[DSE-Dev] Bug#900782: selinux-policy-default: Systemd fails to set context for tmpfs mounts in enforcing mode

Sebastian Hamann debian-bugs at ares-macrotechnology.com
Mon Jun 4 21:06:34 BST 2018


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

Dear Maintainer,

I tried setting up a tmpfs mount on a SELinux enabled system.
My fstab entry looks like this:

tmpfs /tmp rootcontext=system_u:object_r:tmp_t:s0 0 0

When I boot in permissive mode, this works as expected.
However, when I boot in enforcing mode, /tmp is labelled tmpfs_t,
instead of tmp_t.
This affects other mount points than /tmp and other labels than tmp_t as
well. The default tmpfs mount points (/run, ...) do get correct labels
even in enforcing mode.
(Note: In permissive mode systemd sets the correct label for /tmp even
when it is not explicitly specified in /etc/fstab, but this obviously
does not hold for arbitrary mount points.)

I set up a unit that runs "restorecon /tmp" on boot and it successfully
relabels /tmp, so this may not be a permission/policy issue after all.
Also, I do not see any (related) AVC denials in the log.

It does not seem to make a difference (to label or logs) whether Systemd
mounts /tmp on boot or if I trigger it later with
"systemctl restart tmp.mount".
I also tried the classical "mount /tmp" as unconfined root user and
this did set the label correctly. Unlike systemd, mount would also throw
an error when the label was invalid.

I noticed that "systemctl show tmp.mount" does not list rootcontext in
"Options". But it is listed as part of the "ExecMount" command.

I also tried the "context" and "fscontext" mount options to no avail.

I did not test if other filesystems than tmpfs show a similar behaviour.

I am filing this against selinux-policy-default, because my impression
is that it may be a policy issue. But honestly this is just a guess and the
issue may be elsewhere entirely. Systemd would be my next guess.

The issue is easily reproducible for me in a freshly installed VM with
all the defaults plus SELinux.

Please let me know if you need any other information.


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
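The report boils down to one check: does the label on a mounted tmpfs match the *context= option that /etc/fstab asked for? The script below automates that comparison so a mismatch like /tmp coming up as tmpfs_t instead of tmp_t is caught on boot rather than noticed by hand. It is an added example, not part of the bug report or of the Debian policy packages; it assumes a coreutils stat that supports the %C (SELinux context) format, and the sample fstab text used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that each fstab entry which
# requests a SELinux context via rootcontext=/context=/fscontext= actually got
# that type on its mount point. Assumes GNU coreutils 'stat -c %C'.

# Read fstab text on stdin, print "mountpoint context" for every entry that
# carries a *context= mount option. Comments and blank lines are skipped.
# Options normally live in field 4, but every field from the third onward is
# scanned so a line with a missing fstype column still yields its context.
fstab_expected_contexts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 3; i <= NF; i++) {
                n = split($i, opts, ",")
                for (j = 1; j <= n; j++)
                    if (opts[j] ~ /^(rootcontext|context|fscontext)=/) {
                        sub(/^[a-z]+=/, "", opts[j])   # drop the option name
                        gsub(/"/, "", opts[j])         # drop optional quotes
                        print $2, opts[j]
                    }
            }
        }'
}

# Extract the type component (third field) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when two contexts share the same type; the MLS level and user may
# legitimately differ, so only the type is compared.
compare_types() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Compare the label found on a mount point with the context fstab requested.
check_mount() {
    mp=$1
    want=$2
    have=$(stat -c %C "$mp" 2>/dev/null) || have='?'
    if compare_types "$want" "$have"; then
        printf 'OK       %s  %s\n' "$mp" "$have"
        return 0
    fi
    printf 'MISMATCH %s  wanted %s, got %s\n' "$mp" "$want" "$have"
    return 1
}

# Walk the fstab file (default /etc/fstab) and report every mismatch.
main() {
    fail=0
    for pair in $(fstab_expected_contexts < "${1:-/etc/fstab}" | tr ' ' '='); do
        mp=${pair%%=*}
        ctx=${pair#*=}
        check_mount "$mp" "$ctx" || fail=1
    done
    return $fail
}

case "${1:-}" in
    --check) main "${2:-/etc/fstab}" ;;
esac
```

Run it as `sh check-mount-labels.sh --check` (optionally followed by an alternative fstab path); a non-zero exit status means at least one mount point does not carry the requested type, which is exactly the enforcing-mode symptom described above. Only the type field is compared, because the same rootcontext= line is expected to hold whether or not the policy uses MLS levels.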
