| 1 |
On 8 April 2012 12:44, Sven Vermeulen <swift@g.o> wrote: |
| 2 |
|
| 3 |
> Hmm, I can't seem to reproduce all you see, although I can see it is |
| 4 |
> becoming quite messy nowadays. Is the /run mislabeling still a fact? What |
| 5 |
> might be happening (although I can't confirm this here) is that your |
| 6 |
> (unmounted) /run has no good label. The moment openrc mounts it (through |
| 7 |
> /lib64/rc/sh/init.sh) the mount inherits the context, but it also means |
| 8 |
> that |
| 9 |
> if you relabel, you are only relabeling the tmpfs (and not the real |
| 10 |
> directory). |
| 11 |
> |
| 12 |
> The label of the /run directory was wrong. I'll check later whether that |
| 13 |
has fixed it (I don't really want to reboot now for that). It's strange as |
| 14 |
I did the same trick with /proc, /sys etc. (copying whatever was set |
| 15 |
through restorecon). The context was "system_u:var_run_t:file_t" |
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
> You can "solve" it by bindmounting your root file system, and then setting |
| 20 |
> the context of /run (chcon -t var_run_t should suffice). |
| 21 |
> |
| 22 |
> The /dev is another issue. I currently don't have to deal with it as I'm |
| 23 |
> forced to use an initramfs (as I have a separate /usr) so I need to relabel |
| 24 |
> /dev anyhow before switching to enforcing mode :-( But I can imagine what |
| 25 |
> happens... kdevtmpfs runs as kernel_t and creates device files in /dev |
| 26 |
> (which are labeled device_t). |
| 27 |
> |
| 28 |
|
| 29 |
My system uses an initrd as well (as it has an lvm based root filesystem). |
| 30 |
|
| 31 |
|
| 32 |
> |
| 33 |
> From what I read, udev is supposed to relabel the files. Although I can't |
| 34 |
> confirm this, I also see that udev isn't the first thing that is started |
| 35 |
> (and that, if it gets started in enforcing mode, it might already need a |
| 36 |
> correctly labeled /dev when running without unconfined domains). |
| 37 |
|
| 38 |
|
| 39 |
If you have some info that I could look at I'd like to help. I'm fairly new |
| 40 |
at selinux and I still find it rather complex, but what better way to learn |
| 41 |
it than to get your hands dirty ;-). Btw. This is a desktop system which |
| 42 |
might provide its own interesting challenges. |
| 43 |
|
| 44 |
Paul |
| 45 |
|
| 46 |
-- |
| 47 |
Paul de Vrieze |
| 48 |
Developer |
| 49 |
Mail: pauldv@g.o |
| 50 |
Homepage: http://www.devrieze.net |
Archives