On 09/20/2015 10:25 PM, Matthew Cengia wrote:
> NOTE: I originally sent this to LKML
> (https://lkml.org/lkml/2015/9/17/888), but was directed here.
>
> Hi all,
>
> Please CC me directly when responding, as I'm not subscribed to the
> mailing list.
>
>
> Summary
> -------
> I deploy diskless Debian kiosks in prisons, for use by inmates.
> As part of the Debian 7 to 8 upgrade, I want to enable SELinux.
> My initrd uses overlayfs to combine a ro squashfs and a rw tmpfs.
>
> When I add SELinux into the mix, I get a lot of EOPNOTSUPP.
>
>
> Long and boring history
> -----------------------
> I was happy with Debian 7 / Linux 3.16 / sysvinit / aufs.
> Then, new hardware arrived, which needed a newer Xorg.
> So I had to switch to Debian 8 / Linux 3.16.
> Debian 8 defaults to systemd, so I went with that.
>
> I used to put $XDG_RUNTIME_DIR under a /tmp mounted -onoexec.
> Systemd v215 is hard-coded to mount $XDG_RUNTIME_DIR as a dedicated tmpfs,
> and provides no way to mount/remount it with -onoexec.
>
> src/login/logind-user.c:336:user_mkdir_runtime_path()
>
> When I complained about this, regulars on #systemd on Freenode said:
>
>     Just use SELinux, already!
>     -o noexec might break something, and it won't stop interpreters.
>
> ...which was mostly reasonable.
> So adopting SELinux was reprioritized from "some day" to "right now!"
>
> aufs doesn't support SELinux, so I had to switch to overlayfs.
> So now my target is Debian 8 / Linux 4.1 / systemd / overlayfs / SELinux.
>
>
> Current problem
> ---------------
> When I built & booted that combination, hostnames didn't resolve.
>
> The initrd uses klibc ipconfig as a DHCP client,
> then tries to create /etc/resolv.conf in the rootfs.
> (This happens before switch_root.)
>
> When SELinux is enabled, resolv.conf can't be opened for writing.
> The attached strace (output.txt) shows open(2) gets EOPNOTSUPP.
>
>
> Tests completed
> ---------------
> This problem *ONLY* occurs in the initrd,
> which is *BEFORE* the SELinux policy loads.
> I'm not sure if this is relevant.

Yes, I believe it is.  Most likely culprit is:

security/selinux/hooks.c, lines 2890-2905:

static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
                                  const void *value, size_t size, int flags)
{
        struct inode *inode = dentry->d_inode;
        struct inode_security_struct *isec = inode->i_security;
        struct superblock_security_struct *sbsec;
        struct common_audit_data ad;
        u32 newsid, sid = current_sid();
        int rc = 0;

        if (strcmp(name, XATTR_NAME_SELINUX))
                return selinux_inode_setotherxattr(dentry, name);

        sbsec = inode->i_sb->s_security;
        if (!(sbsec->flags & SBLABEL_MNT))
                return -EOPNOTSUPP;
                       ^^^^^^^^^^^^

That's to prevent setting SELinux attributes on a filesystem that does not
support labeling due to use of a context= mount or policy genfscon rules to
override any xattrs on the filesystem.  Maybe that should be exempted if no
policy is loaded (!ss_initialized).

At this point, I have to ask: which is easier, patching systemd to do what
you want, loading policy earlier (in general, the earlier you load SELinux
policy, the better), or patching the kernel.

> This problem *DOES NOT* occur if the file/directory being written to
> already exists in the read/write portion of the overlay mount before the
> overlayfs is mounted. I've attached a script to demonstrate this.
>
> Booting the kernel with permissive=1 *DOES NOT* prevent the problem.
>
>
> Test script
> -----------
> Attached is a script called 'bootstrap'.
> When run on a Debian Jessie system with debootstrap, squashfs-tools, and kvm installed,
> and selinux installed and enabled (even if it's in permissive mode),
> 'bootstrap' will:
>
> * Mount a tmpfs without -o nodev at /tmp/bootstrap/live, to build in;
> * Build an SOE in /tmp/bootstrap/live/;
> * Create a squashfs of the built system;
> * Leave the squashfs, kernel, and initrd in /tmp/bootstrap/live/boot/; and
> * Start up a VM using KVM to demonstrate the behaviour.
>
> The script that the initrd runs does several things, all of which are
> detailed within the script, and in output.txt; look for lines
> containing '-->'.
>
> output.txt contains a full KVM run of the system exhibiting the problem,
> in which I've also run an 'strace touch' to demonstrate the failing
> syscall.
>
>
> Help?
> -----
> How can I set about debugging this problem further?
> Has anybody dealt with this before?
> How can I solve (or workaround) this problem?
>
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
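The hook quoted in the reply keys on two things: SBLABEL_MNT on the superblock (the kernel reports it as the seclabel option in /proc/self/mounts) and, for the suggested exemption, whether a policy is loaded yet. The following POSIX sh diagnostic is an added example, not the thread's 'bootstrap' script, for checking both from an initrd shell; the mount table is constructed, and the "kernel" context test is the one libselinux's is_selinux_enabled() uses.

```shell
#!/bin/sh
# Added diagnostic: reports whether a mount carries SBLABEL_MNT (shown as the
# "seclabel" option) and whether a policy is loaded (before policy load every
# task's context reads "kernel").

# Constructed sample of /proc/self/mounts, modelled on the initrd layout in
# the thread (overlay root over squashfs + tmpfs); not real output.
SAMPLE_MOUNTS='/dev/loop0 /lower squashfs ro,relatime 0 0
tmpfs /upper tmpfs rw,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/lower,upperdir=/upper/rw,workdir=/upper/work 0 0
tmpfs /run tmpfs rw,nosuid,nodev,seclabel,mode=755 0 0'

# mount_label_state MOUNTPOINT [TABLE]
# Prints "labeled" if the mount carries seclabel (the SBLABEL_MNT check in
# selinux_inode_setxattr passes), "unlabeled" if it does not (the hook
# returns EOPNOTSUPP), or "notmounted". TABLE defaults to the live table.
mount_label_state() {
    table=${2:-"$(cat /proc/self/mounts)"}
    state=notmounted
    while read -r _dev mp _fstype opts _rest; do
        [ "$mp" = "$1" ] || continue
        case ",$opts," in
            *,seclabel,*) state=labeled ;;
            *)            state=unlabeled ;;
        esac
        break
    done <<EOF
$table
EOF
    echo "$state"
}

# policy_state [CONTEXT]
# Prints "loaded" or "unloaded"; CONTEXT defaults to /proc/self/attr/current.
policy_state() {
    ctx=${1:-"$(cat /proc/self/attr/current 2>/dev/null)"}
    case "$ctx" in
        kernel|'') echo unloaded ;;
        *)         echo loaded ;;
    esac
}

# Usage inside the initrd shell: sh check_seclabel.sh /   (root of the overlay)
if [ -n "$1" ]; then
    echo "policy: $(policy_state); mount $1: $(mount_label_state "$1")"
fi
```

A mount reported as "unlabeled" while policy is "unloaded" is exactly the state in which the quoted check fires for any security.selinux write, independent of permissive mode.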