[Pkg-sysvinit-devel] Bug#656155: initscripts: SELinux and tmpfs

Arno aelschuring at hotmail.com
Mon Jan 16 23:06:16 UTC 2012


Package: initscripts
Version: 2.88dsf-18
Severity: wishlist
Tags: patch

This actually started out as a real bug, then I got carried away ;)

So, bug report first:
mountkernfs.sh restores the context for /run/lock before mounting it as a
separate filesystem. This doesn't go down well with selinux policy, because
we're not supposed to mount on top of var_lock_t:

avc:  denied  { mounton } for  pid=287 comm="mount" path="/run/lock" dev=tmpfs ino=3033 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir


Wishlist item next:
The solution I'm using tends to be a bit broader than just moving the
restorecon invocation below the mount: the selinux context for a tmpfs
mount can be set with -o rootcontext. Since there already is a facility
for setting tmpfs mount options, I decided to use it.

Current implementation does not make the contexts configurable. Doing so
would be analogous to _SIZE and _MODE, but I don't see the benefit; the
selinux contexts are part of the base policy and I don't see a good reason
to allow deviating from it. According to that same policy, /run/shm has
type tmpfs_t which is the default, so no explicit rootcontext is required.

Tested on both selinux and non-selinux systems, the rootcontext appears to
be happily ignored on a non-selinux kernel.


Regards,
Arno

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (900, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initscripts depends on:
ii  coreutils       8.13-3
ii  debianutils     4.1
ii  libc6           2.13-24
ii  lsb-base        3.2-28
ii  mount           2.19.1-5
ii  sysv-rc         2.88dsf-18
ii  sysvinit-utils  2.88dsf-18

Versions of packages initscripts recommends:
ii  e2fsprogs  1.42-1
ii  psmisc     22.13-1

initscripts suggests no packages.

-- Configuration Files:
/etc/init.d/mountkernfs.sh changed [not included]

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-tmpfs.patch
Type: text/x-diff
Size: 3862 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-sysvinit-devel/attachments/20120117/958462a0/attachment-0001.patch>
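As an added example, not the reporter's patch or initscripts' own code: a POSIX sh sketch of the approach described in the report, building the tmpfs option string with a fixed rootcontext for /run/lock (so the mount is created as var_lock_t instead of restorecon running before the mount is placed on top of it) and checking a /proc/mounts listing for that context. The function names and the sample mount lines are constructed for this example.

```sh
#!/bin/sh
# Added example, not initscripts code. Context taken from the report.
LOCK_CONTEXT="system_u:object_r:var_lock_t:s0"

# tmpfs_opts MOUNTPOINT SIZE MODE: print the mount -o string.
# rootcontext is added only for /run/lock; /run/shm gets the tmpfs default
# (tmpfs_t). A non-SELinux kernel ignores the option, so no conditional.
tmpfs_opts() {
    mp=$1 size=$2 mode=$3
    opts="nosuid,nodev,noexec,mode=$mode"
    [ -n "$size" ] && opts="$opts,size=$size"
    case $mp in
        /run/lock) opts="$opts,rootcontext=$LOCK_CONTEXT" ;;
    esac
    printf '%s\n' "$opts"
}

# mount_rootcontext OPTS: extract rootcontext from a /proc/mounts option
# field, or print "none". SELinux shows the value double-quoted there,
# so both quoted and bare forms are accepted.
mount_rootcontext() {
    ctx=$(printf '%s\n' "$1" |
          sed -n 's/.*rootcontext="\{0,1\}\([^",[:space:]]*\)"\{0,1\}.*/\1/p')
    printf '%s\n' "${ctx:-none}"
}

# check_lock_mount: read /proc/mounts lines on stdin; succeed only when
# /run/lock is a tmpfs whose rootcontext is var_lock_t.
check_lock_mount() {
    while read -r dev mp fstype opts rest; do
        [ "$mp" = /run/lock ] && [ "$fstype" = tmpfs ] || continue
        [ "$(mount_rootcontext "$opts")" = "$LOCK_CONTEXT" ] && return 0
    done
    return 1
}

# Constructed /proc/mounts samples (not captured from a real system).
SAMPLE_AFTER='tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101436k,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,rootcontext="system_u:object_r:var_lock_t:s0" 0 0
tmpfs /run/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=1024k 0 0'
SAMPLE_BEFORE='tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0'

run_checks() {
    printf '%s\n' "$SAMPLE_AFTER" | check_lock_mount || return 1
    if printf '%s\n' "$SAMPLE_BEFORE" | check_lock_mount; then return 1; fi
    return 0
}
```

On a live system, `check_lock_mount < /proc/mounts` performs the same check against the real mount table.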
