[systemd-devel] This patch adds SELinux support to systemd for socket creation.

Harald Hoyer harald at redhat.com
Fri Jul 23 04:49:18 PDT 2010


On 07/23/2010 01:39 PM, Kay Sievers wrote:
> On Fri, Jul 23, 2010 at 13:21, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>> On 07/23/2010 06:56 AM, Kay Sievers wrote:
>>> On Fri, Jul 23, 2010 at 12:30, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>>>> I thought I saw avc's caused because systemd creating some devices with
>>>> the wrong labels?  I searched for mknod but found no calls.  Does
>>>> systemd create any nodes?
>>>
>>> It should not create any nodes. Systemd depends on the
>>> kernel-maintained devtmpfs for all device nodes.
>>>
>>> Udev runs on top of devtmpfs and adjusts permissions/selinux context
>>> in the background. Could there be a timing problem, that some nodes
>>> which the kernel has created get accessed, but don't have the proper
>>> context in the moment udev is still iterating over them?
>>>
>> Probably.  It could be devices created in initrd are being accessed
>> before udev relabels.
>>
>> I think we need a restorecon -Rv /dev in dracut before /bin/init is
>> executed.  I tried to put this into
>> /usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh
>>
>> but as I remember it told me that /dev was read/only at the time.
>
> Hmm, initramfs mounts /dev, which is the kernel's devtmpfs. Before
> init/systemd is started the same /dev from initramfs is moved to the
> rootfs' /dev. The initial /dev inside the initramfs is the kernel's
> ramfs root, which should also be writable. So /dev should always be
> writable.
>
> Kay

selinux-loadpolicy.sh should look like this:

http://dracut.git.sourceforge.net/git/gitweb.cgi?p=dracut/dracut;a=blob;f=modules.d/98selinux/selinux-loadpolicy.sh

....
mount --bind /dev "$NEWROOT/dev"
chroot "$NEWROOT" /sbin/restorecon -R /dev
....

maybe you forgot to bind mount before restorecon...
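As an added illustration (not code from the dracut module or from this thread), the two-line snippet above can be wrapped in a small pre-pivot hook function that makes the failure Daniel hit visible instead of silent: it bind-mounts the kernel's devtmpfs into the new root, probes that the result is actually writable, and only then runs restorecon inside the chroot. The function name, the command-name variables (MOUNT, UMOUNT, CHROOT, RESTORECON) and the probe file name are assumptions introduced here; NEWROOT is dracut's own variable from the snippet.

```shell
# Added example; not part of dracut or of the original mail.
# Command names are overridable so the control flow can be exercised on a
# machine without SELinux or root (assumption: the real hook would keep the
# defaults).
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}
CHROOT=${CHROOT:-chroot}
RESTORECON=${RESTORECON:-/sbin/restorecon}

# relabel_dev NEWROOT
# 1. bind-mount the live /dev (kernel devtmpfs) to NEWROOT/dev
# 2. verify NEWROOT/dev is writable (a read-only /dev is the symptom of a
#    missing bind mount, so report it explicitly rather than letting
#    restorecon fail obscurely)
# 3. run restorecon -R /dev inside the chroot so device nodes carry the
#    right context before /bin/init (systemd) is exec'ed
# Returns 0 on success, 1 on a precondition failure, otherwise the exit
# status of restorecon.
relabel_dev() {
    newroot=$1
    [ -n "$newroot" ] || { echo "relabel_dev: NEWROOT not set" >&2; return 1; }
    [ -d "$newroot/dev" ] || { echo "relabel_dev: $newroot/dev is missing" >&2; return 1; }

    "$MOUNT" --bind /dev "$newroot/dev" || return 1

    # Writability probe: touch a hypothetical marker file and remove it again.
    if ! touch "$newroot/dev/.relabel_probe" 2>/dev/null; then
        echo "relabel_dev: $newroot/dev is not writable; bind mount missing?" >&2
        "$UMOUNT" "$newroot/dev"
        return 1
    fi
    rm -f "$newroot/dev/.relabel_probe"

    "$CHROOT" "$newroot" "$RESTORECON" -R /dev
    rc=$?
    [ "$rc" -eq 0 ] || echo "relabel_dev: restorecon exited with status $rc" >&2
    return "$rc"
}
```

In the real initramfs this would be called as `relabel_dev "$NEWROOT"` from the selinux module after the policy is loaded, so that the relabel happens on the same devtmpfs instance that is later moved to the root filesystem's /dev.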

