Hello, I am trying to use selinux (refpolicy-targeted) in read-only root filesystem with kirkstone. Volatile-binds recipe create overlays, but we have multiple selinux denied logs (even with allow_mount_anyfile boolean set to on). Most of them are because scontext is "system_u:system_r:mount_t:s0". In the following example, it should be systemd_tmpfiles_t: audit[240]: AVC avc: denied { relabelfrom } for pid=240 comm="systemd-tmpfile" name="dbus" dev="tmpfs" ino=31 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1
"rootcontext" mount option (added by https://github.com/yoctoproject/poky/commit/e325390b91da7d3b43e78ad840a9fe5cd14a9ab7) seems to not have impact. If volatile-binds variable "AVOID_OVERLAYFS" is equal to 1 (bind is used instead of overlay), we do not have these errors. In read-write rootfs, we seem to have the same behavior with overlays (scontext equal to mount_t). I see that some options have been added in the mount-copybind script for selinux support, but I got denials. What is missing to not have these denied logs? Best regards, Sebastien
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#61432): https://lists.yoctoproject.org/g/yocto/message/61432 Mute This Topic: https://lists.yoctoproject.org/mt/102080334/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-