Bug 414779

Summary:	init (libselinux) wants to mount on /sys/fs/selinux before /sys is mounted
Product:	Gentoo Linux	Reporter:	Sven Vermeulen (RETIRED) <swift>
Component:	Hardened	Assignee:	Sven Vermeulen (RETIRED) <swift>
Status:	VERIFIED FIXED
Severity:	major	CC:	selinux
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Possible libselinux patch

Description Sven Vermeulen (RETIRED) gentoo-dev

2012-05-05 18:53:40 UTC

When init calls up the necessary SELinux support routines, one of them is to mount the selinuxfs. Since libselinux-2.1.9, the default location is /sys/fs/selinux. However, because /sys is not mounted yet, libselinux falls back to the /selinux location.

Users that boot with an initramfs can probably ignore this bug, as /sys is premounted by the initramfs.

Users that hit this issue are recommended to stick with /selinux (i.e. update your fstab and make sure /selinux exists) until this bug is fixed.

Reproducible: Always

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-05 18:54:54 UTC

Created attachment 310907 [details, diff]
Possible libselinux patch

This patch updates libselinux so that /sys is mounted before selinuxfs is. This shouldn't cause any issues (but code is as of yet untested)

Comment 2 Amadeusz Sławiński 2012-05-06 00:15:46 UTC

Seems to work

# cat /etc/mtab 
rootfs / rootfs rw 0 0
/dev/mapper/root / ext4 rw,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t,seclabel,nosuid,nodev,relatime,mode=755 0 0
rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup_root /sys/fs/cgroup tmpfs rw,rootcontext=system_u:object_r:sysfs_t,seclabel,nosuid,nodev,noexec,relatime,size=10240k,mode=755 0 0
openrc /sys/fs/cgroup/openrc cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
cpu /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0
udev /dev devtmpfs rw,seclabel,nosuid,relatime,size=10240k,nr_inodes=374871,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620 0 0
shm /dev/shm tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext2 rw,noatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0
usbfs /proc/bus/usb usbfs rw,noexec,nosuid,devmode=0664,devgid=85 0 0
# id -Z
staff_u:sysadm_r:sysadm_t
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-06 12:55:38 UTC

Possible fix in hardened-dev. Simple confirmation made, but more testing needed.

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-07 20:14:15 UTC

Tests look okay, but I found that the other change in portage is still needed. Without the (current ~arch version) Portage newly installed packages will not get a proper file context (due to a check).

Hence, the documentation itself is reverted to still require users to include /selinux. i'll follow up when portage is stabilized.

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-13 08:47:47 UTC

In main tree, ~arch'ed

Comment 6 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-20 18:44:07 UTC

Small update, the portage "fix" is not needed anymore. Sandboxing is handled through the profile

Comment 7 Sven Vermeulen (RETIRED) gentoo-dev

2012-07-10 20:07:55 UTC

Stable in portage tree