From 3a0bf6d6aa08a267aefd5d5620fb6bee2556affb Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Mon, 31 Jul 2017 17:45:33 +0200 Subject: [PATCH] namespace: keep selinuxfs mounted read-write with ProtectKernelTunables (#5741) When a service unit uses "ProtectKernelTunables=yes", it currently remounts /sys/fs/selinux read-only. This makes libselinux report SELinux state as "disabled", because most SELinux features are not usable. For example it is not possible to validate security contexts (with security_check_context_raw() or /sys/fs/selinux/context). This behavior of libselinux has been described in http://danwalsh.livejournal.com/73099.html and confirmed in a recent email, https://marc.info/?l=selinux&m=149220233032594&w=2 . Since commit 0c28d51ac849 ("units: further lock down our long-running services"), systemd-localed unit uses ProtectKernelTunables=yes. Nevertheless this service needs to use libselinux API in order to create /etc/vconsole.conf, /etc/locale.conf... with the right SELinux contexts. This is broken when /sys/fs/selinux is mounted read-only in the mount namespace of the service. Make SELinux-aware systemd services work again when they are using ProtectKernelTunables=yes by keeping selinuxfs mounted read-write. --- src/core/namespace.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/core/namespace.c b/src/core/namespace.c index 05175e9552..3eb171c702 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -100,6 +100,7 @@ static const MountEntry protect_kernel_tunables_table[] = { { "/sys/kernel/debug", READONLY, true }, { "/sys/kernel/tracing", READONLY, true }, { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */ + { "/sys/fs/selinux", READWRITE, true }, }; /* ProtectKernelModules= option */