1 |
The seclabel option isn't sufficient unless the /run location has its |
2 |
labels reset as part of the bootup (akin to "restorecon -R /run" which |
3 |
might be the case with systems and/or in fedora. |
4 |
|
5 |
/run *must* have var_run_t as label. The context= mount option is "just" a |
6 |
way to achieve that. |
7 |
|
8 |
Wkr, |
9 |
Sven |
10 |
On Mar 11, 2014 10:43 AM, "wraeth" <wraeth@××××××××××××.net> wrote: |
11 |
|
12 |
> On Fri, 2014-03-07 at 18:56 +1100, wraeth wrote: |
13 |
> |
14 |
> Firstly, sorry for double-post before - bad connection and all :-/ |
15 |
> |
16 |
> > On Thu, 2014-03-06 at 15:15 +0000, Sven Vermeulen wrote: |
17 |
> > > If you do something like the following, does the context then appear? |
18 |
> > > |
19 |
> > > #v+ |
20 |
> > > mount -o remount,context=system_u:object_r:var_run_t /run |
21 |
> > > #v- |
22 |
> |
23 |
> So I've been slowly plugging away at this trying to figure out why I |
24 |
> can't seem to get my /run filesystem mounted with the correct security |
25 |
> context. Here's what I've tried so far: |
26 |
> |
27 |
> manually issue `mount -o remount,context=...` |
28 |
> Fails with "/run not mounted or bad option". From my readings on the |
29 |
> 'net, the kernel will actually refuse to remount context-labelled |
30 |
> filesystems. This is also echoed in mount's manpage: |
31 |
> "Note that kernel rejects any remount request that includes the context |
32 |
> option even if unchanged from the current context." |
33 |
> |
34 |
> drop into emergency boot shell and remount /run |
35 |
> Same as above, the filesystem refuses to remount. |
36 |
> |
37 |
> patch init script for dracut initramfs |
38 |
> I actually thought this could be the best way to resolve the issue. I |
39 |
> was quickly disillusioned. At the time the init script mounts the /run |
40 |
> filesystem, the kernel has yet to initialize SELinux, and according to |
41 |
> mail archive [1] (I see I'm not the first) mount will actually strip |
42 |
> context options from mount commands if it finds that SELinux is not |
43 |
> active. I can't help but agree with this as per the dmesg output: |
44 |
> |
45 |
> [ 8.540741] dracut: Mounted root filesystem |
46 |
> /dev/mapper/luks-dbfe9b56-8185-4cea-8f52-086bd41382df |
47 |
> [ 8.809942] dracut: Switching root |
48 |
> <snip> |
49 |
> [ 9.420023] SELinux: Completing initialization. |
50 |
> [ 9.420024] SELinux: Setting up existing superblocks. |
51 |
> |
52 |
> sysinit service |
53 |
> I even went to the length of creating a service in the sysinit.target |
54 |
> prior to systemd-udevd.service to remount the run filesystem using the |
55 |
> same method that the dracut init script uses - to mount the filesystem |
56 |
> as /newrun, copy everything over, then `mount --move` it. This again |
57 |
> failed, but honestly I'm not surprised at that. |
58 |
> |
59 |
> So at this stage I was somewhat frustrated that I hadn't come up with |
60 |
> any solution, so I decided to try looking at a working example to see |
61 |
> where the difference may lie. So I fired up a freshly installed virtual |
62 |
> machine running Fedora 20, got into a terminal and: |
63 |
> |
64 |
> [root@asinine ~]# mount | grep run |
65 |
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) |
66 |
> |
67 |
> This looks remarkably familiar... |
68 |
> nemesis ~ # mount | grep run |
69 |
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) |
70 |
> |
71 |
> So now I feel I should ask the obvious question: does the /run |
72 |
> filesystem, being a tmpfs-based filesystem, need to be mounted with |
73 |
> specific security contexts, or is the mount option of 'seclabel' |
74 |
> sufficient? |
75 |
> |
76 |
> If 'seclabel' is sufficient, then I don't think I need to do anything |
77 |
> else with regards to filesystem labelling or anything like that - just |
78 |
> the copious avc denials to contend with now! :) |
79 |
> |
80 |
> Cheers; |
81 |
> wraeth |
82 |
> |
83 |
> [1] http://www.gossamer-threads.com/lists/gentoo/hardened/269150 |
84 |
> |