On 05/13/2016 10:07 AM, Laurent Bigonville wrote:
> Hey,
>
> On 16/04/15 at 13:54, Stephen Smalley wrote:
>> On 04/15/2015 04:56 PM, Ben Shelton wrote:
>>> In the case where the SELinux security module is not loaded in the
>>> kernel and it's early enough in the boot process that /proc has not yet
>>> been mounted, selinuxfs_exists() will incorrectly return 1, and
>>> selinux_init_load_policy() will print a message like this to the
>>> console:
>>>
>>> Mount failed for selinuxfs on /sys/fs/selinux: No such file or
>>> directory
>>>
>>> To fix this, mount the procfs before attempting to open
>>> /proc/filesystems, and unmount it when done if it was initially not
>>> mounted. This is the same thing that selinux_init_load_policy() does
>>> when reading /proc/cmdline.
>>>
>>> Signed-off-by: Ben Shelton <ben.shelton@xxxxxx>
>> Thanks, applied.
>
> In Debian, I have a user complaining about the fact that libselinux is
> mounting /proc by itself and that it might be racy.
>
> What do you think?
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823184

Do you have this one?

commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
Author: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date:   Mon Feb 29 10:10:55 2016 -0500

    libselinux: only mount /proc if necessary

    Commit 9df498884665d ("libselinux: Mount procfs before checking
    /proc/filesystems") changed selinuxfs_exists() to always try mounting
    /proc before reading /proc/filesystems. However, this is unnecessary
    if /proc is already mounted and can produce avc denials if the process
    is not allowed to perform the mount. Check first to see if /proc is
    already present and only try the mount if it is not.

    Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

Alternatively, I could see fixing this in selinux_init_load_policy() [just retain the /proc mount across the selinuxfs_exists call] and dropping the mount/umount entirely from selinuxfs_exists.
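The check the commit message describes, written out as an added example. This is not libselinux's own selinuxfs_exists(); it is illustrative code that follows the same shape: decide whether procfs is already present, mount it only if not, look for selinuxfs in /proc/filesystems, and undo any mount it made. Using /proc/self as the "is procfs mounted" probe, the mount flags, and the function names are assumptions made here, not taken from the library.

```c
/* Added example, not libselinux code: probe /proc/filesystems for selinuxfs,
 * mounting procfs only when it is not already there (the approach in the
 * quoted commit).  The /proc/self probe, flags and names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Does one /proc/filesystems line ("nodev\tNAME" or "\tNAME") name 'name'?
 * 'len' excludes the newline.  Exact token match, so "selinux" does not
 * match "selinuxfs". */
static int line_names(const char *line, size_t len, const char *name)
{
    const char *tab = memchr(line, '\t', len);
    const char *fs = tab ? tab + 1 : line;
    size_t fslen = len - (size_t)(fs - line);
    return fslen == strlen(name) && memcmp(fs, name, fslen) == 0;
}

/* Search an in-memory /proc/filesystems-style buffer.  1 if listed, else 0. */
int fs_listed(const char *buf, const char *name)
{
    const char *p = buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_names(p, len, name))
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Same search against a file.  1/0, or -1 with errno set if it cannot be
 * opened (ENOENT is what you get when procfs is not mounted). */
int fs_listed_in_file(const char *path, const char *name)
{
    char line[256];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (!found && fgets(line, sizeof line, f))
        found = line_names(line, strcspn(line, "\n"), name);
    fclose(f);
    return found;
}

/* procfs is mounted iff /proc/self resolves: the /proc directory itself
 * exists (empty) on the root filesystem before anything is mounted on it,
 * so testing /proc alone would say "present" too early. */
int proc_mounted(void)
{
    return access("/proc/self", F_OK) == 0;
}

/* Is selinuxfs a known filesystem type?  Mount procfs only if it is absent
 * and unmount it again afterwards.  Returns 1/0, or -1 (errno set) if procfs
 * could not be mounted or read. */
int selinuxfs_known(void)
{
    int mounted_here = 0, rc, saved;

    if (!proc_mounted()) {
        /* Skipping this when /proc is already present is what avoids the
         * needless mount attempt (and, under SELinux, the avc denial) the
         * commit message describes.  A caller without CAP_SYS_ADMIN gets
         * EPERM here. */
        if (mount("proc", "/proc", "proc",
                  MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0)
            return -1;
        mounted_here = 1;
    }
    rc = fs_listed_in_file("/proc/filesystems", "selinuxfs");
    saved = errno;
    if (mounted_here)
        umount("/proc");     /* restore the caller's view of the namespace */
    errno = saved;
    return rc;
}

int main(void)
{
    int rc = selinuxfs_known();
    if (rc < 0)
        perror("selinuxfs_known");
    else
        printf("selinuxfs %s\n", rc ? "present" : "absent");
    return rc < 0;
}
```

The umount at the end is the part the Debian report is uneasy about: a library mounting and then removing /proc behind the caller's back is visible to any other code in the process, and to anything that starts using /proc in between. That is why the reply also floats the alternative of keeping the mount alive in selinux_init_load_policy() for the duration of the selinuxfs check instead of mounting and unmounting inside the probe.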
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.