* avc: denied with kernel module
From: Jaspreet Singh @ 2004-11-01 22:12 UTC (permalink / raw)
To: nsa
Hi,

I am using an overlay-fs module .. and tried setting a security context on
files and got this message ....

avc: denied { associate } for pid=1530 exe=/usr/sbin/setfiles
name=public_html dev=overlay_fs ino=42
scontext=site1-admin:object_r:httpd_site1_content_t
tcontext=system_u:object_r:unlabeled_t tclass=filesystem

setenforce 0 .. allows it (obviously ;-)

I understand the message .. but don't know the steps to avoid it.

Jaspreet
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: avc: denied with kernel module
From: Jaspreet Singh @ 2004-11-01 22:19 UTC (permalink / raw)
To: nsa

Hi,

sorry, it was foolish of me to ask this question in the mailing list .. I
didn't know about audit2allow ...

Jaspreet

On Tue, 2004-11-02 at 03:42, Jaspreet Singh wrote:
> Hi,
>
> I am using an overlay-fs module .. and tried setting a security context on
> files and got this message ....
>
> avc: denied { associate } for pid=1530 exe=/usr/sbin/setfiles
> name=public_html dev=overlay_fs ino=42
> scontext=site1-admin:object_r:httpd_site1_content_t
> tcontext=system_u:object_r:unlabeled_t tclass=filesystem
>
> setenforce 0 .. allows it (obviously ;-)
>
> I understand the message .. but don't know the steps to avoid it.
>
> Jaspreet
* Re: set/getxattrs - I am badly struck ..
From: Luke Kenneth Casson Leighton @ 2004-11-02 9:17 UTC (permalink / raw)
To: Jaspreet Singh; +Cc: Stephen Smalley, fedora-selinux-list, SE-Linux

jaspreet, hi,

it sounds like you're endeavouring to do _exactly_ what i have been
trying to do: making a filesystem simultaneously available at a second
location.

realistically, you will need to examine types/files.fc and modify
genhomedircon.

i recommend you cut/paste genhomedircon's use of HOME_ROOT and HOME_DIR
to create a second set of macro substitutions VIRTUAL_HOME_ROOT and
VIRTUAL_HOME_DIR.

then, cut/paste the three or so lines in types/files.fc that use
HOME_ROOT and HOME_DIR, prepending VIRTUAL_ in the right places.

and you make sure that genhomedircon prepends /var/ wherever the new
substitutions VIRTUAL_ are used.

in this way, you will end up with a file_contexts that has
double-entries for /home and /var/home.

alternatively, ignore the above and hack genhomedircon to double-output
its lines: outputting both a line for /home and also an identical
context line for /var/home.

what _i_ did was restrict the system to only having one user: therefore
i can get away with using fusexmp to proxy mount /home/sez to
/Documents.

therefore, in the file contexts, i can get away without having to hack
genhomedircon, i can just add a hacked-up entry like this
files/misc/hack.sez.fc:

/Documents sez:object_r:user_t.

l.

On Tue, Nov 02, 2004 at 12:21:45PM +0530, Jaspreet Singh wrote:
> Hi,
>
> Thanx for the mail .. I have corrected the problem using audit2allow ..
> basically the domain needed permissions to access the file-system.
>
> Could you please help in this case .. I am stuck in kernel space
> get/setxattrs (FC3-2.6.8-541 fs=ext3)
>
> Should there be a difference between using user-space and kernel-space
> get/setxattrs to get/set file xattrs ...
>
> I have some trouble with using inode->i_op->get/setxattrs ...
>
> I getxattr from /home and set it to /var/home using inode operations and
> get this -
>
> ls -Zd /home /var/home
> drwxr-xr-x+ root root system_u:object_r:home_root_t /home/
> drwxr-xr-x+ root root system_u:object_r:home_root_t /var/home/
>
> perfect till now .. but now when I try and create files inside /var/home
> they get "root:object_r:var_t" unlike /home where I get
> "root:object_r:user_home_dir_t" :-(
>
> and on the contrary if I create /var/home and tag it with "home_root_t"
> using setfiles it works perfectly fine ... any clues
>
> I can't use user-space get/setxattr coz I am writing an overlay
> file-system ... so ....
>
> Does selinux intercept (and probably note down) get/setxattrs syscalls
> or any of the type_transitions.
>
> any suggestions ....
>
> Jaspreet Singh

--
you don't have to BE MAD | this space   | my brother wanted to join mensa,
to work, but IT HELPS    | for rent     | for an ego trip - and get kicked
you feel better!  I AM   | can pay cash | out for a even bigger one.
* Re: set/getxattrs - I am badly struck ..
From: Luke Kenneth Casson Leighton @ 2004-11-02 10:28 UTC (permalink / raw)
To: Jaspreet Singh, Stephen Smalley, SE-Linux

On Tue, Nov 02, 2004 at 09:17:11AM +0000, Luke Kenneth Casson Leighton wrote:
> what _i_ did was restrict the system to only having one user: therefore
> i can get away with using fusexmp to proxy mount /home/sez to
> /Documents.
>
> therefore, in the file contexts, i can get away without having to hack
> genhomedircon, i can just add a hacked-up entry like this
> files/misc/hack.sez.fc:
>
> /Documents sez:object_r:user_t.

correction: user_home_t. or thereabouts. can't remember now.

l.
* Re: avc: denied with kernel module .. someone help !!!
From: Jaspreet Singh @ 2004-11-02 15:23 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton, nsa, Colin Walters

Hi,

Sir. Stephen Smalley ... I think I badly need your help here :-(
coz this may be .. one of my last mails to the selinux community ...

thanx for the mail ... Luke

I tried what you said ...

overlay_fs is a layer ... on top of other file-systems ... which does a
BSD unionfs kind of thing. It exposes methods to get/setxattrs and
depends upon the underlying file-systems for it. So I am successfully
able to use 'setfiles' on top of it ...

I am using it with targeted policies ....

I added the following line in fs_use (thanx to luke kenneth):

fs_use_xattr mini_fo system_u:object_r:fs_t;

It works fine for unconfined_t and gives very positive results while
working as root doing normal file operations.

But it gives a hell of a lot of problems while working with apache ...
apache at random starts considering all files and dirs as fifo_file and
starts giving blank denials like -

avc: denied { } for pid=1687 exe=/usr/sbin/httpd name=home
dev=overlay_fs ino=109 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:home_root_t tclass=fifo_file

on re-mounts some of the avc's disappear .. and this is random.

I can't make sense out of it .. please help..... :-((

I have come very far .. with selinux but seem like losing it all ...

help would be highly appreciated ...

Jaspreet :-(

On Tue, 2004-11-02 at 06:09, Luke Kenneth Casson Leighton wrote:
> jaspreet, hi,
>
> is your "overlay" filesystem a proxy view of other parts of the
> filesystem?
>
> in other words, is it a bit like doing a hard link to a directory?
> [which i know if you try to do a hard link on a directory using
> "ln" it fails]
>
> l.
>
> On Tue, Nov 02, 2004 at 03:49:51AM +0530, Jaspreet Singh wrote:
> > Hi,
> >
> > sorry, it was foolish of me to ask this question in the mailing list .. I
> > didn't know about audit2allow ...
> >
> > Jaspreet
> >
> > On Tue, 2004-11-02 at 03:42, Jaspreet Singh wrote:
> > > Hi,
> > >
> > > I am using an overlay-fs module .. and tried setting a security context on
> > > files and got this message ....
> > >
> > > avc: denied { associate } for pid=1530 exe=/usr/sbin/setfiles
> > > name=public_html dev=overlay_fs ino=42
> > > scontext=site1-admin:object_r:httpd_site1_content_t
> > > tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> > >
> > > setenforce 0 .. allows it (obviously ;-)
> > >
> > > I understand the message .. but don't know the steps to avoid it.
> > >
> > > Jaspreet
* Re: avc: denied with kernel module .. someone help !!!
From: Stephen Smalley @ 2004-11-02 15:51 UTC (permalink / raw)
To: jsingh; +Cc: Luke Kenneth Casson Leighton, nsa, Colin Walters

On Tue, 2004-11-02 at 10:23, Jaspreet Singh wrote:
> overlay_fs is a layer ... on top of other file-systems ... which does a
> BSD unionfs kind of thing. It exposes methods to get/setxattrs and
> depends upon the underlying file-systems for it. So i am successfully
> able to use 'setfiles' on top of it ...

The code for this filesystem is available where?

> apache at-random starts considering all files and dirs as fifo_file and
> start giving blank denials like -
>
> avc: denied { } for pid=1687 exe=/usr/sbin/httpd name=home
> dev=overlay_fs ino=109 scontext=root:system_r:httpd_t
> tcontext=system_u:object_r:home_root_t tclass=fifo_file
>
> on re-mounts some of the avc's disappear ..and this is random.

Any interesting output related to your overlay_fs prior to these denials?

The blank denial is because the permission being checked isn't defined
for that security class. Most likely this is a "search" check on a
directory, but since SELinux thinks it is a fifo, it fails to map the
permission. SELinux sets the security class when the dentry is
instantiated for the inode based on the inode mode. If the filesystem
isn't setting the inode mode correctly, then there isn't much we can do.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: avc: denied with kernel module .. someone help !!!
From: Luke Kenneth Casson Leighton @ 2004-11-03 18:28 UTC (permalink / raw)
To: Jaspreet Singh; +Cc: nsa, Colin Walters

On Tue, Nov 02, 2004 at 08:53:20PM +0530, Jaspreet Singh wrote:
> Hi ,
>
> Sir. Stephen Smalley ... i think i badly need your help here :-(
> coz this may be .. one of my last mails to selinux community ...
>
> thanx for the mail ... Luke

so adding to fs_use worked?
* Re: avc: denied with kernel module
From: Russell Coker @ 2004-11-02 16:17 UTC (permalink / raw)
To: jsingh; +Cc: nsa

On Tue, 2 Nov 2004 09:12, Jaspreet Singh <jsingh@ensim.com> wrote:
> I am using a overlay-fs module .. and tried setting security context on
> files and got this message ....

What is the entry in /proc/filesystems for that file system?

> avc: denied { associate } for pid=1530 exe=/usr/sbin/setfiles
> name=public_html dev=overlay_fs ino=42
> scontext=site1-admin:object_r:httpd_site1_content_t
> tcontext=system_u:object_r:unlabeled_t tclass=filesystem

Your problem is that the filesystem has type unlabeled_t.

Does this overlay-fs support xattrs? If so then something like the
following in the policy should work:

fs_use_xattr XXX system_u:object_r:fs_t;

Replace XXX with the file system name from /proc/filesystems.

PS audit2allow generates really bad policy if you use it without
understanding the policy. Any time you use audit2allow because you
don't understand what else to do the result will probably be wrong.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
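As an added example (not code from anyone in this thread), a small Python triage script that parses the two denials quoted above, rejoining the lines the mailer wrapped, and tells apart the two failure shapes the replies explain: the unlabeled_t filesystem that needs an fs_use entry (Russell's reply) and the empty permission set that means the object class was derived from a wrong inode mode (Stephen's reply). The diagnostic wording is the example's own heuristic, not SELinux output.

```python
import re

# One record: "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(record):
    """Parse one AVC denial (possibly wrapped over several lines) into a dict, or None."""
    m = AVC_RE.search(" ".join(record.split()))  # rejoin the lines the mailer wrapped
    if not m:
        return None
    avc = dict(KV_RE.findall(m.group("fields")))
    avc["perms"] = m.group("perms").split()  # [] for the "{ }" blank denial
    return avc

def diagnose(avc):
    """Heuristic (this example's own) for the two denial shapes seen in the thread."""
    tclass, dev, perms = avc.get("tclass", ""), avc.get("dev", "?"), avc["perms"]
    ttype = avc.get("tcontext", "::").split(":")[2]  # type field of user:role:type
    if not perms:
        return (f"empty permission set on class {tclass} (dev={dev}): "
                "object class probably derived from a wrong inode mode")
    if tclass == "filesystem" and "associate" in perms and ttype == "unlabeled_t":
        return (f"filesystem {dev} is unlabeled: add an fs_use_xattr rule "
                "(or fs_use_task/genfscon) for its name in /proc/filesystems")
    return f"denied {' '.join(perms)} on {tclass}: an ordinary allow rule is missing"

def split_records(log):
    """Group wrapped lines: a record starts at 'avc:' and runs until the next one."""
    records = []
    for line in log.splitlines():
        if line.startswith("avc:") or not records:
            records.append([])
        records[-1].append(line)
    return ["\n".join(r) for r in records]

def triage(log):
    """Diagnose every AVC record in a (possibly line-wrapped) log excerpt."""
    return [diagnose(avc) for avc in map(parse_avc, split_records(log)) if avc]

# Constructed sample: the two denials quoted in this thread, wrapped as the mails show them.
SAMPLE_LOG = """\
avc: denied { associate } for pid=1530 exe=/usr/sbin/setfiles
name=public_html dev=overlay_fs ino=42
scontext=site1-admin:object_r:httpd_site1_content_t
tcontext=system_u:object_r:unlabeled_t tclass=filesystem
avc: denied { } for pid=1687 exe=/usr/sbin/httpd name=home
dev=overlay_fs ino=109 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:home_root_t tclass=fifo_file
"""
```

Running `triage(SAMPLE_LOG)` yields one diagnosis per record; a real audit log has one record per line, which `split_records` handles unchanged.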