diff options
author | Nicolas Iooss <fishilico@users.noreply.github.com> | 2017-07-31 17:45:33 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-07-31 17:45:33 +0200 |
commit | 3a0bf6d6aa08a267aefd5d5620fb6bee2556affb (patch) | |
tree | b237dd4b1f837ac5972bdb8d7b6077969ecdd535 | |
parent | b305bd3aab0446095bf28ffc28b3d908a7ace6b9 (diff) | |
download | systemd-3a0bf6d6aa08a267aefd5d5620fb6bee2556affb.tar.gz |
namespace: keep selinuxfs mounted read-write with ProtectKernelTunables (#5741)
When a service unit uses "ProtectKernelTunables=yes", it currently
remounts /sys/fs/selinux read-only. This makes libselinux report SELinux
state as "disabled", because most SELinux features are not usable. For
example it is not possible to validate security contexts (with
security_check_context_raw() or /sys/fs/selinux/context). This behavior
of libselinux has been described in
http://danwalsh.livejournal.com/73099.html and confirmed in a recent
email, https://marc.info/?l=selinux&m=149220233032594&w=2 .
Since commit 0c28d51ac849 ("units: further lock down our long-running
services"), systemd-localed unit uses ProtectKernelTunables=yes.
Nevertheless this service needs to use libselinux API in order to create
/etc/vconsole.conf, /etc/locale.conf... with the right SELinux contexts.
This is broken when /sys/fs/selinux is mounted read-only in the mount
namespace of the service.
Make SELinux-aware systemd services work again when they are using
ProtectKernelTunables=yes by keeping selinuxfs mounted read-write.
-rw-r--r-- | src/core/namespace.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c index 05175e9552..3eb171c702 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -100,6 +100,7 @@ static const MountEntry protect_kernel_tunables_table[] = { { "/sys/kernel/debug", READONLY, true }, { "/sys/kernel/tracing", READONLY, true }, { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */ + { "/sys/fs/selinux", READWRITE, true }, }; /* ProtectKernelModules= option */ |