| 1 |
The seclabel option isn't sufficient unless the /run location has its |
| 2 |
labels reset as part of the bootup (akin to "restorecon -R /run" which |
| 3 |
might be the case with systems and/or in fedora. |
| 4 |
|
| 5 |
/run *must* have var_run_t as label. The context= mount option is "just" a |
| 6 |
way to achieve that. |
| 7 |
|
| 8 |
Wkr, |
| 9 |
Sven |
| 10 |
On Mar 11, 2014 10:43 AM, "wraeth" <wraeth@××××××××××××.net> wrote: |
| 11 |
|
| 12 |
> On Fri, 2014-03-07 at 18:56 +1100, wraeth wrote: |
| 13 |
> |
| 14 |
> Firstly, sorry for double-post before - bad connection and all :-/ |
| 15 |
> |
| 16 |
> > On Thu, 2014-03-06 at 15:15 +0000, Sven Vermeulen wrote: |
| 17 |
> > > If you do something like the following, does the context then appear? |
| 18 |
> > > |
| 19 |
> > > #v+ |
| 20 |
> > > mount -o remount,context=system_u:object_r:var_run_t /run |
| 21 |
> > > #v- |
| 22 |
> |
| 23 |
> So I've been slowly plugging away at this trying to figure out why I |
| 24 |
> can't seem to get my /run filesystem mounted with the correct security |
| 25 |
> context. Here's what I've tried so far: |
| 26 |
> |
| 27 |
> manually issue `mount -o remount,context=...` |
| 28 |
> Fails with "/run not mounted or bad option". From my readings on the |
| 29 |
> 'net, the kernel will actually refuse to remount context-labelled |
| 30 |
> filesystems. This is also echoed in mount's manpage: |
| 31 |
> "Note that kernel rejects any remount request that includes the context |
| 32 |
> option even if unchanged from the current context." |
| 33 |
> |
| 34 |
> drop into emergency boot shell and remount /run |
| 35 |
> Same as above, the filesystem refuses to remount. |
| 36 |
> |
| 37 |
> patch init script for dracut initramfs |
| 38 |
> I actually thought this could be the best way to resolve the issue. I |
| 39 |
> was quickly disillusioned. At the time the init script mounts the /run |
| 40 |
> filesystem, the kernel has yet to initialize SELinux, and according to |
| 41 |
> mail archive [1] (I see I'm not the first) mount will actually strip |
| 42 |
> context options from mount commands if it finds that SELinux is not |
| 43 |
> active. I can't help but agree with this as per the dmesg output: |
| 44 |
> |
| 45 |
> [ 8.540741] dracut: Mounted root filesystem |
| 46 |
> /dev/mapper/luks-dbfe9b56-8185-4cea-8f52-086bd41382df |
| 47 |
> [ 8.809942] dracut: Switching root |
| 48 |
> <snip> |
| 49 |
> [ 9.420023] SELinux: Completing initialization. |
| 50 |
> [ 9.420024] SELinux: Setting up existing superblocks. |
| 51 |
> |
| 52 |
> sysinit service |
| 53 |
> I even went to the length of creating a service in the sysinit.target |
| 54 |
> prior to systemd-udevd.service to remount the run filesystem using the |
| 55 |
> same method that the dracut init script uses - to mount the filesystem |
| 56 |
> as /newrun, copy everything over, then `mount --move` it. This again |
| 57 |
> failed, but honestly I'm not surprised at that. |
| 58 |
> |
| 59 |
> So at this stage I was somewhat frustrated that I hadn't come up with |
| 60 |
> any solution, so I decided to try looking at a working example to see |
| 61 |
> where the difference may lie. So I fired up a freshly installed virtual |
| 62 |
> machine running Fedora 20, got into a terminal and: |
| 63 |
> |
| 64 |
> [root@asinine ~]# mount | grep run |
| 65 |
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) |
| 66 |
> |
| 67 |
> This looks remarkably familiar... |
| 68 |
> nemesis ~ # mount | grep run |
| 69 |
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755) |
| 70 |
> |
| 71 |
> So now I feel I should ask the obvious question: does the /run |
| 72 |
> filesystem, being a tmpfs-based filesystem, need to be mounted with |
| 73 |
> specific security contexts, or is the mount option of 'seclabel' |
| 74 |
> sufficient? |
| 75 |
> |
| 76 |
> If 'seclabel' is sufficient, then I don't think I need to do anything |
| 77 |
> else with regards to filesystem labelling or anything like that - just |
| 78 |
> the copious avc denials to contend with now! :) |
| 79 |
> |
| 80 |
> Cheers; |
| 81 |
> wraeth |
| 82 |
> |
| 83 |
> [1] http://www.gossamer-threads.com/lists/gentoo/hardened/269150 |
| 84 |
> |
Archives