[DSE-Dev] Bug#796693: selinux-basics: Has init script in runlevel S but no matching service file

Felipe Sateler fsateler at debian.org
Mon Sep 14 12:46:25 UTC 2015


Hi Russell,

On 14 September 2015 at 06:29, Russell Coker <russell at coker.com.au> wrote:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796693
>
> What do you suggest that we do in regard to this bug?  The problem we have is
> that this isn't like your typical service script (most of which start daemons
> etc).  It has more in common with a fsck than any other operation on a non-SE
> system.
>
> For correct operation the script has to relabel all files (if requested) and
> then reboot afterwards.  It should run before any daemons are started as such
> daemons might run with the wrong security context which could prevent them
> from performing their normal functions and/or allow them to access sensitive
> data.


The init script in question is this one[1]. It can be seen there that
it performs either a minimal or a full relabel, depending on either a
file (/.autorelabel) or a kernel command line argument.

I would suggest to create two distinct units. One for the minimal
relabeling that happens at every boot (With proper ConditionSecurity
and any other checks it might need). This unit should probably happen
as early as possible, and order itself Before=local-fs.target, and have
RequireMountsFor=/dev.

For the second unit, I would suggest mimicking the approach of the
system update specification[2]. Create a generator that if the kernel
command line or the relabel file exist, point default.target to
selinux-full-relabel.target in the early directory. This target then
only includes the full relabel unit, which removes the trigger file
and reboots. This unit does not need DefaultDependencies=no, and
should probably be Type=simple so that systemd considers the boot
complete as soon as the command starts (and thus does not lock up when
triggering a reboot).

I could not find what the Fedora people are doing, but they likely
already faced this problem, so it is probably worth checking what they
did.


[1] http://sources.debian.net/src/selinux-basics/0.5.2/debian/selinux-basics.init/
[2] http://freedesktop.org/wiki/Software/systemd/SystemUpdates/


-- 

Saludos,
Felipe Sateler
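The two-unit layout proposed above, written out as an added example; this is not code from the thread, from selinux-basics or from systemd. It assumes hypothetical unit names (selinux-minimal-relabel.service, selinux-full-relabel.target and .service), hypothetical relabel helper scripts under /usr/sbin, and that the full-relabel trigger is either the /.autorelabel file or an "autorelabel" token on the kernel command line (the token spelling is an assumption). The generator follows the SystemUpdates pattern: it receives systemd's three directory arguments and, only when a full relabel was requested, points default.target at the relabel target in the early directory. Note that the mount dependency directive is spelled RequiresMountsFor= in systemd, and that the minimal unit needs DefaultDependencies=no because it orders itself before local-fs.target; the trigger paths are overridable so the generator logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread, selinux-basics or systemd).
# Paths are overridable so the generator can be exercised without root.
SELINUX_TRIGGER_FILE="${SELINUX_TRIGGER_FILE:-/.autorelabel}"
SELINUX_CMDLINE_FILE="${SELINUX_CMDLINE_FILE:-/proc/cmdline}"
# Hypothetical target name; the unit file would live in the system unit dir.
SELINUX_RELABEL_TARGET="/lib/systemd/system/selinux-full-relabel.target"

# Unit for the minimal relabel that runs at every boot. DefaultDependencies=no
# is required: without it the service would implicitly order after basic.target,
# which itself comes after local-fs.target, and systemd would report a cycle.
print_minimal_relabel_unit() {
    cat <<'EOF'
[Unit]
Description=Minimal SELinux relabel of early-boot files (example)
DefaultDependencies=no
ConditionSecurity=selinux
RequiresMountsFor=/dev
Before=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/selinux-relabel-minimal

[Install]
WantedBy=sysinit.target
EOF
}

# Target plus service for the full relabel. The target mirrors
# system-update.target: it pulls in only sysinit and the relabel service,
# so no ordinary daemon starts with stale labels. Type=simple lets systemd
# consider the boot complete once the command starts, so the reboot the
# service triggers is not blocked waiting for the unit to finish.
print_full_relabel_units() {
    cat <<'EOF'
# selinux-full-relabel.target (example)
[Unit]
Description=Full SELinux filesystem relabel, then reboot (example)
Requires=sysinit.target selinux-full-relabel.service
After=sysinit.target selinux-full-relabel.service
AllowIsolate=yes

# selinux-full-relabel.service (example)
[Unit]
Description=Full SELinux relabel (example)
ConditionSecurity=selinux

[Service]
Type=simple
# Hypothetical helper: relabels everything, removes /.autorelabel, reboots.
ExecStart=/usr/sbin/selinux-relabel-full
EOF
}

# Returns 0 when a full relabel was requested by the trigger file or by an
# "autorelabel" token on the kernel command line (token name is an assumption).
full_relabel_requested() {
    [ -f "$SELINUX_TRIGGER_FILE" ] && return 0
    [ -r "$SELINUX_CMDLINE_FILE" ] || return 1
    for tok in $(cat "$SELINUX_CMDLINE_FILE"); do
        case "$tok" in
            autorelabel|autorelabel=1) return 0 ;;
        esac
    done
    return 1
}

# Generator entry point. systemd invokes generators as:
#   generator <normal-dir> <early-dir> <late-dir>
# Only the early dir is used, because default.target must be decided before
# any unit from /etc or /lib is considered.
selinux_relabel_generator() {
    early_dir="$2"
    full_relabel_requested || return 0
    mkdir -p "$early_dir"
    rm -f "$early_dir/default.target"
    ln -s "$SELINUX_RELABEL_TARGET" "$early_dir/default.target"
}

# When installed as a generator, systemd passes exactly three arguments.
if [ $# -eq 3 ]; then
    selinux_relabel_generator "$@"
fi
```

Installed under /lib/systemd/system-generators/, the script is run by systemd very early on every boot; on a normal boot it does nothing, and when the trigger is present the whole boot is redirected to the relabel target, which is exactly the behaviour the SystemUpdates pattern relies on for offline updates.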


