[redhat-lspp] mqueue filesystem labeling

Stephen Smalley sds at tycho.nsa.gov
Mon Nov 20 17:53:09 UTC 2006 

On Wed, 2006-11-15 at 00:19 -0200, Thiago Jung Bauermann wrote:
> Hi folks,
> 
> I am having some trouble with POSIX message queues in enforcing mode. I
> hope someone can shed some light into this...
> 
> The POSIX message queue implementation uses an internal virtual
> filesystem called mqueue, so processes wanting to perform operations on
> POSIX message queues must have access to that filesystem.
> 
> The problem is that for some reason the mqueue filesystem is labeled at
> SystemHigh, so only processes at that level are able to create message
> queues.

This kind of question belongs on selinux list (cc'd above), as it is not
LSPP-specific.

With regard to your question, I believe that this is a characteristic of
fs_use_trans that has come up previously for other fs_use_trans
filesystems - the root inode is deriving its label from the kernel's
SID, and is thus inheriting SystemHigh as its level.  For devpts, this
was worked around via a restorecon /dev/pts in rc.sysinit, but the
policy now supports range_transition statements on object classes, so it
should be possible to define such a transition to label these pseudo
filesystems with a correct level.

> I don't think this is breaking any functionality, so... do we care?
> 
> 
> 
> The only line I could find in the SELinux policy about this is:
> 
> fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
> 
> The above says that the mqueue fs should be at SystemLow.
> This is how the kernel initializes it:
> 
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> 
> Even if I explicitly set a SystemLow context for the filesystem when
> mounting it, it is still mounted as SystemHigh:
> 
> [root at alex mls]# mount -t mqueue mqueue /mnt
> [root at alex mls]# ls -Zd /mnt
> drwxrwxrwt  root root system_u:object_r:tmpfs_t:SystemHigh /mnt
> [root at alex mls]# umount /mnt
> 
> [root at alex mls]# mount -o fscontext=system_u:object_r:tmpfs_t:s0 -t
> mqueue mqueue /mnt
> [root at alex mls]# ls -Zd /mnt
> drwxrwxrwt  root root system_u:object_r:tmpfs_t:SystemHigh /mnt
> [root at alex mls]# umount /mnt
> 
> [root at alex mls]# mount -o context=system_u:object_r:tmpfs_t:s0 -t mqueue
> mqueue /mnt
> [root at alex mls]# ls -Zd /mnt
> drwxrwxrwt  root root system_u:object_r:tmpfs_t:SystemHigh /mnt
> 
> 
> 
> And here's the audit record generated when trying to create a message
> queue in enforcing mode:
> 
> ----
> type=PATH msg=audit(10/31/2006 17:00:00.603:752) : item=0 name=myqueue
> obj=system_u:object_r:root_t:s0
> type=CWD msg=audit(10/31/2006 17:00:00.603:752) : cwd=/tmp/tests
> 
> type=MQ_OPEN msg=audit(10/31/2006 17:00:00.603:752) :
> oflag=0xc2 mode=777 mq_flags=0x6d8730 mq_maxmsg=16 mq_msgsize=1
> mq_curmsgs=0
> 
> type=SYSCALL msg=audit(10/31/2006 17:00:00.603:752) : arch=x86_64
> syscall=mq_open success=no exit=-13(Permission denied) a0=2aaaaab1f94d
> a1=c2 a2=1ff a3=7fffac4d8550 items=1 ppid=2581 pid=2608 auid=ealuser
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts0 comm=queuetest exe=/tmp/tests/queuetest
> subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
>  ----
> 
> I got the above record by adding an audit rule for the mq_open()
> syscall. I find it odd that it doesn't include an AVC message. I thought
> every denial record had one...
> 
> And here's an audit record obtained in permissive mode:
> 
> ----
> type=PATH msg=audit(10/31/2006 17:01:12.307:764) : item=2 name=(null)
> inode=418 dev=00:0d mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:tmpfs_t:s15:c0.c1023
> 
> type=PATH msg=audit(10/31/2006 17:01:12.307:764) : item=1 name=(null)
> inode=12076 dev=00:0d mode=file,755 ouid=root ogid=root rdev=00:00
> obj=staff_u:object_r:sysadm_tmpfs_t:s0
> 
> type=PATH msg=audit(10/31/2006 17:01:12.307:764) : item=0 name=myqueue
> obj=system_u:object_r:root_t:s0
> 
> type=CWD msg=audit(10/31/2006 17:01:12.307:764) :
> cwd=/tmp/tests
> 
> type=MQ_OPEN msg=audit(10/31/2006 17:01:12.307:764) : oflag=0xc2
> mode=777 mq_flags=0x6d8730 mq_maxmsg=16 mq_msgsize=1 mq_curmsgs=0
> 
> type=SYSCALL msg=audit(10/31/2006 17:01:12.307:764) : arch=x86_64
> syscall=mq_open success=yes exit=4 a0=2aaaaab1f94d a1=c2 a2=1
> ff a3=7fffac4d8550 items=3 ppid=2581 pid=2608 auid=ealuser uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root
>  fsgid=root tty=pts0 comm=queuetest exe=/tmp/tests/queuetest
> subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> 
>  type=AVC msg=audit(10/31/2006 17:01:12.307:764) : avc:  denied
> { add_name } for  pid=2608 comm=queuetest name=myqueue scontext=
>  staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=dir
> 
>  type=AVC msg=audit(10/31/2006 17:01:12.307:764) : avc:  denied
> { write } for  pid=2608 comm=queuetest name=/ dev=mqueue ino=418 s
>  context=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=dir
>  ----
> 
> 
> -- 
> []'s
> Thiago Jung Bauermann
> Software Engineer
> IBM Linux Technology Center
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list