Hello,

I am trying to use SELinux (refpolicy-targeted) on a read-only root filesystem 
with kirkstone. The volatile-binds recipe creates overlays, but we get multiple 
SELinux denial logs (even with the allow_mount_anyfile boolean set to on).
Most of them occur because the scontext is "system_u:system_r:mount_t:s0". In the 
following example, it should be systemd_tmpfiles_t:
audit[240]: AVC avc:  denied  { relabelfrom } for  pid=240 
comm="systemd-tmpfile" name="dbus" dev="tmpfs" ino=31 
scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1

The "rootcontext" mount option (added by 
https://github.com/yoctoproject/poky/commit/e325390b91da7d3b43e78ad840a9fe5cd14a9ab7)
seems to have no impact.

If the volatile-binds variable "AVOID_OVERLAYFS" is equal to 1 (a bind mount is 
used instead of an overlay), we do not have these errors.
On a read-write rootfs, we seem to have the same behavior with overlays (scontext 
equal to mount_t).

I see that some options have been added to the mount-copybind script for 
SELinux support, but I got denials. What is missing to avoid these denial 
logs?

Best regards,
Sebastien
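When triaging denials like the one quoted above, the first thing to establish is which source domain the denials actually come from, and whether that matches the domain the process is supposed to run in. The following Python script is an added example (not code from the post, from poky or from volatile-binds): it parses kernel-style AVC lines, groups them by source domain, target type, object class and permission, and flags any denial whose scontext type differs from the domain expected for the process name in comm=. The sample log is constructed from the denial in the post plus two invented variants, and the comm-to-domain mapping (EXPECTED_DOMAIN) is an assumption you would fill in from your own policy.

```python
import re
from collections import Counter

# Constructed sample: the denial quoted in the post, re-joined onto one line,
# plus two made-up variants (a second mount_t denial and one from the domain
# systemd-tmpfiles is expected to run in) and one non-AVC line to be skipped.
SAMPLE_LOG = """\
audit[240]: AVC avc:  denied  { relabelfrom } for  pid=240 comm="systemd-tmpfile" name="dbus" dev="tmpfs" ino=31 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1
audit[240]: AVC avc:  denied  { relabelto } for  pid=240 comm="systemd-tmpfile" name="dbus" dev="tmpfs" ino=31 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1
audit[301]: AVC avc:  denied  { write } for  pid=301 comm="systemd-tmpfile" name="machines" dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
kernel: eth0: link up
"""

# Assumed mapping from the process name in comm= to the domain it should run
# in. The kernel truncates comm to 15 characters, hence "systemd-tmpfile".
EXPECTED_DOMAIN = {
    "systemd-tmpfile": "systemd_tmpfiles_t",
}

# Matches "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    if "scontext" in rec:
        rec["sdomain"] = rec["scontext"].split(":")[2]
    if "tcontext" in rec:
        rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_domain_mismatches(log):
    """List denials whose source domain differs from the one expected for comm."""
    mismatches = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or "sdomain" not in rec:
            continue
        expected = EXPECTED_DOMAIN.get(rec.get("comm"))
        if expected is not None and rec["sdomain"] != expected:
            mismatches.append((rec["pid"], rec["comm"], rec["sdomain"], expected))
    return mismatches


def summarize(log):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or "sdomain" not in rec:
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for pid, comm, got, want in find_domain_mismatches(SAMPLE_LOG):
        print(f"pid {pid} {comm}: runs as {got}, expected {want}")
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

On the constructed sample the two mount_t denials are reported as mismatches for systemd-tmpfiles, while the third line (already in systemd_tmpfiles_t) is only counted in the summary; running it over a full `dmesg` or journal dump shows at a glance whether every denial on the overlay paths shares the mount_t source domain, which is the symptom the post describes.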
View/Reply Online (#61432): https://lists.yoctoproject.org/g/yocto/message/61432