RFE: diagnose when selinux context is not init_t
John Reiser
2018-03-20 11:26:21 UTC
Hi,

If systemd is running as the init process on a system that uses selinux,
then mysterious bad things are likely to happen if the selinux context
is not init_t. For instance:
https://bugzilla.redhat.com/show_bug.cgi?id=1520580#c13

So, I'd like to see systemd diagnose this situation. Please comment,
and give a hint about where and how to implement such an enhancement.
Lennart Poettering
2018-03-20 15:27:31 UTC
Post by John Reiser
Hi,
If systemd is running as the init process on a system that uses selinux,
then mysterious bad things are likely to happen if the selinux context
https://bugzilla.redhat.com/show_bug.cgi?id=1520580#c13
So, I'd like to see systemd diagnose this situation. Please comment,
and give a hint about where and how to implement such an enhancement.
When initializing systemd uses the label to figure out whether selinux
still needs initialization. See:

https://github.com/systemd/systemd/blob/master/src/core/selinux-setup.c#L67

Hence, if we see the label isn't "kernel", then we won't do any
further initialization under the assumption it already has been done.

Any debugging code would have to be added to a similar location
actually.

It would actually be great if the selinux libraries would return
proper errors. Currently, we can't generate much useful output since
we have no idea what selinux failed on, as its APIs generally just
return "-1" on failure and "0" on success without any further hint
what went wrong... Actually, for a professional project that's kinda
poor error handling in general...

(That said, maybe they actually do report proper errors these days, but
if they do then that fact is still pretty much undocumented, which
means we still can't rely on using errno or such...)

Lennart
--
Lennart Poettering, Red Hat
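As an added example (not systemd's code and not from the bug report), a C sketch of the diagnostic the RFE asks for: split a PID 1 SELinux context string into its fields and warn when the type is not init_t. It assumes the context string would come from /proc/1/attr/current or libselinux getpidcon(); the contexts fed to it here are constructed samples.

```c
/* Added example (not systemd code): check whether the SELinux context of the
 * init process has type init_t. Contexts look like "user:role:type[:level]";
 * the type is the third colon-separated field. In a real check the string
 * would be read from /proc/1/attr/current or getpidcon(); samples are used. */
#include <stdio.h>
#include <string.h>

/* Copy the type field of an SELinux context into out.
 * Returns 0 on success, -1 if the context is malformed or the type is empty. */
static int selinux_context_type(const char *ctx, char *out, size_t outlen) {
    const char *p = ctx;
    for (int field = 0; field < 2; field++) {   /* skip user and role */
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    const char *end = strchr(p, ':');            /* level may be absent */
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* 1 if ctx has type init_t, 0 if it has another type, -1 if unparseable. */
static int context_is_init_t(const char *ctx) {
    char type[64];
    if (selinux_context_type(ctx, type, sizeof type) < 0) return -1;
    return strcmp(type, "init_t") == 0;
}

/* Report on a context the way a PID 1 self-check might; returns the
 * context_is_init_t() result so callers can act on it. */
static int diagnose_init_context(const char *ctx) {
    int r = context_is_init_t(ctx);
    if (r < 0)
        fprintf(stderr, "cannot parse SELinux context '%s'\n", ctx);
    else if (r == 0)
        fprintf(stderr, "warning: init runs as '%s', not init_t\n", ctx);
    return r;
}

int main(void) {
    /* Constructed sample contexts, not taken from the bug report. */
    diagnose_init_context("system_u:system_r:init_t:s0");
    diagnose_init_context("system_u:system_r:kernel_t:s0");
    diagnose_init_context("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023");
    diagnose_init_context("garbage");
    return 0;
}
```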