In the Hardened guide (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1) it says that we have to add these lines to /etc/fstab:

tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

*These lines are for the strict or targeted policy, but I think that the same error occurs with the other ones.

This makes systemd-remount-fs fail during boot.

$ sudo journalctl -b 1 -u systemd-remount-fs.service
Password:
-- Logs begin at Sat 2014-04-19 02:17:27 CEST, end at Tue 2014-04-22 11:51:35 CEST. --
Apr 19 02:17:28 localhost systemd[1]: Starting Remount Root and Kernel File Systems...
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: mount: /run not mounted or bad option
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: In some cases useful info is found in syslog - t
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: dmesg | tail or so
Apr 19 02:17:28 localhost systemd-remount-fs[3604]: /bin/mount for /run exited with exit status 32.
Apr 19 02:17:28 localhost systemd[1]: systemd-remount-fs.service: main process exited, code=exited,
Apr 19 02:17:28 localhost systemd[1]: Failed to start Remount Root and Kernel File Systems.
Apr 19 02:17:28 localhost systemd[1]: Unit systemd-remount-fs.service entered failed state.
lines 1-9/9 (END)

Commenting out the /run line in /etc/fstab makes systemd-remount-fs load without any problem, and /run seems to have the context as well as the permissions set correctly:

$ stat /run
  File: ‘/run’
  Size: 420        Blocks: 0          IO Block: 4096   directory
Device: fh/15d     Inode: 1188        Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_run_t
Access: 2014-04-22 11:36:51.118278482 +0200
Modify: 2014-04-22 11:38:53.970274852 +0200
Change: 2014-04-22 11:38:53.970274852 +0200
 Birth: -

$ mount | grep /run
none on /run type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)

However, I don't know for sure whether it is the documentation that needs to be updated or whether it is a bug in the systemd-remount-fs unit.
Using OpenRC gives problems if this line:

tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

is added to /etc/fstab. From /var/log/rc.log:

mkdir: cannot create directory ‘/sys/fs/cgroup/openrc’: File exists
mount: openrc is already mounted or /sys/fs/cgroup/openrc busy
       openrc is already mounted on /sys/fs/cgroup/openrc
mkdir: cannot create directory ‘/sys/fs/cgroup/cpuset’: File exists
mount: cpuset is already mounted or /sys/fs/cgroup/cpuset busy
       cpuset is already mounted on /sys/fs/cgroup/cpuset
mkdir: cannot create directory ‘/sys/fs/cgroup/cpu’: File exists
mount: cpu is already mounted or /sys/fs/cgroup/cpu busy
       cpu is already mounted on /sys/fs/cgroup/cpu
mkdir: cannot create directory ‘/sys/fs/cgroup/cpuacct’: File exists
mount: cpuacct is already mounted or /sys/fs/cgroup/cpuacct busy
       cpuacct is already mounted on /sys/fs/cgroup/cpuacct
mkdir: cannot create directory ‘/sys/fs/cgroup/freezer’: File exists
mount: freezer is already mounted or /sys/fs/cgroup/freezer busy
       freezer is already mounted on /sys/fs/cgroup/freezer
 * ERROR: sysfs failed to start
 * setting up tmpfiles.d entries for /dev ... [ ok ]
 * Using /dev mounted from kernel ... [ ok ]
 * ERROR: cannot start udev as sysfs would not start

However, if the line is not added to /etc/fstab, then the SELinux context is not set properly:

$ stat run
  File: ‘/run’
  Size: 340        Blocks: 0          IO Block: 4096   directory
Device: fh/15d     Inode: 9247        Links: 12
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmpfs_t
Access: 2014-04-23 19:53:48.393353691 +0200
Modify: 2014-04-23 19:54:04.323999901 +0200
Change: 2014-04-23 19:54:04.323999901 +0200
 Birth: -
And here is my emerge --info in case someone finds it useful:

$ emerge --info
Portage 2.2.8-r1 (hardened/linux/amd64/selinux, gcc-4.7.3, glibc-2.17, 3.13.6-hardened-r3 x86_64)
=================================================================
System uname: Linux-3.13.6-hardened-r3-x86_64-Intel-R-_Core-TM-_i5-2450M_CPU_@_2.50GHz-with-gentoo-2.2
KiB Mem:     8024136 total,   7067980 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Wed, 23 Apr 2014 13:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.3.3
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://mirrors.linuxant.fr/distfiles.gentoo.org/ http://mirrors.linuxant.fr/distfiles.gentoo.org/ ftp://mirror.ovh.net/gentoo-distfiles/ http://mirror.ovh.net/gentoo-distfiles/ http://mirror.netcologne.de/gentoo/ rsync://mirror.netcologne.de/gentoo/ ftp://mirror.netcologne.de/gentoo/ rsync://mirror.opteamax.de/gentoo/ http://mirror.opteamax.de/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo-euetib.upc.es/mirror/gentoo/ ftp://mirror.mcs.anl.gov/pub/gentoo/ http://mirror.mcs.anl.gov/pub/gentoo/ rsync://mirror.mcs.anl.gov/gentoo/ rsync://rsync.gtlib.gatech.edu/gentoo http://www.gtlib.gatech.edu/pub/gentoo ftp://ftp.gtlib.gatech.edu/pub/gentoo http://lug.mtu.edu/gentoo/ ftp://lug.mtu.edu/gentoo/ ftp://gentoo.llarian.net/pub/gentoo http://gentoo.llarian.net/ http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X acpi aes aes-ni amd64 apm autoipd avahi avx bash-completion berkdb bindist bzip2 cairo cdda cli cracklib crypt cryptsetup cups curl cxx dbus dri dvd dvdr gbm gdbm gnome gnome-keyring gstreamer gtk gtk3 gudev hardened iconv icu ipv6 jpeg justify libcaca mmx modules mozilla mpeg multilib ncurses nls nptl nvidia ogg open_perms opengl openmp pam pax_kernel pcre png policykit pulseaudio python readline selinux session socks5 sse sse2 sse4 sse4_1 sse4_2 ssl ssse3 systemd tcpd theora threads udev udisks unconfined unicode urandom vala wayland wifi x264 xtpax xvmc zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CURL_SSL="nss"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="nouveau intel i965"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
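The report's two checks (the `mount | grep /run` options and the `Context:` field of `stat`) are exactly what an admin should verify after changing these fstab lines, since a failed or skipped remount silently leaves /run or /tmp without noexec/nosuid or with the generic tmpfs_t label. The POSIX shell script below is an added example, not part of the bug report or of Gentoo's tooling: it parses `mount` output and fstab text to report missing mount options and mismatches between the configured rootcontext= and the label actually on the directory. The sample mount and fstab text is constructed for the example; with no sample argument the functions read the live `mount` and `stat -c %C` output instead.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that /tmp and /run carry the
# mount options and the SELinux root context the Hardened guide's fstab lines
# ask for, instead of assuming the fstab entry was applied at boot.

# Constructed `mount` output in the same format as the report's `mount | grep /run`.
SAMPLE_MOUNTS='none on /run type tmpfs (rw,nosuid,nodev,relatime,seclabel,mode=755)
tmpfs on /tmp type tmpfs (rw,relatime,seclabel)'

# Constructed fstab text: the two lines from the guide plus a comment to be skipped.
SAMPLE_FSTAB='# hardened tmpfs entries
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0'

# mount_opts MOUNTPOINT [MOUNT_OUTPUT]
# Prints the comma-separated option list for MOUNTPOINT taken from `mount`
# output (defaults to the live output). Returns 1 if the mountpoint is absent.
mount_opts() {
  mp=$1
  data=${2:-$(mount)}
  line=$(printf '%s\n' "$data" | awk -v mp="$mp" '$3 == mp { print; exit }')
  [ -n "$line" ] || return 1
  printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# check_mount_opts MOUNTPOINT REQUIRED_OPTS [MOUNT_OUTPUT]
# REQUIRED_OPTS is comma-separated, e.g. "noexec,nosuid,seclabel".
# Prints "<mp>: ok" or "<mp>: missing <opts>"; returns 0 only when all are present.
check_mount_opts() {
  mp=$1
  required=$2
  opts=$(mount_opts "$mp" "${3:-}") || { echo "$mp: not mounted"; return 2; }
  missing=""
  for o in $(printf '%s' "$required" | tr ',' ' '); do
    case ",$opts," in
      *",$o,"*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "$mp: missing$missing"
    return 1
  fi
  echo "$mp: ok"
}

# fstab_rootcontext MOUNTPOINT FSTAB_TEXT
# Prints the rootcontext= value configured for MOUNTPOINT (empty if none);
# comment lines are ignored.
fstab_rootcontext() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    $1 !~ /^#/ && $2 == mp {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (o[i] ~ /^rootcontext=/) { sub(/^rootcontext=/, "", o[i]); print o[i]; exit }
    }'
}

# check_context MOUNTPOINT FSTAB_TEXT [ACTUAL_CONTEXT]
# Compares the configured rootcontext with the label actually on the directory
# (defaults to `stat -c %C`, the "Context:" field shown in the report).
check_context() {
  want=$(fstab_rootcontext "$1" "$2")
  have=${3:-$(stat -c %C "$1")}
  if [ "$want" = "$have" ]; then
    echo "$1: context ok ($have)"
    return 0
  fi
  echo "$1: context mismatch: fstab=$want actual=$have"
  return 1
}

# Stand-alone run against the constructed data (the real system would be
# checked with e.g. `check_mount_opts /tmp noexec,nosuid,seclabel`).
check_mount_opts /run nosuid,nodev,seclabel "$SAMPLE_MOUNTS"
check_mount_opts /tmp noexec,nosuid,seclabel "$SAMPLE_MOUNTS" || true
check_context /run "$SAMPLE_FSTAB" system_u:object_r:var_run_t
check_context /run "$SAMPLE_FSTAB" system_u:object_r:tmpfs_t || true
```

On the reporter's systemd box the first check passes for /run (nosuid, nodev and seclabel are all present) while the context check passes only because /run was labelled var_run_t without the fstab line; on the OpenRC box without the line, the same check flags tmpfs_t against the configured var_run_t, which is the situation the second `stat` in the report shows.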
The line is definitely needed on OpenRC systems. The errors you displayed seem to be related to the cgroup or sysfs stuff, although I don't have these problems on my system. For systemd, there's little I can do at the moment. SELinux support with systemd is still absent, and the efforts to upstream the SELinux support of systemd by Fedora to refpolicy (which is the upstream project for SELinux policies) are still in their infancy due to different approaches and unclear results...
The tmpfiles issues should have been resolved in openrc-0.13.1 and higher (as we now also include tmpfiles policy support).
Right now we don't have any SELinux policy to go on for systemd. Work is under way for it, and once it is in refpolicy we will pull it in and can then start working on systemd support in Gentoo with SELinux. Assigning to tracker 528674 so that, once it is available, we know what bugs to look into as well. Marking as CANTFIX for now.