Re: [PATCH v2] libselinux: Mount procfs before checking /proc/filesystems

On 13/05/16 at 17:19, Stephen Smalley wrote:
> On 05/13/2016 10:07 AM, Laurent Bigonville wrote:
>> Hey,
>>
>> On 16/04/15 at 13:54, Stephen Smalley wrote:
>>> On 04/15/2015 04:56 PM, Ben Shelton wrote:
>>>> In the case where the SELinux security module is not loaded in the
>>>> kernel and it's early enough in the boot process that /proc has not yet
>>>> been mounted, selinuxfs_exists() will incorrectly return 1, and
>>>> selinux_init_load_policy() will print a message like this to the
>>>> console:
>>>>
>>>> Mount failed for selinuxfs on /sys/fs/selinux:  No such file or
>>>> directory
>>>>
>>>> To fix this, mount the procfs before attempting to open
>>>> /proc/filesystems, and unmount it when done if it was initially not
>>>> mounted.  This is the same thing that selinux_init_load_policy() does
>>>> when reading /proc/cmdline.
>>>>
>>>> Signed-off-by: Ben Shelton <ben.shelton@xxxxxx>
>>> Thanks, applied.
>> In Debian, I have a user complaining about the fact that libselinux is
>> mounting /proc by itself and that it might be racy.
>>
>> What do you think?
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823184
> Do you have this one?
>
> commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
> Author: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Date:   Mon Feb 29 10:10:55 2016 -0500
>
>      libselinux: only mount /proc if necessary
>
>      Commit 9df498884665d ("libselinux: Mount procfs before checking
>      /proc/filesystems") changed selinuxfs_exists() to always try
>      mounting /proc before reading /proc/filesystems.  However, this is
>      unnecessary if /proc is already mounted and can produce avc denials
>      if the process is not allowed to perform the mount.  Check first
>      to see if /proc is already present and only try the mount if it is not.
>
>      Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

Yes, the package in Debian includes this patch.

> Alternatively, I could see fixing this in selinux_init_load_policy()
> [just retain the /proc mount across the selinuxfs_exists call] and
> dropping the mount/umount entirely from selinuxfs_exists.

Might be better, as this would not impact all the binaries linking against libselinux.
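The check discussed in this thread (look at /proc/filesystems for selinuxfs, mount /proc only if it is not already there, and unmount it again only if this code mounted it) as an added, self-contained C example. This is illustration written for this page, not libselinux's own selinuxfs_exists(); the function names selinuxfs_listed, proc_is_mounted and selinuxfs_exists_checked, the use of stat("/proc/self") as the "is /proc mounted" probe, and the sample_filesystems buffer are all assumptions constructed here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/mount.h>
#endif

/* Constructed sample of /proc/filesystems content, used only to exercise the
 * parser below; the real file lists one filesystem per line as "[nodev]\t<name>". */
static const char sample_filesystems[] =
    "nodev\tsysfs\n"
    "nodev\tproc\n"
    "\text4\n"
    "nodev\tselinuxfs\n";

/* Return 1 if a buffer in /proc/filesystems format lists exactly "selinuxfs". */
int selinuxfs_listed(const char *buf)
{
    static const char want[] = "selinuxfs";
    const char *line = buf;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        /* The filesystem name follows the tab; the "nodev" column is optional. */
        const char *tab = memchr(line, '\t', len);
        const char *name = tab ? tab + 1 : line;
        size_t namelen = len - (size_t)(name - line);

        if (namelen == sizeof(want) - 1 && memcmp(name, want, namelen) == 0)
            return 1;
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Return 1 if procfs is already mounted at /proc (assumption: /proc/self only
 * exists once the kernel is serving that directory). */
int proc_is_mounted(void)
{
    struct stat st;
    return stat("/proc/self", &st) == 0;
}

/* Check whether the kernel registers selinuxfs.  Mount /proc only when it is
 * absent, so an already-mounted /proc costs no mount() call (and no AVC
 * denial), and unmount it again only if this function mounted it.
 * Returns 1 if selinuxfs is listed, 0 if not, -1 on error (errno set). */
int selinuxfs_exists_checked(void)
{
    int mounted_here = 0;
    char buf[8192];
    size_t n;
    FILE *fp;
    int ret = -1;

    if (!proc_is_mounted()) {
#ifdef __linux__
        if (mount("proc", "/proc", "proc", 0, NULL) != 0)
            return -1;          /* e.g. EPERM when policy denies the mount */
        mounted_here = 1;
#else
        errno = ENOSYS;         /* mount() semantics are Linux-specific here */
        return -1;
#endif
    }

    fp = fopen("/proc/filesystems", "r");
    if (fp) {
        n = fread(buf, 1, sizeof(buf) - 1, fp);
        buf[n] = '\0';
        fclose(fp);
        ret = selinuxfs_listed(buf);
    }

#ifdef __linux__
    if (mounted_here)
        umount("/proc");        /* restore the state we found */
#endif
    return ret;
}

int main(void)
{
    printf("constructed sample lists selinuxfs: %d\n",
           selinuxfs_listed(sample_filesystems));
    printf("this kernel lists selinuxfs: %d\n", selinuxfs_exists_checked());
    return 0;
}
```

Run as an unprivileged user on a system where /proc is already mounted, the mount() branch is never reached, which is exactly the point of the "only mount /proc if necessary" commit quoted above: a library routine that is linked into arbitrary binaries should not attempt privileged operations it does not need.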
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.