Package: initscripts
Version: 2.88dsf-18
Severity: wishlist
Tags: patch

This actually started out as a real bug, then I got carried away ;)

So, bug report first:

mountkernfs.sh restores the context for /run/lock before mounting it as a
separate filesystem. This doesn't go down well with SELinux policy, because
we're not supposed to mount on top of var_lock_t:

avc: denied { mounton } for pid=287 comm="mount" path="/run/lock" dev=tmpfs
ino=3033 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

Wishlist item next:

The solution I'm using tends to be a bit broader than just moving the
restorecon invocation below the mount: the SELinux context for a tmpfs
mount can be set with -o rootcontext. Since there already is a facility
for setting tmpfs mount options, I decided to use it.

The current implementation does not make the contexts configurable. Doing so
would be analogous to _SIZE and _MODE, but I don't see the benefit; the
SELinux contexts are part of the base policy and I don't see a good reason
to allow deviating from it. According to that same policy, /run/shm has
type tmpfs_t, which is the default, so no explicit rootcontext is required.

Tested on both SELinux and non-SELinux systems; the rootcontext appears to
be happily ignored on a non-SELinux kernel.

Regards,
Arno

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (900, 'stable'), (300, 'unstable'), (200,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages initscripts depends on:
ii coreutils 8.13-3
ii debianutils 4.1
ii libc6 2.13-24
ii lsb-base 3.2-28
ii mount 2.19.1-5
ii sysv-rc 2.88dsf-18
ii sysvinit-utils 2.88dsf-18
Versions of packages initscripts recommends:
ii e2fsprogs 1.42-1
ii psmisc 22.13-1
initscripts suggests no packages.
-- Configuration Files:
/etc/init.d/mountkernfs.sh changed [not included]
-- no debconf information
diff -aur /etc/init.d/mountkernfs.sh ./etc/init.d/mountkernfs.sh
--- /etc/init.d/mountkernfs.sh 2011-12-13 21:16:15.000000000 +0100
+++ ./etc/init.d/mountkernfs.sh 2012-01-14 15:25:32.496772901 +0100
@@ -39,12 +39,10 @@
fi
# TODO: Add -onodev once checkroot no longer creates a device node.
domount "$MNTMODE" tmpfs shmfs /run tmpfs "-onosuid$RUNEXEC$RUN_OPT"
- [ -x /sbin/restorecon ] && /sbin/restorecon -r /run
[ -f /run/.ramfs ] || touch /run/.ramfs
# Make lock directory as the replacement for /var/lock
[ -d /run/lock ] || mkdir --mode=755 /run/lock
- [ -x /sbin/restorecon ] && /sbin/restorecon /run/lock
# Mount /run/lock as tmpfs if enabled. This prevents user DoS
# of /run by filling /run/lock at the expense of using an
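Review bot: Dropping the recursive `restorecon -r /run` after the /run domount leaves nothing to correct labels when domount does not make a fresh mount, because rootcontext only takes effect at mount time. MNTMODE is passed through here and `mount_noupdate` is tested further down in this file, so that mode should be checked on an SELinux system; if /run can already hold entries at this point, keep the `-r` pass as a fallback. The entries created right after the mount (`/run/.ramfs`, `/run/lock`) also lose their explicit relabel and now depend on policy defaults for new files.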
@@ -53,6 +54,7 @@
domount "$MNTMODE" tmpfs shmfs /run/lock tmpfs "-onodev,noexec,nosuid$LOCK_OPT"
else
chmod "$LOCK_MODE" /run/lock
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/lock
fi
[ -f /run/lock/.ramfs ] || touch /run/lock/.ramfs
@@ -61,7 +64,6 @@
if [ -L /tmp ] && [ ! -d /tmp ]; then
TMPPATH="$(readlink /tmp)"
mkdir -p --mode=755 "$TMPPATH"
- [ -x /sbin/restorecon ] && /sbin/restorecon "$TMPPATH"
fi
# If root is read only, default to mounting a tmpfs on /tmp,
@@ -84,6 +86,7 @@
# When root is still read only, this will fail.
if [ mount_noupdate != "$MNTMODE" ] && [ rw = "$rootmode" ]; then
chmod "$TMP_MODE" /tmp
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$TMPPATH"
fi
fi
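Review bot: The added `restorecon "$TMPPATH"` next to `chmod "$TMP_MODE" /tmp` uses a variable that, in the lines shown, is only assigned inside the `[ -L /tmp ] && [ ! -d /tmp ]` branch of the previous hunk, so whenever /tmp is an ordinary directory it expands to an empty string here. Relabel `/tmp` to match the chmod target, or initialise TMPPATH=/tmp before the symlink test.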
diff -aur /lib/init/mount-functions.sh ./lib/init/mount-functions.sh
--- /lib/init/mount-functions.sh 2011-12-13 21:16:15.000000000 +0100
+++ ./lib/init/mount-functions.sh 2012-01-14 15:25:32.492773343 +0100
@@ -215,9 +215,6 @@
is_empty_dir "$MTPT" >/dev/null 2>&1 || log_warning_msg "Files under mount point '$MTPT' will be hidden."
fi
mount $MOUNTFLAGS -t $FSTYPE $CALLER_OPTS $FSTAB_OPTS $FS_OPTS $DEVNAME $MTPT
- if [ "$FSTYPE" = "tmpfs" -a -x /sbin/restorecon ]; then
- /sbin/restorecon $MTPT
- fi
fi
;;
remount)
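Review bot: Removing the tmpfs `restorecon $MTPT` from domount changes behaviour for every tmpfs caller of this helper, not only the three mounts that get a rootcontext in tmpfs.sh. A caller whose options carry no rootcontext= now keeps whatever label the mount receives by default, so the callers should be listed in the change description and checked, or the relabel kept for option strings without rootcontext=. The `remount)` branch just below also needs a test on an SELinux system, since the same option strings presumably reach it.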
diff -aur /lib/init/tmpfs.sh ./lib/init/tmpfs.sh
--- /lib/init/tmpfs.sh 2011-12-13 21:16:15.000000000 +0100
+++ ./lib/init/tmpfs.sh 2012-01-14 15:25:32.512771131 +0100
@@ -28,18 +28,18 @@
. /etc/default/tmpfs
fi
-RUN_OPT=
-[ "${RUN_SIZE:=$TMPFS_SIZE}" ] && RUN_OPT=",size=$RUN_SIZE"
+RUN_OPT=,rootcontext=system_u:object_r:var_run_t:s0
+[ "${RUN_SIZE:=$TMPFS_SIZE}" ] && RUN_OPT="$RUN_OPT,size=$RUN_SIZE"
[ "${RUN_MODE:=$TMPFS_MODE}" ] && RUN_OPT="$RUN_OPT,mode=$RUN_MODE"
-LOCK_OPT=
-[ "${LOCK_SIZE:=$TMPFS_SIZE}" ] && LOCK_OPT=",size=$LOCK_SIZE"
+LOCK_OPT=,rootcontext=system_u:object_r:var_lock_t:s0
+[ "${LOCK_SIZE:=$TMPFS_SIZE}" ] && LOCK_OPT="$LOCK_OPT,size=$LOCK_SIZE"
[ "${LOCK_MODE:=$TMPFS_MODE}" ] && LOCK_OPT="$LOCK_OPT,mode=$LOCK_MODE"
SHM_OPT=
-[ "${SHM_SIZE:=$TMPFS_SIZE}" ] && SHM_OPT=",size=$SHM_SIZE"
+[ "${SHM_SIZE:=$TMPFS_SIZE}" ] && SHM_OPT="$SHM_OPT,size=$SHM_SIZE"
[ "${SHM_MODE:=$TMPFS_MODE}" ] && SHM_OPT="$SHM_OPT,mode=$SHM_MODE"
-TMP_OPT=
-[ "${TMP_SIZE:=$TMPFS_SIZE}" ] && TMP_OPT=",size=$TMP_SIZE"
+TMP_OPT=,rootcontext=system_u:object_r:tmp_t:s0
+[ "${TMP_SIZE:=$TMPFS_SIZE}" ] && TMP_OPT="$TMP_OPT,size=$TMP_SIZE"
[ "${TMP_MODE:=$TMPFS_MODE}" ] && TMP_OPT="$TMP_OPT,mode=$TMP_MODE"
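Review bot: RUN_OPT, LOCK_OPT and TMP_OPT now always begin with a hard-coded user:role:type:level string, assigned after /etc/default/tmpfs is sourced, so an administrator can neither override nor drop it. Because rootcontext is a mount option, a loaded policy that does not accept one of these strings would affect the mount of /run, /run/lock or /tmp itself rather than just leave a wrong label, so this needs a test against each supported policy and a comment naming the policy the values come from. A comment on why SHM_OPT gets no rootcontext would also help; the SHM_OPT line change itself is a no-op, since SHM_OPT is still empty at that point.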
--- /etc/init.d/mountdevsubfs.sh 2012-01-16 23:36:37.000000000 +0100
+++ ./etc/init.d/mountdevsubfs.sh 2012-01-16 23:45:10.000000000 +0100
@@ -36,13 +36,13 @@
if [ ! -d /run/shm ]
then
mkdir --mode=755 /run/shm
- [ -x /sbin/restorecon ] && /sbin/restorecon /run/shm
fi
if [ yes = "$RAMSHM" ] || read_fstab_entry /run/shm tmpfs; then
domount "$MNTMODE" tmpfs shmfs /run/shm tmpfs "-onosuid,nodev$SHM_OPT"
else
chmod "$SHM_MODE" /run/shm
+ [ -x /sbin/restorecon ] && /sbin/restorecon /run/shm
fi
# Migrate early, so /dev/shm is available from the start
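
Reading the denial quoted in the report, as an added example that is not part of the original message or of initscripts: it splits an AVC line into its fields and reports which domain was denied which permission on which label. The function names are hypothetical and the sample is the report's denial joined onto one line.

```shell
#!/bin/sh
# Added example; not part of the bug report or of initscripts.
# Splits an SELinux AVC denial line into its fields for triage.
# Limitation: quoted values that contain spaces are not handled.

# Constructed sample: the report's denial joined onto one line.
SAMPLE='avc: denied { mounton } for pid=287 comm="mount" path="/run/lock" dev=tmpfs ino=3033 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value with quotes stripped.
avc_field() (
    set -f                          # no globbing while splitting the line
    for word in $1; do
        case $word in
            "$2"=*)
                value=${word#*=}
                value=${value#\"}
                value=${value%\"}
                printf '%s\n' "$value"
                exit 0 ;;
        esac
    done
    exit 1                          # key not present in the line
)

# avc_perms LINE: print the permissions listed between "{ " and " }".
avc_perms() {
    case $1 in *"{ "*" }"*) ;; *) return 1 ;; esac
    perms=${1#*\{ }
    perms=${perms%% \}*}
    printf '%s\n' "$perms"
}

# avc_type CONTEXT: print the type, third field of user:role:type[:level].
avc_type() {
    rest=${1#*:}                    # drop the user
    rest=${rest#*:}                 # drop the role
    printf '%s\n' "${rest%%:*}"
}

# avc_summary LINE: one line saying who was denied what on which label.
avc_summary() {
    p=$(avc_perms "$1") || return 1
    s=$(avc_field "$1" scontext) || return 1
    t=$(avc_field "$1" tcontext) || return 1
    c=$(avc_field "$1" tclass) || return 1
    printf '%s denied { %s } on %s:%s path=%s\n' \
        "$(avc_type "$s")" "$p" "$(avc_type "$t")" "$c" \
        "$(avc_field "$1" path || echo '?')"
}

avc_summary "$SAMPLE"
```

A `mounton` denial whose target type is the final label of the directory (here var_lock_t) is the signature of a mount point that was relabelled before the mount, which is the ordering problem the report describes.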