Package: selinux-basics
Version: 0.5.2
Severity: normal
The selinux-basics init script fails, with little info:
# invoke-rc.d selinux-basics start
[....] Checking SELinux contexts: selinux-basics
invoke-rc.d: initscript selinux-basics, action "start" failed.
I pinned the problem down to the function 'relabel_minimal',
specifically line 45:
/sbin/restorecon -R /dev /etc/mtab 2>/dev/null
The behavior of restorecon is odd here. Running
# /sbin/restorecon -R /dev /etc/mtab ; echo $?
1
gives exit status 1, but running
# /sbin/restorecon -R /dev ; echo $?
0
# /sbin/restorecon -R /etc/mtab ; echo $?
0
# /sbin/restorecon -R /etc/mtab /dev ; echo $?
0
all give exit status 0.
For a while now, /etc/mtab has been a symlink to /proc/mounts, which
I'd guess is a crucial part of the problem since the restorecon man
page says it doesn't operate on symlinks.
Anyway, relabeling /etc/mtab -> /proc/mounts seems to not do anything
on my system. The first run of restorecon after a reboot gives:
# ls -Z /etc/mtab /proc/mounts
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts
# restorecon -R -v /etc/mtab
# ls -Z /etc/mtab /proc/mounts
system_u:object_r:etc_t:SystemLow /etc/mtab
system_u:object_r:proc_t:SystemLow /proc/mounts
Attached is a patch that removes the relabeling of /etc/mtab.
Thanks.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-basics depends on:
ii checkpolicy 2.1.12-1
ii policycoreutils 2.1.13-2+b1
pn python:any <none>
ii selinux-utils 2.1.13-3
Versions of packages selinux-basics recommends:
ii selinux-policy-default 2:2.20110726-13
ii setools 3.3.8-1
Versions of packages selinux-basics suggests:
ii logcheck 1.3.15
pn syslog-summary <none>
-- no debconf information
--- selinux-basics.orig 2013-10-23 12:32:39.866014812 -0700
+++ selinux-basics 2013-10-23 14:52:25.886330625 -0700
@@ -37,11 +37,11 @@
fi
fi
-# Relabel /dev and /etc/mtab
+# Relabel /dev
relabel_minimal() {
# when selinux is enabled, relabel /dev
if [ -n "$selinuxenabled" -a -x /sbin/restorecon ]; then
- /sbin/restorecon -R /dev /etc/mtab 2>/dev/null
+ /sbin/restorecon -R /dev 2>/dev/null
fi
}
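Review bot: Dropping /etc/mtab from the restorecon call in relabel_minimal is unconditional, so a system where /etc/mtab is still a regular file would no longer have it relabeled by this function. Consider keeping it behind a symlink test, for example '[ -L /etc/mtab ] || /sbin/restorecon /etc/mtab', rather than removing it outright. The '2>/dev/null' kept on the new restorecon line also still discards restorecon's error output, so any remaining non-zero exit from this function will be as hard to diagnose as the failure reported here; logging stderr instead of discarding it would help.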