Rawhide mls avcs on boot
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 6 20:51:19 UTC 2008
Stephen Smalley wrote:
> On Thu, 2008-03-06 at 14:17 -0600, Joe Nall wrote:
>> On Mar 6, 2008, at 1:04 PM, Stephen Smalley wrote:
>>
>>> On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:
>>>> On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:
>>>>
>>>>> On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
>>>>>> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs
>>>>>> in /var/log/messages on boot
>>>>>>
>>>>>> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5):
>>>>>> avc: denied { unmount } for pid=1 comm="init"
>>>>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>>>>>> tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
>>>>>> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6):
>>>>>> avc: denied { unmount } for pid=1 comm="init"
>>>>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>>>>>> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
>>>>>> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7):
>>>>>> avc: denied { unmount } for pid=1 comm="init"
>>>>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>>>>>> tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
>>>>>>
>>>>>> is adding
>>>>>>
>>>>>> allow kernel_t proc_t:filesystem unmount;
>>>>>> allow kernel_t sysfs_t:filesystem unmount;
>>>>>> allow kernel_t tmpfs_t:filesystem unmount;
>>>>>>
>>>>>> to kernel.te the correct fix for this?
>>>>> fs_unmount_all_fs(kernel_t)
>>>> fs_mount_all_fs(kernel_t) is already in kernel.te. After further
>>>> experimentation, I think it is a constraint issue (s15:c0.c1023
>>>> unmounting s0).
>>> Well, I know that fs_mount_all_fs() is already there - but we are
>>> talking about unmount, not mount.
>> correct
>>
>>> And it may also involve constraints, in which case kernel_t might need
>>> mls_file_write_all_levels(). Which I would think would be needed
>>> anyway for e.g. nfsd operation.
>> Thanks for the pointer. All three of the following were required. I
>> added them one at a time to the policy and rebooted each time. Patch
>> against selinux-policy-3.3.1-11 attached.
>>
>> fs_unmount_all_fs(kernel_t)
>> mls_file_write_all_levels(kernel_t)
>> mls_file_read_all_levels(kernel_t)
>
> Needs to go to Dan for Fedora, and to Chris for upstream.
>
Added to -12
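The diagnosis in the thread hinges on noticing that the subject (kernel_t at s15:c0.c1023) and the objects (tmpfs_t, proc_t, sysfs_t at s0) sit at different MLS sensitivities, so an mlsconstrain rule, not only a missing allow rule, is in play. The following is an added triage script, not code from the thread or from selinux-policy; it parses the three quoted AVC lines (embedded below as a constructed sample), derives the raw allow rule each would need, and flags the ones that cross MLS levels so the reader knows to look at the mls_* interfaces as well.

```python
import re

# Constructed sample: the three denials quoted in the thread, one per line in
# the form /var/log/messages carries them (mail wrapping removed).
SAMPLE_LOG = """\
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def split_context(ctx):
    """user:role:type[:mls] -> (type, mls); mls is None on a non-MLS (targeted) policy."""
    parts = ctx.split(":", 3)
    return parts[2], (parts[3] if len(parts) == 4 else None)

def low_sensitivity(mls):
    """Sensitivity number of the low end of an MLS range: 's15:c0.c1023' -> 15, 's0-s15' -> 0."""
    if mls is None:
        return None
    low = mls.split("-", 1)[0]            # drop the high end of a range, if any
    return int(low.split(":", 1)[0][1:])  # 'sN' -> N, ignoring the category set

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype, smls = split_context(m["sctx"])
    ttype, tmls = split_context(m["tctx"])
    return {"perms": m["perms"].split(), "stype": stype, "ttype": ttype, "tclass": m["tclass"],
            "slevel": low_sensitivity(smls), "tlevel": low_sensitivity(tmls)}

def classify(d):
    """Subject and object at different sensitivities: the policy's mlsconstrain rules can
    still block the access after the TE allow rule exists, which is why the thread needed
    mls_file_write_all_levels()/mls_file_read_all_levels() on top of fs_unmount_all_fs()."""
    if d["slevel"] is not None and d["tlevel"] is not None and d["slevel"] != d["tlevel"]:
        return "mls-constraint"
    return "type-enforcement"

def allow_rule(d):
    """Raw TE rule covering the denial, e.g. 'allow kernel_t proc_t:filesystem unmount;'.
    In a refpolicy tree the matching interface (here fs_unmount_all_fs) is preferred."""
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], " ".join(d["perms"]))

def triage(log_text):
    """Return (candidate allow rule, classification) for every AVC denial in the log text."""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            out.append((allow_rule(d), classify(d)))
    return out
```

Run against the sample, all three denials come back as "mls-constraint", matching the thread's conclusion that allow rules alone were not enough.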