No default labels, is it intentional?
Dominick Grift
dominick.grift at gmail.com
Tue Jan 15 15:03:01 UTC 2013
On Tue, 2013-01-15 at 09:58 -0500, Daniel J Walsh wrote:
> On 01/15/2013 09:15 AM, Dominick Grift wrote:
> > On Tue, 2013-01-15 at 14:11 +0100, Göran Uddeborg wrote:
> >> I'm running a "restorecon -n -R -v /" from cron once a month, just to be
> >> careful and know what is happening. Last night when it ran, I got a lot
> >> of error messages like these:
> >>
> >> restorecon: Warning no default label for /dev/pts/3
> >>
> >> and
> >>
> >> restorecon: Warning no default label for /tmp/efs0YYVa79.html
> >>
> >> There were a couple for things in /dev, and lots of them for things in
> >> /tmp.
> >>
> >> I have lately been upgrading bit by bit to Fedora 18 (the beta, strictly
> >> speaking, since the final release isn't officially out at the time of
> >> this writing), so I assume the new message is related to these upgrades.
> >> But why? When I list file contexts, I see rules like this:
> >>
> >> /dev/pts(/.*)? all files
> >> <<None>>
> >>
> >> So I guess it is not a simple mistake. But what is the reason? Why
> >> don't some /dev entries, and almost the entire /tmp directory, have any
> >> default context any more?
> >
> > It has to do with some optional security models like mcs, mls and ubac and
> > the nature of their security attributes i believe
> >
> > For example if you create a file in /tmp with a compartment of s0:c23 then
> > you do not want a relabel to reset it because that would declassify the
> > file back to s0
> >
> > SELinux cannot determine that the file should be labeled s0:c23 because a
> > unprivileged user with access to the compartment decided that
> >
> > So by ignoring the context altogether you can be sure that the file will
> > not get declassified by restorecon/fixfiles
> >
> > So you will see this in public places like /tmp etc.
> >
> > There is a similar issue with types. Users may have some discretion over
> > select types to relabel to and from. SELinux cannot determine that a user
> > decided to label from example file ~/bla type httpd_user_content_t.
> >
> > So with types there is a different approach: some types are declared
> > customizable types. If a file has a customizable type then SELinux will not
> > try to relabel it (so that it wont get unintentionally declassified) unless
> > you use the -F flag.
> >
> > The identity field by default does not get reset unless one uses restorecon
> > with the -F flag
> >
> > With MLS security models processes are forced to operate on specified
> > security levels for the sake of enforcing confidentiality. Files that may
> > be affected and are in public places are not flagged to be reset with the
> > <<None>>
> >
> > Disclaimer: this is my understanding of the issue but i might be wrong
> >
> >
> >
> >> -- selinux mailing list selinux at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
> > -- selinux mailing list selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> Yes the basic idea is in certain directories like mnt_t, tmp_t, tmpfs_t we do
> not have a standard definition of content in these directories. So <<none>>
> says any content could be here, so don't change the labels. For example a
> user does cp -a ~/.ssh /tmp Would move ssh_home_t content to /tmp, if you ran
> restorecon on it and we had default label of tmp_t or user_tmp_t, then all
> apps could read tmp_t could not read the content.
>
> Modern restorecon in RHEL7 and Latest Fedoras does not change any components
> of the security context other then the type field. unless you specify force.
> This is something we want avoid as we move forward with MCS labeling and MLS
> Labeling. If you use containers or static labeling for virtual machines, you
> do not want restorecon changing the MLS/MCS field.
>
> The reason you are noticing this is we added an error check to restorecon to
> tell the user that restorecon /mnt/foobar did not do anything.
>
> restorecon -R /mnt
>
> Will not output the error, since we wanted to quiet the noise, but if you get
> verbose, you will get the noise. I guess we could add a -vv for realy
> verbose, if the message is aggravating.
By the way, we probably want to not relabel content
in /var/lib/libvirt/filesystems.
I did a relabel and all my container contexts were reset
More information about the selinux
mailing list