namespace: keep selinuxfs mounted read-write with ProtectKernelTunables (#5741)

When a service unit uses "ProtectKernelTunables=yes", it currently remounts /sys/fs/selinux read-only. This makes libselinux report SELinux state as "disabled", because most SELinux features are not usable. For example it is not possible to validate security contexts (with security_check_context_raw() or /sys/fs/selinux/context). This behavior of libselinux has been described in http://danwalsh.livejournal.com/73099.html and confirmed in a recent email, https://marc.info/?l=selinux&m=149220233032594&w=2 . Since commit 0c28d51ac8 ("units: further lock down our long-running services"), systemd-localed unit uses ProtectKernelTunables=yes. Nevertheless this service needs to use libselinux API in order to create /etc/vconsole.conf, /etc/locale.conf... with the right SELinux contexts. This is broken when /sys/fs/selinux is mounted read-only in the mount namespace of the service. Make SELinux-aware systemd services work again when they are using ProtectKernelTunables=yes by keeping selinuxfs mounted read-write.
2017-07-31 17:45:33 +02:00 · 2017-07-31 17:45:33 +02:00 · 3a0bf6d6aa
parent b305bd3aab
commit 3a0bf6d6aa
1 changed files with 1 additions and 0 deletions
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -100,6 +100,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
        { "/sys/kernel/debug",   READONLY,     true  },
        { "/sys/kernel/tracing", READONLY,     true  },
        { "/sys/fs/cgroup",      READWRITE,    false }, /* READONLY is set by ProtectControlGroups= option */
+        { "/sys/fs/selinux",     READWRITE,    true  },
 };

 /* ProtectKernelModules= option */