Rawhide mls avcs on boot

Joe Nall joe at nall.com
Thu Mar 6 20:17:51 UTC 2008


On Mar 6, 2008, at 1:04 PM, Stephen Smalley wrote:

>
> On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:
>> On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:
>>
>>>
>>> On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
>>>> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in
>>>> /var/log/messages on boot
>>>>
>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
>>>>
>>>> is adding
>>>>
>>>> allow kernel_t proc_t:filesystem unmount;
>>>> allow kernel_t sysfs_t:filesystem unmount;
>>>> allow kernel_t tmpfs_t:filesystem unmount;
>>>>
>>>> to kernel.te the correct fix for this?
>>>
>>> fs_unmount_all_fs(kernel_t)
>>
>> fs_mount_all_fs(kernel_t) is already in kernel.te. After further
>> experimentation, I think it is a constraint issue (s15:c0.c1023
>> unmounting s0).
>
> Well, I know that fs_mount_all_fs() is already there - but we are
> talking about unmount, not mount.

correct

> And it may also involve constraints, in which case kernel_t might need
> mls_file_write_all_levels().  Which I would think would be needed
> anyway for e.g. nfsd operation.

Thanks for the pointer. All three of the following were required. I
added them one at a time to the policy and rebooted each time.  Patch
against selinux-policy-3.3.1-11 attached.

fs_unmount_all_fs(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: kernel.te.patch
Type: application/octet-stream
Size: 501 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080306/4ae12a2d/attachment.obj>
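An added example, not part of the thread or of the selinux-policy package: a small triage script for AVC denials like the ones above. It parses the standard `avc: denied { perms } for ... scontext= tcontext= tclass=` record, prints the plain type-enforcement rule a denial would appear to need, and separately flags denials where the subject and object MLS levels differ (here s15:c0.c1023 against s0). That mismatch is the hint that a bare `allow` rule is not the whole story and that an MLS constraint is involved, which is what the thread concluded. The sample log is constructed from the three quoted lines, re-joined onto one line each; the mapping from "levels differ" to "constraint suspect" is a heuristic, not a policy query, and the interface names the thread settled on (fs_unmount_all_fs, mls_file_write_all_levels, mls_file_read_all_levels) are reported only as the thread's resolution.

```python
import re

# Constructed sample input: the three AVC lines quoted earlier in the
# thread, each re-joined onto a single line as the kernel emits them.
SAMPLE_LOG = """\
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
"""

# The thread's resolution for these three denials; listed here only so the
# report can point at it, not derived from the policy.
THREAD_FIX = (
    "fs_unmount_all_fs(kernel_t)",
    "mls_file_write_all_levels(kernel_t)",
    "mls_file_read_all_levels(kernel_t)",
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type:level. The level itself may contain ':'
    (s15:c0.c1023), so split at most three times."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_level(level):
    """'s15:c0.c1023' -> (15, 'c0.c1023'); 's0' -> (0, '')."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), cats


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def te_rule(d):
    """The plain type-enforcement allow rule this denial would need on its own."""
    return "allow %s %s:%s { %s };" % (
        d["scontext"]["type"], d["tcontext"]["type"], d["tclass"],
        " ".join(d["perms"]))


def crosses_mls_level(d):
    """Heuristic: subject and object levels differ, so an MLS constraint may
    also be denying the access and a TE rule alone may not clear it."""
    return parse_level(d["scontext"]["level"]) != parse_level(d["tcontext"]["level"])


def triage(log):
    """Parse every AVC denial in `log` and annotate it with the TE rule it
    implies and whether the levels differ."""
    results = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        d["te_rule"] = te_rule(d)
        d["mls_suspect"] = crosses_mls_level(d)
        results.append(d)
    return results


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d["te_rule"])
        if d["mls_suspect"]:
            print("  levels differ (%s vs %s): check MLS constraints too"
                  % (d["scontext"]["level"], d["tcontext"]["level"]))
    print("resolution reported in the thread: " + ", ".join(THREAD_FIX))
```

Running it on the sample prints the three `allow kernel_t ..._t:filesystem { unmount };` rules that the original question proposed, each followed by the level-mismatch warning; in refpolicy the `fs_unmount_all_fs()` and `mls_file_*_all_levels()` interfaces are the way to express that rather than raw `allow` lines in kernel.te.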