namespace: keep selinuxfs mounted read-write with ProtectKernelTunables (#5741)

When a service unit uses "ProtectKernelTunables=yes", it currently
remounts /sys/fs/selinux read-only. This makes libselinux report SELinux
state as "disabled", because most SELinux features are not usable. For
example it is not possible to validate security contexts (with
security_check_context_raw() or /sys/fs/selinux/context). This behavior
of libselinux has been described in
http://danwalsh.livejournal.com/73099.html and confirmed in a recent
email, https://marc.info/?l=selinux&m=149220233032594&w=2 .

Since commit 0c28d51ac849 ("units: further lock down our long-running
services"), systemd-localed unit uses ProtectKernelTunables=yes.
Nevertheless this service needs to use libselinux API in order to create
/etc/vconsole.conf, /etc/locale.conf... with the right SELinux contexts.
This is broken when /sys/fs/selinux is mounted read-only in the mount
namespace of the service.

Make SELinux-aware systemd services work again when they are using
ProtectKernelTunables=yes by keeping selinuxfs mounted read-write.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 05175e9..3eb171c 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -100,6 +100,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
         { "/sys/kernel/debug",   READONLY,     true  },
         { "/sys/kernel/tracing", READONLY,     true  },
         { "/sys/fs/cgroup",      READWRITE,    false }, /* READONLY is set by ProtectControlGroups= option */
+        { "/sys/fs/selinux",     READWRITE,    true  },
 };
 
 /* ProtectKernelModules= option */