[DSE-Dev] Bug#823184: umount mounts /proc as a side effect
Yuri D'Elia
wavexx at thregr.org
Fri May 13 13:12:22 UTC 2016
On Fri, May 13 2016, Laurent Bigonville <bigon at debian.org> wrote:
> libselinux mounts /proc, checks whether the machine supports SELinux and then
> unmounts it. This is supposed to happen at early boot.
I don't understand what selinux is trying to solve here. It's not the
job of a library to mount filesystems. If you want to ensure that /proc
exists, mount it before.
The lazy unmount performed by selinuxfs_exists and
selinux_init_load_policy is racy.
Processes run in parallel *will* cause /proc to disappear right
between the mount call and the subsequent fopen call, so the code does
not function as upstream intends it to in any case.
> I would be interested to know what this behavior is breaking.
My main issue is within containers and chroots. I have my own
initialization process for these containers, I don't use selinux, but at
some point /proc gets mounted before I expect it to.
Even if the fix is simply the removal of the mountpoint, I consider the
solution broken by design.
> As I said on the other bugreport, please bring this upstream if you want
> this to change.
I'd like to know why, early at boot, this behavior is needed at all,
where it could be handled /without/ races.
For me this represents a regression in *all* binaries linked with
libselinux where selinux is disabled.
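The pattern under discussion is a library that mounts /proc, opens a file under it to look for selinuxfs, and then lazily unmounts; the complaint is the side effect and the window between the mount and the fopen. The block below is an added example written for this page, not libselinux's code: it shows the side-effect-free alternative, a read-only check that reports "cannot tell" when /proc is absent instead of mounting it, so the decision to mount stays with whoever owns early boot or the container init. It assumes the check amounts to scanning /proc/filesystems for a `selinuxfs` entry (the thread does not name the file); the function names and the two sample listings are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/filesystems on a kernel with SELinux built in.
 * Pseudo-filesystems carry a "nodev" prefix, block-backed ones a bare tab.
 * Embedded here so the parser can be exercised without touching the real /proc. */
static const char SAMPLE_WITH_SELINUX[] =
    "nodev\tsysfs\n"
    "nodev\ttmpfs\n"
    "nodev\tproc\n"
    "nodev\tselinuxfs\n"
    "\text4\n";

/* Constructed sample from a kernel without SELinux support. */
static const char SAMPLE_WITHOUT_SELINUX[] =
    "nodev\tsysfs\n"
    "nodev\tproc\n"
    "\text4\n";

/* Return 1 if some line of /proc/filesystems-style text names `fsname`
 * (as "nodev\t<name>" or "\t<name>"), else 0. The name is the field after
 * the last tab and must match exactly, so "selinux" does not match
 * "selinuxfs". */
int filesystems_list_has(const char *text, const char *fsname)
{
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *name = line;
        for (const char *p = line; p < line + len; p++)
            if (*p == '\t')
                name = p + 1;
        size_t namelen = (size_t)(line + len - name);
        if (namelen == strlen(fsname) && memcmp(name, fsname, namelen) == 0)
            return 1;
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Hypothetical replacement for the mount / fopen / lazy-unmount sequence.
 * It only reads and never mounts anything. Returns 1 if selinuxfs is listed,
 * 0 if it is not, and -1 with errno set (ENOENT is the usual sign that /proc
 * is simply not mounted) if /proc/filesystems cannot be read. The caller,
 * not the library, then decides whether mounting /proc is its business. */
int selinuxfs_listed_nomount(void)
{
    char buf[8192];            /* /proc/filesystems is far smaller than this */
    FILE *f = fopen("/proc/filesystems", "r");
    if (!f)
        return -1;             /* errno from fopen is preserved for the caller */
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    int failed = ferror(f);
    int saved = errno;
    fclose(f);
    if (failed) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return filesystems_list_has(buf, "selinuxfs");
}

int main(void)
{
    int r = selinuxfs_listed_nomount();
    if (r < 0)
        printf("cannot read /proc/filesystems: %s (is /proc mounted?)\n",
               strerror(errno));
    else
        printf("selinuxfs is %slisted by the running kernel\n", r ? "" : "not ");
    printf("constructed samples: with=%d without=%d\n",
           filesystems_list_has(SAMPLE_WITH_SELINUX, "selinuxfs"),
           filesystems_list_has(SAMPLE_WITHOUT_SELINUX, "selinuxfs"));
    return 0;
}
```

Run inside a chroot or container where /proc is deliberately not mounted and the function returns -1 with ENOENT rather than mounting /proc behind the init process's back; there is no window in which a concurrent process can observe a /proc that appears and then disappears, because nothing is ever mounted.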