[Pkg-sysvinit-devel] Bug#656155: initscripts: SELinux and tmpfs
Arno Schuring
aelschuring at hotmail.com
Thu Feb 9 11:33:52 UTC 2012
Martin Orr (martin at martinorr.name on 2012-02-09 09:39 +0000):
> >
> > avc: denied { mounton } for pid=287 comm="mount"
> > path="/run/lock" dev=tmpfs ino=3033
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
>
> The correct fix is to allow mounting on var_lock_t in policy.
> This makes sense because /var/lock has always been a valid mountpoint,
> even before /run.
The policy allows mounting on top of /run; that should be sufficient as
long as /run/lock is not labeled before it is mounted. I'm certainly no
selinux expert, but I don't see why the mountpoint should be labeled
var_lock_t. I'm happy to defer that decision to the maintainers.
> SELinux contexts should never be hardcoded anywhere outside the
> policy. This goes completely against the architecture of SELinux,
> with even the kernel initial SID being specified by policy.
If you don't mind me asking: how is this achieved? Is part of the
policy included in the initramfs, or are kernel processes relabeled
after loading the policy?
> From a
> practical point of view, it would be far from obvious that you need
> to specify contexts in /etc/default/tmpfs if you use a non-default
> policy (which need not even be based on the refpolicy, so may not
> have types system_r, var_lock_t).
Agreed.
> If you really want to use
> rootcontext, then you should use getfilecon to get the context.
Thanks for that pointer, I'm sure it will be useful in the future.
>
> Your patch also removes the "restorecon -r /run" which is needed to
> fix the unlabelled files in /run coming from the initramfs (see
> #628107).
... unless the same rootcontext is applied from within the initramfs, of
course. Well, that's why it's severity wishlist. The patch was mostly for
illustrative purposes (rfc); it's not a finished work.
Regards,
Arno
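The approach the thread converges on, as an added example that is not part of the bug report, of Arno's patch or of Debian's initscripts: a tmpfs mount whose rootcontext is taken from the loaded policy at run time rather than from a type name hardcoded in /etc/default/tmpfs, followed by the restorecon -R that #628107 needs for the unlabelled files left in /run by the initramfs. Martin suggests getfilecon (the label currently on the mountpoint inode); this script instead uses the libselinux CLI tool matchpathcon -n, which prints the label the loaded policy's file_contexts assigns to the path, so the context still comes from policy and no refpolicy type (var_lock_t, system_r, ...) appears in the script. On a system with no policy loaded, or for a path the policy does not know, the mount proceeds without any rootcontext option. The function names are this example's own, and the mount and restorecon calls need root on an SELinux kernel.

```shell
#!/bin/sh
# Added example, not code from the bug report or from initscripts:
# mount a tmpfs with a rootcontext looked up from the loaded policy,
# then relabel what the initramfs left in the mountpoint.
# Function names (selinux_enabled, policy_context, tmpfs_mount_opts,
# mount_tmpfs) are this example's own.

set -eu

# True when an SELinux policy is loaded. selinuxenabled(8) ships with
# libselinux and exits 0 only when SELinux is enabled.
selinux_enabled() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Ask the loaded policy's file_contexts which label a path should carry.
# matchpathcon -n prints only the context (no path) and fails for paths
# the policy does not cover, in which case no rootcontext is added.
policy_context() {
    matchpathcon -n "$1" 2>/dev/null
}

# Build the -o string for mount: the caller's base options, plus
# rootcontext=... when a policy is loaded and knows the mountpoint.
# Nothing about the policy's type names lives in this script.
tmpfs_mount_opts() {
    mp=$1
    opts=$2
    if selinux_enabled; then
        ctx=$(policy_context "$mp") || ctx=
        if [ -n "$ctx" ]; then
            opts="$opts,rootcontext=$ctx"
        fi
    fi
    printf '%s\n' "$opts"
}

# Mount the tmpfs, then run restorecon so that files already present in
# the mountpoint (e.g. copied there by the initramfs) get policy labels
# instead of staying unlabelled; rootcontext only labels the root inode.
mount_tmpfs() {
    mp=$1
    opts=$(tmpfs_mount_opts "$mp" "${2:-mode=0755}")
    mount -t tmpfs -o "$opts" tmpfs "$mp"
    if selinux_enabled; then
        restorecon -R "$mp"
    fi
}

# Usage (as root, on an SELinux-enabled kernel):
#   mount_tmpfs /run/lock mode=1777
```

Because the label is resolved at boot from whatever policy is loaded, the same script works unchanged under a non-refpolicy-based policy, and when SELinux is disabled it degrades to a plain tmpfs mount rather than failing on an unknown mount option.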