Rawhide mls avcs on boot

Daniel J Walsh dwalsh at redhat.com
Thu Mar 6 20:51:19 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Thu, 2008-03-06 at 14:17 -0600, Joe Nall wrote:
>> On Mar 6, 2008, at 1:04 PM, Stephen Smalley wrote:
>>
>>> On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:
>>>> On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:
>>>>
>>>>> On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
>>>>>> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in
>>>>>> /var/log/messages on boot
>>>>>>
>>>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
>>>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
>>>>>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
>>>>>>
>>>>>> is adding
>>>>>>
>>>>>> allow kernel_t proc_t:filesystem unmount;
>>>>>> allow kernel_t sysfs_t:filesystem unmount;
>>>>>> allow kernel_t tmpfs_t:filesystem unmount;
>>>>>>
>>>>>> to kernel.te the correct fix for this?
>>>>> fs_unmount_all_fs(kernel_t)
>>>> fs_mount_all_fs(kernel_t) is already in kernel.te. After further
>>>> experimentation, I think it is a constraint issue (s15:c0.c1023
>>>> unmounting s0).
>>> Well, I know that fs_mount_all_fs() is already there - but we are
>>> talking about unmount, not mount.
>> correct
>>
>>> And it may also involve constraints, in which case kernel_t might need
>>> mls_file_write_all_levels().  Which I would think would be needed
>>> anyway for e.g. nfsd operation.
>> Thanks for the pointer. All three of the following were required. I
>> added them one at a time to the policy and rebooted each time.  Patch
>> against selinux-policy-3.3.1-11 attached.
>>
>> fs_unmount_all_fs(kernel_t)
>> mls_file_write_all_levels(kernel_t)
>> mls_file_read_all_levels(kernel_t)
> 
> Needs to go to Dan for Fedora, and to Chris for upstream.
> 
Added to -12
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfQWUEACgkQrlYvE4MpobOEhwCglVDdZOrdtfvAvHxqTrlur1hr
gusAnjD93SizUhq+FK+g4VB8s6DhV2Fe
=7lnX
-----END PGP SIGNATURE-----
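The denials quoted in the thread, run through an added Python example (my own code, not from the thread, Fedora or the reference policy) that parses AVC records and checks whether the source and target MLS levels differ, which is the constraint problem Joe identified. A denial where the levels match yields an ordinary audit2allow-style type-enforcement rule; a mismatch such as s15:c0.c1023 acting on s0 is labelled as an MLS write-down, meaning the allow rule alone will not clear it. The three AVC lines are the ones from the thread rejoined onto single lines; the fourth log line is constructed for contrast, and the WRITE_LIKE permission set is an illustrative subset, not the full access-vector list.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The three AVC records quoted in the thread (rejoined onto one line each),
# plus one CONSTRUCTED same-level denial so both code paths are exercised.
SAMPLE_LOG = """\
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
Mar  6 10:00:02 xw4100 kernel: type=1400 audit(1204819181.000:8): avc:  denied  { read } for  pid=1234 comm="example" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\S+)')

# Permissions that modify the target. A subject at a higher level exercising one
# of these on a lower-level object is a "write down", which the MLS constraints
# block regardless of type-enforcement allow rules. Illustrative subset only.
WRITE_LIKE = frozenset({"write", "append", "create", "unlink", "rename", "setattr",
                        "mount", "unmount", "remount", "relabelto", "relabelfrom"})


@dataclass(frozen=True)
class AvcDenial:
    perms: FrozenSet[str]
    comm: str
    stype: str
    slevel: str   # "" when the policy carries no MLS/MCS field
    ttype: str
    tlevel: str
    tclass: str


def split_context(ctx: str) -> Tuple[str, str]:
    """Return (type, level) from a context like system_u:system_r:kernel_t:s15:c0.c1023."""
    parts = ctx.split(":", 3)          # user, role, type, [level, which may itself contain ':']
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2], (parts[3] if len(parts) == 4 else "")


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one syslog/audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv: Dict[str, str] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    stype, slevel = split_context(kv["scontext"])
    ttype, tlevel = split_context(kv["tcontext"])
    return AvcDenial(frozenset(m.group("perms").split()), kv.get("comm", "?"),
                     stype, slevel, ttype, tlevel, kv["tclass"])


def level_range(level: str) -> Tuple[int, int]:
    """(low, high) sensitivity of a level or range: 's0' -> (0, 0),
    's15:c0.c1023' -> (15, 15), 's0-s15:c0.c1023' -> (0, 15). Categories are ignored."""
    sens = [int(part.split(":", 1)[0][1:]) for part in level.split("-", 1)]
    return sens[0], sens[-1]


def classify(d: AvcDenial) -> str:
    """'te-only' if a plain allow rule can clear the denial, otherwise which MLS
    constraint direction is involved."""
    if not d.slevel or not d.tlevel:
        return "te-only"
    s_low, s_high = level_range(d.slevel)
    t_low, t_high = level_range(d.tlevel)
    if (s_low, s_high) == (t_low, t_high):
        return "te-only"
    if s_high > t_high and d.perms & WRITE_LIKE:
        return "mls-write-down"
    if t_high > s_high:
        return "mls-read-up"
    return "mls-level-mismatch"


def te_rule(d: AvcDenial) -> str:
    """The raw allow rule the denial would produce on its own (audit2allow style)."""
    perms = " ".join(sorted(d.perms))
    if len(d.perms) > 1:
        perms = "{ " + perms + " }"
    return f"allow {d.stype} {d.ttype}:{d.tclass} {perms};"


def analyze(log: str) -> List[Tuple[AvcDenial, str, str]]:
    """Return (denial, classification, raw TE rule) for every AVC line in the log."""
    results = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d is not None:
            results.append((d, classify(d), te_rule(d)))
    return results


if __name__ == "__main__":
    for d, kind, rule in analyze(SAMPLE_LOG):
        print(f"{kind:18} {rule}")
        if kind != "te-only":
            print(f"{'':18} {d.comm}: {d.slevel} -> {d.tlevel}; the allow rule alone "
                  f"will not clear this, an MLS override interface is needed as well")
```

The raw rule printed for the first three records is exactly the `allow kernel_t ... :filesystem unmount;` line Joe first proposed, and the label beside it is the reason it was not enough. In the actual fix the policy used interface calls rather than raw rules (fs_unmount_all_fs for the type-enforcement side, mls_file_write_all_levels and mls_file_read_all_levels for the constraints); the thread found that unmount needed both the read and write overrides, which a single "write-down" label does not capture, so treat the classification as a pointer to the constraint checks rather than as the complete list of interfaces to add.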