selinux services wrong context [Solved]

[Cheesyjuggler64]

Currently my system service files are being given the wrong context now I'm quite certain this is because I'am mounting the selinux filesystem within my dinit script after my initramfs has run. I believe that I need to mount the sytem before changing to /sbin/init
this is my current init script

Code: Select all

#!/bin/busybox sh

rescue_shell() (
    echo "$@"
    echo "Something went wrong. Dropping you to a shell."
    /bin/busybox --install -s
    exec /bin/sh
}

busybox mount -t devtmpfs none /dev || rescue_shell "Error"
busybox mount -t proc none /proc || rescue_shell "Error"
busybox mount -t sysfs none /sys || rescue_shell "Error"

cryptsetup luksOpen /dev/nvme0n1p2 cryptroot || rescue_shell "Failed to decrypt"
wait
mount -o rw,noatime,compress-force=zstd:3,ssd,space_cache=v2,subvol=/@ /dev/mapper/cryptroot /mnt/root || rescue_shell "Error root mount failed"
umount /proc
mount -o move /dev /mnt/root/dev
exec switch_root /mnt/root /sbin/init

how and where could I mount the selinuxfs (i.e mount -t selinuxfs selinuxfs /sys/fs/selinux)
Help appreciated

[zen_desu]

Currently my system service files are being given the wrong context now I'm quite certain this is because I'am mounting the selinux filesystem within my dinit script after my initramfs has run. I believe that I need to mount the sytem before changing to /sbin/init
this is my current init script

Code: Select all

#!/bin/busybox sh

rescue_shell() (
    echo "$@"
    echo "Something went wrong. Dropping you to a shell."
    /bin/busybox --install -s
    exec /bin/sh
}

busybox mount -t devtmpfs none /dev || rescue_shell "Error"
busybox mount -t proc none /proc || rescue_shell "Error"
busybox mount -t sysfs none /sys || rescue_shell "Error"

cryptsetup luksOpen /dev/nvme0n1p2 cryptroot || rescue_shell "Failed to decrypt"
wait
mount -o rw,noatime,compress-force=zstd:3,ssd,space_cache=v2,subvol=/@ /dev/mapper/cryptroot /mnt/root || rescue_shell "Error root mount failed"
umount /proc
mount -o move /dev /mnt/root/dev
exec switch_root /mnt/root /sbin/init

how and where could I mount the selinuxfs (i.e mount -t selinuxfs selinuxfs /sys/fs/selinux)
Help appreciated

I don't think selinux stuff is typically handled within the initramfs because it won't be able to reasonably load a policy, and the initramfs itself won't have any selinux contexts.

[Cheesyjuggler64]

But how does the init recieve the right context than because until that file system is mounted I don't think the selinux is enabled, if I boot without mounting it it comes up as disabled, so how then would the init system recive the right context if it can't properly communcate?, after further research its only used to communcate with the userspace so it should'nt be needed why then are all my services being spaawned under kernel_t instead of init_t domain, I've changed the context of the init (/sbin/dinit) to init_exec_t so when its loaded by the kernel it should transition into the init_t domain but its not?

help appreciated

[Cheesyjuggler64]

Okay so from more reading the selinuxfs is used to communicate with the userspace, what I didn't realise was that the sepolicy needs to be loaded by the initramfs in order for the init and the rest of the services to be loaded, from reading the sourcecode for dracut and its selinux module
https://github.com/dracutdevs/dracut/b ... policy.sh
specifically amending this to my initramfs init was all it needed,

Code: Select all

mount -o bind /sys "$NEWROOT"/sys
out=$(LANG=C chroot "$NEWROOT" /sbin/load_policy -i 2>&1)
ret=$?
echo "$out"

now they are recieveing the correct context, i will amend the title to solved