444e174c98a308ab6a27892f38028dbe4d0516b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 7 17:45:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 17:45:56 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2444e174
Fix bug #512676 - Enable create/bind on SELinux netlink socket for run_init
The run_init code calls avc_* functions, but the following failure
occurs:
~# run_init rc-service nfs status
Authenticating swift.
run_init: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
AVC denials are shown related to the netlink_selinux_socket class
(create/bind privileges) and signal (possibly to handle failure).
Allowing them has the run_init code run properly again.
---
policy/modules/system/selinuxutil.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 2b99c9b..b4d7bc3 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -650,6 +650,10 @@ ifdef(`distro_gentoo',`
allow run_init_t self:passwd rootok;
+ # Fix bug #512676
+ allow run_init_t self:process signal;
+ allow run_init_t self:selinux_netlink_socket { create bind };
+
# Denials upon loading policy
fs_getattr_tmpfs(setfiles_t)
dev_getattr_fs(setfiles_t)
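Review bot: the object class in the second added rule does not match the class the commit message says was denied: the message reports denials on `netlink_selinux_socket`, but the hunk adds `allow run_init_t self:selinux_netlink_socket { create bind };`. The refpolicy security class for the SELinux notification netlink socket is spelled `netlink_selinux_socket` (the same spelling the message uses), so the rule as written references an undefined class and should fail at policy build time; suggest `allow run_init_t self:netlink_selinux_socket { create bind };`. Minor: `{ create bind }` mirrors exactly the denials observed before the assertion fired, so after applying the fix it is worth re-running `run_init` and checking the audit log for any follow-on denials on that socket before considering the bug closed.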