Topi Miettinen <toiwoton@xxxxxxxxx> writes:

> Mount selinuxfs with mount flags nodev,noexec and nosuid. It's not
> likely that this has any effect, but it's visually more pleasing.

will nodev interfere with this?

File: /sys/fs/selinux/null
Size: 0 Blocks: 0 IO Block: 4096 character special file
Device: 15h/21d Inode: 23 Links: 1 Device type: 1,3
Access: (0666/crw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
Context: sys.id:sys.role:null.isid:s0
Access: 2020-03-28 13:04:05.578999988 +0100
Modify: 2020-03-28 13:04:05.578999988 +0100
Change: 2020-03-28 13:04:05.578999988 +0100
Birth: -

/sys/fs/selinux/null: character special (1/3)

>
> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> --- > libselinux/src/load_policy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c > index fa1a3bf1..3e4020a9 100644 > --- a/libselinux/src/load_policy.c > +++ b/libselinux/src/load_policy.c > @@ -279,7 +279,7 @@ int selinux_init_load_policy(int *enforce) > const char *mntpoint = NULL; > /* First make sure /sys is mounted */ > if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) { > - if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 > || errno == EBUSY) { > + if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NODEV | > MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) { > mntpoint = SELINUXMNT; > } else { > /* check old mountpoint */

--
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
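
Review bot: MS_NODEV in the new mount(SELINUXFS, SELINUXMNT, SELINUXFS, ...) call conflicts with the filesystem's own contents and should be dropped or justified. The stat output in the reply shows /sys/fs/selinux/null is a character special file (device type 1,3) living on this mount, and a nodev mount refuses opens of device nodes on it, so anything that opens that node through the mount point would start failing. Suggest keeping only MS_NOEXEC | MS_NOSUID here, or stating in the commit message that opening /sys/fs/selinux/null was tested with all three flags, in place of "not likely that this has any effect". Note also that the "|| errno == EBUSY" branch accepts an already mounted selinuxfs as it is, so the new flags take effect only when this call performs the mount; if the hardening is meant to hold in both cases, that path needs a flags check or a remount.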