ReiserFS chicken and egg

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 31 13:15:48 UTC 2006


On Thu, 2006-03-30 at 15:32 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Wed, 2006-03-29 at 13:34 -0600, Ian Pilcher wrote:
> >   
> >> Sorry about the delay...jury duty.
> >>
> >> Just tried again to be sure:
> >>
> >>   mkfs.reiserfs /dev/md9
> >>
> >> /etc/fstab contains:
> >>
> >>   /dev/md9 /mnt/tmp reiserfs context=system_u:object_r:file_t:s0 0 2
> >>
> >> Rebooted and the mount failed.  dmesg | grep md9 shows:
> >>
> >> audit(1143660461.416:15): avc:  denied  { search } for  pid=1714
> >> comm="mount" name="/" dev=md9 ino=2
> >> scontext=system_u:system_r:mount_t:s0
> >> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> >> ReiserFS: md9: warning: xattrs/ACLs enabled and couldn't find/create
> >> .reiserfs_priv. Failing mount.
> >>
> >> It doesn't look like the context option had any effect at all.
> >>     
> >
> > I think we are encountering the denial before we reach the processing of
> > the context option.  The setup of the superblock security data and the
> > root directory security data happens upon security_sb_kern_mount, but
> > this is called after the filesystem returns from its get_sb method.
> > Unfortunately, reiserfs apparently tries to access the xattr directory
> > during get_sb, so there is an attempted lookup before SELinux has
> > initialized the security state on the root directory, and we get a
> > denial on unlabeled_t.  I guess you need to allow mount_t
> > unlabeled_t:dir search; to work around it.
> >
> >   
> Should we allow this in policy?

Unclear - it can easily be added by a module on the end systems, and it
is a definite corner case that is not usually required.

-- 
Stephen Smalley
National Security Agency
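The local policy module Stephen suggests can be generated from the AVC denial Ian quoted. The following is an added illustration, not code from the thread: it parses that denial line (constructed here as the single line the kernel emits) and renders the `.te` source for a loadable module, which is essentially what `audit2allow -M` does. The module name `reiserfs_mount` is an assumption.

```python
import re

# Constructed sample: the dmesg AVC line quoted in the thread, re-joined
# into the single line the kernel actually emits.
AVC_LINE = ('audit(1143660461.416:15): avc:  denied  { search } for  pid=1714 '
            'comm="mount" name="/" dev=md9 ino=2 scontext=system_u:system_r:mount_t:s0 '
            'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir')

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')

def parse_avc(line):
    """Extract perms, source/target types and class from one AVC denial line;
    returns None for lines that are not denials or lack a context."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:range]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': sorted(set(m.group('perms').split())),
            'stype': stype, 'ttype': ttype, 'tclass': tclass}

def _perm_set(perms):
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)

def allow_rule(avc):
    """Render one parsed denial as an allow rule."""
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'],
                                   avc['tclass'], _perm_set(avc['perms']))

def module_source(name, lines, version='1.0'):
    """Build loadable-module .te source from AVC lines (what audit2allow -M does).
    Build/load: checkmodule -M -m -o N.mod N.te; semodule_package -o N.pp -m N.mod;
    semodule -i N.pp"""
    avcs = [a for a in (parse_avc(l) for l in lines) if a]
    types = sorted({t for a in avcs for t in (a['stype'], a['ttype'])})
    classes = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, _perm_set(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + [allow_rule(a) for a in avcs]
    return '\n'.join(out) + '\n'
```

`module_source('reiserfs_mount', [AVC_LINE])` yields a module whose only rule is `allow mount_t unlabeled_t:dir search;`, the line from the thread; the denial arises before the `context=` option is applied, so the rule only permits the pre-labelling lookup during get_sb and does not widen access to the mounted filesystem once it is labelled.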
