Bug#734454: Please mount selinuxfs to /sys/fs/selinux

[Laurent Bigonville]

Package: pbuilder
Version: 0.215
Severity: normal

Hello,

Since Wheezy, the selinuxfs mountpoint is mounted under /sys/fs/selinux
and not under /selinux anymore. Since jessie, the /selinux mountpoint
is even completely gone.

I'm seeing in the code that pbuilder is unconditionally mounting the
selinuxfs on /selinux directory. You should probably start mounting it
to /sys/fs/selinux.

Note that only the selinux userspace of Wheezy and later is
supporting /sys/fs/selinux. So if you want to support pre-wheezy, some
hack will be required to mount it in /selinux.

On the host, the location where the selinuxfs is mounted can be found
by looking at /proc/mount.

Also according to this discussion[0][1], the proper way to mount a
selinuxfs in a chroot is to bind mount it from the host, not mount a new
fs.

This mountpoint should also be read-only to make the userspace think
that selinux linux is disabled in the chroot. Otherwise, dpkg (and
other selinux-aware tools) might fail, see #734193.

The proper commands, would then be:

mount --bind /sys/fs/selinux /var/chroot/sys/fs/selinux
mount -o remount,ro,bind /var/chroot/sys/fs/selinux

If you have any questions, do not hesitate to contact me.

Cheers

Laurent Bigonville

[0] http://comments.gmane.org/gmane.comp.security.selinux/15349
[1] http://permalink.gmane.org/gmane.comp.security.selinux/15870