When init calls up the necessary SELinux support routines, one of them is to mount the selinuxfs. Since libselinux-2.1.9, the default location is /sys/fs/selinux. However, because /sys is not mounted yet, libselinux falls back to the /selinux location. Users that boot with an initramfs can probably ignore this bug, as /sys is premounted by the initramfs. Users that hit this issue are recommended to stick with /selinux (i.e. update your fstab and make sure /selinux exists) until this bug is fixed. Reproducible: Always
Created attachment 310907 [details, diff] Possible libselinux patch This patch updates libselinux so that /sys is mounted before selinuxfs is. This shouldn't cause any issues (but code is as of yet untested)
Seems to work # cat /etc/mtab rootfs / rootfs rw 0 0 /dev/mapper/root / ext4 rw,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0 sysfs /sys sysfs rw,seclabel,relatime 0 0 selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t,seclabel,nosuid,nodev,relatime,mode=755 0 0 rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0 debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0 cgroup_root /sys/fs/cgroup tmpfs rw,rootcontext=system_u:object_r:sysfs_t,seclabel,nosuid,nodev,noexec,relatime,size=10240k,mode=755 0 0 openrc /sys/fs/cgroup/openrc cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0 cpu /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0 udev /dev devtmpfs rw,seclabel,nosuid,relatime,size=10240k,nr_inodes=374871,mode=755 0 0 devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620 0 0 shm /dev/shm tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,nodev,noexec,relatime 0 0 /dev/sda1 /boot ext2 rw,noatime 0 0 binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0 usbfs /proc/bus/usb usbfs rw,noexec,nosuid,devmode=0664,devgid=85 0 0 # id -Z staff_u:sysadm_r:sysadm_t # sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: strict Current mode: permissive Mode from config file: permissive Policy MLS status: disabled Policy deny_unknown status: denied Max kernel policy version: 26
Possible fix in hardened-dev. Simple confirmation made, but more testing needed.
Tests look okay, but I found that the other change in portage is still needed. Without the (current ~arch version) Portage newly installed packages will not get a proper file context (due to a check). Hence, the documentation itself is reverted to still require users to include /selinux. i'll follow up when portage is stabilized.
In main tree, ~arch'ed
Small update, the portage "fix" is not needed anymore. Sandboxing is handled through the profile
Stable in portage tree
