unionfs, tmpfs, and xattrs
by Bill Nottingham
So, I'm playing some with unionfs (http://www.fsl.cs.sunysb.edu/project-unionfs.html),
which works fine with SELinux as long as the underlying filesystems that you're
using in the union all support xattrs.
Which brings us to tmpfs.
The way xattrs appear to work on tmpfs is that the VFS tries the getxattr
op of tmpfs (which fails, as it doesn't exist), and then does an end-run
around in the selinux code to get an attribute, as long as you're only
looking for the security xattr.
This means that anything on tmpfs can have a xattr retrieved from userspace
just fine with getxattr(2), but if you try and get it in the kernel via
'normal' means (such as the inode's getxattr method), it will fail. This
breaks tmpfs as part of a unionfs branch pretty badly.
Why was xattrs-on-tmpfs done this way? It seems somewhat hackish.
I could theoretically patch unionfs to call the vfs method, but... ew.
Bill
18 years, 2 months
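The asymmetry Bill describes can be observed from userspace. The probe below is an added example, not Bill's code and not part of unionfs or the kernel: for each path it asks getxattr(2) for `security.selinux` and for a made-up `user.unionfs_probe` name and classifies the answer, so a tmpfs file that returns a security label while rejecting the user namespace stands out. `/dev/shm` is assumed to be tmpfs, and the attribute names are this example's own choice.

```c
/* Added example (not from the original post or from unionfs): probe which
 * extended attributes a file answers from userspace. For "security.*"
 * names the VFS consults the security module before (or instead of) the
 * filesystem's own getxattr, which is why tmpfs can hand back
 * security.selinux while a "user.*" name on the same inode fails.
 * Assumptions: /dev/shm is tmpfs; "user.unionfs_probe" is a made-up name. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

enum probe {
    PROBE_PRESENT,      /* attribute exists and a value came back */
    PROBE_ABSENT,       /* xattrs work here, this one is simply not set (ENODATA) */
    PROBE_UNSUPPORTED,  /* no handler for this name on this filesystem (ENOTSUP) */
    PROBE_ERROR         /* anything else: ENOENT, EACCES, ERANGE, ... */
};

/* Map the errno left behind by a failed getxattr(2) to a class above. */
enum probe classify_xattr_errno(int err)
{
    switch (err) {
    case ENODATA: return PROBE_ABSENT;
    case ENOTSUP: return PROBE_UNSUPPORTED;   /* == EOPNOTSUPP on Linux */
    default:      return PROBE_ERROR;
    }
}

const char *probe_name(enum probe p)
{
    static const char *const names[] = {
        "present", "absent (ENODATA: supported here, not set)",
        "unsupported (ENOTSUP: no handler for this name here)", "error" };
    return names[p];
}

/* Probe one attribute on one path; a NUL-terminated value lands in val
 * when cap > 0 and the result is PROBE_PRESENT. cap == 0 only asks
 * whether the attribute exists (getxattr then reports its size). */
enum probe probe_xattr(const char *path, const char *name, char *val, size_t cap)
{
    ssize_t n = getxattr(path, name, val, cap ? cap - 1 : 0);
    if (n < 0)
        return classify_xattr_errno(errno);
    if (cap)
        val[n < (ssize_t)cap ? n : (ssize_t)cap - 1] = '\0';
    return PROBE_PRESENT;
}

int main(int argc, char **argv)
{
    static const char *const defaults[] = { "/dev/shm", "/" };
    static const char *const names[] = { "security.selinux", "user.unionfs_probe" };
    const char *const *paths = argc > 1 ? (const char *const *)argv + 1 : defaults;
    int npaths = argc > 1 ? argc - 1 : 2;

    for (int i = 0; i < npaths; i++)
        for (size_t j = 0; j < 2; j++) {
            char val[256];
            enum probe r = probe_xattr(paths[i], names[j], val, sizeof val);
            printf("%-12s %-20s %s%s%s\n", paths[i], names[j], probe_name(r),
                   r == PROBE_PRESENT ? " = " : "", r == PROBE_PRESENT ? val : "");
        }
    return 0;
}
```

Run it against a file on tmpfs and the same kind of file on ext3/ext4 (any paths can be passed as arguments); on an SELinux kernel the `security.selinux` row is answered on both while the `user.*` row tells you what the filesystem itself implements. The caveat for a stacking filesystem is exactly the one in the post: this program goes through the VFS entry point, so a success here says nothing about what a direct call to the lower inode's getxattr method would return.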
Re: [kay.sievers@vrfy.org]
by Bill Nottingham
Kay Sievers (kay.sievers(a)vrfy.org) said:
> Heh, yeah, that looks fine, but I asked for more :)
>
> o What about other media than ide? How is that different?
> (I don't have a single box left with old ide drivers)
For SCSI, etc., the media type is easily determined from the
device name - for IDE it's not. (At least, I presume that's
the reason.)
Bill
18 years, 2 months
Re: [kay.sievers@vrfy.org]
by Daniel J Walsh
Kay Sievers wrote:
> On Mon, Feb 06, 2006 at 01:35:35PM -0500, Stephen Smalley wrote:
>
>> On Mon, 2006-02-06 at 13:15 -0500, Daniel J Walsh wrote:
>>
>>> How about if we changed the call to
>>> if ( mode & S_IFBLK ) {
>>> media = get_media(devname, mode);
>>> if (media) {
>>> ret = matchmediacon(media, &scontext);
>>> free(media);
>>> }
>>> }
>>>
>> You already have a test of (mode & S_IFBLK) on entry to get_media, so I
>> don't see what that buys you. Still limited to ide devices by get_media
>> only checking /proc/ide. I don't think her concern with the media
>> support was performance, just generality and use of sysfs. Performance
>> concern was with selinux_init.
>>
>> On the performance overhead issue, only real improvement would be to
>> move all matchpathcon_init+matchpathcon processing into the daemon and
>> have the daemon pass the required contexts to the event commands on the
>> command line or via pipe.
>>
>
> The udev event processes, the ones that actually create the device node
> are just clones of the main daemon, they run the same code, the same
> memory as the main daemon, they don't exec() anything. So everything that
> is available in the main daemon before the event process is forked, will
> also be available in the event process itself while it is creating the
> node.
>
> That's the reason I was asking, cause it sounds like the current selinux
> integration could be optimized. Seems there is no need for any pipe or other
> ipc, if selinux is fine with the inherited state from the daemon.
>
> Thanks,
> Kay
>
Yes, I think it should work fine.
I think a patch like the following should also be added to udev_selinux.
- media = get_media(devname, mode);
- if (media) {
- ret = matchmediacon(media, &scontext);
- free(media);
+ if ( mode & S_IFBLK ) {
+ media = get_media(devname, mode);
+ if (media) {
+ ret = matchmediacon(media, &scontext);
+ free(media);
+ }
}
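Review bot: `if ( mode & S_IFBLK )` in the added guard is not a block-device test. S_IFBLK (0060000) is one value of the S_IFMT bit field, not a flag, so the AND is also non-zero for character devices (S_IFCHR = 0020000), directories, symlinks and sockets, and get_media() would still be called for /dev/null or a tty. Use the macro meant for this: `if (S_ISBLK(mode)) {`. Beyond that, as the quoted reply already notes, get_media() tests the mode on entry, so the outer guard only repeats that check unless the intent is to avoid the call itself.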
18 years, 2 months
crond execheap
by Tom London
Running latest rawhide, targeted/enforcing.
I notice this in audit.log:
----
type=SYSCALL msg=audit(02/05/2006 10:32:52.810:590) : arch=i386
syscall=mprotect success=no exit=-13(Permission denied) a0=4b25000
a1=6f000 a2=5 a3=bfd4d600 items=0 pid=7034 auid=unknown(4294967295)
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root comm=ld-linux.so.2 exe=/lib/ld-2.3.90.so
type=AVC msg=audit(02/05/2006 10:32:52.810:590) : avc: denied {
execheap } for pid=7034 comm=ld-linux.so.2
scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process
----
Not sure how to track this down further....
tom
--
Tom London
18 years, 2 months
Re: [kay.sievers@vrfy.org]
by Stephen Smalley
On Tue, 2006-02-07 at 02:18 +0100, Kay Sievers wrote:
> The udev event processes, the ones that actually create the device node
> are just clones of the main daemon, they run the same code, the same
> memory as the main daemon, they don't exec() anything. So everything that
> is available in the main daemon before the event process is forked, will
> also be available in the event process itself while it is creating the
> node.
>
> That's the reason I was asking, cause it sounds like the current selinux
> integration could be optimized. Seems there is no need for any pipe or other
> ipc, if selinux is fine with the inherited state from the daemon.
Yes, in that case, performing the matchpathcon_init_prefix call once in
the main daemon would likely be fine.
--
Stephen Smalley
National Security Agency
18 years, 2 months
selinux causes a problem with cdrom mounting on Fedora Core 3
by pine oil
I've just installed FC3 onto my machine because FC4 refused to install,
complaining it could not configure my graphic card (Matrox Millennium
P750).
CD does not get mounted properly, apparently due to SELinux, as indicated in
the /etc/fstab as below. I edited the file to eliminate the entry made by
SELinux. On reboot, the same entry appears again. What do I do now?
Your suggestion will be appreciated very much.
pine
======================== /etc/fstab ======================
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/ / ext3 defaults 1 1
LABEL=/boot1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
LABEL=SWAP-hda3 swap swap defaults 0 0
/dev/hdc /media/cdrom auto pamconsole,fscontext=system_u:object_r:removable_t,ro,exec,noauto,managed 0 0
============================================================
18 years, 2 months
AVCs denied from latest FC4 kernel startup
by Matthew Saltzman
After installing kernel-2.6.15-1.1830_FC4 (or any of the 2.6.15 kernels),
I get the following on startup. Startup appears to complete normally and
the system seems functional (at least for what I've tried so far).
audit(1139113698.796:2): avc: denied { search } for pid=578
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.804:3): avc: denied { search } for pid=579
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.808:4): avc: denied { search } for pid=572
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.816:5): avc: denied { search } for pid=580
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.824:6): avc: denied { search } for pid=567
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.832:7): avc: denied { search } for pid=581
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.844:8): avc: denied { search } for pid=568
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.852:9): avc: denied { search } for pid=582
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.860:10): avc: denied { search } for pid=569
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.872:11): avc: denied { search } for pid=583
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.880:12): avc: denied { search } for pid=571
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.892:13): avc: denied { search } for pid=584
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.900:14): avc: denied { search } for pid=574
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.912:15): avc: denied { search } for pid=575
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.924:16): avc: denied { search } for pid=576
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.936:17): avc: denied { search } for pid=587
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.948:18): avc: denied { search } for pid=577
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.960:19): avc: denied { search } for pid=586
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.976:20): avc: denied { search } for pid=570
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139113698.988:21): avc: denied { search } for pid=573
comm="hotplug" name="proc" dev=dm-0 ino=851969
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
18 years, 2 months
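Both of the reports above hand the reader raw audit records: one execheap denial with its SYSCALL record, and twenty hotplug AVCs that differ only in pid. The program below is an added example, not code from either poster or from the audit tools: it extracts fields from a record, decodes the protection argument of the mprotect call that tripped execheap (arguments are logged in hex, so `a2=5` is PROT_READ|PROT_EXEC), and collapses the AVC flood to one line per (scontext, tcontext, tclass, permission). The sample records are copied from the two posts with wrapped lines rejoined; the function names are this example's own. The same decoder also reads the `a2=1000007` of the execstack record later in this digest, where PROT_GROWSDOWN marks the stack mapping.

```c
/* Added example (not code from either report): field extraction, mprotect
 * argument decoding and de-duplication for SELinux audit records.
 * Sample records below are copied from the posts above (lines rejoined);
 * no auditd or SELinux is needed to run this. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

const char *const SAMPLE_RECORDS[] = {
    /* crond post, ausearch -i style output */
    "type=SYSCALL msg=audit(02/05/2006 10:32:52.810:590) : arch=i386 syscall=mprotect success=no exit=-13(Permission denied) a0=4b25000 a1=6f000 a2=5 a3=bfd4d600 items=0 pid=7034 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ld-linux.so.2 exe=/lib/ld-2.3.90.so",
    "type=AVC msg=audit(02/05/2006 10:32:52.810:590) : avc: denied { execheap } for pid=7034 comm=ld-linux.so.2 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=process",
    /* three of the twenty identical hotplug denials, raw kernel format */
    "audit(1139113698.796:2): avc: denied { search } for pid=578 comm=\"hotplug\" name=\"proc\" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir",
    "audit(1139113698.804:3): avc: denied { search } for pid=579 comm=\"hotplug\" name=\"proc\" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir",
    "audit(1139113698.808:4): avc: denied { search } for pid=572 comm=\"hotplug\" name=\"proc\" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_RECORDS / sizeof SAMPLE_RECORDS[0];

/* Copy the value of key=value into out (surrounding quotes stripped).
 * Only a key at record start or after a space counts, so "uid" does not
 * match inside "auid=". Returns out, or NULL if the key is absent. */
const char *audit_field(const char *rec, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1, *e;
            if (*v == '"') { v++; e = strchr(v, '"'); if (!e) return NULL; }
            else e = v + strcspn(v, " ");
            size_t n = (size_t)(e - v);
            if (n >= cap) n = cap - 1;
            memcpy(out, v, n); out[n] = '\0';
            return out;
        }
        p += klen;
    }
    return NULL;
}

/* Render an mprotect/mmap protection word as PROT_* names ("PROT_NONE" for 0). */
const char *decode_prot(unsigned long prot, char *out, size_t cap)
{
    static const struct { unsigned long bit; const char *name; } bits[] = {
        { 0x1, "PROT_READ" }, { 0x2, "PROT_WRITE" }, { 0x4, "PROT_EXEC" },
        { 0x01000000, "PROT_GROWSDOWN" }, { 0x02000000, "PROT_GROWSUP" } };
    out[0] = '\0';
    if (prot == 0) { snprintf(out, cap, "PROT_NONE"); return out; }
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++)
        if (prot & bits[i].bit) {
            if (out[0]) strncat(out, "|", cap - strlen(out) - 1);
            strncat(out, bits[i].name, cap - strlen(out) - 1);
            prot &= ~bits[i].bit;
        }
    if (prot) { char x[24]; snprintf(x, sizeof x, "|0x%lx", prot); strncat(out, x, cap - strlen(out) - 1); }
    return out;
}

/* For a SYSCALL record of mprotect, return 0 and the prot argument (a2).
 * Raw records carry the syscall number, which is 125 on i386 (arch=40000003);
 * ausearch -i prints the name instead. */
int audit_mprotect_prot(const char *rec, unsigned long *prot)
{
    char sc[32], a2[32];
    if (!audit_field(rec, "syscall", sc, sizeof sc)) return -1;
    if (strcmp(sc, "mprotect") != 0 && strcmp(sc, "125") != 0) return -1;
    if (!audit_field(rec, "a2", a2, sizeof a2)) return -1;
    *prot = strtoul(a2, NULL, 16);   /* syscall arguments are logged in hex */
    return 0;
}

/* Build "scontext tcontext tclass perm" for an AVC record; the permission
 * is whatever sits between "{ " and " }". Returns -1 if any part is missing. */
int avc_key(const char *rec, char *out, size_t cap)
{
    char s[128], t[128], c[32], perm[64];
    const char *b = strstr(rec, "{ "), *e;
    if (!b || !(e = strstr(b, " }"))) return -1;
    b += 2;
    size_t n = (size_t)(e - b);
    if (n >= sizeof perm) n = sizeof perm - 1;
    memcpy(perm, b, n); perm[n] = '\0';
    if (!audit_field(rec, "scontext", s, sizeof s) || !audit_field(rec, "tcontext", t, sizeof t) ||
        !audit_field(rec, "tclass", c, sizeof c)) return -1;
    snprintf(out, cap, "%s %s %s %s", s, t, c, perm);
    return 0;
}

struct tally { char key[400]; int count; };

/* Count distinct AVC keys across the records; non-AVC records are skipped. */
size_t aggregate_avcs(const char *const *recs, size_t nrec, struct tally *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nrec; i++) {
        char key[400]; size_t j;
        if (!strstr(recs[i], "avc:") || avc_key(recs[i], key, sizeof key) != 0) continue;
        for (j = 0; j < n && strcmp(out[j].key, key) != 0; j++) ;
        if (j == n) {
            if (n == cap) break;
            snprintf(out[n].key, sizeof out[n].key, "%s", key); out[n].count = 0; n++;
        }
        out[j].count++;
    }
    return n;
}

int main(void)
{
    struct tally t[16]; char buf[80]; unsigned long prot;
    size_t n = aggregate_avcs(SAMPLE_RECORDS, SAMPLE_COUNT, t, 16);
    for (size_t i = 0; i < n; i++) printf("%4d  %s\n", t[i].count, t[i].key);
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (audit_mprotect_prot(SAMPLE_RECORDS[i], &prot) == 0)
            printf("mprotect prot=%s\n", decode_prot(prot, buf, sizeof buf));
    return 0;
}
```

The aggregated key is what a policy rule would need to allow (`allow hotplug_t unlabeled_t:dir search;`), which makes the twenty lines above one decision rather than twenty; the `unlabeled_t` target on a directory named `proc` is itself the clue that a mount point on dm-0 never received a label. For the crond record, `comm=ld-linux.so.2` plus `PROT_READ|PROT_EXEC` on a heap range says the dynamic loader, not crond's own code, asked for an executable heap.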
SELinux Symposium Final Agenda: Case studies, WIPS, and BOFs
by Frank Mayer
The final agenda for the SELinux Symposium has been posted to the symposium
web site (www.selinux-symposium.org). In particular we have now included two
case studies, seven work-in-progress presentations, and two
birds-of-a-feather session to the agenda.
For those planning to attend, early (discounted) registration ends this
Friday (February 10), so don't delay registering. See you there, Frank
18 years, 2 months
[kay.sievers@vrfy.org]
by Bill Nottingham
Some questions from the upstream udev maintainer... from reading
it, the media stuff is because CDROMs, etc. have a different file
type, and the default file context needs to be set in everything that
creates devices. Is that correct?
Bill
----- Forwarded message from Kay Sievers <kay.sievers(a)vrfy.org> -----
Date: Sat, 4 Feb 2006 05:10:04 +0100
From: Kay Sievers <kay.sievers(a)vrfy.org>
To: Bill Nottingham <notting(a)redhat.com>
...
Can't we move the selinux_init() called from every event process
to the single main daemon init? I don't know how expensive that is,
nor do I know if selinux is fine with that, but if we can make that
faster it would be better...
And the get_media() in udev_selinux.c for every block device seems
a bit weird. Do you know if this is really needed? What about scsi then?
I've added the IDE stuff to sysfs in 2.6.15, so we should at least
use the file there...
Care to ask one of your selinux guys or forward the questions?
Cheers,
Kay
----- End forwarded message -----
18 years, 2 months
Problem with interbase (firebird-1.5) on FC4 box, httpd-2.0.54, php-interbase-5.0.4-10.5
by Daniel Paul
Hello there,
because I need interbase (firebird) support in php, I recompiled the actual
php-5.0.4-10.5 package with interbase support (--with-interbase=shared). When
I start httpd there is the following message in error_log:
PHP Warning: PHP Startup: Unable to load dynamic library
'/usr/lib/php/modules/interbase.so' - object requires: cannot enable
executable stack as shared object requires: Permission denied in Unknown on
line 0
phpinfo() shows that php has read the interbase.ini file which contains a
reference to the interbase.so module, but interbase support is disabled
(nothing shows up regarding interbase). With selinux set to permissive mode
(instead of enforcing), there is no such message and phpinfo() shows me that
interbase support is enabled.
audit.log shows the following:
type=AVC msg=audit(1138630853.033:10): avc: denied { execstack } for
pid=1886 comm="httpd" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_t tclass=process
type=SYSCALL msg=audit(1138630853.033:10): arch=40000003 syscall=125
success=no exit=-13 a0=bf8a3000 a1=1000 a2=1000007 a3=d5a000 items=0 pid=1886
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd"
exe="/usr/sbin/httpd"
Any help would be truly appreciated.
Thanks in advance,
Daniel
18 years, 2 months
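The loader message "cannot enable executable stack as shared object requires" is glibc reporting that interbase.so's PT_GNU_STACK program header asks for PF_X (or that the header is missing, which glibc on x86 treats the same way), so ld.so called mprotect() on the stack with PROT_EXEC and the execstack check refused it. The program below is an added example, not code from the poster, PHP or Firebird: it parses just enough of an ELF file to report what PT_GNU_STACK says, so the flag can be checked before the library is ever loaded into httpd. Little-endian ELF32/ELF64 is assumed; `build_test_elf()` fabricates a minimal image for self-testing and is not a real library.

```c
/* Added example (not from the original post, PHP or Firebird): report an
 * ELF object's PT_GNU_STACK request, the flag the dynamic loader consults
 * before deciding to mprotect() the stack PROT_EXEC. Little-endian input
 * assumed; the constants are the ELF spec values so <elf.h> is not needed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EI_CLASS     4
#define EI_DATA      5
#define ELFCLASS32   1
#define ELFCLASS64   2
#define ELFDATA2LSB  1
#define PT_GNU_STACK 0x6474e551u
#define PF_X         1u

enum { STACK_EXEC = 1, STACK_NOEXEC = 0, STACK_UNSPECIFIED = -1, STACK_BADELF = -2 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const unsigned char *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(unsigned char *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* STACK_EXEC if PT_GNU_STACK carries PF_X, STACK_NOEXEC if present without
 * it, STACK_UNSPECIFIED if there is no PT_GNU_STACK at all (glibc on x86
 * then falls back to an executable stack), STACK_BADELF if unparseable. */
int elf_stack_exec_from_mem(const unsigned char *b, size_t n)
{
    uint64_t phoff; unsigned phentsize, phnum, flags_off, phmin;
    if (n < 52 || memcmp(b, "\177ELF", 4) != 0 || b[EI_DATA] != ELFDATA2LSB) return STACK_BADELF;
    if (b[EI_CLASS] == ELFCLASS64) {
        if (n < 64) return STACK_BADELF;
        phoff = rd64(b + 32); phentsize = rd16(b + 54); phnum = rd16(b + 56);
        flags_off = 4; phmin = 56;       /* Elf64_Phdr: p_flags follows p_type */
    } else if (b[EI_CLASS] == ELFCLASS32) {
        phoff = rd32(b + 28); phentsize = rd16(b + 42); phnum = rd16(b + 44);
        flags_off = 24; phmin = 32;      /* Elf32_Phdr: p_flags is the seventh word */
    } else return STACK_BADELF;
    if (phentsize < phmin) return STACK_BADELF;
    for (unsigned i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > n || n - off < phmin) return STACK_BADELF;
        if (rd32(b + off) == PT_GNU_STACK)
            return (rd32(b + off + flags_off) & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNSPECIFIED;
}

/* Same check on a file, reading only the bytes up to the end of the
 * program header table (capped at 16 MiB as a sanity limit). */
int elf_stack_exec_from_file(const char *path)
{
    unsigned char hdr[64] = {0}; unsigned char *buf; size_t need, got, more; int r;
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BADELF;
    got = fread(hdr, 1, sizeof hdr, f);
    if (got < 52 || memcmp(hdr, "\177ELF", 4) != 0) { fclose(f); return STACK_BADELF; }
    if (hdr[EI_CLASS] == ELFCLASS64) need = (size_t)rd64(hdr + 32) + (size_t)rd16(hdr + 54) * rd16(hdr + 56);
    else need = rd32(hdr + 28) + (size_t)rd16(hdr + 42) * rd16(hdr + 44);
    if (need < got) need = got;
    if (need > (1u << 24) || !(buf = malloc(need))) { fclose(f); return STACK_BADELF; }
    memcpy(buf, hdr, got);
    more = fread(buf + got, 1, need - got, f);
    fclose(f);
    r = elf_stack_exec_from_mem(buf, got + more);
    free(buf);
    return r;
}

/* Constructed test input: a minimal ELF64 shared object with one PT_LOAD
 * and, optionally, a PT_GNU_STACK carrying stack_flags. Returns its length. */
size_t build_test_elf(int with_gnu_stack, uint32_t stack_flags, unsigned char *out, size_t cap)
{
    unsigned phnum = with_gnu_stack ? 2 : 1; size_t len = 64 + phnum * 56u;
    if (cap < len) return 0;
    memset(out, 0, len);
    memcpy(out, "\177ELF", 4); out[EI_CLASS] = ELFCLASS64; out[EI_DATA] = ELFDATA2LSB; out[6] = 1;
    wr16(out + 16, 3); wr16(out + 18, 62); wr32(out + 20, 1);   /* ET_DYN, EM_X86_64, EV_CURRENT */
    wr64(out + 32, 64); wr16(out + 52, 64); wr16(out + 54, 56); wr16(out + 56, (uint16_t)phnum);
    wr32(out + 64, 1); wr32(out + 68, 5);                       /* PT_LOAD, PF_R|PF_X */
    if (with_gnu_stack) { wr32(out + 120, PT_GNU_STACK); wr32(out + 124, stack_flags); }
    return len;
}

int main(int argc, char **argv)
{
    static const char *const what[] = {
        "no PT_GNU_STACK: loader assumes an executable stack",
        "PT_GNU_STACK without PF_X: no execstack needed",
        "PT_GNU_STACK with PF_X: loader will mprotect the stack PROT_EXEC" };
    for (int i = 1; i < argc; i++) {
        int r = elf_stack_exec_from_file(argv[i]);
        printf("%s: %s\n", argv[i], r == STACK_BADELF ? "not a readable little-endian ELF" : what[r + 1]);
    }
    return 0;
}
```

`readelf -lW interbase.so | grep GNU_STACK` gives the same answer in one line (`RWE` in the flags column is the PF_X case). The usual cause is a single assembly or object file built without a `.note.GNU-stack` section, which makes the linker mark the whole library executable-stack; if the library does not really need it, `execstack -c` (from the prelink package) clears the flag, which is a better fix than widening policy with a boolean for all of httpd_t.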