mountall does not run restorecon on tmpfs

Bug #456942 reported by Kees Cook
Affects                    Status        Importance  Assigned to  Milestone
mountall (Ubuntu)          Fix Released  Medium      Kees Cook
mountall (Ubuntu Karmic)   Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: mountall

In the old /lib/init/mount-functions.sh, domount():

...
        mount -n -t $FSTYPE $5 $OPTS $DEVNAME $MTPT
        if [ "$FSTYPE" = "tmpfs" -a -x /sbin/restorecon ]; then
                /sbin/restorecon $MTPT
        fi

the test and execution of restorecon (for SELinux support) is missing from the new mountall. This blocks SELinux from booting sanely.

It's not clear to me how to handle this in mountall's mount() function. As it stands, a mount can only execute one hook at a time, and several already-defined filesystems have a hook and are tmpfs. This needs to be generically executed for all tmpfs mounts.

Scott James Remnant (Canonical) (canonical-scott) wrote :

Hi Kees,

What does restorecon do in this case? Do you know the equivalent C code? I guess the right way would be to have a function in mountall() to do SELinuxy things.

Why is this unique to tmpfs? Shouldn't we restorecon anything new we mount?

Changed in mountall (Ubuntu):
status: New → Incomplete
Kees Cook (kees) wrote :

Normally, SELinux labels are stored in inode xattrs. Since tmpfses aren't persistent, restorecon re-labels the missing base label on the root inode of that filesystem based on the SELinux policy rules. (Where those rules are, I have no idea, we'd have to check with Caleb or someone else more familiar with it.)

I suspect it would be much easier to just call out to restorecon.

Changed in mountall (Ubuntu):
status: Incomplete → New
Scott James Remnant (Canonical) (canonical-scott) wrote :

Ok, we could always adopt the same convention - tmpfs get restorecon called.

What about other virtual filesystems like proc, sysfs, etc.? Do they come pre-packaged with them since they come from the kernel?

Meh, calling out is hard - you have to deal with fork, exec, closing fds, waiting for it, etc. It looks to be a simple enough app; easier to link with selinux (not to mention, fork/exec is expensive for every mount!).

Caleb Case (calebcase) wrote :

The kernel manages the labels for proc and sysfs, so no problems with these.

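Added example, written for this page and not taken from mountall or from anyone in the thread: the "call out to restorecon" approach from the old domount() snippet, done in C with the fork, exec, fd-closing and wait handling the discussion mentions. It assumes restorecon is at /sbin/restorecon (the path used in the shell snippet) and, like the shell test, simply skips the relabel when the file is not executable; proc and sysfs are left alone because the kernel labels them itself. run_command() and relabel_after_mount() are names chosen here, not mountall functions.

```c
/* Added example (not mountall's code): relabel a freshly mounted tmpfs by
 * calling out to restorecon, mirroring the old mount-functions.sh test
 *   if [ "$FSTYPE" = "tmpfs" -a -x /sbin/restorecon ]; then ... fi
 * Assumption: restorecon lives at /sbin/restorecon; if it is missing the
 * relabel is skipped rather than treated as an error. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define RESTORECON_PATH "/sbin/restorecon"

/* Result codes for relabel_after_mount(); any value >= 0 is restorecon's exit status. */
#define RELABEL_SKIPPED  (-2)   /* not a tmpfs, or restorecon not installed */
#define RELABEL_FAILED   (-1)   /* fork/wait failed, or the child died from a signal */

/* Run argv[0] synchronously in a child process and return its exit status.
 * Descriptors above stderr are closed in the child so the helper cannot
 * inherit and hold open the parent's sockets or pipes. */
int run_command(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return RELABEL_FAILED;

    if (pid == 0) {
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 65536)
            maxfd = 65536;          /* cap the loop; a huge ulimit would make it crawl */
        for (int fd = 3; fd < maxfd; fd++)
            close(fd);
        execv(argv[0], argv);
        _exit(127);                 /* exec failed: conventional "not found" status */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)         /* retry only if a signal interrupted the wait */
            return RELABEL_FAILED;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return RELABEL_FAILED;          /* killed by a signal */
}

/* Same policy as the shell: only tmpfs, and only if restorecon is executable. */
int relabel_after_mount(const char *fstype, const char *mtpt)
{
    if (strcmp(fstype, "tmpfs") != 0)
        return RELABEL_SKIPPED;
    if (access(RESTORECON_PATH, X_OK) != 0)
        return RELABEL_SKIPPED;

    char *argv[] = { RESTORECON_PATH, (char *)mtpt, NULL };
    return run_command(argv);
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s FSTYPE MOUNTPOINT\n", argv[0]);
        return 2;
    }
    int rc = relabel_after_mount(argv[1], argv[2]);
    if (rc == RELABEL_SKIPPED)
        printf("%s on %s: no relabel needed\n", argv[1], argv[2]);
    else
        printf("restorecon %s exited with %d\n", argv[2], rc);
    return (rc == RELABEL_SKIPPED || rc == 0) ? 0 : 1;
}
```

Usage: `./relabel tmpfs /run` after the mount has succeeded. The cost Scott points out is visible in the code: every tmpfs mount pays a fork, an fd-closing loop and an exec, which is why linking against libselinux is the cheaper option once restorecon's behaviour is understood.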
Kees Cook (kees)
Changed in mountall (Ubuntu):
status: New → Fix Committed
assignee: nobody → Kees Cook (kees)
importance: Undecided → Medium
Kees Cook (kees)
Changed in mountall (Ubuntu Karmic):
milestone: none → ubuntu-9.10
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mountall - 1.0

---------------
mountall (1.0) karmic; urgency=low

  [ Kees Cook ]
  * Call out to restorecon after mounting tmpfs filesystems. LP: #456942.

  [ Johan Kiviniemi ]
  * Fix a bug introduced by the 0.2.6 change. In certain situations, we’d
    quit even though we’re still waiting for some filesystems to be
    mounted. LP: #456806.

  [ Scott James Remnant ]
  * Don't clear the splash screen when we're waiting for filesystems,
    instead just output following whatever else is there. In non-verbose
    mode this won't look any different, but it means we don't clear previous
    verbose mode text. LP: #458389.
  * Only update the "waiting for one or more mounts" text if there's actually
    a change in the set we're waiting for; this removes the need for a CLEAR
    this case anyway.
  * Don't say we're waiting for mounts we're, in fact, not waiting
    for. LP: #459859.
  * Stop mountall (normally) when entering recovery mode. LP: #458060.

  * Clean up source tarball. LP: #460348.

 -- Scott James Remnant <email address hidden> Mon, 26 Oct 2009 09:30:41 +0000

Changed in mountall (Ubuntu Karmic):
status: Fix Committed → Fix Released