From patchwork Fri Apr 14 19:43:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Nicolas Iooss
X-Patchwork-Id: 9681735
In-Reply-To: <20170414184946.GB16153@markus>
References: <20170414145759.GA7980@markus> <1492184005.26072.3.camel@tycho.nsa.gov> <1492192590.26072.5.camel@tycho.nsa.gov> <20170414184946.GB16153@markus>
From: Nicolas Iooss
Date: Fri, 14 Apr 2017 21:43:49 +0200
Subject: Re: let's revert e3cab998b48ab293a9962faf9779d70ca339c65d
To: selinux, Stephen Smalley, Daniel J Walsh, Dominick Grift
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On Fri, Apr 14, 2017 at 8:49 PM, Dominick Grift wrote:
> On Fri, Apr 14, 2017 at 01:56:30PM -0400, Stephen Smalley wrote:
>> On Fri, 2017-04-14 at 13:47 -0400, Daniel Walsh wrote:
>> > On 04/14/2017 11:33 AM, Stephen Smalley wrote:
>> > > On Fri, 2017-04-14 at 16:57 +0200, Dominick Grift wrote:
>> > > > Bear with me please, because i might not fully grasp the issue (i
>> > > > received help with diagnosing this issue):
>> > > >
>> > > > This commit causes issues (and is, i think, a lousy hack):
>> > > > e3cab998b48ab293a9962faf9779d70ca339c65d
>> > > >
>> > > > The commit causes entities to "think" that SELinux is disabled after
>> > > > "mount -o remount,ro /sys/fs/selinux"
>> > > >
>> > > > It is "neat" to be able to make processes "think" that selinux is
>> > > > disabled on a selinux enabled system but not if it breaks anything
>> > > >
>> > > > The above results in the following:
>> > > >
>> > > > Systemd services that have ProtectKernelTunables=yes set in their
>> > > > respective service units, think that SELinux is disabled.
>> > > >
>> > > > However we have found that some of these services actually rely on
>> > > > SELinux to ensure proper labeling.
>> > > >
>> > > > So we have the option to make people aware that if you set
>> > > > ProtectKernelTunables=yes that then the process cannot be
>> > > > SELinux-aware properly, or we can just get rid of the commit above
>> > > > and just accept that processes know that SELinux is enabled.
>> > > >
>> > > > Actual bug that caused me to look into this: systemd-localed selinux
>> > > > awareness is broken due to it having ProtectKernelTunables=yes in its
>> > > > service unit
>> > >
>> > > If selinuxfs is mounted read-only, then they can't use most of the
>> > > selinuxfs interfaces, including even the ability to validate or
>> > > canonicalize security contexts. That will break most SELinux-aware
>> > > services if we tell them that SELinux is enabled. Are you sure
>> > > systemd-localed would actually work if you told it SELinux was enabled
>> > > when selinuxfs was mounted read-only? What SELinux interfaces is it
>> > > using?
>> > >
>> > > The other question is whether ProtectKernelTunables ought to be
>> > > mounting selinuxfs read-only. SELinux already controls the ability to
>> > > use its interfaces, including limiting even root, so it is unclear what
>> > > benefit we derive from having systemd add a further restriction on
>> > > top.
>> > >
>> >
>> > Why is selinuxfs mounted readonly in this case?
>>
>> I don't actually see this in upstream systemd unless I am just missing
>> it.
>>
>> systemd/src/core/namespace.c:
>> /* ProtectKernelTunables= option and the related filesystem APIs */
>> static const MountEntry protect_kernel_tunables_table[] = {
>>         { "/proc/sys",           READONLY,  false },
>>         { "/proc/sysrq-trigger", READONLY,  true  },
>>         { "/proc/latency_stats", READONLY,  true  },
>>         { "/proc/mtrr",          READONLY,  true  },
>>         { "/proc/apm",           READONLY,  true  }, /* Obsolete API, there's no point in permitting access to this, ever */
>>         { "/proc/acpi",          READONLY,  true  },
>>         { "/proc/timer_stats",   READONLY,  true  },
>>         { "/proc/asound",        READONLY,  true  },
>>         { "/proc/bus",           READONLY,  true  },
>>         { "/proc/fs",            READONLY,  true  },
>>         { "/proc/irq",           READONLY,  true  },
>>         { "/sys",                READONLY,  false },
>>         { "/sys/kernel/debug",   READONLY,  true  },
>>         { "/sys/kernel/tracing", READONLY,  true  },
>>         { "/sys/fs/cgroup",      READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
>> };
>>
>> No mention of selinuxfs at all. Maybe it is a Fedora patch?
>>
>> > The reason we want this is so that processes inside of containers do not
>> > attempt to do SELinux stuff.
>> >
>> > http://danwalsh.livejournal.com/73099.html
>
> Before one dismisses my concern (8 minute proof):
>
> https://www.youtube.com/watch?v=YqiM1MlOG0w

Hello,

I see this on Arch Linux as well, where there is no distribution-specific
patch which is applied to systemd (the only patches which are applied
are backported commits). A simple way to see that the selinuxfs is
mounted read-only is the following command:
"localectl && findmnt --task $(pgrep systemd-localed)".
It will display the mountpoints of systemd-localed.service, which (with
systemd 232 [1]) contains:

    ├─/sys                             sys         sysfs       ro,nosuid,nodev,noexec,relatime,seclabel
    │ ├─/sys/firmware/efi/efivars      efivarfs    efivarfs    ro,nosuid,nodev,noexec,relatime
    │ ├─/sys/kernel/security           securityfs  securityfs  ro,nosuid,nodev,noexec,relatime
    │ ├─/sys/fs/selinux                selinuxfs   selinuxfs   ro,relatime
    │ ├─/sys/fs/cgroup                 tmpfs       tmpfs       ro,nosuid,nodev,noexec,seclabel,mode=755
    │ │ ├─/sys/fs/cgroup/systemd       cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=
    │ │ ├─/sys/fs/cgroup/net_cls       cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,net_cls
    │ │ ├─/sys/fs/cgroup/perf_event    cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,perf_event
    │ │ ├─/sys/fs/cgroup/pids          cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,pids
    │ │ ├─/sys/fs/cgroup/blkio         cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,blkio
    │ │ ├─/sys/fs/cgroup/freezer       cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,freezer
    │ │ ├─/sys/fs/cgroup/cpu,cpuacct   cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,cpu,cpuacct
    │ │ ├─/sys/fs/cgroup/cpuset        cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,cpuset
    │ │ ├─/sys/fs/cgroup/devices       cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,devices
    │ │ └─/sys/fs/cgroup/memory        cgroup      cgroup      ro,nosuid,nodev,noexec,relatime,memory
    │ ├─/sys/fs/pstore                 pstore      pstore      ro,nosuid,nodev,noexec,relatime,seclabel
    │ ├─/sys/kernel/debug              debugfs     debugfs     ro,relatime,seclabel
    │ ├─/sys/kernel/config             configfs    configfs    ro,relatime
    │ └─/sys/fs/fuse/connections       fusectl     fusectl     ro,relatime

/sys/fs/selinux is mounted read-only.
Moreover when I run "strace -f -p 1 -e mount" while starting
systemd-localed.service, I get:

    3401 mount(NULL, "/sys/fs/cgroup/perf_event", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
    3401 mount(NULL, "/sys/fs/cgroup/blkio", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
    3401 mount(NULL, "/sys/fs/cgroup/pids", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
    3401 mount(NULL, "/sys/fs/selinux", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
    3401 mount(NULL, "/sys/fs/cgroup", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
    3401 mount(NULL, "/sys/kernel/debug", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
    ...

So /sys/fs/selinux *is* remounted read-only by systemd. When I remove
"ProtectKernelTunables=yes" from the unit file, /sys/fs/selinux is not
remounted and is kept RW in the namespace of the service.

About containers, in http://danwalsh.livejournal.com/73099.html there
is: "In containers we don't mount these file systems by default or we
mount it read/only causing libselinux to report that it is disabled.".
Why does /sys/fs/selinux need to be mounted read-only instead of not
being mounted at all?

About systemd-localed, its use of namespaces makes it "look like" a
container, but it needs to be SELinux-aware in order to use
/proc/thread-self/attr/fscreate. The use-case is to atomically create
files like /etc/vconsole.conf with the right context.
In order to do so, the service:

* loads the file context database,
* requests the expected context of /etc/vconsole.conf
  (selabel_lookup_raw),
* configures the fscreate context (setfscreatecon_raw),
* creates a temporary file with this context named for example
  "/etc/.#vconsole.confiYiPml",
* writes data to it and closes it,
* and finally renames it to /etc/vconsole.conf (with the rename
  syscall)

I am not aware of a way of making /etc/vconsole.conf have the right file
context in the end without making the program use libselinux's API
(named type_transition does not support patterns suitable for temporary
files). Did I miss something?

Anyway, there is a bug in vanilla code (it is not specific to Fedora)
and it is not clear whether it is a bug in libselinux code or in
systemd's one. If it's libselinux, I have prepared a patch for it
(attached). Otherwise, what did systemd do wrong in its use of the
SELinux API?

Nicolas

[1] ProtectKernelTunables=yes has actually been introduced in systemd
232 with
https://github.com/systemd/systemd/commit/0c28d51ac84973904e5f780b024adf8108e69fa1

From 92688d49f16a28875034c95827fbe0d20e221d7b Mon Sep 17 00:00:00 2001
From: Nicolas Iooss Date: Fri, 14 Apr 2017 21:27:42 +0200 Subject: [PATCH 1/1] libselinux: detect that SELinux is enabled when /sys/fs/selinux is mounted read-only systemd service units can use "ProtectKernelTunables=yes" in order to mount some file systems read-only (the documentation is available at https://www.freedesktop.org/software/systemd/man/systemd.exec.html). This makes /sys/fs/selinux read-only too. Services using such a configuration option sees SELinux as disabled because of the behavior described in commit e3cab998b48a ("libselinux mountpoint changing patch."): NOTE: We added the check for RO, to allow tools like mock to be able to tell a chroot that SELinux is disabled while enforcing it outside the chroot. However this changes the behavior of some systemd services in unexpected ways. For example systemd-localed uses libselinux in order to create /etc/locale.conf, /etc/vconsole.conf... with the right file context while using a temporary file (using setfscreatecon_raw() with the label of /etc/vconsole.conf). With ProtectKernelTunables=yes, systemd-localed sees SELinux as being disabled (because /sys/fs/selinux is mounted read-only) and creates files in /etc with a wrong label. Fix this issue by making verify_selinuxmnt() use read-only mount-points too. Reported-by: Dominick Grift Signed-off-by: Nicolas Iooss --- libselinux/src/init.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libselinux/src/init.c b/libselinux/src/init.c index 814c7e6a9964..4fca2b9c6ecd 100644 --- a/libselinux/src/init.c +++ b/libselinux/src/init.c @@ -42,9 +42,7 @@ static int verify_selinuxmnt(const char *mnt) struct statvfs vfsbuf; rc = statvfs(mnt, &vfsbuf); if (rc == 0) { - if (!(vfsbuf.f_flag & ST_RDONLY)) { - set_selinuxmnt(mnt); - } + set_selinuxmnt(mnt); return 0; } } -- 2.12.0
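
Review bot: in verify_selinuxmnt(), removing the ST_RDONLY test leaves statvfs() used only for its return code, and it drops without replacement the behaviour the commit message itself quotes from e3cab998b48a, where a read-only mount is how mock tells a chroot that SELinux is disabled. The commit message should say what callers relying on that (mock, containers that mount selinuxfs read-only) are expected to do instead, and a short comment above set_selinuxmnt(mnt) should record that a read-only mount is accepted on purpose. It should also address the point raised earlier in the thread that selinuxfs interfaces such as context validation are unavailable on a read-only mount, so a caller that now sees SELinux as enabled must be prepared for those calls to fail.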
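
The findmnt check described in this message, written as a small mountinfo parser (an added example, not part of the original message and not libselinux code). The function names, the sample lines and the `patched` switch are assumptions made for illustration; the sample is constructed from the findmnt output quoted above.

```c
#include <stdio.h>
#include <string.h>

enum selinuxfs_state { SELINUXFS_ABSENT, SELINUXFS_RW, SELINUXFS_RO };

/* Constructed mountinfo sample for a unit with ProtectKernelTunables=yes,
 * modelled on the findmnt output quoted in the message above. */
static const char SAMPLE_SERVICE[] =
    "72 60 0:17 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sys rw,seclabel\n"
    "73 72 0:18 / /sys/fs/selinux ro,relatime - selinuxfs selinuxfs rw\n";

/* Return 1 if the comma-separated list opts contains opt as a whole token. */
static int has_opt(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    while (*opts) {
        size_t len = strcspn(opts, ",");
        if (len == n && strncmp(opts, opt, n) == 0)
            return 1;
        opts += len + (opts[len] == ',');
    }
    return 0;
}

/* Classify one mountinfo line; layout per proc(5):
 *   id parent maj:min root mountpoint mount-opts [optional...] - fstype source super-opts
 * A read-only bind remount sets "ro" in mount-opts while super-opts stays "rw",
 * so both lists are checked. */
static enum selinuxfs_state classify_line(const char *line)
{
    char mnt_opts[256], fstype[64], super_opts[256];
    const char *sep = strstr(line, " - ");
    if (!sep || sscanf(line, "%*s %*s %*s %*s %*s %255s", mnt_opts) != 1)
        return SELINUXFS_ABSENT;
    if (sscanf(sep + 3, "%63s %*s %255s", fstype, super_opts) != 2)
        return SELINUXFS_ABSENT;
    if (strcmp(fstype, "selinuxfs") != 0)
        return SELINUXFS_ABSENT;
    return (has_opt(mnt_opts, "ro") || has_opt(super_opts, "ro"))
        ? SELINUXFS_RO : SELINUXFS_RW;
}

/* State of the first selinuxfs mount found in a mountinfo dump. */
static enum selinuxfs_state selinuxfs_state_from_text(const char *text)
{
    char line[1024];                  /* longer lines are truncated */
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        enum selinuxfs_state s;
        memcpy(line, text, n);
        line[n] = '\0';
        if ((s = classify_line(line)) != SELINUXFS_ABSENT)
            return s;
        text += len + (text[len] == '\n');
    }
    return SELINUXFS_ABSENT;
}

/* The decision in the hunk on this page: before the patch the mount point is
 * recorded only for a writable mount; with the patch, for any selinuxfs mount. */
static int mount_point_recorded(enum selinuxfs_state s, int patched)
{
    return s != SELINUXFS_ABSENT && (patched || s == SELINUXFS_RW);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "absent", "read-write", "read-only" };
    static char buf[65536];
    const char *text = SAMPLE_SERVICE;   /* default: the constructed sample */
    enum selinuxfs_state s;

    if (argc > 1) {                      /* argv[1]: PID of a running service */
        char path[64];
        FILE *f;
        snprintf(path, sizeof(path), "/proc/%s/mountinfo", argv[1]);
        if (!(f = fopen(path, "r"))) { perror(path); return 1; }
        buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
        fclose(f);
        text = buf;
    }
    s = selinuxfs_state_from_text(text);
    printf("selinuxfs %s; mount point recorded before the patch: %d, after: %d\n",
           names[s], mount_point_recorded(s, 0), mount_point_recorded(s, 1));
    return 0;
}
```

Run with a PID (for example the one returned by `pgrep systemd-localed`) to inspect that service's mount namespace instead of the built-in sample.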