Bug 508390 - [systemd] SELinux' requirement for /run being mounted with var_run_t gives remount failure
Status: RESOLVED CANTFIX
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: Other documents
Hardware: All Linux
Importance: Low minor
Assignee: SE Linux Bugs
URL: http://www.gentoo.org/proj/en/hardene...
Whiteboard:
Keywords:
Depends on:
Blocks: 528674
Reported: 2014-04-22 10:21 UTC by Javier
Modified: 2015-05-31 15:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Javier 2014-04-22 10:21:27 UTC
In the Hardened guide (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1) it says that we have to add these lines to /etc/fstab:

tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

*These lines are for the strict or targeted policy, but I think that the same error occurs with the other ones.

This makes systemd-remount-fs fail during boot.

$ sudo journalctl -b 1 -u systemd-remount-fs.service 
Password: 
-- Logs begin at Sat 2014-04-19 02:17:27 CEST, end at Tue 2014-04-22 11:51:35 CEST. --
Apr 19 02:17:28 localhost systemd[1]: Starting Remount Root and Kernel File Systems...
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: mount: /run not mounted or bad option
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: In some cases useful info is found in syslog - t
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: dmesg | tail or so
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: /bin/mount for /run exited with exit status 32.
Apr 19 02:17:28 localhost systemd[1]: systemd-remount-fs.service: main process exited, code=exited, 
Apr 19 02:17:28 localhost systemd[1]: Failed to start Remount Root and Kernel File Systems.
Apr 19 02:17:28 localhost systemd[1]: Unit systemd-remount-fs.service entered failed state.
lines 1-9/9 (END)

Commenting out the /run line in /etc/fstab makes systemd-remount-fs load without any problem, and /run seems to have the context as well as the permissions set correctly:

$ stat /run
  File: ‘/run’
  Size: 420       	Blocks: 0          IO Block: 4096   directory
Device: fh/15d	Inode: 1188        Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_run_t
Access: 2014-04-22 11:36:51.118278482 +0200
Modify: 2014-04-22 11:38:53.970274852 +0200
Change: 2014-04-22 11:38:53.970274852 +0200
 Birth: -

$ mount | grep /run
none on /run type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)

However, I don't know for sure whether the documentation needs to be updated or whether it is a bug in the systemd-remount-fs unit.
Comment 1 Javier 2014-04-23 18:19:54 UTC
Using OpenRC gives problems if this line:
tmpfs  /run   tmpfs	mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
is added to /etc/fstab

From /var/log/rc.log

mkdir: cannot create directory ‘/sys/fs/cgroup/openrc’: File exists
mount: openrc is already mounted or /sys/fs/cgroup/openrc busy
       openrc is already mounted on /sys/fs/cgroup/openrc
mkdir: cannot create directory ‘/sys/fs/cgroup/cpuset’: File exists
mount: cpuset is already mounted or /sys/fs/cgroup/cpuset busy
       cpuset is already mounted on /sys/fs/cgroup/cpuset
mkdir: cannot create directory ‘/sys/fs/cgroup/cpu’: File exists
mount: cpu is already mounted or /sys/fs/cgroup/cpu busy
       cpu is already mounted on /sys/fs/cgroup/cpu
mkdir: cannot create directory ‘/sys/fs/cgroup/cpuacct’: File exists
mount: cpuacct is already mounted or /sys/fs/cgroup/cpuacct busy
       cpuacct is already mounted on /sys/fs/cgroup/cpuacct
mkdir: cannot create directory ‘/sys/fs/cgroup/freezer’: File exists
mount: freezer is already mounted or /sys/fs/cgroup/freezer busy
       freezer is already mounted on /sys/fs/cgroup/freezer
 * ERROR: sysfs failed to start
 * setting up tmpfiles.d entries for /dev ...
 [ ok ]
 * Using /dev mounted from kernel ...
 [ ok ]
 * ERROR: cannot start udev as sysfs would not start

However, if the line is not added to /etc/fstab, then the SELinux context is not set properly:

$ stat run
  File: ‘/run’
  Size: 340             Blocks: 0          IO Block: 4096   directory
Device: fh/15d  Inode: 9247        Links: 12
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmpfs_t
Access: 2014-04-23 19:53:48.393353691 +0200
Modify: 2014-04-23 19:54:04.323999901 +0200
Change: 2014-04-23 19:54:04.323999901 +0200
 Birth: -
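An added check, not from the bug report or from Gentoo's handbook, that works through the situation in the description and in comment 1: it assumes the systemd-remount-fs failure comes from /run already being mounted before fstab is processed (SELinux mount options such as rootcontext= cannot be changed on a remount), and it takes the fstab line, the /proc/mounts snapshot and the stat listing as strings so it runs offline. All function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: decide, offline, whether an
# /etc/fstab tmpfs entry carrying rootcontext= will be applied at first
# mount or will collide with a mount point the init system mounted before
# fstab was read. Inputs are plain strings, so no SELinux is needed to run it.

# Print the rootcontext= value from an fstab line's options field, if any.
fstab_rootcontext() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^rootcontext=/) { sub(/^rootcontext=/, "", o[i]); print o[i] }
    }'
}

# Succeed if the fstab line's mount point already appears in the
# /proc/mounts snapshot passed as $2.
already_mounted() {
    mp=$(printf '%s\n' "$1" | awk '{ print $2 }')
    printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { f = 1 } END { exit (f ? 0 : 1) }'
}

# Classify an fstab entry against a mounts snapshot:
#   no-context  no rootcontext=; the directory keeps the filesystem default
#               (tmpfs_t, as in the stat output of comment 1)
#   remount     mount point already mounted; SELinux mount options cannot be
#               changed on remount, so a remount pass over fstab fails with a
#               bad-option error, consistent with the systemd-remount-fs log
#   ok          not mounted yet; rootcontext= is applied when it is mounted
check_entry() {
    ctx=$(fstab_rootcontext "$1")
    if [ -z "$ctx" ]; then echo no-context
    elif already_mounted "$1" "$2"; then echo remount
    else echo ok
    fi
}

# Pull the SELinux type (third field) out of the "Context:" line of a
# stat listing, to compare the requested type with the one actually set.
stat_type() {
    printf '%s\n' "$1" | awk '$1 == "Context:" { split($2, c, ":"); print c[3] }'
}

# Constructed sample input mirroring the shapes shown in the bug report.
FSTAB_RUN='tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0'
MOUNTS_BOOTED='rootfs / rootfs rw 0 0
none /run tmpfs rw,nosuid,nodev,relatime,seclabel,mode=755 0 0'
STAT_NO_LINE='  File: /run
Context: system_u:object_r:tmpfs_t'
```

On a live system the same functions take `cat /proc/mounts`, a line from `/etc/fstab` and `stat /run` as their inputs.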
Comment 2 Javier 2014-04-23 18:21:23 UTC
And here is my emerge --info in case someone finds it useful:

$ emerge --info
Portage 2.2.8-r1 (hardened/linux/amd64/selinux, gcc-4.7.3, glibc-2.17, 3.13.6-hardened-r3 x86_64)
=================================================================
System uname: Linux-3.13.6-hardened-r3-x86_64-Intel-R-_Core-TM-_i5-2450M_CPU_@_2.50GHz-with-gentoo-2.2
KiB Mem:     8024136 total,   7067980 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Wed, 23 Apr 2014 13:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.3.3
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-02 18:20:18 UTC
The line is definitely needed on openrc systems. The errors you displayed seem to be related to the cgroup or sysfs stuff, although I don't have these problems on my system.

For systemd, there's little I can do at the moment. SELinux support with systemd is still absent, and the effort to upstream the SELinux support of systemd by Fedora to refpolicy (which is the upstream project for SELinux policies) is still in its infancy due to different approaches and unclear results...
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-23 11:49:18 UTC
The tmpfiles issues should have been resolved in openrc-0.13.1 and higher (as we now also include tmpfiles policy support).
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 17:20:53 UTC
Right now we don't have any SELinux policy to go on for systemd. Work is on the way for it, and once it is in refpolicy we will pull it in and can then start working on systemd support in Gentoo with SELinux.

Assigning to tracker 528674 so that, once it is available, we know what bugs to look into as well. Marking as CANTFIX for now.