From ab33653ef312e18042be08854aa0dec2c7254fc2 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Fri, 24 Jan 2014 19:36:33 +0000
Subject: [PATCH] daemon: Bind-mount /sys/fs/selinux into sysroot when running commands.

Even though we are already bind-mounting /sys, it is necessary to also bind-mount /sys/fs/selinux in order for SELinux commands (in particular, 'load_policy') to work.

This fixes/reverts commit 7367729ec7a5d016878dd00b32cce45cec372931.
---
 daemon/command.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/daemon/command.c b/daemon/command.c
index 066c77367..1aa1a527b 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -48,7 +48,8 @@ struct bind_state {
 char *sysroot_dev_pts;
 char *sysroot_proc;
 char *sysroot_sys;
- bool dev_ok, dev_pts_ok, proc_ok, sys_ok;
+ char *sysroot_sys_fs_selinux;
+ bool dev_ok, dev_pts_ok, proc_ok, sys_ok, sys_fs_selinux_ok;
 };
 
 struct resolver_state {
@@ -76,14 +77,17 @@ bind_mount (struct bind_state *bs)
 bs->sysroot_dev_pts = sysroot_path ("/dev/pts");
 bs->sysroot_proc = sysroot_path ("/proc");
 bs->sysroot_sys = sysroot_path ("/sys");
+ bs->sysroot_sys_fs_selinux = sysroot_path ("/sys/fs/selinux");
 
 if (bs->sysroot_dev == NULL || bs->sysroot_dev_pts == NULL ||
- bs->sysroot_proc == NULL || bs->sysroot_sys == NULL) {
+ bs->sysroot_proc == NULL || bs->sysroot_sys == NULL ||
+ bs->sysroot_sys_fs_selinux == NULL) {
 reply_with_perror ("malloc");
 free (bs->sysroot_dev);
 free (bs->sysroot_dev_pts);
 free (bs->sysroot_proc);
 free (bs->sysroot_sys);
+ free (bs->sysroot_sys_fs_selinux);
 return -1;
 }
 
@@ -95,6 +99,8 @@ bind_mount (struct bind_state *bs)
 bs->proc_ok = r != -1;
 r = command (NULL, NULL, str_mount, "--bind", "/sys", bs->sysroot_sys, NULL);
 bs->sys_ok = r != -1;
+ r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_sys_fs_selinux, NULL);
+ bs->sys_fs_selinux_ok = r != -1;
 
 bs->mounted = true;
 
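Review bot: The new `/sys/fs/selinux` bind mount in the third hunk is attempted even when the preceding `/sys` bind failed (`bs->sys_ok` false), in which case `bs->sysroot_sys_fs_selinux` names a directory on the guest's own filesystem rather than a mount point inside the host's sysfs; tying the nested mount to its parent, `r = bs->sys_ok ? command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_sys_fs_selinux, NULL) : -1;`, avoids that. The mount is also expected to fail on appliances where no selinuxfs is mounted, and `command` will presumably report that failure in the daemon output on every call; a comment such as `/* Fails harmlessly when the appliance has no selinuxfs; recorded in sys_fs_selinux_ok and ignored. */` would make clear the failure is tolerated by design. bind_mount's body starts before and continues after this hunk.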
@@ -111,6 +117,8 @@ static void
 free_bind_state (struct bind_state *bs)
 {
 if (bs->mounted) {
+ if (bs->sys_fs_selinux_ok) umount_ignore_fail (bs->sysroot_sys_fs_selinux);
+ free (bs->sysroot_sys_fs_selinux);
 if (bs->sys_ok) umount_ignore_fail (bs->sysroot_sys);
 free (bs->sysroot_sys);
 if (bs->proc_ok) umount_ignore_fail (bs->sysroot_proc);