[Pkg-sysvinit-devel] This is about new functionality in base0files

srivasta at acm.org srivasta at acm.org
Mon Sep 8 04:34:09 UTC 2008


On Sun, 7 Sep 2008 11:27:48 +0200 (CEST), Santiago Vila <sanvila at unex.es> said: 

> On Sat, 6 Sep 2008, Manoj Srivastava wrote:
>> reassign 498010 base-files thanks
>> 
>> Hi,
>> 
>> policycoreutils already installs the /selinux directory. This
>> report is not about that -- since policycoreutils is not, and
>> should not be, essential, people who do not install policycoreutils
>> see an error message from init about not being able to mount
>> selinuxfs.
>> 
>> policycoreutils can't help that when it is not installed.
>> 
>> base-files folks need to determine if that dir should indeed live
>> on all machines (I see no harm in that), or not, and deal with this
>> bug accordingly.

> Simple question: Is it useful or desirable to mount the selinux fs
> on /selinux when policycoreutils is not installed?

        Yes and no. The amount of utility is an issue, however. The
 utility essentially comes from avoiding an unnecessary but harmless
 diagnostic message from init, and perhaps other daemons. It is not
 useful in the sense that it improves security, or that it makes a
 functional difference.

        For example, this is what led up to this: this is a detailed
 account of the activity in /sbin/init during bootup (whether or
 not SELinux is deployed):
,----
|  0. Init looks at env var SELINUX_INIT, and if that is zero, skips the
|     rest of the steps below.
|  1. init tries to load security policy.
|  2. First, selinux configuration (from /etc/selinux/config) is re-read.
|  3. We check to see if we are in enforcing mode in the config file
|  4. mount the /proc file system
|  5. look at /proc/cmdline, parse it to see if we have an enforcing=
|     override.
|  6. umount /proc if we mounted it
|  7. determine desired mode (enforcing or not based on above)
|  8. try to mount selinuxfs on /selinux (tests whether kernel knows of
|     selinux)
|    a. If ENODEV, selinux is disabled in kernel
|    b. ERROR: We do not know if selinux is enabled or not, but this is an
|       error.
|  9. if selinux is disabled in the config, 
|    a. disable security
|    b. unmount selinuxfs
|    c. go to end
| 10. Change kernel enforcing status to match
| 11. load security policy
`----

        The problem is step 8, since the only way to know whether the
 kernel  knows about selinux is to try to mount selinuxfs
 _somewhere_. The somewhere happens to be /selinux. 

        init shows this, as well as a few other daemons (I think sshd
 is another one). So just having /selinux helps avoid a warning from
 init and sshd, and perhaps other daemons.


> If yes, I could agree to add /selinux to base-files.

        I feel that adding the directory does no harm, but I do not
 personally think it is enough benefit to ask for a freeze exception
 for an essential package. But I am not an RM, so my opinion has
 limited value.

> If not, then this would be just an aesthetic issue (that we might
> want to fix for lenny, anyway). The package trying to mount selinux
> fs on /selinux (initscripts it seems) should do so only if /selinux
> exists, so that no error message is shown and the user is not
> alarmed if /selinux does not exist.

        Hmm. This is somewhat tricky. The code is asking if selinux is
 known to the kernel, and the next question is whether it is in strict
 or enforcing mode. Unless we try to mount selinuxfs, we cannot really
 answer the question correctly. I do not like not answering the
 question correctly just because the directory is missing.

        Of course, we can create the directory on demand -- but I do
 not like libraries creating top level directories  on their own.

        I would also not want to deviate too much from upstream
 behaviour in libselinux unless it is for a darned good reason; and
 a diagnostic for a missing /selinux on a machine with selinux support
 (default kernels have it, all the major relevant packages have it, so
 we kinda support selinux)  is not a good enough reason, I think.

        My preference would be to let the error message remain for now,
 but post lenny we should introduce the empty mount point directory in
 an essential package.

        manoj
-- 
"Neurotic: Self-taut person." Author Unknown
Manoj Srivastava <manoj.srivastava at stdc.com> <srivasta at acm.org> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
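
The decision sequence in the numbered list above, written out as an added example (not code from init, libselinux, or anyone in this thread). The config text, kernel command line and mount errno are passed in as constructed inputs; the function names, the outcome enum and the permissive default when no SELINUX= line is present are assumptions. A missing /selinux surfaces as ENOENT and lands in the step 8b "unknown" branch, distinct from the ENODEV of step 8a.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum outcome { LOAD_PERMISSIVE, LOAD_ENFORCING, SKIP_CONFIG_DISABLED, SKIP_NO_KERNEL, FAIL_UNKNOWN };

/* Steps 2-3: SELINUX= line of /etc/selinux/config; 1 enforcing, 0 permissive, -1 disabled. */
static int config_mode(const char *cfg)
{
    while (cfg && *cfg) {
        if (strncmp(cfg, "SELINUX=", 8) == 0) {
            if (strncmp(cfg + 8, "enforcing", 9) == 0) return 1;
            if (strncmp(cfg + 8, "disabled", 8) == 0) return -1;
            return 0;
        }
        cfg = strchr(cfg, '\n');      /* advance to the start of the next line */
        if (cfg) cfg++;
    }
    return 0; /* assumption: no SELINUX= line is treated as permissive */
}

/* Step 5: an enforcing=N token in /proc/cmdline overrides the config mode. */
static int cmdline_mode(const char *cmdline, int cfg_mode)
{
    for (const char *p = cmdline; (p = strstr(p, "enforcing=")) != NULL; p += 10)
        if (p == cmdline || p[-1] == ' ')   /* whole token, not e.g. "noenforcing=" */
            return atoi(p + 10) ? 1 : 0;
    return cfg_mode;
}

/* Steps 7-10; mount_errno is errno from mounting selinuxfs on /selinux, 0 on success. */
static enum outcome decide(const char *cfg, const char *cmdline, int mount_errno)
{
    if (mount_errno == ENODEV) return SKIP_NO_KERNEL;          /* step 8a */
    if (mount_errno != 0) return FAIL_UNKNOWN;  /* step 8b, e.g. ENOENT: no /selinux */
    int cfg_mode = config_mode(cfg);
    if (cfg_mode < 0) return SKIP_CONFIG_DISABLED;             /* step 9 */
    return cmdline_mode(cmdline, cfg_mode) ? LOAD_ENFORCING : LOAD_PERMISSIVE;
}

int main(void)
{
    const char *cfg = "SELINUX=permissive\nSELINUXTYPE=default\n"; /* constructed */
    const char *cmd = "root=/dev/sda1 ro enforcing=1";              /* constructed */
    printf("mounted=%d missing-dir=%d no-kernel=%d\n",
           decide(cfg, cmd, 0), decide(cfg, cmd, ENOENT), decide(cfg, cmd, ENODEV));
    return 0;
}
```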


