[DSE-Dev] Bug#823184: umount mounts /proc as a side effect

Laurent Bigonville bigon at debian.org
Fri May 13 14:06:57 UTC 2016


On 13/05/16 at 15:12, Yuri D'Elia wrote:
> On Fri, May 13 2016, Laurent Bigonville <bigon at debian.org> wrote:
>> libselinux mounts /proc, checks if the machine supports SELinux and then
>> unmounts it. This is supposed to happen at early boot.
> I don't understand what selinux is trying to solve here. It's not the
> job of a library to mount filesystems. If you want to ensure that /proc
> exists, mount it before.

There are tools that need to know the state of SELinux on the system at
early boot, and these tools could be run before init has mounted proc.

> The lazy unmount performed by selinuxfs_exists and
> selinux_init_load_policy is racy.
>
> Processes, run in parallel, *will* cause /proc to disappear right
> between the mount call and the subsequent fopen call, so the code does
> not function as upstream intends it to in any case.

Again, this is supposed to happen at early boot, and at this stage, only
PID1 exists. So I doubt there are a lot of concurrent processes at that time.

>> I would be interested to know what this behavior is breaking.
> My main issue is within containers and chroots. I have my own
> initialization process for these containers, I don't use selinux, but at
> some point /proc gets mounted before I expect it to.
>
> Even if the fix is simply the removal of the mountpoint, I consider the
> solution broken by design.

What about mounting /proc really early?

In the init of initramfs it's the 14th line in the script... With 
sysvinit, it is done in the 2nd initscript being run. I would expect 
that it's also happening really early with systemd too.

>> As I said on the other bug report, please bring this upstream if you want
>> this to change.
> I'd like to know why, early at boot, this behavior is needed at all,
> where it could be handled /without/ races.

The commit message says:

     libselinux: Mount procfs before checking /proc/filesystems

     In the case where the SELinux security module is not loaded in the
     kernel and it's early enough in the boot process that /proc has not yet
     been mounted, selinuxfs_exists() will incorrectly return 1, and
     selinux_init_load_policy() will print a message like this to the
     console:

     Mount failed for selinuxfs on /sys/fs/selinux:  No such file or directory

     To fix this, mount the procfs before attempting to open
     /proc/filesystems, and unmount it when done if it was initially not
     mounted.  This is the same thing that selinux_init_load_policy() does
     when reading /proc/cmdline.

If you think you know a better way, please provide a patch to upstream.

I'll not carry a patch in Debian and make libselinux behave differently
than on 99% of the other distributions.

> For me this represents a regression in *all* binaries linked with
> libselinux where selinux is disabled.
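
The failure mode in the quoted commit message (an unmounted /proc making the check answer "exists") comes from folding "could not read /proc/filesystems" into a yes/no result. As an added example, not part of the original message and not libselinux code, the C below parses the /proc/filesystems format and reports an unreadable table as a third state; `enum fs_state`, `fs_listed` and `probe_fs` are hypothetical names.

```c
/* Added example: all names here are hypothetical, not libselinux API. */
#include <stdio.h>
#include <string.h>

enum fs_state { FS_UNKNOWN = -1, FS_ABSENT = 0, FS_PRESENT = 1 };

/* Scan a stream in /proc/filesystems format, where each line is
 * "[nodev]\t<fstype>\n". Returns FS_PRESENT on an exact name match. */
enum fs_state fs_listed(FILE *fp, const char *fstype)
{
    char line[256];

    while (fgets(line, sizeof line, fp)) {
        char *name = strchr(line, '\t');   /* name follows the tab */
        if (!name)
            continue;                      /* malformed line, skip it */
        name++;
        name[strcspn(name, "\n")] = '\0';  /* drop trailing newline */
        if (strcmp(name, fstype) == 0)     /* exact match, not a prefix */
            return FS_PRESENT;
    }
    return ferror(fp) ? FS_UNKNOWN : FS_ABSENT;
}

/* Open the table at `path` and look up `fstype`. An unreadable table
 * (for example /proc not mounted yet) yields FS_UNKNOWN instead of a
 * guessed yes/no. Nothing is mounted or unmounted here. */
enum fs_state probe_fs(const char *path, const char *fstype)
{
    FILE *fp = fopen(path, "r");
    enum fs_state st;

    if (!fp)
        return FS_UNKNOWN;
    st = fs_listed(fp, fstype);
    fclose(fp);
    return st;
}

int main(void)
{
    static const char *names[] = { "unknown", "absent", "present" };
    enum fs_state st = probe_fs("/proc/filesystems", "selinuxfs");

    printf("selinuxfs: %s\n", names[st + 1]);
    return 0;
}
```

With the three-way result, the caller decides what FS_UNKNOWN means at its point in boot, and the lookup itself has no mount side effect.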


