Rawhide mls avcs on boot

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 6 20:24:46 UTC 2008


On Thu, 2008-03-06 at 14:17 -0600, Joe Nall wrote:
> On Mar 6, 2008, at 1:04 PM, Stephen Smalley wrote:
> 
> >
> > On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:
> >> On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:
> >>
> >>>
> >>> On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
> >>>> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs  
> >>>> in /
> >>>> var/log/messages on boot
> >>>>
> >>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5):
> >>>> avc:  denied  { unmount } for  pid=1 comm="init"
> >>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >>>> tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
> >>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6):
> >>>> avc:  denied  { unmount } for  pid=1 comm="init"
> >>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >>>> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
> >>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7):
> >>>> avc:  denied  { unmount } for  pid=1 comm="init"
> >>>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >>>> tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
> >>>>
> >>>> is adding
> >>>>
> >>>> allow kernel_t proc_t:filesystem unmount;
> >>>> allow kernel_t sysfs_t:filesystem unmount;
> >>>> allow kernel_t tmpfs_t:filesystem unmount;
> >>>>
> >>>> to kernel.te the correct fix for this?
> >>>
> >>> fs_unmount_all_fs(kernel_t)
> >>
> >> fs_mount_all_fs(kernel_t) is already in kernel.te. After further
> >> experimentation, I think it is a constraint issue (s15:c0.c1023
> >> unmounting s0).
> >
> > Well, I know that fs_mount_all_fs() is already there - but we are
> > talking about unmount, not mount.
> 
> correct
> 
> > And it may also involve constraints, in which case kernel_t might need
> > mls_file_write_all_levels().  Which I would think would be needed  
> > anyway
> > for e.g. nfsd operation.
> 
> Thanks for the pointer. All three of the following were required. I  
> added them one at a time to the policy and rebooted each time.  Patch  
> against selinux-policy-3.3.1-11 attached.
> 
> fs_unmount_all_fs(kernel_t)
> mls_file_write_all_levels(kernel_t)
> mls_file_read_all_levels(kernel_t)

Needs to go to Dan for Fedora, and to Chris for upstream.

-- 
Stephen Smalley
National Security Agency
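The thread shows that the same AVC denial can have two causes: a missing type-enforcement rule (fixed by fs_unmount_all_fs) and an MLS constraint (the kernel at s15:c0.c1023 acting on filesystems labelled s0, fixed by the mls_file_*_all_levels interfaces). The following parser, added here as an example and not part of the thread or of the reference policy, pulls the source/target contexts out of such denials, prints the allow rule the TE side would need, and flags entries whose source and target levels differ as candidates for an MLS constraint problem. The sample log is the three boot messages from the thread, rejoined onto one line each; function names are the example's own.

```python
import re

# The three denials from the thread, rejoined onto single lines (constructed sample input).
SAMPLE_LOG = """\
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
"""

# Matches the permission set, both security contexts and the object class of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:level] into fields.

    The MLS level itself may contain ':' (e.g. s15:c0.c1023), so only the
    first three separators are significant.
    """
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": rest[0] if rest else None}


def parse_avc(line):
    """Return a dict describing the denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": split_context(m.group("scontext")),
        "target": split_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def te_rule(rec):
    """The allow rule that would satisfy the type-enforcement side of the denial."""
    return "allow %s %s:%s { %s };" % (
        rec["source"]["type"], rec["target"]["type"], rec["tclass"], " ".join(rec["perms"]))


def levels_differ(rec):
    """True when subject and object carry different MLS levels.

    A denial is logged the same way whether TE or an MLS constraint rejected it,
    so a level mismatch is only a hint that a constraint may be involved.
    """
    return rec["source"]["level"] != rec["target"]["level"]


def analyse(log_text):
    """Parse every AVC denial in log_text and annotate it with the TE rule and MLS hint."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["te_rule"] = te_rule(rec)
        rec["mls_suspect"] = levels_differ(rec)
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        print(rec["te_rule"])
        if rec["mls_suspect"]:
            print("  levels differ (%s vs %s): check MLS constraints as well as TE"
                  % (rec["source"]["level"], rec["target"]["level"]))
```

Run against the sample, each of the three denials yields the per-type allow rule from the original question plus a level-mismatch warning, which is the combination (TE interface plus MLS read/write-all-levels interfaces) that the thread ends up with. The script is read-only: it suggests what to look at, it does not modify policy.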