On Sun, 7 Sep 2008 11:27:48 +0200 (CEST), Santiago Vila <[EMAIL PROTECTED]>
said:
> On Sat, 6 Sep 2008, Manoj Srivastava wrote:
>> reassign 498010 base-files thanks
>>
>> Hi,
>>
>> policycoreutils already installs the /selinux directory. This
>> report is not about that -- since policycoreutils is not, and
>> should not be, essential, people who do not install policycoreutils
>> see an error message from init about not being able to mount
>> selnuxfs.
>>
>> policycoreutils cant help that when it is not installed.
>>
>> base-files folks need to determine if that dir should indeed live
>> on all machines (I see no harm in that), or not, and deal with this
>> bug accordingly.
> Simple question: It is useful or desirable to mount the selinux fs
> on /selinux when policycoreutils is not installed?
Yes and no. The amount of utility is an issue, however. The
utility essentially cones from avoiding an unnecessary but harmless
diagnostic message from init, and perhaps other daemons. It is not
useful in the sense that it improves security, or that it makes a
functional difference.
For example, this is what lead up to this: this is detailed
account of the activity in /sbin/init during bootup (whether or
not SELinux is deployed):
,----
| 0. Init looks at env var SELINUX_INIT, and if that is zero, skips the
| rest of the steps below.
| 1. init tries to load security policy.
| 2. First, selinux configuration (from /etc/selinux/config) is re-read.
| 3. We check to see if we are in enforcing mode in the config file
| 4. mount the /proc file system
| 5. look at /proc/cmdline, parse it to see if have an enforcing=
| overrides.
| 6. umount /proc is we mounted it
| 7. determine desired mode (enforcing or not based on above)
| 8. try to mount selinuxfs on /selinux (tests whether kernel knows of
| selinux
| a. If ENODEV, selinux is disabled in kernel
| b. ERROR: We do not know if selinux is enabled or not, but this is an
| error.
| 9. if selinux is disabled in the config,
| a. disable security
| b. unmount selinuxfs
| c go to end
| 10. Change kernel enforcing status to match
| 11. load security policy
`----
The problem is step 8, since the only way to know whether the
kernel knows about selinux is to try to mount selinuxfs
_somewhere_. The somewhere happens to be /selinux.
init shows this, as well as a few other daemons (I think sshd
is another one). So just hainv /selinux helps avoid a warning from
init and sshd, and perhaps other daemons.
> If yes, I could agree to add /selinux to base-files.
I feel that addding the directory does no harm, but I do not
personally think it is enough benefir to ask for a freeze exception
for an essential package. But I am not a RM, so my opinion has
limited value.
> If not, then this would be just an aesthetic issue (that we might
> want to fix for lenny, anyway). The package trying to mount selinux
> fs on /selinux (initscripts it seems) should do so only if /selinux
> exists, so that no error message is shown and the user is not
> alarmed if /selinux does not exist.
Hmm. This is somewhat tricky. The code is asking if selinux is
known to the kernel, and the next question is whether it is in strict
or enforcing mode. Unless we try to mount selinuxfs, we cannot really
answer the question correctly. I do not like not answering the
question correctly just because the directory is missing.
Of course, we can create the directory on demand -- but I do
not like libraries creating top level directories on their own.
I would also not want to deviate to much from upstream
behaviour in libselinux unless it is for a darned good reason; and
a diagnostic for a missing /selinux on a machine with selinux support
(default kernels have it, all the major relevant packages have it, so
we kinda support selinux) is not a good enough reason, I think.
My preference would be to let the error message remain for now,
but post lenny we should introduce the empty mount point directory in
an essential package.
manoj
--
"Neurotic: Self-taut person." Author Unknown
Manoj Srivastava <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
