On Fri, May 13 2016, Laurent Bigonville <bi...@debian.org> wrote: > libselinux mounts /proc, check is the machine supports SELinux and then > unmounts it. This is supposed to happen at early boot.
I don't understand what selinux is trying to solve here. It's not the job of a library to mount filesystems. If you want to ensure that /proc exists, mount it before. The lazy unmount performed by selinuxfs_exists and selinux_init_load_policy is racy. Processes, run in parallel, *will* cause /proc to disappear right between the mount call and the subsequent fopen call, so the code does not function as upstream intends it to in any case. > I would be interested to know what this behavior is breaking. My main issue is within containers and chroots. I have my own initialization process for these containers, I don't use selinux, but at some point /proc gets mounted before I expect it to. Even if the fix is simply the removal of the mountpoint, I consider the solution broken by design. > As I said on the other bugreport, please bring this upstream if you want > this to change. I'd like to know why, early at boot, this behavior is needed at all, where it could be handled /without/ races. For me this represents a regression in *all* binaries linked with libselinux where selinux is disabled.