[DSE-Dev] [martin at martinorr.name: /selinux getattr messages]

Christopher J. PeBenito cpebenito at tresys.com
Mon Nov 19 14:25:26 UTC 2007


On Fri, 2007-11-16 at 13:59 +0100, Václav Ovsík wrote:
> Hello,
> I'm trying to stabilize refpolicy-20070928 on Debian Etch.
> 
> Repository with some updated selinux packages will be available soon.
> I took packages from Sid and updated these with 20070928 upstream
> releases.
> 
> I'm an SELinux beginner, but my intention is to understand the SELinux
> finally :) and run targeted and possibly strict policies in production
> environment on Debian.
> 
> Currently I'm booting Xen DomU Debian Etch in permissive mode.
> 
> There are two audit messages, and I found solution (attached) in
> selinux-devel at lists.alioth.debian.org.
> 
> audit(1195215260.590:3): avc:  denied  { getattr } for  pid=760
> comm="mount" name="/" dev=selinuxfs ino=475
> scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> 
> audit(1195215263.626:6): avc:  denied  { getattr } for  pid=1017
> comm="swapon" name="/" dev=selinuxfs ino=475
> scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> 
> 
> So after insertion
> 
> selinux_get_fs_mount(fsadm_t)
> -> ./policy/modules/system/fstools.te
> 
> selinux_get_fs_mount(mount_t)
> -> ./policy/modules/system/mount.te
> 
> both messages disappear.
> 
> Is such a solution ok and acceptable upstream (conditionally for
> Debian distro or so)?

I have added a selinuxutil interface for libselinux-linked domains
(seutil_libselinux_linked()).  That way it's clear why the access is
needed, and we can change it if the constructor changes.

The mount change could be for all, as I also see the libblkid linkage on
my Gentoo system.  However, I don't see it in Gentoo iptables (1.3.8).


> email message attachment
> > -------- Forwarded Message --------
> > From: Martin Orr <martin at martinorr.name>
> > To: selinux-devel at lists.alioth.debian.org
> > Subject: [DSE-Dev] /selinux getattr messages
> > Date: Sat, 23 Jun 2007 12:39:11 +0100
> > 
> > I am using the targeted policy in permissive mode.  During boot I get the
> > following messages:
> > audit(1182511335.252:36): avc:  denied  { getattr } for  pid=1249
> > comm="mount" name="/" dev=selinuxfs ino=318
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> > audit(1182511346.457:47): avc:  denied  { getattr } for  pid=1503
> > comm="swapon" name="/" dev=selinuxfs ino=318
> > scontext=system_u:system_r:fsadm_t:s0
> > tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> > audit(1182511347.644:48): avc:  denied  { getattr } for  pid=1570
> > comm="iptables" name="/" dev=selinuxfs ino=318
> > scontext=system_u:system_r:iptables_t:s0
> > tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> > 
> > These come because libblkid and iptables are both linked against libselinux,
> > which locates the selinux mount point in a constructor.  When this was
> > introduced in libselinux, the selinux_get_fs_mount interface was added to
> > the reference policy to allow this.  So mount.te should gain
> > selinux_get_fs_mount(mount_t)
> > and fstools.te should gain
> > selinux_get_fs_mount(fsadm_t)
> > 
> > So far as I can see iptables has no need to be linked against libselinux,
> > but I will check further.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

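The triage the thread walks through, written up as an added example (this is not code from the thread, from Debian's packages or from refpolicy): a small POSIX shell script that takes AVC denials of the shape quoted above and prints the refpolicy interface call Martin Orr proposes for each source domain, while leaving every other denial alone. The matching rule (a getattr denial on the selinuxfs root, target type security_t, class filesystem) is taken from the messages in the thread; the emitted interface name defaults to selinux_get_fs_mount, with seutil_libselinux_linked, the interface Chris PeBenito says he added, selectable through an assumed IFACE variable. The sample input is constructed: the three denials from Martin Orr's message unwrapped to one line each, plus one unrelated denial invented for this example so the filter has something to reject. The is_libselinux_linked helper uses ldd and is the check Chris's remark about Gentoo iptables 1.3.8 calls for; it needs a real binary, so it is not part of the offline run.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy.
# Map AVC denials caused by libselinux's constructor (getattr on the
# selinuxfs root, labelled security_t) to the refpolicy interface call the
# thread suggests, and ignore every other denial.

# Interface to emit. The thread proposes selinux_get_fs_mount(); Chris
# PeBenito's reply adds seutil_libselinux_linked() for the same access.
# IFACE is an assumption of this example, not a refpolicy convention.
IFACE="${IFACE:-selinux_get_fs_mount}"

# Constructed sample: Martin Orr's three denials, one per line, plus a
# constructed unrelated denial (httpd_t reading shadow_t) that must NOT
# turn into a rule.
AVC_SAMPLE='audit(1182511335.252:36): avc:  denied  { getattr } for  pid=1249 comm="mount" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511346.457:47): avc:  denied  { getattr } for  pid=1503 comm="swapon" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511347.644:48): avc:  denied  { getattr } for  pid=1570 comm="iptables" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511350.000:49): avc:  denied  { read } for  pid=1600 comm="cat" name="shadow" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# suggest_libselinux_rules INPUT: print one "IFACE(domain)" line per source
# domain whose denial matches the libselinux-constructor pattern. Anything
# else (other permissions, other targets) is dropped rather than allowed.
suggest_libselinux_rules() {
    printf '%s\n' "$1" | awk -v iface="$IFACE" '
        /denied/ && index($0, "{ getattr }") && /dev=selinuxfs/ && /tclass=filesystem/ {
            sc = ""; tc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sc = substr($i, 10)
                if ($i ~ /^tcontext=/) tc = substr($i, 10)
            }
            split(sc, s, ":"); dom = s[3]      # user:role:type:level -> type
            split(tc, t, ":"); ttype = t[3]
            if (ttype == "security_t" && !seen[dom]++)
                printf "%s(%s)\n", iface, dom
        }'
}

# is_libselinux_linked BINARY: confirm the linkage the thread blames before
# adding a rule for that domain (Chris notes Gentoo iptables 1.3.8 is not
# linked). Needs a real binary and ldd, so it is not exercised on the sample.
is_libselinux_linked() {
    ldd "$1" 2>/dev/null | grep -q 'libselinux'
}

suggest_libselinux_rules "$AVC_SAMPLE"
```

On a live system, feed it the raw avc lines from dmesg or /var/log/audit/audit.log instead of the sample. Note that the sample run also emits a line for iptables_t, because the denial matches the pattern; the thread's own caveat is that the denial alone does not settle whether iptables should carry the interface, which is what the ldd check is for before anything goes into a .te file.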