[Pkg-sysvinit-devel] Bug#656155: initscripts: SELinux and tmpfs

Martin Orr martin at martinorr.name
Thu Feb 9 09:39:46 UTC 2012


On Tue, Jan 17, 2012 at 12:06:16AM +0100, Arno wrote:
> Package: initscripts
> Version: 2.88dsf-18
> Severity: wishlist
> Tags: patch
> 
> This actually started out as a real bug, then I got carried away ;)
> 
> So, bug report first:
> mountkernfs.sh restores the context for /run/lock before mounting it as a
> separate filesystem. This doesn't go down well with selinux policy, because
> we're not supposed to mount on top of var_lock_t:
> 
> avc:  denied  { mounton } for  pid=287 comm="mount" path="/run/lock" dev=tmpfs ino=3033 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

The correct fix is to allow mounting on var_lock_t in policy.
This makes sense because /var/lock has always been a valid mountpoint,
even before /run.

> Wishlist item next:
> The solution I'm using tends to be a bit broader than just moving the
> restorecon invocation below the mount: the selinux context for a tmpfs
> mount can be set with -o rootcontext. Since there already is a facility
> for setting tmpfs mount options, I decided to use it.
> 
> Current implementation does not make the contexts configurable. Doing so
> would be analogous to _SIZE and _MODE, but I don't see the benefit; the
> selinux contexts are part of the base policy and I don't see a good reason
> to allow deviating from it. According to that same policy, /run/shm has
> type tmpfs_t which is the default, so no explicit rootcontext is required.

SELinux contexts should never be hardcoded anywhere outside the policy.
This goes completely against the architecture of SELinux, with even the
kernel initial SID being specified by policy.  From a practical point of
view, it would be far from obvious that you need to specify contexts in
/etc/default/tmpfs if you use a non-default policy (which need not even
be based on the refpolicy, so may not have types system_r, var_lock_t).
If you really want to use rootcontext, then you should use getfilecon to
get the context.

Your patch also removes the "restorecon -r /run" which is needed to fix
the unlabelled files in /run coming from the initramfs (see #628107).

Regards,
Martin Orr
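As an added illustration of the alternative Martin points at (asking the running policy for the context instead of hardcoding it), and not code from the initscripts package or from either poster: a POSIX shell fragment that derives a `rootcontext=` option from `getfilecon` at mount time, mounts the tmpfs, and only then runs `restorecon` on it. It assumes the `getfilecon` and `selinuxenabled` utilities from libselinux are installed when SELinux is enabled; the mountpoints and option strings are constructed sample values.

```shell
#!/bin/sh
# Added example, not initscripts code: build the tmpfs rootcontext= option
# from what the policy already assigns the mountpoint, never from a literal.

# Print the SELinux context of an existing directory, or nothing when
# SELinux is disabled, the tools are missing, or the query fails.  An empty
# result means "add no rootcontext", so the script stays policy-agnostic.
context_of() {
    dir=$1
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    command -v getfilecon >/dev/null 2>&1 || return 0
    getfilecon "$dir" 2>/dev/null | cut -f2
}

# Append rootcontext=<ctx> to a tmpfs option string such as the ones taken
# from /etc/default/tmpfs (assumed format: comma-separated mount options).
tmpfs_opts_with_context() {
    opts=$1
    ctx=$2
    if [ -z "$ctx" ]; then
        printf '%s\n' "$opts"
    elif [ -z "$opts" ]; then
        printf 'rootcontext=%s\n' "$ctx"
    else
        printf '%s,rootcontext=%s\n' "$opts" "$ctx"
    fi
}

# Mount a tmpfs on $1 with base options $2.  The root inode is labelled by
# the kernel from rootcontext=, and restorecon runs after the mount (the
# ordering the bug report complains about), so no file is relabelled and
# then hidden under a new filesystem.
mount_labelled_tmpfs() {
    mnt=$1
    opts=$(tmpfs_opts_with_context "$2" "$(context_of "$mnt")")
    mount -t tmpfs -o "$opts" tmpfs "$mnt" || return 1
    command -v restorecon >/dev/null 2>&1 && restorecon -R "$mnt"
    return 0
}
```

On a host without SELinux `context_of` prints nothing and the mount proceeds with the unchanged options, which is the behaviour a distribution init script needs.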
