Bug 414779 - init (libselinux) wants to mount on /sys/fs/selinux before /sys is mounted
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal major
Assignee: Sven Vermeulen (RETIRED)
Reported: 2012-05-05 18:53 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-07-10 20:07 UTC (History)

Attachment: Possible libselinux patch (libselinux-2.1.9-mountsys.patch, 957 bytes, patch), 2012-05-05 18:54 UTC, Sven Vermeulen (RETIRED)

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-05 18:53:40 UTC
When init calls up the necessary SELinux support routines, one of them is to mount the selinuxfs. Since libselinux-2.1.9, the default location is /sys/fs/selinux. However, because /sys is not mounted yet, libselinux falls back to the /selinux location.

Users that boot with an initramfs can probably ignore this bug, as /sys is premounted by the initramfs.

Users that hit this issue are recommended to stick with /selinux (i.e. update your fstab and make sure /selinux exists) until this bug is fixed.

Reproducible: Always
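The mount-order problem described above, as an added example that is not part of this bug report or of libselinux: a small C program that reads the mount table, decides whether sysfs has to be brought up on /sys before selinuxfs can land on /sys/fs/selinux, and then performs the mounts in that order, falling back to /selinux only when /sys is genuinely unavailable. The two mount points are the ones named in the report; the parser, the step names and the plan/execute split are this example's own and are not libselinux API. The mount(2) calls only run as root; unprivileged it just prints the plan.

```c
/* Added example (not libselinux code): decide and perform the selinuxfs mount
 * in the order the bug asks for, i.e. sysfs on /sys before selinuxfs.
 * The mount points come from the report; the helper names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

#define SELINUXMNT    "/sys/fs/selinux"   /* default since libselinux 2.1.9 */
#define OLDSELINUXMNT "/selinux"          /* legacy fallback location */

/* Steps init may have to take, combined as a bitmask in execution order. */
enum { STEP_NONE = 0, STEP_MOUNT_SYS = 1, STEP_MOUNT_SELINUXFS = 2 };

/* Return 1 if a /proc/mounts-style table has a mount of type `fstype`
 * exactly at `target` (lines look like "dev mountpoint fstype opts 0 0"). */
int is_mounted(const char *table, const char *target, const char *fstype)
{
    const char *line = table;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], dev[256], mnt[256], type[64];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%255s %255s %63s", dev, mnt, type) == 3 &&
                strcmp(mnt, target) == 0 && strcmp(type, fstype) == 0)
                return 1;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Work out which steps are needed. selinuxfs already mounted at either
 * location means nothing to do; otherwise sysfs must come first whenever
 * /sys is not yet mounted, which is exactly the situation the bug describes. */
int plan_selinuxfs_mount(const char *table)
{
    if (is_mounted(table, SELINUXMNT, "selinuxfs") ||
        is_mounted(table, OLDSELINUXMNT, "selinuxfs"))
        return STEP_NONE;
    int plan = STEP_MOUNT_SELINUXFS;
    if (!is_mounted(table, "/sys", "sysfs"))
        plan |= STEP_MOUNT_SYS;
    return plan;
}

/* Carry out the plan with mount(2); needs root. Returns the path selinuxfs
 * ended up on, or NULL. EBUSY is tolerated: something else mounted it first. */
const char *mount_selinuxfs(int plan)
{
    if (!(plan & STEP_MOUNT_SELINUXFS))
        return NULL;
    int have_sys = 1;
    if (plan & STEP_MOUNT_SYS)
        have_sys = (mount("sysfs", "/sys", "sysfs", 0, NULL) == 0 || errno == EBUSY);
    /* Without sysfs, /sys/fs/selinux does not exist and this mount fails with
     * ENOENT: that is the pre-fix symptom, and the reason for mounting /sys first. */
    if (have_sys &&
        (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, NULL) == 0 || errno == EBUSY))
        return SELINUXMNT;
    if (mount("selinuxfs", OLDSELINUXMNT, "selinuxfs", 0, NULL) == 0 || errno == EBUSY)
        return OLDSELINUXMNT;
    return NULL;
}

int main(void)
{
    static char table[65536];
    FILE *f = fopen("/proc/mounts", "r");
    if (!f) { perror("/proc/mounts"); return 1; }
    size_t n = fread(table, 1, sizeof table - 1, f);
    fclose(f);
    table[n] = '\0';

    int plan = plan_selinuxfs_mount(table);
    printf("plan: %s%s%s\n",
           plan == STEP_NONE ? "selinuxfs already mounted" : "",
           plan & STEP_MOUNT_SYS ? "mount sysfs on /sys; " : "",
           plan & STEP_MOUNT_SELINUXFS ? "mount selinuxfs" : "");
    if (plan != STEP_NONE && geteuid() == 0) {
        const char *where = mount_selinuxfs(plan);
        printf("selinuxfs mounted on: %s\n", where ? where : "(failed)");
    }
    return 0;
}
```

Run it early in init (or from a rescue shell) as root and check the result against `sestatus`, whose "SELinuxfs mount" line should then read /sys/fs/selinux rather than /selinux. Keeping the decision (plan) separate from the privileged mount calls is deliberate: the decision can be tested against a captured mount table without root, and the only untestable part is the thin wrapper around mount(2).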
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-05 18:54:54 UTC
Created attachment 310907
Possible libselinux patch

This patch updates libselinux so that /sys is mounted before selinuxfs is. This shouldn't cause any issues (but code is as of yet untested)
Comment 2 Amadeusz Sławiński 2012-05-06 00:15:46 UTC
Seems to work

# cat /etc/mtab 
rootfs / rootfs rw 0 0
/dev/mapper/root / ext4 rw,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t,seclabel,nosuid,nodev,relatime,mode=755 0 0
rc-svcdir /lib64/rc/init.d tmpfs rw,rootcontext=system_u:object_r:initrc_state_t,seclabel,nosuid,nodev,noexec,relatime,size=1024k,mode=755 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup_root /sys/fs/cgroup tmpfs rw,rootcontext=system_u:object_r:sysfs_t,seclabel,nosuid,nodev,noexec,relatime,size=10240k,mode=755 0 0
openrc /sys/fs/cgroup/openrc cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/,name=openrc 0 0
cpu /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0
udev /dev devtmpfs rw,seclabel,nosuid,relatime,size=10240k,nr_inodes=374871,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620 0 0
shm /dev/shm tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext2 rw,noatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,noexec,nosuid,nodev 0 0
usbfs /proc/bus/usb usbfs rw,noexec,nosuid,devmode=0664,devgid=85 0 0
# id -Z
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-06 12:55:38 UTC
Possible fix in hardened-dev. Simple confirmation made, but more testing needed.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-07 20:14:15 UTC
Tests look okay, but I found that the other change in portage is still needed. Without the (current ~arch version of) Portage, newly installed packages will not get a proper file context (due to a check).

Hence, the documentation itself is reverted to still require users to include /selinux. I'll follow up when portage is stabilized.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-13 08:47:47 UTC
In main tree, ~arch'ed
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-20 18:44:07 UTC
Small update, the portage "fix" is not needed anymore. Sandboxing is handled through the profile
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-10 20:07:55 UTC
Stable in portage tree