Package: selinux-basics
Version: 0.5.2
Severity: normal

The selinux-basics init script fails, with little info:

# invoke-rc.d selinux-basics start
[....] Checking SELinux contexts: selinux-basics
invoke-rc.d: initscript selinux-basics, action "start" failed.

I pinned the problem down to the function 'relabel_minimal',
specifically line 45:

                  /sbin/restorecon -R /dev /etc/mtab 2>/dev/null

The behavior of restorecon is odd here.  Running

# /sbin/restorecon -R /dev /etc/mtab ; echo $?
1

gives exit status 1, but running

# /sbin/restorecon -R /dev ; echo $?
0
# /sbin/restorecon -R /etc/mtab ; echo $?
0
# /sbin/restorecon -R /etc/mtab /dev ; echo $?
0

all give exit status 0.


For a while now, /etc/mtab has been a symlink to /proc/mounts, which
I'd guess is a crucial part of the problem since the restorecon man
page says it doesn't operate on symlinks.


Anyway, relabeling /etc/mtab -> /proc/mounts seems to not do anything
on my system.  The first run of restorecon after a reboot gives:

# ls -Z /etc/mtab /proc/mounts 
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts
# restorecon -R -v /etc/mtab 
# ls -Z /etc/mtab /proc/mounts 
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts


Attached is a patch that removes the relabeling of /etc/mtab.


Thanks.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-basics depends on:
ii  checkpolicy      2.1.12-1
ii  policycoreutils  2.1.13-2+b1
pn  python:any       <none>
ii  selinux-utils    2.1.13-3

Versions of packages selinux-basics recommends:
ii  selinux-policy-default  2:2.20110726-13
ii  setools                 3.3.8-1

Versions of packages selinux-basics suggests:
ii  logcheck        1.3.15
pn  syslog-summary  <none>

-- no debconf information
--- selinux-basics.orig	2013-10-23 12:32:39.866014812 -0700
+++ selinux-basics	2013-10-23 14:52:25.886330625 -0700
@@ -37,11 +37,11 @@
 	fi
 fi
 
-# Relabel /dev and /etc/mtab
+# Relabel /dev
 relabel_minimal() {
 	# when selinux is enabled, relabel /dev
 	if [ -n "$selinuxenabled" -a -x /sbin/restorecon ]; then
-		/sbin/restorecon -R /dev /etc/mtab 2>/dev/null
+		/sbin/restorecon -R /dev 2>/dev/null
 	fi
 }
 
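Review bot: the restorecon call in relabel_minimal still discards stderr (`/sbin/restorecon -R /dev 2>/dev/null`), so if relabeling /dev ever exits non-zero, the start action will again fail with no diagnostic, which is the symptom this report began with. Consider dropping the redirect, or capturing the output and logging it when the exit status is non-zero. It is also worth deciding explicitly whether a restorecon failure should fail the init action at all: as written, the function's return status is whatever restorecon returns whenever the branch runs.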
