Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
Using sys-kernel/dracut with SELinux
krissn at op
Mar 6, 2013, 3:15 AM
Post #1 of 5 (3153 views)
Permalink
Hi,

I'm trying to migrate a machine to SELinux. I was able to run all the steps related to the kernel, packages and filesystem. The system boots fine in permissive mode but I'm getting a lot of AVC denials related to /run. The obvious suspect would the lack of proper labelling so I checked the fstab and verified that the /run filesystem is present with the correct rootcontext option. To my surprise however the /run filesystem is still mounted without the rootcontext option.

I've spent some time tracking this down and eventually found out that the issue is related to the Dracut initramfs. The init script mounts /run from there. Obviously the the mount options are hard-coded and rootcontext is not among them.

So I tried to edit the Dracut's init script (/usr/lib64/dracut/modules.d/99base/init.sh) to append the rootcontext option to the mount /run line, but surprisingly it was completely ignored.

Did anybody hit a similar problem?

Regards
Chris
Re: Using sys-kernel/dracut with SELinux [ In reply to ]
h.v.bruinehsen at fu-berlin
Mar 6, 2013, 3:47 AM
Post #2 of 5 (3096 views)
Permalink
Hi,

maybe I can help you. I hit a similar problem a while ago.
I presume that you use a tmpfs for /run. If that's the case you may need
to relabel /dev/utmp (not inside the tmpfs but on the disk itself - use
bindmount and the instructions for relabeling /lib from the handbook or
unmount run).

Another hint from me: don't use dracut if you plan to boot in enforcing.
I never could get it working (if you need an initramfs build a minimal
one for yourself).


-Hinnerk

On Wed, Mar 06, 2013 at 12:15:38PM +0100, Krzysztof Nowicki wrote:
> Hi,
>
> I'm trying to migrate a machine to SELinux. I was able to run all the steps related to the kernel, packages and filesystem. The system boots fine in permissive mode but I'm getting a lot of AVC denials related to /run. The obvious suspect would the lack of proper labelling so I checked the fstab and verified that the /run filesystem is present with the correct rootcontext option. To my surprise however the /run filesystem is still mounted without the rootcontext option.
>
> I've spent some time tracking this down and eventually found out that the issue is related to the Dracut initramfs. The init script mounts /run from there. Obviously the the mount options are hard-coded and rootcontext is not among them.
>
> So I tried to edit the Dracut's init script (/usr/lib64/dracut/modules.d/99base/init.sh) to append the rootcontext option to the mount /run line, but surprisingly it was completely ignored.
>
> Did anybody hit a similar problem?
>
> Regards
> Chris
>
>
Re: Using sys-kernel/dracut with SELinux [ In reply to ]
swift at gentoo
Mar 6, 2013, 6:13 AM
Post #3 of 5 (3097 views)
Permalink
If dracut doesn't use the fstab options then you'll need to find where it gets mounted and update that. Perhaps creating an additional dracut module to remount with the correct options works as well and is more manageable in the longer term?
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Using sys-kernel/dracut with SELinux [ In reply to ]
krissn at op
Mar 6, 2013, 11:06 AM
Post #4 of 5 (3094 views)
Permalink
On 06.03.2013 15:13, Sven Vermeulen wrote:
> If dracut doesn't use the fstab options then you'll need to find where
> it gets mounted and update that. Perhaps creating an additional dracut
> module to remount with the correct options works as well and is more
> manageable in the longer term?
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Hi,

I've actually tried that. The problem is that SELinux-enabled mount
(which gets pulled into the initramfs from the system) will filter out
SELinux-related mount options (like rootcontext) if it finds that
SELinux is not running (it will call is_selinux_running() from libselinux).

One of the checks it makes is for a mounted /selinux filesystem, but
mounting it alone has no impact. I'll have to dig further.

As for remounting I tried to remount /run by adding the rootcontext
option, but mount fails with the error "mount: /run not mounted or bad
option". I have a suspicion that you cannot add/change the rootcontext
mount option during a remount. This is actually what OpenRC is trying to
do in /etc/init.d/root, but fails with the same error.

Regards
Chris
Re: Using sys-kernel/dracut with SELinux [ In reply to ]
krissn at op
Mar 6, 2013, 11:17 AM
Post #5 of 5 (3087 views)
Permalink
On 06.03.2013 20:06, Krzysztof Nowicki wrote:
> [...] (it will call is_selinux_running() from libselinux).
Actually I meant is_selinux_enabled().

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal