Problem with domain transition on a nfs_t mount

Stephen Smalley sds at tycho.nsa.gov
Wed Aug 8 18:19:55 UTC 2007 

On Thu, 2007-08-02 at 23:14 -0400, David-Alexandre Davidson wrote:
> On fedora 7, lastest selinux strict policy.
> 
> I have written a selinux module which go through a domain transition 
> when executing a file on a nfs mount (labeled nfs_t)
> However the transition never occurs. and I get a  : denied  
> execute_no_trans  on nfs_t files .
> 
> In order to find the source of the problem I have taken a file with the 
> exact same context outside of the nfs mount and the transition work fine.
> 
> Here is the related part of my module:
> 
> domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
> allow custom_trans_t nfs_t:file rx_file_perms;
> allow custom_trans_t nfs_t:dir r_dir_perms;
> 
> 
> Here are the details on the nfs share:
> 
>     file executed:
>     -rwxrwxr-x  vu20003 vg20003 system_u:object_r:nfs_t          
> /home/usera/var/bin/testphp.app
> 
>     result:
>     type=AVC msg=audit(1186108700.494:230294): avc:  denied  { 
> execute_no_trans } for  pid=5969 comm="custom-app" name="testphp.app" 
> dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0 
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
> 
> 
> Running the same program and executing an identical file outside the nfs 
> share:  (I labelled manually to match)
> 
>     file executed:
>     -rwxrwxr-x  vu20003 vg20003 system_u:object_r:nfs_t          
> /testphp.app
> 
>     result:
>     transition is made to context  i_custom_t  , nothing is audited
>     
> 
> Any idea what can cause this difference ?  I don't believe this behavior 
> is normal. By the way, if I allow the execute_no_trans on nfs_t, the 
> file gets executed just fine but without the expected transition...
> 
> Any help would be much appreciated !

If the filesystem is mounted nosuid, then SELinux domain transitions on
it are also disabled.  Not as flexible as we might like, but a
conservative approach.  Rationale is that if you didn't trust the
filesystem in the first place for suid binaries, then you likely don't
trust it for domain entrypoints either.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list