commit: 2444e174c98a308ab6a27892f38028dbe4d0516b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun 7 17:45:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun 7 17:45:56 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2444e174
Fix bug #512676 - Enable create/bind on SELinux netlink socket for run_init

The run_init code calls avc_* functions, but the following failure occurs:

  ~# run_init rc-service nfs status
  Authenticating swift.
  run_init: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
  Segmentation fault

AVC denials are shown related to the netlink_selinux_socket class (create/bind privileges) and signal (possibly to handle failure). Allowing them has the run_init code run properly again.

---
 policy/modules/system/selinuxutil.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2b99c9b..b4d7bc3 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -650,6 +650,10 @@ ifdef(`distro_gentoo',` allow run_init_t self:passwd rootok; + # Fix bug #512676 + allow run_init_t self:process signal; + allow run_init_t self:selinux_netlink_socket { create bind }; + # Denials upon loading policy fs_getattr_tmpfs(setfiles_t) dev_getattr_fs(setfiles_t)
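Review bot: the added rule names the object class `selinux_netlink_socket`, but the commit message itself, and the SELinux/refpolicy security class, use `netlink_selinux_socket`; with the class spelled as in the hunk the policy build fails on an unknown class, so the line should read `allow run_init_t self:netlink_selinux_socket { create bind };`. Keeping the permission set to `{ create bind }` rather than a broader socket permission set is the right call, since this is the socket libselinux's AVC opens to receive policy-load and enforcement-mode change notifications, which is why avc_open fails and the `avc_running` assertion trips when it is denied. The `allow run_init_t self:process signal;` rule is justified only by the hedge "possibly to handle failure"; the signal denial may well have been the abort raised by the failed assertion itself rather than something run_init needs once the socket is permitted, so re-run the test case with only the socket rule and drop the signal rule if the denial does not recur. Lastly, both rules land inside the `ifdef(`distro_gentoo',` block although run_init's use of the avc_* API is not Gentoo-specific; if upstream refpolicy's run_init_t lacks these permissions, the fix belongs outside the ifdef so it can be submitted upstream rather than carried as a Gentoo-only delta.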