[Pkg-sysvinit-devel] Bug#628107: initscripts: Needs to set SELinux labels after /run is moved from initramfs

Martin Orr Fri, 27 May 2011 03:39:18 -0700

Package: initscripts
Version: 2.88dsf-13.7
Severity: important
Tags: patch

Now that /run is created in the initramfs, it gets no SELinux label
because SELinux policy is not loaded until init starts.  So it needs to
be relabelled after this and before udev starts.  I attach a patch to do
this in mountkernfs.sh.


We need to use restorecon -r here because existing contents of /run also
need to be relabelled, in particular /run/udev.

I know that mountkernfs.sh is run multiple times.  Redundant calls to
restorecon are usually harmless, except for the time it takes to walk
the directory tree, and for /run that should not be a problem.

Best wishes,
Martin Orr

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages initscripts depends on:
ii  coreutils                   8.5-1        GNU core utilities
ii  debianutils                 4            Miscellaneous utilities specific t
ii  libc6                       2.13-4       Embedded GNU C Library: Shared lib
ii  lsb-base                    3.2-27       Linux Standard Base 3.2 init scrip
ii  mount                       2.17.2-9.1   Tools for mounting and manipulatin
ii  sysv-rc                     2.88dsf-13.7 System-V-like runlevel change mech
ii  sysvinit-utils              2.88dsf-13.7 System-V-like utilities

Versions of packages initscripts recommends:
ii  e2fsprogs                     1.41.12-4  ext2/ext3/ext4 file system utiliti
ii  psmisc                        22.13-1    utilities that use the proc file s

initscripts suggests no packages.

-- Configuration Files:
/etc/init.d/mountkernfs.sh changed [not included]

-- no debconf information

--- debian/src/initscripts/etc/init.d/mountkernfs.sh.orig       2011-05-26 
23:03:48.000000000 +0100
+++ debian/src/initscripts/etc/init.d/mountkernfs.sh    2011-05-26 
23:03:48.000000000 +0100
@@ -40,6 +40,7 @@
        fi
        # TODO: Add -onodev once checkroot no longer creates a device node.
        domount "$MNTMODE" tmpfs shmfs /run tmpfs "-onosuid$RUNEXEC$RUN_OPT"
+       [ -x /sbin/restorecon ] && /sbin/restorecon -r /run
        [ -f /run/.ramfs ] || touch /run/.ramfs
 
        # Make lock directory as the replacement for /var/lock

_______________________________________________
Pkg-sysvinit-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-sysvinit-devel

[Pkg-sysvinit-devel] Bug#628107: initscripts: Needs to set SELinux labels after /run is moved from initramfs

Reply via email to