tar xvf <tar file> --xattrs warning/error in MLS enforcing

[Stephen Smalley]

On Fri, 2010-04-30 at 16:42 -0500, Xavier Toth wrote:
> On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth at gmail.com> wrote:
> > I'm going to simplify this because a lot of the detail isn't import to
> > the issue I'm working through. I'm taring some files, one of which
> > happens to be labeled SystemHigh and the rest SystemLow. An init
> > script, running SystemLow-SystemHigh, is later run on a different
> > system which untars the file. tar generates a warning message about
> > setfilecon failing for the file labeled SystemHigh and I see a
> > SELINUX_ERR message in the audit log (security_validate_transition:
> > denied for oldcontext=system_u:object_r:selinux_config_t:s0
> > newcontext=system_u:object_r:selinux_config_t:s15:c0-c1023
> > taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> > am using run_init to run test this init script. What I'm confused
> > about is that there are no AVCs (I did an semnodule -DB just to see if
> > there were any dontaudits) and why there even is a failure as initrc_t
> > uses the mls_file_write_all_levels marco. Also does anyone know of a
> > way to see the contexts stored in the tar file?
> >
> > Ted
> >
> 
> I see now, initrc_t policy doesn't use mls_file_upgrade but I still
> don't like the no AVC bit.

The AVC isn't involved in that check.  security_validate_transition()
and the mlsvalidatetrans constraints were introduced to enable a check
to be applied based on all 3 security contexts (old file context, new
file context, process context) simultaneously, which wasn't possible via
the pairwise AVC checks.  selinux_inode_setxattr() invokes
security_validate_transition() after applying the AVC permission checks
during file relabeling.

-- 
Stephen Smalley
National Security Agency