On 13/05/16 at 15:12, Yuri D'Elia wrote:
On Fri, May 13 2016, Laurent Bigonville <bi...@debian.org> wrote:
libselinux mounts /proc, checks if the machine supports SELinux and then
unmounts it. This is supposed to happen at early boot.
I don't understand what selinux is trying to solve here. It's not the
job of a library to mount filesystems. If you want to ensure that /proc
exists, mount it before.

There are tools that need to know the state of SELinux on the system at early boot, and these tools could be run before init has mounted proc.

The lazy unmount performed by selinuxfs_exists and
selinux_init_load_policy is racy.

Processes, run in parallel, *will* cause /proc to disappear right
between the mount call and the subsequent fopen call, so the code does
not function as upstream intends it to in any case.

Again, this is supposed to happen at early boot, and at this stage, only PID1 exists. So I doubt there are a lot of concurrent processes at that time.

I would be interested to know what this behavior is breaking.
My main issue is within containers and chroots. I have my own
initialization process for these containers, I don't use selinux, but at
some point /proc gets mounted before I expect it to.

Even if the fix is simply the removal of the mountpoint, I consider the
solution broken by design.
What about mounting /proc really early?

In the init of initramfs it's the 14th line in the script... With sysvinit, it is done in the 2nd initscript being run. I would expect that it's also happening really early with systemd too.

As I said on the other bug report, please bring this upstream if you want
this to change.
I'd like to know why, early at boot, this behavior is needed at all,
where it could be handled /without/ races.

The commit message says:

    libselinux: Mount procfs before checking /proc/filesystems

    In the case where the SELinux security module is not loaded in the
    kernel and it's early enough in the boot process that /proc has not yet
    been mounted, selinuxfs_exists() will incorrectly return 1, and
    selinux_init_load_policy() will print a message like this to the
    console:

        Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory

    To fix this, mount the procfs before attempting to open
    /proc/filesystems, and unmount it when done if it was initially not
    mounted.  This is the same thing that selinux_init_load_policy() does
    when reading /proc/cmdline.

If you think you know a better way, please provide a patch to upstream.

I'll not carry a patch in Debian and make libselinux behave differently than on 99% of the other distributions.

For me this represents a regression in *all* binaries linked with
libselinux where selinux is disabled.
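
The failure mode described in the quoted commit message, as an added example that is not part of this thread or of libselinux: a check of a /proc/filesystems-format file that reports an unreadable file as "unknown" instead of folding it into "present". The names fs_listed, fs_state and write_sample and the sample file contents are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Tri-state result: a caller must not treat "unknown" as "present". */
enum fs_state { FS_UNKNOWN = -1, FS_ABSENT = 0, FS_PRESENT = 1 };

/* Look for filesystem `name` in a file in /proc/filesystems format, where
 * each line is "<flag>\t<fsname>\n" and flag is "nodev" or empty.
 * `path` is a parameter so the check can run without a mounted /proc. */
enum fs_state fs_listed(const char *path, const char *name)
{
    char line[256];
    enum fs_state state = FS_ABSENT;
    FILE *fp = fopen(path, "r");

    if (!fp)
        return FS_UNKNOWN;              /* e.g. /proc is not mounted yet */
    while (fgets(line, sizeof line, fp)) {
        char *tab = strchr(line, '\t');
        char *fs = tab ? tab + 1 : line;
        fs[strcspn(fs, "\n")] = '\0';   /* strip the trailing newline */
        if (strcmp(fs, name) == 0) {    /* exact match, not a substring */
            state = FS_PRESENT;
            break;
        }
    }
    fclose(fp);
    return state;
}

/* Write a constructed sample file (hypothetical helper for the demo). */
int write_sample(const char *path, const char *text)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs(text, fp);
    return fclose(fp);
}

int main(void)
{
    const char *p = "sample_filesystems";  /* constructed, not the real /proc */
    write_sample(p, "nodev\tsysfs\nnodev\tselinuxfs\n\text4\n");
    printf("listed: %d\n", fs_listed(p, "selinuxfs"));
    remove(p);
    printf("file missing: %d\n", fs_listed(p, "selinuxfs"));
    return 0;
}
```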
