Package: selinux-basics
Version: 0.5.2
Severity: normal

The selinux-basics init script fails, with little info:

    # invoke-rc.d selinux-basics start
    [....] Checking SELinux contexts: selinux-basics
    invoke-rc.d: initscript selinux-basics, action "start" failed.

I pinned the problem down to the function 'relabel_minimal', specifically line 45:

    /sbin/restorecon -R /dev /etc/mtab 2>/dev/null

The behavior of restorecon is odd here. Running

    # /sbin/restorecon -R /dev /etc/mtab ; echo $?
    1

gives exit status 1, but running

    # /sbin/restorecon -R /dev ; echo $?
    0
    # /sbin/restorecon -R /etc/mtab ; echo $?
    0
    # /sbin/restorecon -R /etc/mtab /dev ; echo $?
    0

all give exit status 0.

For a while now, /etc/mtab has been a symlink to /proc/mounts, which I'd guess is a crucial part of the problem since the restorecon man page says it doesn't operate on symlinks.

Anyway, relabeling /etc/mtab -> /proc/mounts seems to not do anything on my system. The first run of restorecon after a reboot gives:

    # ls -Z /etc/mtab /proc/mounts
    system_u:object_r:etc_t:SystemLow /etc/mtab
    system_u:object_r:proc_t:SystemLow /proc/mounts
    # restorecon -R -v /etc/mtab
    # ls -Z /etc/mtab /proc/mounts
    system_u:object_r:etc_t:SystemLow /etc/mtab
    system_u:object_r:proc_t:SystemLow /proc/mounts

Attached is a patch that removes the relabeling of /etc/mtab.

Thanks.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-basics depends on:
ii  checkpolicy      2.1.12-1
ii  policycoreutils  2.1.13-2+b1
pn  python:any       <none>
ii  selinux-utils    2.1.13-3

Versions of packages selinux-basics recommends:
ii  selinux-policy-default  2:2.20110726-13
ii  setools                 3.3.8-1

Versions of packages selinux-basics suggests:
ii  logcheck        1.3.15
pn  syslog-summary  <none>

-- no debconf information

--- selinux-basics.orig 2013-10-23 12:32:39.866014812 -0700 +++ selinux-basics 2013-10-23 14:52:25.886330625 -0700 @@ -37,11 +37,11 @@ fi fi -# Relabel /dev and /etc/mtab +# Relabel /dev relabel_minimal() { # when selinux is enabled, relabel /dev if [ -n "$selinuxenabled" -a -x /sbin/restorecon ]; then - /sbin/restorecon -R /dev /etc/mtab 2>/dev/null + /sbin/restorecon -R /dev 2>/dev/null fi }
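
Review bot: the replacement line in relabel_minimal() keeps `2>/dev/null`, so anything restorecon prints when it fails is still discarded, and a future non-zero exit from this call would again leave the init script failing "with little info"; consider dropping the redirect or sending stderr to the init log instead. Separately, /etc/mtab is removed unconditionally: on a system where it is still a regular file it would no longer be relabeled, so a guard such as `[ -L /etc/mtab ]` that decides whether to pass the path to restorecon would keep the old behaviour there while avoiding the symlink case described in the report.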