[Pkg-sysvinit-devel] Bug#628107: initscripts: Needs to set SELinux labels after /run is moved from initramfs

Martin Orr martin at martinorr.name
Fri May 27 10:38:04 UTC 2011 

Package: initscripts
Version: 2.88dsf-13.7
Severity: important
Tags: patch

Now that /run is created in the initramfs, it gets no SELinux label
because SELinux policy is not loaded until init starts.  So it needs to
be relabelled after this and before udev starts.  I attach a patch to do
this in mountkernfs.sh.

We need to use restorecon -r here because existing contents of /run also
need to be relabelled, in particular /run/udev.

I know that mountkernfs.sh is run multiple times.  Redundant calls to
restorecon are usually harmless, except for the time it takes to walk
the directory tree, and for /run that should not be a problem.

Best wishes,
Martin Orr

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initscripts depends on:
ii  coreutils                   8.5-1        GNU core utilities
ii  debianutils                 4            Miscellaneous utilities specific t
ii  libc6                       2.13-4       Embedded GNU C Library: Shared lib
ii  lsb-base                    3.2-27       Linux Standard Base 3.2 init scrip
ii  mount                       2.17.2-9.1   Tools for mounting and manipulatin
ii  sysv-rc                     2.88dsf-13.7 System-V-like runlevel change mech
ii  sysvinit-utils              2.88dsf-13.7 System-V-like utilities

Versions of packages initscripts recommends:
ii  e2fsprogs                     1.41.12-4  ext2/ext3/ext4 file system utiliti
ii  psmisc                        22.13-1    utilities that use the proc file s

initscripts suggests no packages.

-- Configuration Files:
/etc/init.d/mountkernfs.sh changed [not included]

-- no debconf information
-------------- next part --------------
--- debian/src/initscripts/etc/init.d/mountkernfs.sh.orig	2011-05-26 23:03:48.000000000 +0100
+++ debian/src/initscripts/etc/init.d/mountkernfs.sh	2011-05-26 23:03:48.000000000 +0100
@@ -40,6 +40,7 @@
 	fi
 	# TODO: Add -onodev once checkroot no longer creates a device node.
 	domount "$MNTMODE" tmpfs shmfs /run tmpfs "-onosuid$RUNEXEC$RUN_OPT"
+	[ -x /sbin/restorecon ] && /sbin/restorecon -r /run
 	[ -f /run/.ramfs ] || touch /run/.ramfs
 
 	# Make lock directory as the replacement for /var/lock

More information about the Pkg-sysvinit-devel mailing list