[DSE-Dev] Bug#727305: selinux-basics: initscript fails in relabel_minimal()
Jan Medlock
medlock-debian at turboshower.net
Wed Oct 23 21:56:39 UTC 2013
Package: selinux-basics
Version: 0.5.2
Severity: normal
The selinux-basics init script fails, with little info:
# invoke-rc.d selinux-basics start
[....] Checking SELinux contexts: selinux-basics
invoke-rc.d: initscript selinux-basics, action "start" failed.
I pinned the problem down to the function 'relabel_minimal',
specifically line 45:
/sbin/restorecon -R /dev /etc/mtab 2>/dev/null
The behavior of restorecon is odd here. Running
# /sbin/restorecon -R /dev /etc/mtab ; echo $?
1
gives exit status 1, but running
# /sbin/restorecon -R /dev ; echo $?
0
# /sbin/restorecon -R /etc/mtab ; echo $?
0
# /sbin/restorecon -R /etc/mtab /dev ; echo $?
0
all give exit status 0.
For a while now, /etc/mtab has been a symlink to /proc/mounts, which
I'd guess is a crucial part of the problem since the restorecon man
page says it doesn't operate on symlinks.
Anyway, relabeling /etc/mtab -> /proc/mounts seems to not do anything
on my system. The first run of restorecon after a reboot gives:
# ls -Z /etc/mtab /proc/mounts
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts
# restorecon -R -v /etc/mtab
# ls -Z /etc/mtab /proc/mounts
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts
Attached is a patch that removes the relabeling of /etc/mtab.
Thanks.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-basics depends on:
ii checkpolicy 2.1.12-1
ii policycoreutils 2.1.13-2+b1
pn python:any <none>
ii selinux-utils 2.1.13-3
Versions of packages selinux-basics recommends:
ii selinux-policy-default 2:2.20110726-13
ii setools 3.3.8-1
Versions of packages selinux-basics suggests:
ii logcheck 1.3.15
pn syslog-summary <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initscript_remove_mtab.diff
Type: text/x-diff
Size: 414 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20131023/b870cc2d/attachment.diff>
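A diagnostic helper for the failure described in this report, as an added example that is not part of the original message, the selinux-basics init script or the attached patch: it runs restorecon once per path and keeps stderr, so a non-zero exit status can be attributed to a single argument. The RESTORECON override and the function name relabel_paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not the selinux-basics init script or the attached patch.
# RESTORECON is a hypothetical override so the helper can be exercised with a stub.
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# relabel_paths PATH...
# Calls restorecon once per path, so a non-zero exit is tied to one argument,
# and captures stderr instead of discarding it with 2>/dev/null.
# Prints "OK <path>" or "FAIL(<status>) <path>: <stderr>" per argument;
# symlinks are annotated with their target.
# Returns 0 only if every call succeeded.
relabel_paths() {
    rc=0
    for p in "$@"; do
        note=""
        if [ -L "$p" ]; then
            note=" (symlink -> $(readlink "$p"))"
        fi
        # stderr goes into $err, stdout is dropped
        err=$("$RESTORECON" -R "$p" 2>&1 >/dev/null) && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            echo "OK $p$note"
        else
            echo "FAIL($status) $p$note: $err"
            rc=1
        fi
    done
    return "$rc"
}

# Usage from a root shell, with the paths from the report:
#   relabel_paths /dev /etc/mtab
```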