SELinux type transition rule not working

SELinux type transition rule not working

[Ian Pilcher]

I am using systemd's RuntimeDirectory to create a directory for a
service.

    RuntimeDirectory=squoxy

This causes systemd to create /run/squoxy before starting my service,
but I haven't been able to get the SELinux context set correctly on the
directory.

I've set file context rules for both /run/squoxy and /var/run/squoxy:

^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
^/run/squoxy(/.*)?      all files  system_u:object_r:squoxy_var_run_t:s0

And, indeed, restorecon will set the context of the directory to
squoxy_var_run_t.

I've also added a type transition rule, attempting to get the correct
context applied automatically when systemd creates the directory:

type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";

But the directory is still being created as var_run_t:

drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy

What am I doing wrong?

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: [systemd-devel] SELinux type transition rule not working

[Lennart Poettering]

On Wed, 01.03.17 15:40, Ian Pilcher (arequipeno@gmail.com) wrote:

> I am using systemd's RuntimeDirectory to create a directory for a
> service.
> 
>    RuntimeDirectory=squoxy
> 
> This causes systemd to create /run/squoxy before starting my service,
> but I haven't been able to get the SELinux context set correctly on the
> directory.
> 
> I've set file context rules for both /run/squoxy and /var/run/squoxy:
> 
> ^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> ^/run/squoxy(/.*)?      all files  system_u:object_r:squoxy_var_run_t:s0
> 
> And, indeed, restorecon will set the context of the directory to
> squoxy_var_run_t.
> 
> I've also added a type transition rule, attempting to get the correct
> context applied automatically when systemd creates the directory:
> 
> type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
> 
> But the directory is still being created as var_run_t:
> 
> drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy
> 
> What am I doing wrong?

Hmm, so the relevant code in systemd actually labels the dir after
creating it after an selinux database lookup, so from our side all
should be good:

https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857

(specifically, we all mkdir_p_label() instead of plain mkdir_p() there)

My own understanding of SELinux is finite however. I'd recommend
pinging the SELinux folks for help on this, 

Lennart

-- 
Lennart Poettering, Red Hat

Re: [systemd-devel] SELinux type transition rule not working

[Simon Sekidde]

----- Original Message -----
> From: "Lennart Poettering" <lennart@poettering.net>
> To: "Ian Pilcher" <arequipeno@gmail.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, selinux@tycho.nsa.gov
> Sent: Wednesday, March 1, 2017 5:25:11 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On Wed, 01.03.17 15:40, Ian Pilcher (arequipeno@gmail.com) wrote:
> 
> > I am using systemd's RuntimeDirectory to create a directory for a
> > service.
> > 
> >    RuntimeDirectory=squoxy
> > 
> > This causes systemd to create /run/squoxy before starting my service,
> > but I haven't been able to get the SELinux context set correctly on the
> > directory.
> > 
> > I've set file context rules for both /run/squoxy and /var/run/squoxy:
> > 
> > ^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> > ^/run/squoxy(/.*)?      all files  system_u:object_r:squoxy_var_run_t:s0
> > 
> > And, indeed, restorecon will set the context of the directory to
> > squoxy_var_run_t.
> > 
> > I've also added a type transition rule, attempting to get the correct
> > context applied automatically when systemd creates the directory:
> > 
> > type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
> > 
> > But the directory is still being created as var_run_t:
> > 
> > drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy
> > 
> > What am I doing wrong?
> 

Ian, 

I assume this would be a pid file?

If so then what you are probably looking for is a filename_trans rule and will require a new interface in squid.if for this. 

Try something like

interface(`squid_filetrans_named_content',`
        gen_require(`
		     type_squid_var_run_t; 
	')

        files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
')

> Hmm, so the relevant code in systemd actually labels the dir after
> creating it after an selinux database lookup, so from our side all
> should be good:
> 
> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> 
> (specifically, we all mkdir_p_label() instead of plain mkdir_p() there)
> 
> My own understanding of SELinux is finite however. I'd recommend
> pinging the SELinux folks for help on this,
> 

We got you covered! 

> Lennart
> 
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
ssekidde@redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

Re: [systemd-devel] SELinux type transition rule not working

[Ian Pilcher]

On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> I assume this would be a pid file?

You assume correctly.

> If so then what you are probably looking for is a filename_trans rule
> and will require a new interface in squid.if for this.
>
> Try something like
>
> interface(`squid_filetrans_named_content',` gen_require(`
> type_squid_var_run_t; ')
>
> files_pid_filetrans($1, squid_var_run_t, dir, "squozy") ')

Not sure where squid came from.  The service is one of my own making
called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
forward Squeezebox discovery broadcast packets from one network to
another.

So I assume that I would need to add something like this to my policy
module:

   files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")

(I'm guessing at what to put in for $1.)

>> Hmm, so the relevant code in systemd actually labels the dir after
>> creating it after an selinux database lookup, so from our side all
>> should be good:
>>
>> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
>>
>>
>>(specifically, we all mkdir_p_label() instead of plain mkdir_p()
 >> there)

And this is working now, presumably after a reboot?  I do so love
non-deterministic computers.  :-/

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: [systemd-devel] SELinux type transition rule not working

[Simon Sekidde]

----- Original Message -----
> From: "Ian Pilcher" <arequipeno@gmail.com>
> To: "Simon Sekidde" <ssekidde@redhat.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, selinux@tycho.nsa.gov, lennart@poettering.net
> Sent: Friday, March 3, 2017 10:44:18 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > I assume this would be a pid file?
> 
> You assume correctly.
> 
> > If so then what you are probably looking for is a filename_trans rule
> > and will require a new interface in squid.if for this.
> >
> > Try something like
> >
> > interface(`squid_filetrans_named_content',` gen_require(`
> > type_squid_var_run_t; ')
> >
> > files_pid_filetrans($1, squid_var_run_t, dir, "squozy") ')
> 
> Not sure where squid came from.  The service is one of my own making
> called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
> forward Squeezebox discovery broadcast packets from one network to
> another.
> 

Sorry I must have been doing something in the squid policy while I was responding to this... 

> So I assume that I would need to add something like this to my policy
> module:
> 
>    files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
> 
> (I'm guessing at what to put in for $1.)
> 

files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy") 

Files created by the squoxy_t processes in the var_run_t directory will be created with the squoxy_var_run_t label

> >> Hmm, so the relevant code in systemd actually labels the dir after
> >> creating it after an selinux database lookup, so from our side all
> >> should be good:
> >>
> >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> >>
> >>
> >>(specifically, we all mkdir_p_label() instead of plain mkdir_p()
>  >> there)
> 
> And this is working now, presumably after a reboot?  I do so love
> non-deterministic computers.  :-/
> 
> --
> ========================================================================
> Ian Pilcher                                         arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> 

Re: [systemd-devel] SELinux type transition rule not working

[Simon Sekidde]

Ian do you have a copy of this custom policy somewhere?

----- Original Message -----
> From: "Simon Sekidde" <ssekidde@redhat.com>
> To: "Ian Pilcher" <arequipeno@gmail.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, lennart@poettering.net, selinux@tycho.nsa.gov
> Sent: Friday, March 3, 2017 11:01:59 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> 
> 
> ----- Original Message -----
> > From: "Ian Pilcher" <arequipeno@gmail.com>
> > To: "Simon Sekidde" <ssekidde@redhat.com>
> > Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, selinux@tycho.nsa.gov,
> > lennart@poettering.net
> > Sent: Friday, March 3, 2017 10:44:18 AM
> > Subject: Re: [systemd-devel] SELinux type transition rule not working
> > 
> > On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > > I assume this would be a pid file?
> > 
> > You assume correctly.
> > 
> > > If so then what you are probably looking for is a filename_trans rule
> > > and will require a new interface in squid.if for this.
> > >
> > > Try something like
> > >
> > > interface(`squid_filetrans_named_content',` gen_require(`
> > > type_squid_var_run_t; ')
> > >
> > > files_pid_filetrans($1, squid_var_run_t, dir, "squozy") ')
> > 
> > Not sure where squid came from.  The service is one of my own making
> > called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
> > forward Squeezebox discovery broadcast packets from one network to
> > another.
> > 
> 
> Sorry I must have been doing something in the squid policy while I was
> responding to this...
> 
> > So I assume that I would need to add something like this to my policy
> > module:
> > 
> >    files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
> > 
> > (I'm guessing at what to put in for $1.)
> > 
> 
> files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy")
> 
> Files created by the squoxy_t processes in the var_run_t directory will be
> created with the squoxy_var_run_t label
> 
> > >> Hmm, so the relevant code in systemd actually labels the dir after
> > >> creating it after an selinux database lookup, so from our side all
> > >> should be good:
> > >>
> > >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> > >>
> > >>
> > >>(specifically, we all mkdir_p_label() instead of plain mkdir_p()
> >  >> there)
> > 
> > And this is working now, presumably after a reboot?  I do so love
> > non-deterministic computers.  :-/
> > 
> > --
> > ========================================================================
> > Ian Pilcher                                         arequipeno@gmail.com
> > -------- "I grew up before Mark Zuckerberg invented friendship" --------
> > ========================================================================
> > 
> 
> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
> 

Re: [systemd-devel] SELinux type transition rule not working

[Ian Pilcher]

On 03/03/2017 10:45 AM, Simon Sekidde wrote:
> Ian do you have a copy of this custom policy somewhere?

https://github.com/ipilcher/squoxy/blob/master/squoxy.te

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: [systemd-devel] SELinux type transition rule not working

[Simon Sekidde]

----- Original Message -----
> From: "Ian Pilcher" <arequipeno@gmail.com>
> To: "Simon Sekidde" <ssekidde@redhat.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, selinux@tycho.nsa.gov
> Sent: Friday, March 3, 2017 2:32:54 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On 03/03/2017 10:45 AM, Simon Sekidde wrote:
> > Ian do you have a copy of this custom policy somewhere?
> 
> https://github.com/ipilcher/squoxy/blob/master/squoxy.te
> 

Thanks. Lets try to get a template going and we can help clean it up. 

 sepolicy generate --init -n squoxy /usr/local/bin/squoxy

> --
> ========================================================================
> Ian Pilcher                                         arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
ssekidde@redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

Re: [systemd-devel] SELinux type transition rule not working

[Ian Pilcher]

On 03/03/2017 02:19 PM, Simon Sekidde wrote:
> Thanks. Lets try to get a template going and we can help clean it up.

I've been scrambling to get my home network setup (after migrating the
main network server/router from CentOS 6 -> 7), so it's not surprise if
things are a bit hacky right now.

>  sepolicy generate --init -n squoxy /usr/local/bin/squoxy

Yet another tool that I've never heard of before.  So much outdated
info on SELinux out there.  :-(

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: SELinux type transition rule not working

[cgzones]

[-- Attachment #1: Type: text/plain, Size: 1590 bytes --]

On 1 Mar 2017 10:41 pm, "Ian Pilcher" <arequipeno@gmail.com> wrote:

I am using systemd's RuntimeDirectory to create a directory for a
service.

   RuntimeDirectory=squoxy

This causes systemd to create /run/squoxy before starting my service,
but I haven't been able to get the SELinux context set correctly on the
directory.

I've set file context rules for both /run/squoxy and /var/run/squoxy:

^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
^/run/squoxy(/.*)?      all files  system_u:object_r:squoxy_var_run_t:s0

And, indeed, restorecon will set the context of the directory to
squoxy_var_run_t.

I've also added a type transition rule, attempting to get the correct
context applied automatically when systemd creates the directory:

type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";

Can you try a transition from initrc_t or the interface
init_daemon_pid_file()

But the directory is still being created as var_run_t:

drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy

What am I doing wrong?

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
To get help, send an email containing "help" to
Selinux-request@tycho.nsa.gov.

[-- Attachment #2: Type: text/html, Size: 2679 bytes --]

Re: SELinux type transition rule not working

[Ian Pilcher]

On 03/01/2017 04:28 PM, cgzones wrote:
> Can you try a transition from initrc_t or the interface

I've added a rule for initrc_t (although I'm 99% sure that is no longer
used under systemd):

   type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
   type_transition initrc_t var_run_t : dir squoxy_var_run_t "squoxy";

No change in behavior.  The directory still ends up as var_run_t.

> init_daemon_pid_file()

I can't find any documentation of this interface, and it doesn't appear
to exist on Fedora 25 or CentOS 7.  Attempting to use it just gives me a
syntax error:

squoxy.te:17:ERROR 'syntax error' at token 'init_daemon_pid_file' on 
line 3513:
# PID file 

init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")

Here is the entire file:

policy_module(squoxy, 0.0.1)

require {
	type kernel_t;
	type devlog_t;
	type node_t;
};

type squoxy_t;
type squoxy_exec_t;
type squoxy_var_run_t;

init_daemon_domain(squoxy_t, squoxy_exec_t)
files_type(squoxy_var_run_t)

# PID file
init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")
allow squoxy_t squoxy_var_run_t:dir { search write add_name };
allow squoxy_t squoxy_var_run_t:file { create write open };

# Sockets
allow squoxy_t self:rawip_socket { create bind setopt ioctl read write };
allow squoxy_t node_t:rawip_socket { node_bind };
allow squoxy_t self:capability { net_raw };

# syslog
allow squoxy_t self:unix_dgram_socket { create connect write };
allow squoxy_t kernel_t:unix_dgram_socket { sendto };
allow squoxy_t devlog_t:sock_file { write };

Per Lennart's response, systemd *should* be honoring the file context
rules when creating the directory.  It's almost as if the directory is
being created with the proper context, but something is changing it
after the fact.  I have absolutely no idea what that might be, though.

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: SELinux type transition rule not working

[Ian Pilcher]

On 03/01/2017 05:28 PM, Ian Pilcher wrote:
> Per Lennart's response, systemd *should* be honoring the file context
> rules when creating the directory.  It's almost as if the directory is
> being created with the proper context, but something is changing it
> after the fact.  I have absolutely no idea what that might be, though.

Hmm.  Just for grins, I created a tmpfiles config file:

d /run/squoxy 0755 nobody nobody - -

This gives me the correct context on the directory:

drwxr-xr-x. nobody nobody system_u:object_r:squoxy_var_run_t:s0 /run/squoxy

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: SELinux type transition rule not working

[Jason Zaman]

On Wed, Mar 01, 2017 at 05:51:01PM -0600, Ian Pilcher wrote:
> On 03/01/2017 05:28 PM, Ian Pilcher wrote:
> > Per Lennart's response, systemd *should* be honoring the file context
> > rules when creating the directory.  It's almost as if the directory is
> > being created with the proper context, but something is changing it
> > after the fact.  I have absolutely no idea what that might be, though.

Try using auditd to get details on everything going on in there:
auditctl -w /var/run/squoxy -p rwa -k watchsquoxy

then start things up and get everything matching with:
ausearch -k watchsquoxy

also, not sure if it was just weirdness in your email formatting, but
you dont need the ^ at the front of an fcontext:
^/var/run/squoxy

-- Jason

> Hmm.  Just for grins, I created a tmpfiles config file:
> 
> d /run/squoxy 0755 nobody nobody - -
> 
> This gives me the correct context on the directory:
> 
> drwxr-xr-x. nobody nobody system_u:object_r:squoxy_var_run_t:s0 /run/squoxy
> 
> -- 
> ========================================================================
> Ian Pilcher                                         arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

Re: SELinux type transition rule not working

[Ian Pilcher]

On 03/02/2017 12:12 AM, Jason Zaman wrote:
> On Wed, Mar 01, 2017 at 05:51:01PM -0600, Ian Pilcher wrote:
>> On 03/01/2017 05:28 PM, Ian Pilcher wrote:
>>> Per Lennart's response, systemd *should* be honoring the file context
>>> rules when creating the directory.  It's almost as if the directory is
>>> being created with the proper context, but something is changing it
>>> after the fact.  I have absolutely no idea what that might be, though.
>
> Try using auditd to get details on everything going on in there:
> auditctl -w /var/run/squoxy -p rwa -k watchsquoxy
>
> then start things up and get everything matching with:
> ausearch -k watchsquoxy

And wouldn't you know ... I can't reproduce the behavior now.  Sheesh!
Must be one of these fancy new quantum computers.  (Something about
rebooting 3 times comes to mind.)

> also, not sure if it was just weirdness in your email formatting, but
> you dont need the ^ at the front of an fcontext:
> ^/var/run/squoxy

Does SELinux add an implicit ^ at the beginning of each expression?
Otherwise, wouldn't /run/squoxy(/.*)? also match /foo/run/squoxy?  (Not
necessarily likely, but ...)

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

Re: SELinux type transition rule not working

[Stephen Smalley]

On Fri, 2017-03-03 at 09:36 -0600, Ian Pilcher wrote:
> On 03/02/2017 12:12 AM, Jason Zaman wrote:
> > 
> > On Wed, Mar 01, 2017 at 05:51:01PM -0600, Ian Pilcher wrote:
> > > 
> > > On 03/01/2017 05:28 PM, Ian Pilcher wrote:
> > > > 
> > > > Per Lennart's response, systemd *should* be honoring the file
> > > > context
> > > > rules when creating the directory.  It's almost as if the
> > > > directory is
> > > > being created with the proper context, but something is
> > > > changing it
> > > > after the fact.  I have absolutely no idea what that might be,
> > > > though.
> > 
> > Try using auditd to get details on everything going on in there:
> > auditctl -w /var/run/squoxy -p rwa -k watchsquoxy
> > 
> > then start things up and get everything matching with:
> > ausearch -k watchsquoxy
> 
> And wouldn't you know ... I can't reproduce the behavior
> now.  Sheesh!
> Must be one of these fancy new quantum computers.  (Something about
> rebooting 3 times comes to mind.)
> 
> > 
> > also, not sure if it was just weirdness in your email formatting,
> > but
> > you dont need the ^ at the front of an fcontext:
> > ^/var/run/squoxy
> 
> Does SELinux add an implicit ^ at the beginning of each expression?
> Otherwise, wouldn't /run/squoxy(/.*)? also match
> /foo/run/squoxy?  (Not
> necessarily likely, but ...)

SELinux implicitly anchors the regexes at both ends (^regex$).

Re: SELinux type transition rule not working

[Russell Coker]

On Thu, 2 Mar 2017 08:40:49 AM Ian Pilcher wrote:
> I am using systemd's RuntimeDirectory to create a directory for a
> service.
> 
>     RuntimeDirectory=squoxy
> 
> This causes systemd to create /run/squoxy before starting my service,
> but I haven't been able to get the SELinux context set correctly on the
> directory.
> 
> I've set file context rules for both /run/squoxy and /var/run/squoxy:
> 
> ^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> ^/run/squoxy(/.*)?      all files  system_u:object_r:squoxy_var_run_t:s0
> 
> And, indeed, restorecon will set the context of the directory to
> squoxy_var_run_t.

If restorecon gives the correct context and systemd-tmpfiles does too 
(according to one of your later messages) then this is a bug in systemd.

It's probably best to raise it in the systemd bug tracker.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/