On Thu, Mar 06, 2014 at 12:40:21AM +1100, wraeth wrote:
> * Rebuild util-linux *
>   mount, provided by util-linux, does not have the functionality
> required by SELinux when coming from a non-hardened stage.  In order to
> get this installed (without bricking anything) I had to:
> 
> emerge -1 libselinux (this will also pull in libsepol)
> emerge -1O util-linux (-O required to prevent pols being pulled in)
> 
> This should happen just prior to the first reboot (and any initrds
> should be rebuilt to include the new mount binary, I guess).

Wouldn't the package (util-linux) be rebuilt anyway? It uses USE=selinux so
the "emerge -uDN world" should rebuild it (with libselinux bindings).

> * Select policy type *
>   This is more of a note on the documentation (I know it's out of date,
> (or at least so the wiki says) but for reference nonetheless). 

Where on the wiki does it say that? The SELinux handbook is not out of
date. It had an issue if you use 'targeted' as you rightly said, but that's a
bug, not due to potentially being outdated. And not having it registered as
a bug on bugs.gentoo.org made it so it took a while before it got properly
noticed (I can read mailing lists from work, but when I can do a bit of
Gentoo development I check the bug list and forget that there were things
mentioned on the mailing list).

> I'm
> taking the easy road in and have selected the 'targeted' policy type for
> now.  Because of this, running ``emerge -uDN @world`` prior to setting
> the policy type in /etc/selinux/config causes emerge to attempt to set
> the wrong policy, and fail the ebuild.  This is in reference to code
> listings 2.3 and 2.6 of the SELinux handbook.

Indeed; I've moved the editing of /etc/selinux/config prior to the 'emerge
-uDN world' step.

> Other than that, everything has gone smoothly except for one thing:
> during boot, I'm getting:
> systemd-remount-fs[733]: mount: /run not mounted or bad option
> 
> That being said, once booted, /run *is* mounted with:
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
> 
> The relevant line in fstab is:
> tmpfs /run tmpfs mode=0755,nosuid,nodev,context=system_u:object_r:var_run_t 0 0
> 
> I'm not sure why this is (current thinking is perhaps a symptom of the
> docs being outdated) and the system seems stable for the moment.

Can you check your dmesg or logs? I don't know systemd-remount-fs but
perhaps it's because /run is already mounted and thus it cannot mount it
(without being smart enough to use "-o remount").

If you do something like the following, does the context then appear?

#v+
mount -o remount,context=system_u:object_r:var_run_t /run
#v-

My system gives the following:

#v+
$ mount | grep run
tmpfs on /run type tmpfs (rw,rootcontext=system_u:object_r:var_run_t,seclabel,nosuid,nodev,noexec,relatime)
#v-

Wkr,
        Sven Vermeulen

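The mount-versus-remount decision Sven describes above, as an added example that is not part of this thread: a small POSIX shell helper that reads a /proc/self/mounts style table, pulls out any context= or rootcontext= option on a given mountpoint, and prints whether a fresh mount, a remount with the context option, or nothing is needed. The mount table, the mountpoints and the target context are constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Decide whether a SELinux-labelled
# tmpfs needs a fresh mount or a remount, based on what is already mounted.
# Input is in /proc/self/mounts format; a constructed sample is embedded so
# this runs offline. On a real system pass "$(cat /proc/self/mounts)" instead.

# Constructed sample mount table (not captured from either poster's system).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0
tmpfs /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,nosuid,nodev 0 0'

# mount_opts TABLE MOUNTPOINT
# Prints the option string (4th field) of MOUNTPOINT, or nothing if not mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# selinux_ctx OPTS
# Prints the value of the first context= or rootcontext= option in OPTS, if any.
selinux_ctx() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E '^(root)?context=' | head -n 1 | cut -d= -f2-
}

# plan_mount TABLE MOUNTPOINT CONTEXT
# Prints the command that would bring MOUNTPOINT to CONTEXT:
#   "mount -t tmpfs ..."   if MOUNTPOINT is not mounted yet
#   "mount -o remount,..." if it is mounted but carries a different/no context
#   "ok"                   if it is mounted and already carries CONTEXT
plan_mount() {
    table=$1; mp=$2; want=$3
    opts=$(mount_opts "$table" "$mp")
    if [ -z "$opts" ]; then
        echo "mount -t tmpfs -o mode=0755,nosuid,nodev,context=$want tmpfs $mp"
        return 0
    fi
    have=$(selinux_ctx "$opts")
    if [ "$have" = "$want" ]; then
        echo ok
    else
        # Already mounted: the option has to be applied with a remount, which is
        # what the reply above suggests trying by hand.
        echo "mount -o remount,context=$want $mp"
    fi
}

# Stand-alone run against the sample table.
plan_mount "$SAMPLE_MOUNTS" /run system_u:object_r:var_run_t
plan_mount "$SAMPLE_MOUNTS" /dev/shm system_u:object_r:tmpfs_t:s0
```

Run it against the real table with `plan_mount "$(cat /proc/self/mounts)" /run system_u:object_r:var_run_t` and compare the printed command with what you see in the boot log. One caveat when reading the two outputs in the thread: wraeth's fstab asks for context=, while Sven's /run carries rootcontext=. context= forces that single label on every inode in the filesystem, whereas rootcontext= labels only the root directory and lets files created underneath be labelled by policy, so the two are not interchangeable even though both show up next to seclabel in the mount output.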