Bug 767355

| Field | Value |
|---|---|
| Summary | SELinux needs labels assigned to /sys, we need systemd to lay these labels down on boot. |
| Product | Fedora |
| Component | systemd |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | systemd-maint |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| CC | johannbg, lpoetter, metherid, mschmidt, notting, pablomg+fedora, plautrba, systemd-maint |
| Keywords | Reopened |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | systemd-37-11.fc16 |
| Doc Type | Bug Fix |
| Last Closed | 2012-01-30 20:59:41 UTC |
Oh, on large boxes /sys can be really huge, and simply by traversing the filesystem, we instantiate sysfs entries. If possible we should limit that. Any chance to apply that only to certain directories? What kind of files do we need to relabel?

Lennart pointed out that this would be better done with /etc/tmpfiles.d/ and I agree. I will add any directories that I need to have labels applied to /etc/tmpfiles.d/selinux-policy.conf. Currently only 2.

Great! Sounds good. After the needed directive was added to tmpfiles, please use /usr/lib/tmpfiles.d/. We try to reserve /etc for the local administration only, not for packages. Local admins can over-rule the files in lib with files in etc.

Yes, I knew that, but needed a reminder.

Turns out it is not as easy as we thought. While I still agree /usr/lib/tmpfiles.d is needed, we need a modification of systemd-tmpfiles to handle labeling of /sys. First problem is that it gets an error when it tries to write /sys/devices/system/cpu/online and does not fix the label. Secondly we really need it to recursively relabel a directory.

```
grep ^/sys /etc/selinux/targeted/contexts/files/file_contexts
/sys(/.*)?                        system_u:object_r:sysfs_t:s0
/sys/fs/cgroup/.*                 <<none>>
/sys/class/net/ib.*               system_u:object_r:sysctl_net_t:s0
/sys/fs/cgroup           -d       system_u:object_r:cgroup_t:s0
/sys/devices/system/cpu/online    system_u:object_r:cpu_online_t:s0
```

So we would like to label /sys/class/net/ib.* and /sys/devices/system/cpu/online iff they exist, otherwise exit out quietly. /sys and /sys/fs/cgroup will get labeled correctly by the kernel.

I would like to see a Z option within the tmpfiles.d conf file that would set the security attributes of a file to match the specification in the conf and the SELinux labels.

```
Z /sys/devices/system/cpu/online 0444 root root
```

Z btw is the option that we use for looking at SELinux labels: ps -Z, ls -Z, ...
The 'Z' action is now implemented in tmpfiles.d upstream: http://cgit.freedesktop.org/systemd/commit/?id=a8d8878329893d19106053e5008f0075f149aa16

(In reply to comment #4)
> Z /sys/devices/system/cpu/online 0444 root root

Well, with the way 'Z' is currently implemented, the "0444 root root" part is ignored. It only sets the security contexts. I can make it set mode/owner/group too, but is it necessary?

I can imagine an administrator wanting it. For /sys, I believe those calls could either be ignored or denied. For my use case, what you have now is fine. When would this show up in Rawhide? Or can I get a scratch build?

I've changed it to apply the ownership and mode too. If you want to modify them, you can say:

```
Z /sys/devices/system/cpu/online - - -
```

or just:

```
Z /sys/devices/system/cpu/online
```

http://cgit.freedesktop.org/systemd/commit/?id=062e01bbdbc3201e4c99bc0b702cb04a0ae2190c

And I added a non-recursive variant, 'z': http://cgit.freedesktop.org/systemd/commit/?id=777b87e702197ad1f2d0f2a3aea5271d18062c5c

Globs are accepted as paths in both 'z' and 'Z'.

As for when this reaches Rawhide... I'd like Lennart to make a new upstream release soon. It's been a long time since the last one.

(In reply to comment #9)
> I've changed it to apply the ownership and mode too. If you want to modify
> them, you can say:
> Z /sys/devices/system/cpu/online - - -

Should have said "if you _don't_ want to modify them".

Michal, I think you have a bug in your code when handling the labeling of symbolic links. strace shows:

```
lstat("/sys/class/net/wlan0", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
setxattr("/sys/class/net/wlan0", "security.selinux", "system_u:object_r:sysfs_t:s0", 29, 0) = 0
```

It should be using lsetxattr.

Created attachment 548688 [details]
Patch to fix labeling of symbolic links.

This is a problem in systemd itself. Should use lsetfilecon.
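The 'z'/'Z' behaviour worked out in the comments above (globs as paths, '-' placeholders that keep mode and ownership, quiet skipping of paths that do not exist, recursive 'Z' versus non-recursive 'z', and inspecting objects with lstat so a symlink is labeled itself rather than its target) can be modelled end to end. The following is an added Python example, not systemd's own code and not the attached patch. FILE_CONTEXTS and TMPFILES_CONF are constructed from the lines quoted in the bug, the directory tree is a stand-in built in a temporary directory, and the label-selection rule (longest literal prefix wins, later entry breaks ties) is a simplification of libselinux's ordering, not a faithful copy of it.

```python
"""Model of the tmpfiles.d 'z'/'Z' relabel actions discussed in this bug (added
example, not systemd's code). Labels are chosen by a simplified rule: longest
literal prefix wins, later entry breaks ties. Nothing here follows symlinks."""
import glob
import os
import re
import stat
import tempfile

# Constructed file_contexts excerpt (same entries as the bug's grep output).
FILE_CONTEXTS = """\
/sys(/.*)?                        system_u:object_r:sysfs_t:s0
/sys/fs/cgroup/.*                 <<none>>
/sys/class/net/ib.*               system_u:object_r:sysctl_net_t:s0
/sys/fs/cgroup           -d       system_u:object_r:cgroup_t:s0
/sys/devices/system/cpu/online    system_u:object_r:cpu_online_t:s0
"""
# Constructed tmpfiles.d fragment: 'Z' recurses, 'z' does not, '-' keeps
# mode/owner/group, and a path that does not exist is skipped quietly.
TMPFILES_CONF = """\
Z /sys/devices/system/cpu/online - - -
z /sys/class/net/ib*
z /sys/class/net/wlan0
Z /sys/fs/cgroup 0755 root root
Z /sys/does/not/exist
"""
_META = re.compile(r'[.^$*+?()\[\]{}|\\]')
_TYPE_TESTS = {'-d': stat.S_ISDIR, '-l': stat.S_ISLNK, '--': stat.S_ISREG}

def parse_file_contexts(text):
    """Return [(regex, type_test_or_None, context, literal_prefix_len, index)]."""
    entries = []
    for index, line in enumerate(text.splitlines()):
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        ftype = _TYPE_TESTS[parts[1]] if len(parts) == 3 else None
        meta = _META.search(parts[0])
        prefix_len = meta.start() if meta else len(parts[0])
        entries.append((re.compile(parts[0] + r'\Z'), ftype, parts[-1], prefix_len, index))
    return entries

def lookup_context(entries, path, mode):
    """Best matching context for path, or None for '<<none>>' or no match."""
    best = None
    for regex, ftype, ctx, prefix_len, index in entries:
        if ftype is not None and not ftype(mode):
            continue
        if regex.match(path) and (best is None or (prefix_len, index) > best[0]):
            best = ((prefix_len, index), ctx)
    return None if best is None or best[1] == '<<none>>' else best[1]

def parse_tmpfiles(text):
    """Return [(action, path_glob, mode, owner, group)] for 'z'/'Z' lines only."""
    items = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ('z', 'Z'):
            continue  # comments and other tmpfiles.d types are out of scope
        fields = (parts[2:5] + ['-', '-', '-'])[:3]
        mode, owner, group = [f if f != '-' else None for f in fields]
        items.append((parts[0], parts[1], int(mode, 8) if mode else None, owner, group))
    return items

def plan_relabel(conf_text, contexts_text, root):
    """Map logical path -> (context, mode, owner, group). Uses os.lstat throughout,
    so a symlink like /sys/class/net/wlan0 is labeled itself, not its target."""
    entries = parse_file_contexts(contexts_text)
    plan = {}
    for action, pattern, mode, owner, group in parse_tmpfiles(conf_text):
        for top in sorted(glob.glob(os.path.join(root, pattern.lstrip('/')))):
            targets = [top]
            if action == 'Z' and os.path.isdir(top) and not os.path.islink(top):
                for dirpath, dirnames, filenames in os.walk(top, followlinks=False):
                    targets += [os.path.join(dirpath, n) for n in dirnames + filenames]
            for real in targets:
                logical = '/' + os.path.relpath(real, root)
                ctx = lookup_context(entries, logical, os.lstat(real).st_mode)
                if ctx is not None:
                    plan[logical] = (ctx, mode, owner, group)
    return plan

def apply_plan(plan, root):
    """Apply with lsetxattr semantics (follow_symlinks=False). Needs an SELinux
    kernel and privileges, so the demo below never calls it."""
    for logical, (ctx, mode, _owner, _group) in plan.items():
        real = os.path.join(root, logical.lstrip('/'))
        os.setxattr(real, 'security.selinux', ctx.encode() + b'\0', follow_symlinks=False)
        if mode is not None and not os.path.islink(real):
            os.chmod(real, mode)

def build_demo_tree(root):
    """Constructed stand-in for a few sysfs paths (not a real /sys)."""
    for d in ('sys/devices/system/cpu', 'sys/fs/cgroup/cpu', 'sys/class/net',
              'sys/devices/virtual/net/ib0', 'sys/devices/virtual/net/wlan0'):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, 'sys/devices/system/cpu/online'), 'w') as f:
        f.write('0-3\n')
    for link in ('ib0', 'wlan0'):  # sysfs exposes net devices as symlinks
        os.symlink('../../devices/virtual/net/' + link, os.path.join(root, 'sys/class/net', link))

def demo():
    """Run the planner over the constructed tree and return the plan."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return plan_relabel(TMPFILES_CONF, FILE_CONTEXTS, root)
```

Running demo() yields four planned changes: the cpu/online file gets cpu_online_t, the ib0 link gets sysctl_net_t and the wlan0 link gets sysfs_t (both looked up as links, never as their targets), and /sys/fs/cgroup gets cgroup_t plus the requested 0755 root root. Its child /sys/fs/cgroup/cpu is left out because the '<<none>>' entry wins for it, and the nonexistent path produces nothing. The 29-byte value in the strace above is the context string plus its terminating NUL, which is why apply_plan appends b'\0' before calling os.setxattr with follow_symlinks=False.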
Thanks. I applied your fix: http://cgit.freedesktop.org/systemd/commit/?id=81c3f1f6aba52ac5e95241b51083b61c7401be44

systemd-37-6.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/systemd-37-6.fc16

Package systemd-37-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing systemd-37-6.fc16'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-6.fc16 then log in and leave karma (feedback).

Package systemd-37-7.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing systemd-37-7.fc16'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-7.fc16 then log in and leave karma (feedback).

Package systemd-37-8.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing systemd-37-8.fc16'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-8.fc16 then log in and leave karma (feedback).

Package systemd-37-10.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing systemd-37-10.fc16'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-10.fc16 then log in and leave karma (feedback).

Package systemd-37-11.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing systemd-37-11.fc16'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-11.fc16 then log in and leave karma (feedback).

systemd-37-11.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 546403 [details]
This patch will make systemd fix the labels on /sys at boot.

The kernel is adding more and more files under /sys that require labeling; the only way we have for placing these labels is by running restorecon on early boot. Please apply this patch to run through /sys and add labels.