libselinux mountpoint changing patch.

libselinux mountpoint changing patch.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1647 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Fedora Distribution is looking to standardize kernel subsystem file
systems to be mounted under /sys/fs. They would like us to move /selinux
to /sys/fs/selinux.  This patch changes libselinux in the following ways:

1.  load_policy will first check if /sys/fs/selinux exists and mount the
selinuxfs at this location, if it does not exists it will fall back to
mounting the file system at /selinux (if it exists).

2.  The init functions of selinux will now check if /sys/fs/selinux is
mounted, if it is and has an SELinuxfs mounted on it, the code will then
check if the selinuxfs is mounted rw, if it is, libselinux will set the
mountpoint, if it is readonly, libselinux will return no mountpoint.  If
/sys/fs/selinux does not exists, the same check will be done for
/selinux and finally for an entry in /proc/mounts.

NOTE:  We added the check for RO, to allow tools like mock to be able to
tell a chroot that SELinux is disabled while enforcing it outside the
chroot.


# getenforce
Enabled
# mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
# chroot /var/chroot
# getenforce
Disabled

3. In order to make this work, I needed to stop enabled from checking if
/proc/filesystem for entries if selinux_mnt did not exist.  Now enabeled
checks if selinux_mnt has been discovered otherwise it will report
selinux disabled.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3AFkAACgkQrlYvE4MpobNHEQCgqiU1yNXW/6hTX8VnzprqY/mY
xvIAoKVSas1YPoAjVozqOiqnDjWC3Ixq
=TZcV
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-mountpoint.patch --]
[-- Type: text/plain, Size: 4564 bytes --]

diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@
 
 int is_selinux_enabled(void)
 {
-	char *buf=NULL;
-	FILE *fp;
-	ssize_t num;
-	size_t len;
 	int enabled = 0;
 	security_context_t con;
 
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 				enabled = 0;
 			freecon(con);
 		}
-		return enabled;
         }
 
-	/* Drop back to detecting it the long way. */
-	fp = fopen("/proc/filesystems", "r");
-	if (!fp)
-		return -1;
-
-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
-	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
-			enabled = 1;
-			break;
-		}
-	}
-
-	if (num < 0)
-		goto out;
-
-	/* Since an selinux file system is available, we consider
-	 * selinux enabled. If getcon_raw fails, selinux is still
-	 * enabled. We only consider it disabled if no policy is loaded. */
-	if (getcon_raw(&con) == 0) {
-		if (!strcmp(con, "kernel"))
-			enabled = 0;
-		freecon(con);
-	}
-
-      out:
-	free(buf);
-	fclose(fp);
 	return enabled;
 }
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..c18caff 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
@@ -20,31 +21,46 @@ char *selinux_mnt = NULL;
 int selinux_page_size = 0;
 int obj_class_compat = 1;
 
-static void init_selinuxmnt(void)
-{
-	char *buf=NULL, *p;
-	FILE *fp=NULL;
+static int check_mountpoint(char *mntpath) {
 	struct statfs sfbuf;
 	int rc;
-	size_t len;
-	ssize_t num;
-	int exists = 0;
-
-	if (selinux_mnt)
-		return;
 
 	/* We check to see if the preferred mount point for selinux file
 	 * system has a selinuxfs. */
 	do {
-		rc = statfs(SELINUXMNT, &sfbuf);
+		rc = statfs(mntpath, &sfbuf);
 	} while (rc < 0 && errno == EINTR);
 	if (rc == 0) {
 		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
-			selinux_mnt = strdup(SELINUXMNT);
-			return;
+			struct statvfs vfsbuf;
+			rc = statvfs(mntpath, &vfsbuf);
+			if (rc == 0) {
+				if (!(vfsbuf.f_flag & ST_RDONLY)) {
+					selinux_mnt = strdup(mntpath);
+					return 0;
+				}
+			}
 		}
 	} 
 
+	return -1;
+}
+
+static void init_selinuxmnt(void)
+{
+	char *buf=NULL, *p;
+	FILE *fp=NULL;
+	size_t len;
+	ssize_t num;
+	int exists = 0;
+
+	if (selinux_mnt)
+		return;
+
+	if (check_mountpoint(SELINUXMNT) == 0) return;
+
+	if (check_mountpoint("/selinux") == 0) return;
+
 	/* Drop back to detecting it the long way. */
 	fp = fopen("/proc/filesystems", "r");
 	if (!fp)
@@ -87,7 +103,7 @@ static void init_selinuxmnt(void)
 
 	/* If we found something, dup it */
 	if (num > 0)
-		selinux_mnt = strdup(p);
+		check_mountpoint(p);
 
       out:
 	free(buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..4078f69 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+	char *mntpoint = NULL;
+	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
+	} else { 
+		/* check old mountpoint */
+		if (mount("selinuxfs", "/selinux", "selinuxfs", 0, 0) == 0 || errno == EBUSY) {
+			mntpoint = "/selinux";
+		}
+	} 
+
+	if (! mntpoint ) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
@@ -384,8 +394,8 @@ int selinux_init_load_policy(int *enforce)
 		}
                 
 		goto noload;
-	}
-	set_selinuxmnt(SELINUXMNT);
+	} 
+	set_selinuxmnt(mntpoint);
 
 	/*
 	 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
 		rc = security_disable();
 		if (rc == 0) {
 			/* Successfully disabled, so umount selinuxfs too. */
-			umount(SELINUXMNT);
+			umount(selinux_mnt);
 			fini_selinuxmnt();
 		}
 		/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..76f968e 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -13,7 +13,7 @@
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;

[-- Attachment #3: libselinux-mountpoint.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: libselinux mountpoint changing patch.

[Stephen Smalley]

On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> The Fedora Distribution is looking to standardize kernel subsystem file
> systems to be mounted under /sys/fs. They would like us to move /selinux
> to /sys/fs/selinux.  This patch changes libselinux in the following ways:
> 
> 1.  load_policy will first check if /sys/fs/selinux exists and mount the
> selinuxfs at this location, if it does not exists it will fall back to
> mounting the file system at /selinux (if it exists).
> 
> 2.  The init functions of selinux will now check if /sys/fs/selinux is
> mounted, if it is and has an SELinuxfs mounted on it, the code will then
> check if the selinuxfs is mounted rw, if it is, libselinux will set the
> mountpoint, if it is readonly, libselinux will return no mountpoint.  If
> /sys/fs/selinux does not exists, the same check will be done for
> /selinux and finally for an entry in /proc/mounts.
> 
> NOTE:  We added the check for RO, to allow tools like mock to be able to
> tell a chroot that SELinux is disabled while enforcing it outside the
> chroot.
> 
> 
> # getenforce
> Enabled
> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux

Just to clarify, the right commands to use are:
mount --bind /selinux /var/chroot/selinux
mount -o remount,ro /var/chroot/selinux

Do not use:
mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
as this will in fact change the flags on /selinux as well.  Surprise!
Result of there only being a single instance (superblock) of selinuxfs,
although you can have multiple vfsmounts of it.

> # chroot /var/chroot
> # getenforce
> Disabled
> 
> 3. In order to make this work, I needed to stop enabled from checking if
> /proc/filesystem for entries if selinux_mnt did not exist.  Now enabeled
> checks if selinux_mnt has been discovered otherwise it will report
> selinux disabled.

Looks reasonable, minor comments below.

Can we really not get all the necessary information from a single call
(as opposed to having to call both statfs() and statvfs())?  Isn't
statvfs() implemented on Linux by calling the statfs system call?

I'd suggest adding a #define OLDSELINUXMNT "/selinux" to policy.h and
using OLDSELINUXMNT in init.c and load_policy.c rather than sprinkling
"/selinux" around multiple places.   Wouldn't hurt to #define SELINUXFS
"selinuxfs" as well and replacing all occurrences in init.c and
load_policy.c.

As check_mountpoint() sets selinux_mnt, I'd pick a more descriptive
name.  Actually, could you perhaps fold the logic into set_selinuxmnt()?
That would mean the validation would happen when set_selinuxmnt() gets
called by load_policy, which isn't strictly necessary but does no harm.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 3345 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2011 11:33 AM, Stephen Smalley wrote:
> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The Fedora Distribution is looking to standardize kernel subsystem file
>> systems to be mounted under /sys/fs. They would like us to move /selinux
>> to /sys/fs/selinux.  This patch changes libselinux in the following ways:
>>
>> 1.  load_policy will first check if /sys/fs/selinux exists and mount the
>> selinuxfs at this location, if it does not exists it will fall back to
>> mounting the file system at /selinux (if it exists).
>>
>> 2.  The init functions of selinux will now check if /sys/fs/selinux is
>> mounted, if it is and has an SELinuxfs mounted on it, the code will then
>> check if the selinuxfs is mounted rw, if it is, libselinux will set the
>> mountpoint, if it is readonly, libselinux will return no mountpoint.  If
>> /sys/fs/selinux does not exists, the same check will be done for
>> /selinux and finally for an entry in /proc/mounts.
>>
>> NOTE:  We added the check for RO, to allow tools like mock to be able to
>> tell a chroot that SELinux is disabled while enforcing it outside the
>> chroot.
>>
>>
>> # getenforce
>> Enabled
>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
> 
> Just to clarify, the right commands to use are:
> mount --bind /selinux /var/chroot/selinux
> mount -o remount,ro /var/chroot/selinux
> 
> Do not use:
> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
> as this will in fact change the flags on /selinux as well.  Surprise!
> Result of there only being a single instance (superblock) of selinuxfs,
> although you can have multiple vfsmounts of it.
> 
>> # chroot /var/chroot
>> # getenforce
>> Disabled
>>
>> 3. In order to make this work, I needed to stop enabled from checking if
>> /proc/filesystem for entries if selinux_mnt did not exist.  Now enabeled
>> checks if selinux_mnt has been discovered otherwise it will report
>> selinux disabled.
> 
> Looks reasonable, minor comments below.
> 
> Can we really not get all the necessary information from a single call
> (as opposed to having to call both statfs() and statvfs())?  Isn't
> statvfs() implemented on Linux by calling the statfs system call?
> 
Not that I can see.

> I'd suggest adding a #define OLDSELINUXMNT "/selinux" to policy.h and
> using OLDSELINUXMNT in init.c and load_policy.c rather than sprinkling
> "/selinux" around multiple places.   Wouldn't hurt to #define SELINUXFS
> "selinuxfs" as well and replacing all occurrences in init.c and
> load_policy.c.
> 
Ok
> As check_mountpoint() sets selinux_mnt, I'd pick a more descriptive
> name.  Actually, could you perhaps fold the logic into set_selinuxmnt()?
> That would mean the validation would happen when set_selinuxmnt() gets
> called by load_policy, which isn't strictly necessary but does no harm.
> 

Done

I have to change set_selinuxmnt to return an int now, though.
Does this mean we would need an API version bump?  Changing from void
return to int?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3AJ28ACgkQrlYvE4MpobPMBwCghY08MsDjpufL/NPkFWfC7M6v
9kgAoI8Gi0Z0LROlxPYgtvcShmZkLEKb
=4NO/
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-mountpoint.patch --]
[-- Type: text/plain, Size: 6219 bytes --]

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index f110dcf..644d6d2 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -513,7 +513,7 @@ extern int selinux_check_securetty_context(const security_context_t tty_context)
    Normally, this is determined automatically during libselinux 
    initialization, but this is not always possible, e.g. for /sbin/init
    which performs the initial mount of selinuxfs. */
-void set_selinuxmnt(char *mnt);
+int set_selinuxmnt(char *mnt);
 
 /* clear selinuxmnt variable and free allocated memory */
 void fini_selinuxmnt(void);
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@
 
 int is_selinux_enabled(void)
 {
-	char *buf=NULL;
-	FILE *fp;
-	ssize_t num;
-	size_t len;
 	int enabled = 0;
 	security_context_t con;
 
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 				enabled = 0;
 			freecon(con);
 		}
-		return enabled;
         }
 
-	/* Drop back to detecting it the long way. */
-	fp = fopen("/proc/filesystems", "r");
-	if (!fp)
-		return -1;
-
-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
-	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
-			enabled = 1;
-			break;
-		}
-	}
-
-	if (num < 0)
-		goto out;
-
-	/* Since an selinux file system is available, we consider
-	 * selinux enabled. If getcon_raw fails, selinux is still
-	 * enabled. We only consider it disabled if no policy is loaded. */
-	if (getcon_raw(&con) == 0) {
-		if (!strcmp(con, "kernel"))
-			enabled = 0;
-		freecon(con);
-	}
-
-      out:
-	free(buf);
-	fclose(fp);
 	return enabled;
 }
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..547f1eb 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
@@ -24,8 +25,6 @@ static void init_selinuxmnt(void)
 {
 	char *buf=NULL, *p;
 	FILE *fp=NULL;
-	struct statfs sfbuf;
-	int rc;
 	size_t len;
 	ssize_t num;
 	int exists = 0;
@@ -33,17 +32,9 @@ static void init_selinuxmnt(void)
 	if (selinux_mnt)
 		return;
 
-	/* We check to see if the preferred mount point for selinux file
-	 * system has a selinuxfs. */
-	do {
-		rc = statfs(SELINUXMNT, &sfbuf);
-	} while (rc < 0 && errno == EINTR);
-	if (rc == 0) {
-		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
-			selinux_mnt = strdup(SELINUXMNT);
-			return;
-		}
-	} 
+	if (set_selinuxmnt(SELINUXMNT) == 0) return;
+
+	if (set_selinuxmnt(OLDSELINUXMNT) == 0) return;
 
 	/* Drop back to detecting it the long way. */
 	fp = fopen("/proc/filesystems", "r");
@@ -52,7 +43,7 @@ static void init_selinuxmnt(void)
 
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
+		if (strstr(buf, SELINUXFS)) {
 			exists = 1;
 			break;
 		}
@@ -79,7 +70,7 @@ static void init_selinuxmnt(void)
 		tmp = strchr(p, ' ');
 		if (!tmp)
 			goto out;
-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+		if (!strncmp(tmp + 1, SELINUXFS, 10)) {
 			*tmp = '\0';
 			break;
 		}
@@ -87,7 +78,7 @@ static void init_selinuxmnt(void)
 
 	/* If we found something, dup it */
 	if (num > 0)
-		selinux_mnt = strdup(p);
+		set_selinuxmnt(p);
 
       out:
 	free(buf);
@@ -104,9 +95,30 @@ void fini_selinuxmnt(void)
 
 hidden_def(fini_selinuxmnt)
 
-void set_selinuxmnt(char *mnt)
+int set_selinuxmnt(char *mnt)
 {
-	selinux_mnt = strdup(mnt);
+	struct statfs sfbuf;
+	int rc;
+
+	/* We check to see if the preferred mount point for selinux file
+	 * system has a selinuxfs. */
+	do {
+		rc = statfs(mnt, &sfbuf);
+	} while (rc < 0 && errno == EINTR);
+	if (rc == 0) {
+		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+			struct statvfs vfsbuf;
+			rc = statvfs(mnt, &vfsbuf);
+			if (rc == 0) {
+				if (!(vfsbuf.f_flag & ST_RDONLY)) {
+					selinux_mnt = strdup(mnt);
+					return 0;
+				}
+			}
+		}
+	} 
+
+	return -1;
 }
 
 hidden_def(set_selinuxmnt)
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..f6eae49 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+	char *mntpoint = NULL;
+	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
+	} else { 
+		/* check old mountpoint */
+		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+			mntpoint = OLDSELINUXMNT;
+		}
+	} 
+
+	if (! mntpoint ) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
@@ -384,8 +394,11 @@ int selinux_init_load_policy(int *enforce)
 		}
                 
 		goto noload;
+	} 
+	if (set_selinuxmnt(mntpoint) != 0) {
+		fprintf(stderr, "Mount failed for selinuxfs on %s:  %s\n", mntpoint, strerror(errno));
+		goto noload;
 	}
-	set_selinuxmnt(SELINUXMNT);
 
 	/*
 	 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +410,7 @@ int selinux_init_load_policy(int *enforce)
 		rc = security_disable();
 		if (rc == 0) {
 			/* Successfully disabled, so umount selinuxfs too. */
-			umount(SELINUXMNT);
+			umount(selinux_mnt);
 			fini_selinuxmnt();
 		}
 		/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..bf270b5 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -9,11 +9,15 @@
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
 
+/* selinux file system type */
+#define SELINUXFS "selinuxfs"
+
 /* selinuxfs magic number */
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
+#define OLDSELINUXMNT "/selinux"
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;

[-- Attachment #3: libselinux-mountpoint.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: libselinux mountpoint changing patch.

[Stephen Smalley]

On Tue, 2011-05-03 at 12:04 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/03/2011 11:33 AM, Stephen Smalley wrote:
> > As check_mountpoint() sets selinux_mnt, I'd pick a more descriptive
> > name.  Actually, could you perhaps fold the logic into set_selinuxmnt()?
> > That would mean the validation would happen when set_selinuxmnt() gets
> > called by load_policy, which isn't strictly necessary but does no harm.
> > 
> 
> Done
> 
> I have to change set_selinuxmnt to return an int now, though.
> Does this mean we would need an API version bump?  Changing from void
> return to int?

Ah, I missed that.  We don't want to change the ABI, so I guess you
should leave set_selinuxmnt() alone and make this a new function.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Stephen Smalley]

diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..547f1eb 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -79,7 +70,7 @@ static void init_selinuxmnt(void)
 		tmp = strchr(p, ' ');
 		if (!tmp)
 			goto out;
-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+		if (!strncmp(tmp + 1, SELINUXFS, 10)) {
 			*tmp = '\0';
 			break;
 		}

This isn't equivalent.  I suppose you could do this:
+		if (!strncmp(tmp + 1, SELINUXFS" ", sizeof SELINUXFS)) {

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 900 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2011 01:13 PM, Stephen Smalley wrote:
> 
> diff --git a/libselinux/src/init.c b/libselinux/src/init.c
> index a948920..547f1eb 100644
> --- a/libselinux/src/init.c
> +++ b/libselinux/src/init.c
> @@ -79,7 +70,7 @@ static void init_selinuxmnt(void)
>  		tmp = strchr(p, ' ');
>  		if (!tmp)
>  			goto out;
> -		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
> +		if (!strncmp(tmp + 1, SELINUXFS, 10)) {
>  			*tmp = '\0';
>  			break;
>  		}
> 
> This isn't equivalent.  I suppose you could do this:
> +		if (!strncmp(tmp + 1, SELINUXFS" ", sizeof SELINUXFS)) {
> 


Ok one more time...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3ARBQACgkQrlYvE4MpobObeQCgwz+m8Ag8hzTWBuPGzXWXjcu6
xC0An3v6Kzia20ZfKwgV/Hq9sx6TfX7q
=akdW
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-mountpoint.patch --]
[-- Type: text/plain, Size: 5532 bytes --]

diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@
 
 int is_selinux_enabled(void)
 {
-	char *buf=NULL;
-	FILE *fp;
-	ssize_t num;
-	size_t len;
 	int enabled = 0;
 	security_context_t con;
 
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 				enabled = 0;
 			freecon(con);
 		}
-		return enabled;
         }
 
-	/* Drop back to detecting it the long way. */
-	fp = fopen("/proc/filesystems", "r");
-	if (!fp)
-		return -1;
-
-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
-	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
-			enabled = 1;
-			break;
-		}
-	}
-
-	if (num < 0)
-		goto out;
-
-	/* Since an selinux file system is available, we consider
-	 * selinux enabled. If getcon_raw fails, selinux is still
-	 * enabled. We only consider it disabled if no policy is loaded. */
-	if (getcon_raw(&con) == 0) {
-		if (!strcmp(con, "kernel"))
-			enabled = 0;
-		freecon(con);
-	}
-
-      out:
-	free(buf);
-	fclose(fp);
 	return enabled;
 }
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..dd03559 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
@@ -20,12 +21,41 @@ char *selinux_mnt = NULL;
 int selinux_page_size = 0;
 int obj_class_compat = 1;
 
+/* Verify the mount point for selinux file system has a selinuxfs. 
+   If the file system:
+   * Exist, 
+   * Is mounted with an selinux file system, 
+   * The file system is read/write
+   * then set this as the default file system.
+*/
+static int verify_selinuxmnt(char *mnt) 
+{
+	struct statfs sfbuf;
+	int rc;
+
+	do {
+		rc = statfs(mnt, &sfbuf);
+	} while (rc < 0 && errno == EINTR);
+	if (rc == 0) {
+		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+			struct statvfs vfsbuf;
+			rc = statvfs(mnt, &vfsbuf);
+			if (rc == 0) {
+				if (!(vfsbuf.f_flag & ST_RDONLY)) {
+					set_selinuxmnt(mnt);
+				}
+				return 0;
+			}
+		}
+	} 
+
+	return -1;
+}
+
 static void init_selinuxmnt(void)
 {
 	char *buf=NULL, *p;
 	FILE *fp=NULL;
-	struct statfs sfbuf;
-	int rc;
 	size_t len;
 	ssize_t num;
 	int exists = 0;
@@ -33,17 +63,9 @@ static void init_selinuxmnt(void)
 	if (selinux_mnt)
 		return;
 
-	/* We check to see if the preferred mount point for selinux file
-	 * system has a selinuxfs. */
-	do {
-		rc = statfs(SELINUXMNT, &sfbuf);
-	} while (rc < 0 && errno == EINTR);
-	if (rc == 0) {
-		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
-			selinux_mnt = strdup(SELINUXMNT);
-			return;
-		}
-	} 
+	if (verify_selinuxmnt(SELINUXMNT) == 0) return;
+
+	if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
 
 	/* Drop back to detecting it the long way. */
 	fp = fopen("/proc/filesystems", "r");
@@ -52,7 +74,7 @@ static void init_selinuxmnt(void)
 
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
+		if (strstr(buf, SELINUXFS)) {
 			exists = 1;
 			break;
 		}
@@ -79,7 +101,7 @@ static void init_selinuxmnt(void)
 		tmp = strchr(p, ' ');
 		if (!tmp)
 			goto out;
-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+		if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
 			*tmp = '\0';
 			break;
 		}
@@ -87,7 +109,7 @@ static void init_selinuxmnt(void)
 
 	/* If we found something, dup it */
 	if (num > 0)
-		selinux_mnt = strdup(p);
+		verify_selinuxmnt(p);
 
       out:
 	free(buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..0961912 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+	char *mntpoint = NULL;
+	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
+	} else { 
+		/* check old mountpoint */
+		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+			mntpoint = OLDSELINUXMNT;
+		}
+	} 
+
+	if (! mntpoint ) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce)
                 
 		goto noload;
 	}
-	set_selinuxmnt(SELINUXMNT);
+	set_selinuxmnt(mntpoint);
 
 	/*
 	 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
 		rc = security_disable();
 		if (rc == 0) {
 			/* Successfully disabled, so umount selinuxfs too. */
-			umount(SELINUXMNT);
+			umount(selinux_mnt);
 			fini_selinuxmnt();
 		}
 		/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..bf270b5 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -9,11 +9,15 @@
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
 
+/* selinux file system type */
+#define SELINUXFS "selinuxfs"
+
 /* selinuxfs magic number */
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
+#define OLDSELINUXMNT "/selinux"
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;

[-- Attachment #3: libselinux-mountpoint.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: libselinux mountpoint changing patch.

[Eric Paris]

On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:

>> NOTE:  We added the check for RO, to allow tools like mock to be able to
>> tell a chroot that SELinux is disabled while enforcing it outside the
>> chroot.
>>
>>
>> # getenforce
>> Enabled
>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>
> Just to clarify, the right commands to use are:
> mount --bind /selinux /var/chroot/selinux
> mount -o remount,ro /var/chroot/selinux
>
> Do not use:
> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
> as this will in fact change the flags on /selinux as well.  Surprise!
> Result of there only being a single instance (superblock) of selinuxfs,
> although you can have multiple vfsmounts of it.

surprise, this doesn't work either!
# cat mount.F16 | grep selinux
mount --bind /selinux /mnt/F16/sys/fs/selinux/
mount -o remount,ro /mnt/F16/sys/fs/selinux/

# cat /proc/mounts | grep selinux
selinuxfs /selinux selinuxfs ro,relatime 0 0
selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0

crap.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Stephen Smalley]

On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
> 
> >> NOTE:  We added the check for RO, to allow tools like mock to be able to
> >> tell a chroot that SELinux is disabled while enforcing it outside the
> >> chroot.
> >>
> >>
> >> # getenforce
> >> Enabled
> >> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
> >
> > Just to clarify, the right commands to use are:
> > mount --bind /selinux /var/chroot/selinux
> > mount -o remount,ro /var/chroot/selinux
> >
> > Do not use:
> > mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
> > as this will in fact change the flags on /selinux as well.  Surprise!
> > Result of there only being a single instance (superblock) of selinuxfs,
> > although you can have multiple vfsmounts of it.
> 
> surprise, this doesn't work either!
> # cat mount.F16 | grep selinux
> mount --bind /selinux /mnt/F16/sys/fs/selinux/
> mount -o remount,ro /mnt/F16/sys/fs/selinux/
> 
> # cat /proc/mounts | grep selinux
> selinuxfs /selinux selinuxfs ro,relatime 0 0
> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
> 
> crap.

Hmmm...works for me on F14 (yeah, I know - ancient history).

# mkdir -p /var/chroot/selinux
# mount --bind /selinux /var/chroot/selinux
# mount -o remount,ro /var/chroot/selinux
# cat /proc/mounts | grep selinux
none /selinux selinuxfs rw,relatime 0 0
none /var/chroot/selinux selinuxfs ro,relatime 0 0
# echo 0 > /selinux/enforce
# echo 0 > /var/chroot/selinux/enforce 
bash: /var/chroot/selinux/enforce: Read-only file system

Did something change recently in the kernel or mount?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Eric Paris]

On 08/22/2011 01:33 PM, Stephen Smalley wrote:
> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>>
>>>> NOTE:  We added the check for RO, to allow tools like mock to be able to
>>>> tell a chroot that SELinux is disabled while enforcing it outside the
>>>> chroot.
>>>>
>>>>
>>>> # getenforce
>>>> Enabled
>>>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>>>
>>> Just to clarify, the right commands to use are:
>>> mount --bind /selinux /var/chroot/selinux
>>> mount -o remount,ro /var/chroot/selinux
>>>
>>> Do not use:
>>> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
>>> as this will in fact change the flags on /selinux as well.  Surprise!
>>> Result of there only being a single instance (superblock) of selinuxfs,
>>> although you can have multiple vfsmounts of it.
>>
>> surprise, this doesn't work either!
>> # cat mount.F16 | grep selinux
>> mount --bind /selinux /mnt/F16/sys/fs/selinux/
>> mount -o remount,ro /mnt/F16/sys/fs/selinux/
>>
>> # cat /proc/mounts | grep selinux
>> selinuxfs /selinux selinuxfs ro,relatime 0 0
>> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
>>
>> crap.
> 
> Hmmm...works for me on F14 (yeah, I know - ancient history).
> 
> # mkdir -p /var/chroot/selinux
> # mount --bind /selinux /var/chroot/selinux
> # mount -o remount,ro /var/chroot/selinux
> # cat /proc/mounts | grep selinux
> none /selinux selinuxfs rw,relatime 0 0
> none /var/chroot/selinux selinuxfs ro,relatime 0 0
> # echo 0 > /selinux/enforce
> # echo 0 > /var/chroot/selinux/enforce 
> bash: /var/chroot/selinux/enforce: Read-only file system
> 
> Did something change recently in the kernel or mount?

mount(8)

under F15 mount does:
mount("selinuxfs", "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0,
MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0

whereas under F14 mount does:
mount("/sleinux", "/var/chroot/selinux", 0x7ff5f154ea69,
NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0

under F15 I can get it to work if I use the command:

mount -o remount,ro,bind /var/chroot/selinux

now for me to hunt down who owns mount(8)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Stephen Smalley]

On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
> > On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
> >> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
> >>
> >>>> NOTE:  We added the check for RO, to allow tools like mock to be able to
> >>>> tell a chroot that SELinux is disabled while enforcing it outside the
> >>>> chroot.
> >>>>
> >>>>
> >>>> # getenforce
> >>>> Enabled
> >>>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
> >>>
> >>> Just to clarify, the right commands to use are:
> >>> mount --bind /selinux /var/chroot/selinux
> >>> mount -o remount,ro /var/chroot/selinux
> >>>
> >>> Do not use:
> >>> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
> >>> as this will in fact change the flags on /selinux as well.  Surprise!
> >>> Result of there only being a single instance (superblock) of selinuxfs,
> >>> although you can have multiple vfsmounts of it.
> >>
> >> surprise, this doesn't work either!
> >> # cat mount.F16 | grep selinux
> >> mount --bind /selinux /mnt/F16/sys/fs/selinux/
> >> mount -o remount,ro /mnt/F16/sys/fs/selinux/
> >>
> >> # cat /proc/mounts | grep selinux
> >> selinuxfs /selinux selinuxfs ro,relatime 0 0
> >> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
> >>
> >> crap.
> > 
> > Hmmm...works for me on F14 (yeah, I know - ancient history).
> > 
> > # mkdir -p /var/chroot/selinux
> > # mount --bind /selinux /var/chroot/selinux
> > # mount -o remount,ro /var/chroot/selinux
> > # cat /proc/mounts | grep selinux
> > none /selinux selinuxfs rw,relatime 0 0
> > none /var/chroot/selinux selinuxfs ro,relatime 0 0
> > # echo 0 > /selinux/enforce
> > # echo 0 > /var/chroot/selinux/enforce 
> > bash: /var/chroot/selinux/enforce: Read-only file system
> > 
> > Did something change recently in the kernel or mount?
> 
> mount(8)
> 
> under F15 mount does:
> mount("selinuxfs", "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0,
> MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
> 
> whereas under F14 mount does:
> mount("/sleinux", "/var/chroot/selinux", 0x7ff5f154ea69,
> NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
> 
> under F15 I can get it to work if I use the command:
> 
> mount -o remount,ro,bind /var/chroot/selinux
> 
> now for me to hunt down who owns mount(8)

Does F15 and later have /etc/mtab?  The man page for mount(8) on F14
says that you have to explicitly pass bind on the remount if you lack
an /etc/mtab on your system, as mount(8) figures out whether or not it
was a bind mount originally from the /etc/mtab entry.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Eric Paris]

On 08/22/2011 02:45 PM, Stephen Smalley wrote:
> On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
>> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
>>> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>>>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>>>>
>>>>>> NOTE:  We added the check for RO, to allow tools like mock to be able to
>>>>>> tell a chroot that SELinux is disabled while enforcing it outside the
>>>>>> chroot.
>>>>>>
>>>>>>
>>>>>> # getenforce
>>>>>> Enabled
>>>>>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>>>>>
>>>>> Just to clarify, the right commands to use are:
>>>>> mount --bind /selinux /var/chroot/selinux
>>>>> mount -o remount,ro /var/chroot/selinux
>>>>>
>>>>> Do not use:
>>>>> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
>>>>> as this will in fact change the flags on /selinux as well.  Surprise!
>>>>> Result of there only being a single instance (superblock) of selinuxfs,
>>>>> although you can have multiple vfsmounts of it.
>>>>
>>>> surprise, this doesn't work either!
>>>> # cat mount.F16 | grep selinux
>>>> mount --bind /selinux /mnt/F16/sys/fs/selinux/
>>>> mount -o remount,ro /mnt/F16/sys/fs/selinux/
>>>>
>>>> # cat /proc/mounts | grep selinux
>>>> selinuxfs /selinux selinuxfs ro,relatime 0 0
>>>> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
>>>>
>>>> crap.
>>>
>>> Hmmm...works for me on F14 (yeah, I know - ancient history).
>>>
>>> # mkdir -p /var/chroot/selinux
>>> # mount --bind /selinux /var/chroot/selinux
>>> # mount -o remount,ro /var/chroot/selinux
>>> # cat /proc/mounts | grep selinux
>>> none /selinux selinuxfs rw,relatime 0 0
>>> none /var/chroot/selinux selinuxfs ro,relatime 0 0
>>> # echo 0 > /selinux/enforce
>>> # echo 0 > /var/chroot/selinux/enforce 
>>> bash: /var/chroot/selinux/enforce: Read-only file system
>>>
>>> Did something change recently in the kernel or mount?
>>
>> mount(8)
>>
>> under F15 mount does:
>> mount("selinuxfs", "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0,
>> MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
>>
>> whereas under F14 mount does:
>> mount("/sleinux", "/var/chroot/selinux", 0x7ff5f154ea69,
>> NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
>>
>> under F15 I can get it to work if I use the command:
>>
>> mount -o remount,ro,bind /var/chroot/selinux
>>
>> now for me to hunt down who owns mount(8)
> 
> Does F15 and later have /etc/mtab?  The man page for mount(8) on F14
> says that you have to explicitly pass bind on the remount if you lack
> an /etc/mtab on your system, as mount(8) figures out whether or not it
> was a bind mount originally from the /etc/mtab entry.

that's it:

# ls -l /etc/mtab
lrwxrwxrwx. 1 root root 12 Aug 19 09:21 /etc/mtab -> /proc/mounts

At least now we know.  the right operations (which also work on F14)

mount --bind /selinux /var/chroot/selinux
mount -o remount,ro,bind /var/chroot/selinux

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/22/2011 02:52 PM, Eric Paris wrote:
> On 08/22/2011 02:45 PM, Stephen Smalley wrote:
>> On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
>>> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
>>>> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>>>>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley
>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>>>>> 
>>>>>>> NOTE:  We added the check for RO, to allow tools like
>>>>>>> mock to be able to tell a chroot that SELinux is
>>>>>>> disabled while enforcing it outside the chroot.
>>>>>>> 
>>>>>>> 
>>>>>>> # getenforce Enabled # mount -t selinuxfs -o remount,ro
>>>>>>> selinuxfs /var/chroot/selinux
>>>>>> 
>>>>>> Just to clarify, the right commands to use are: mount
>>>>>> --bind /selinux /var/chroot/selinux mount -o remount,ro
>>>>>> /var/chroot/selinux
>>>>>> 
>>>>>> Do not use: mount -t selinuxfs -o ro selinuxfs
>>>>>> /var/chroot/selinux as this will in fact change the flags
>>>>>> on /selinux as well.  Surprise! Result of there only
>>>>>> being a single instance (superblock) of selinuxfs, 
>>>>>> although you can have multiple vfsmounts of it.
>>>>> 
>>>>> surprise, this doesn't work either! # cat mount.F16 | grep
>>>>> selinux mount --bind /selinux /mnt/F16/sys/fs/selinux/ 
>>>>> mount -o remount,ro /mnt/F16/sys/fs/selinux/
>>>>> 
>>>>> # cat /proc/mounts | grep selinux selinuxfs /selinux
>>>>> selinuxfs ro,relatime 0 0 selinuxfs /mnt/F16/sys/fs/selinux
>>>>> selinuxfs ro,relatime 0 0
>>>>> 
>>>>> crap.
>>>> 
>>>> Hmmm...works for me on F14 (yeah, I know - ancient history).
>>>> 
>>>> # mkdir -p /var/chroot/selinux # mount --bind /selinux
>>>> /var/chroot/selinux # mount -o remount,ro
>>>> /var/chroot/selinux # cat /proc/mounts | grep selinux none
>>>> /selinux selinuxfs rw,relatime 0 0 none /var/chroot/selinux
>>>> selinuxfs ro,relatime 0 0 # echo 0 > /selinux/enforce # echo
>>>> 0 > /var/chroot/selinux/enforce bash:
>>>> /var/chroot/selinux/enforce: Read-only file system
>>>> 
>>>> Did something change recently in the kernel or mount?
>>> 
>>> mount(8)
>>> 
>>> under F15 mount does: mount("selinuxfs",
>>> "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0, 
>>> MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
>>> 
>>> whereas under F14 mount does: mount("/sleinux",
>>> "/var/chroot/selinux", 0x7ff5f154ea69, 
>>> NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
>>> 
>>> under F15 I can get it to work if I use the command:
>>> 
>>> mount -o remount,ro,bind /var/chroot/selinux
>>> 
>>> now for me to hunt down who owns mount(8)
>> 
>> Does F15 and later have /etc/mtab?  The man page for mount(8) on
>> F14 says that you have to explicitly pass bind on the remount if
>> you lack an /etc/mtab on your system, as mount(8) figures out
>> whether or not it was a bind mount originally from the /etc/mtab
>> entry.
> 
> that's it:
> 
> # ls -l /etc/mtab lrwxrwxrwx. 1 root root 12 Aug 19 09:21 /etc/mtab
> -> /proc/mounts
> 
> At least now we know.  the right operations (which also work on
> F14)
> 
> mount --bind /selinux /var/chroot/selinux mount -o remount,ro,bind
> /var/chroot/selinux
> 
> -Eric
> 
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.
> 
> 

If only the kernel would record this info...

Why not just execute

# mount -t selinuxfs -o ro /selinux /var/chroot/selinux





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5Sq6wACgkQrlYvE4MpobOOJQCfWgSnW/QS+qZcKyCAcWUF26Zn
V+UAnA1dlxW4ZhmOJgKzP9wIoS3/pA2z
=FsRr
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux mountpoint changing patch.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/22/2011 03:19 PM, Daniel J Walsh wrote:
> On 08/22/2011 02:52 PM, Eric Paris wrote:
>> On 08/22/2011 02:45 PM, Stephen Smalley wrote:
>>> On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
>>>> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
>>>>> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>>>>>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley 
>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh
>>>>>>> wrote:
>>>>>> 
>>>>>>>> NOTE:  We added the check for RO, to allow tools
>>>>>>>> like mock to be able to tell a chroot that SELinux
>>>>>>>> is disabled while enforcing it outside the chroot.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> # getenforce Enabled # mount -t selinuxfs -o
>>>>>>>> remount,ro selinuxfs /var/chroot/selinux
>>>>>>> 
>>>>>>> Just to clarify, the right commands to use are: mount 
>>>>>>> --bind /selinux /var/chroot/selinux mount -o
>>>>>>> remount,ro /var/chroot/selinux
>>>>>>> 
>>>>>>> Do not use: mount -t selinuxfs -o ro selinuxfs 
>>>>>>> /var/chroot/selinux as this will in fact change the
>>>>>>> flags on /selinux as well.  Surprise! Result of there
>>>>>>> only being a single instance (superblock) of selinuxfs,
>>>>>>>  although you can have multiple vfsmounts of it.
>>>>>> 
>>>>>> surprise, this doesn't work either! # cat mount.F16 |
>>>>>> grep selinux mount --bind /selinux
>>>>>> /mnt/F16/sys/fs/selinux/ mount -o remount,ro
>>>>>> /mnt/F16/sys/fs/selinux/
>>>>>> 
>>>>>> # cat /proc/mounts | grep selinux selinuxfs /selinux 
>>>>>> selinuxfs ro,relatime 0 0 selinuxfs
>>>>>> /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
>>>>>> 
>>>>>> crap.
>>>>> 
>>>>> Hmmm...works for me on F14 (yeah, I know - ancient
>>>>> history).
>>>>> 
>>>>> # mkdir -p /var/chroot/selinux # mount --bind /selinux 
>>>>> /var/chroot/selinux # mount -o remount,ro 
>>>>> /var/chroot/selinux # cat /proc/mounts | grep selinux none 
>>>>> /selinux selinuxfs rw,relatime 0 0 none
>>>>> /var/chroot/selinux selinuxfs ro,relatime 0 0 # echo 0 >
>>>>> /selinux/enforce # echo 0 > /var/chroot/selinux/enforce
>>>>> bash: /var/chroot/selinux/enforce: Read-only file system
>>>>> 
>>>>> Did something change recently in the kernel or mount?
>>>> 
>>>> mount(8)
>>>> 
>>>> under F15 mount does: mount("selinuxfs", 
>>>> "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0, 
>>>> MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
>>>> 
>>>> whereas under F14 mount does: mount("/sleinux", 
>>>> "/var/chroot/selinux", 0x7ff5f154ea69, 
>>>> NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
>>>> 
>>>> under F15 I can get it to work if I use the command:
>>>> 
>>>> mount -o remount,ro,bind /var/chroot/selinux
>>>> 
>>>> now for me to hunt down who owns mount(8)
>>> 
>>> Does F15 and later have /etc/mtab?  The man page for mount(8)
>>> on F14 says that you have to explicitly pass bind on the
>>> remount if you lack an /etc/mtab on your system, as mount(8)
>>> figures out whether or not it was a bind mount originally from
>>> the /etc/mtab entry.
> 
>> that's it:
> 
>> # ls -l /etc/mtab lrwxrwxrwx. 1 root root 12 Aug 19 09:21
>> /etc/mtab -> /proc/mounts
> 
>> At least now we know.  the right operations (which also work on 
>> F14)
> 
>> mount --bind /selinux /var/chroot/selinux mount -o
>> remount,ro,bind /var/chroot/selinux
> 
>> -Eric
> 
> 
>> -- This message was distributed to subscribers of the selinux 
>> mailing list. If you no longer wish to subscribe, send mail to 
>> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" 
>> without quotes as the message.
> 
> 
> 
> If only the kernel would record this info...
> 
> Why not just execute
> 
> # mount -t selinuxfs -o ro /selinux /var/chroot/selinux
> 
> 
> 
> 
> 
> 
> -- This message was distributed to subscribers of the selinux
> mailing list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux"
> without quotes as the message.

Never mind that breaks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5SrFsACgkQrlYvE4MpobORUwCfU0dMWCt/v2DeMYNHeo/Ax5W8
PEMAn0BPiOA/6w5t/00dF+AWhCX8JyKi
=NiiC
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.