On Di, 20.03.18 04:26, John Reiser (jreiser at bitwagon.com) wrote:

> Hi,
>
> If systemd is running as the init process on a system that uses selinux,
> then mysterious bad things are likely to happen if the selinux context
> is not init_t. For instance:
> https://bugzilla.redhat.com/show_bug.cgi?id=1520580#c13
>
> So, I'd like to see systemd diagnose this situation. Please comment,
> and give a hint about where and how to implement such an enhancement.

When initializing, systemd uses the label to figure out whether selinux
still needs initialization. See:

https://github.com/systemd/systemd/blob/master/src/core/selinux-setup.c#L67

Hence, if we see the label isn't "kernel", then we won't do any further
initialization, under the assumption it already has been done.

Any debugging code would have to be added to a similar location actually.

It would actually be great if the selinux libraries would return proper
errors. Currently, we can't generate much useful output since we have no
idea what selinux failed on, as its APIs generally just return "-1" on
failure and "0" on success without any further hint what went wrong...
Actually, for a professional project that's kinda poor error handling in
general...

(That said, maybe they actually do report proper errors these days, but
if they do then that fact is still pretty much undocumented, which means
we still can't rely on using errno or such...)

Lennart

--
Lennart Poettering, Red Hat
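As an added example (not systemd's code and not from the thread), this C snippet reproduces the decision Lennart describes and the PID 1 diagnostic John Reiser asks for: only the bare initial SID "kernel" means SELinux is not yet set up, the type is extracted from a full context, and an already-labeled init process whose type is not init_t is flagged. It reads the label from /proc/self/attr/current instead of libselinux so it builds without the library; the label strings used for checking are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Initial SID the kernel assigns before a policy is loaded; systemd treats
 * any other label as "SELinux already initialized" (selinux-setup.c). */
#define SELINUX_KERNEL_LABEL "kernel"
#define SELINUX_INIT_TYPE    "init_t"   /* type an SELinux-aware init should run as */

/* Copy the type field (third ':'-separated field) of a context such as
 * "system_u:system_r:init_t:s0" into out. Returns 0, or -EINVAL when the
 * label is not a full context (e.g. the bare initial SID "kernel"). */
int selinux_label_type(const char *label, char *out, size_t outlen) {
    const char *p = label;
    for (int i = 0; i < 2; i++) {                /* skip user and role */
        p = strchr(p, ':');
        if (!p) return -EINVAL;
        p++;
    }
    const char *end = strchr(p, ':');            /* type ends at ':' or EOS */
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen) return -EINVAL;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Only the bare "kernel" label means systemd must still set up SELinux. */
int selinux_needs_setup(const char *label) {
    return strcmp(label, SELINUX_KERNEL_LABEL) == 0;
}

/* Diagnostic from the thread: 1 if a labeled init runs as a type other than init_t. */
int selinux_init_context_suspicious(const char *label) {
    char type[64];
    if (selinux_needs_setup(label)) return 0;              /* unlabeled */
    if (selinux_label_type(label, type, sizeof type) < 0) return 0;
    return strcmp(type, SELINUX_INIT_TYPE) != 0;
}

/* Read this process's own label from procfs (no libselinux needed).
 * Returns the label length, or -errno if SELinux is absent or disabled. */
int selinux_read_own_label(char *buf, size_t buflen) {
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -errno;
    size_t n = fread(buf, 1, buflen - 1, f);     /* kernel may append a NUL */
    fclose(f);
    buf[n] = '\0';
    return (int)strlen(buf);
}
```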