Subject: Configuring kernel module for labeling ...
From: Jaspreet Singh @ 2004-11-02 8:45 UTC
To: nsa, Stephen Smalley

Hi,

could anybody explain to me the following msg ...

SELinux: initialized (dev overlay_fs, type overlay_fs), not configured for labeling

I am writing an overlayfs module which is not able to set/getxattrs of the underlying ext3 dentries properly ??? any clues ...

Jaspreet

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
Subject: Re: Configuring kernel module for labeling ...
From: Luke Kenneth Casson Leighton @ 2004-11-02 10:26 UTC
To: Jaspreet Singh; +Cc: nsa, Stephen Smalley

On Tue, Nov 02, 2004 at 02:15:55PM +0530, Jaspreet Singh wrote:
> Hi,
>
> could anybody explain to me the following msg ...

in a roundabout way that i _hope_ will demonstrate a methodology and guess-work that will enhance your own ability to track these issues down, yes, i think so.

[i had to go through the same process with adding fuse, but had help from stephen in the fs_use bit iirc]

> SELinux: initialized (dev overlay_fs, type overlay_fs), not configured
> for labeling

okay, grep "not configured for label" in security/*/*.c, gives selinux/hooks.c an array of labeling behaviours - entry with index 4 is "not configured for labeling".

sbsec->behaviour indexes that array (line 593) and looking at locations where it's used, you have #defines SECURITY_FS_USE_XATTR --> SECURITY_FS_USE_MNTPOINT in selinux/include/security.h

i think i know where this is leading, especially with the Opt_defcontent and stuff.

okay, jaspreet: did you add overlay_fs to /etc/selinux/src/fs_use? because i _think_ the fs_use file contains wordy versions of the SECURITY_FS_USE #defines. and the default is "not configured".

so you will need to specify, in /etc/selinux/src/fs_use, a line

fs_use_xattr overlay system_u:object_r:fs_t;

[just like i had to do with fuse]. the name (overlay) MUST match the name of your module in your overlay kernel source code.

l.

--
you don't have to BE MAD | this space   | my brother wanted to join mensa,
to work, but IT HELPS    | for rent     | for an ego trip - and get kicked
you feel better! I AM    | can pay cash | out for a even bigger one.
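A small diagnostic, added here as an example and not code from the thread or from any project it mentions: it reads the kernel's "SELinux: initialized (dev ..., type ...), ..." lines and the fs_use/genfscon statements of a policy source, and reports every filesystem type the kernel says is not configured for labeling, together with whether the policy source already has an entry, has one under a near-miss name (the "overlay" vs "overlay_fs" mismatch Luke warns about), or has none. The log lines and policy fragments are constructed sample input; the "uses ..." behaviour strings other than "not configured for labeling" are the other entries of the labeling behaviour table in security/selinux/hooks.c, and fs_use_trans, fs_use_task and genfscon are the standard policy statements, none of which appear in the thread.

```python
import re

# Constructed sample of kernel log lines, modelled on the message quoted in
# the thread; the "uses ..." variants are the other entries of the labeling
# behaviour table in security/selinux/hooks.c.
SAMPLE_DMESG = """\
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev overlay_fs, type overlay_fs), not configured for labeling
SELinux: initialized (dev mini_fo, type mini_fo), not configured for labeling
"""

# Constructed policy source fragments.  The fs_use_xattr line follows the
# form Luke gives; note it names "overlay" while the kernel registers
# "overlay_fs", which is exactly the mismatch the check should catch.
SAMPLE_FS_USE = """\
# labeling behaviour per filesystem type
fs_use_xattr ext3 system_u:object_r:fs_t;
fs_use_xattr overlay system_u:object_r:fs_t;
fs_use_trans devpts system_u:object_r:devpts_t;
fs_use_task pipefs system_u:object_r:fs_t;
"""
SAMPLE_GENFS = "genfscon proc / system_u:object_r:proc_t\n"

INIT_RE = re.compile(
    r"SELinux: initialized \(dev (?P<dev>[^,]+), type (?P<fstype>[^)]+)\), (?P<behaviour>.+)$"
)
FS_USE_RE = re.compile(
    r"^\s*(?P<stmt>fs_use_(?:xattr|trans|task))\s+(?P<fstype>\S+)\s+(?P<ctx>[^;\s]+)\s*;?\s*$"
)
GENFS_RE = re.compile(r"^\s*genfscon\s+(?P<fstype>\S+)\s+\S+\s+\S+\s*$")

NOT_CONFIGURED = "not configured for labeling"


def parse_dmesg(text):
    """Map each filesystem type the kernel initialised to its labeling behaviour."""
    seen = {}
    for line in text.splitlines():
        m = INIT_RE.search(line)
        if m:
            seen[m.group("fstype")] = m.group("behaviour").strip()
    return seen


def parse_policy(fs_use_text, genfs_text=""):
    """Map each filesystem type the policy source configures to its statement."""
    cfg = {}
    for line in fs_use_text.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            cfg[m.group("fstype")] = m.group("stmt")
    for line in genfs_text.splitlines():
        m = GENFS_RE.match(line)
        if m:
            cfg.setdefault(m.group("fstype"), "genfscon")
    return cfg


def unlabeled_filesystems(dmesg_text, fs_use_text, genfs_text=""):
    """Return [(fstype, hint)] for every type the kernel reports as unlabeled.

    The hint separates three cases: the source already names the type (the
    loaded policy is probably older than the source), it names a near-miss
    such as "overlay" vs "overlay_fs" (the fs_use name must match the type
    the module registers), or it has no entry at all.
    """
    seen = parse_dmesg(dmesg_text)
    cfg = parse_policy(fs_use_text, genfs_text)
    findings = []
    for fstype, behaviour in seen.items():
        if behaviour != NOT_CONFIGURED:
            continue
        if fstype in cfg:
            hint = f"{cfg[fstype]} entry exists in source; is the loaded policy up to date?"
        else:
            near = [k for k in cfg if k != fstype and (k in fstype or fstype in k)]
            if near:
                hint = f"no entry for {fstype}, but source has {near[0]!r}: fs_use name must match the registered type"
            else:
                hint = f"no entry; add fs_use_xattr {fstype} system_u:object_r:fs_t; (or fs_use_trans/fs_use_task/genfscon as appropriate)"
        findings.append((fstype, hint))
    return findings


if __name__ == "__main__":
    for fstype, hint in unlabeled_filesystems(SAMPLE_DMESG, SAMPLE_FS_USE, SAMPLE_GENFS):
        print(f"{fstype}: {hint}")
```

On a real box the two inputs would be the output of dmesg and the fs_use/genfs_contexts files of the policy source tree; the near-miss hint is the case to look at first, since a policy entry under the wrong name fails silently with exactly the "not configured for labeling" message the thread starts from.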
Subject: Re: Configuring kernel module for labeling ...
From: Russell Coker @ 2004-11-02 16:23 UTC
To: jsingh; +Cc: nsa, Stephen Smalley

On Tue, 2 Nov 2004 19:45, Jaspreet Singh <jsingh@ensim.com> wrote:
> I am writing an overlayfs module which is not able to set/getxattrs of
> the underlying ext3 dentries properly ???

Luke answered the base part of the question correctly: you need to modify fs_use.

However I am concerned about your above paragraph; it is unclear and I can interpret it in two ways - which require different policies. Please describe this problem in much more detail and I'll tell you the best answer.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Subject: Re: Configuring kernel module for labeling ...
From: Jaspreet Singh @ 2004-11-02 17:45 UTC
To: russell, nsa

Hi,

thanx for the mails ... i really needed them ...

On Tue, 2004-11-02 at 21:53, Russell Coker wrote:
> On Tue, 2 Nov 2004 19:45, Jaspreet Singh <jsingh@ensim.com> wrote:
> > I am writing an overlayfs module which is not able to set/getxattrs of
> > the underlying ext3 dentries properly ???
> However I am concerned about your above paragraph, it is unclear and I can
> interpret it in two ways - which require different policies. Please describe
> this problem in much more detail and I'll tell you the best answer.

ok so, the code base i am using is mini_fo, currently maintained at
http://projects.programmers.ch/project/showfiles.php?group_id=14&release_id=41

I preferred using the name overlay_fs as it was more symbolic. It's a fanout file-system which gives Copy-On-Write when a RW storage is mounted on a RO base directory.

The results are very satisfactory .. and i am able to easily set/getxattrs on the mount-point both using setfiles and my own simple C code. The mini-fo sets/gets xattrs from the underlying lower-level file-systems like ext2 and ext3 ... In case of a setxattr on the mount-file it duplicates the file in storage and applies xattrs there.

> What is the entry in /proc/filesystems for that file system?

The proc-sys entry for this is "nodev mini_fo".

> Your problem is that the filesystem has type unlabeled_t.

How can i change that ???

> Stephen Smalley: Any interesting details prior to these avc's ..

One interesting thing was .. whenever i used to change xattrs of a directory of the underlying filesys directly using dentry->d_inode->i_op->setxattr, selinux used to refuse any type_transitions for any file created in that changed directory. Although the xattrs of the dir used to be perfect.

> SELinux sets the security class when the dentry is instantiated for
> the inode based on the inode mode.

How can i check if the inode is exposing itself correctly or not .. given the fact .. everything appears to be fine with unconfined_t and problematic with httpd_t :-(

Hope this information helps ... Thanx a lot for suggestions anyways ...

Jaspreet
Subject: Re: Configuring kernel module for labeling ...
From: Stephen Smalley @ 2004-11-02 18:28 UTC
To: jsingh; +Cc: Russell Coker, nsa

On Tue, 2004-11-02 at 12:45, Jaspreet Singh wrote:
> > Your problem is that the filesystem has type unlabeled_t.
>
> How can i change that ???

I think you already handled that problem by defining a fs_use entry for the filesystem type.

> One interesting thing was .. whenever i used to change xattrs of a
> directory of the underlying filesys directly using
> dentry->d_inode->i_op->setxattr the selinux used to refuse any
> type_transitions for any file creating in that changed directory.
> Although the xattrs of the dir used to be perfect.

Yes, this makes sense. SELinux gets the xattr when the inode is attached to a dentry, maps it to a SID, and caches that SID in the incore inode. Note that fs/xattr.c:setxattr() calls a security_inode_post_setxattr() hook function upon successful setting of the attribute to tell SELinux to update its incore inode SID as well. You need to do likewise.

> How can i check if the inode is exposing itself correctly or not ..
> given the fact .. everything appears to be fine with unconfined_t and
> problematic with httpd_t :-(

Possibly a permissions problem, e.g. if your stacked filesystem calls VFS functions that internally trigger security hook calls, it may run afoul of a SELinux permission check (which will be performed against the current process context) and possibly be denied to httpd_t while allowed to unconfined_t, thereby preventing further progress in setting up the state.

Also, stacked filesystems might be a problem in general, as SELinux is initializing the inode security state upon d_instantiate. Natural question is when does it perform the d_instantiate upon the underlying inode vs. the virtual one? And when does it copy state like the mode from the underlying inode to the virtual one?

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
Subject: Re: Configuring kernel module for labeling ...
From: Stephen Smalley @ 2004-11-02 18:42 UTC
To: jsingh; +Cc: Russell Coker, nsa

On Tue, 2004-11-02 at 13:28, Stephen Smalley wrote:
> Also, stacked filesystems might be a problem in general, as SELinux is
> initializing the inode security state upon d_instantiate. Natural
> question is when does it perform the d_instantiate upon the underlying
> inode vs. the virtual one? And when does it copy state like the mode
> from the underlying inode to the virtual one?

Looking at mini_fo/main.c, I see that it doesn't copy the inode attributes (e.g. mode) until after the d_instantiate. Not good for SELinux, as we want the mode at that time to determine the security class. Might want to try the patch below.

--- mini_fo/main.c.orig 2004-11-02 13:37:33.582234520 -0500 +++ mini_fo/main.c 2004-11-02 13:38:26.116248136 -0500 @@ -154,6 +154,9 @@ inode->i_mapping->a_ops = master_inode->i_mapping->a_ops; } + /* all well, copy inode attributes */ + fist_copy_attr_all(inode, master_inode); + /* only (our) lookup wants to do a d_add */ if (flag) d_add(dentry, inode); @@ -162,10 +165,6 @@ ASSERT(DENTRY_TO_PRIVATE(dentry) != NULL); - - /* all well, copy inode attributes */ - fist_copy_attr_all(inode, master_inode); - out: print_exit_status(err); return err; @@ -246,6 +245,9 @@ inode->i_mapping->a_ops = lower_inode->i_mapping->a_ops; } + /* all well, copy inode attributes */ + fist_copy_attr_all(inode, lower_inode); + /* only (our) lookup wants to do a d_add */ if (flag) d_add(dentry, inode); 
@@ -253,10 +255,6 @@ d_instantiate(dentry, inode); ASSERT(DENTRY_TO_PRIVATE(dentry) != NULL); - - /* all well, copy inode attributes */ - fist_copy_attr_all(inode, lower_inode); - out: print_exit_status(err); return err;

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
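Review bot: in the first hunk (@@ -154,6 +154,9 @@) the moved comment "/* all well, copy inode attributes */" no longer fits its position: the copy now runs before "if (flag) d_add(dentry, inode);" rather than after the success-path ASSERT, and nothing in the code records why the order matters. Since the point of the move is that the LSM d_instantiate hook reads the inode mode to pick the security class, the comment should say so, e.g. "/* copy attributes before d_add/d_instantiate: the security hook needs i_mode */", so a later tidy-up does not move the call back down.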
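Review bot: the second hunk (@@ -162,10 +165,6 @@) removes the copy from after "ASSERT(DENTRY_TO_PRIVATE(dentry) != NULL);" and, with its surrounding blank lines, leaves the ASSERT directly followed by "out:". Lines 158-161, between the d_add() of the first hunk and this ASSERT, are not in the diff; if any of them can set err and jump to out:, the copy that used to be skipped on that path now runs on a partially set-up inode, so confirm those lines have no error exit before applying.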
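Review bot: the third hunk (@@ -246,6 +245,9 @@) repeats the first for the lower_inode path, and the fourth shows this path calling "d_instantiate(dentry, inode);" rather than only d_add(). With the fix duplicated in two functions, a shared helper that copies the attributes and then performs the d_add/d_instantiate would keep the two sites from drifting apart; at minimum the same explanatory comment belongs here too.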
Subject: Re: Configuring kernel module for labeling ...
From: Jaspreet Singh @ 2004-11-02 20:33 UTC
To: nsa

Hi,

this can't be real ... or is it the matrix ... I have been trying these things for the past 7 days .. and you solved them in just two mails. Thanx a lot sir...

On Wed, 2004-11-03 at 00:12, Stephen Smalley wrote:
> Looking at mini_fo/main.c, I see that it doesn't copy the inode
> attributes (e.g. mode) until after the d_instantiate. Not good for
> SELinux, as we want the mode at that time to determine the security
> class. Might want to try the patch below.

It worked .. and i have tested it now.

> Note that fs/xattr.c:setxattr() calls a security_inode_post_setxattr()
> hook function upon successful setting of the attribute to tell
> SELinux to update its incore inode SID as well. You need to do

Ok... i got it now. Yups I have seen the code ... I thought something on the same lines .. I will try to figure it out myself and bother you only if i can't do it.

Can you provide me with some documents/links .. so that i can learn these things ... with details.

Thanx a lot...

Jaspreet Singh.

--
:: don't walk as if you own the world walk as if you dont damn who owns it ::
Subject: Re: Configuring kernel module for labeling ...
From: Stephen Smalley @ 2004-11-02 20:48 UTC
To: jsingh; +Cc: nsa

On Tue, 2004-11-02 at 15:33, Jaspreet Singh wrote:
> Can you provide me with some documents/links .. so that i can learn
> these things ... with details.

Documentation on SELinux kernel internals is rather out-of-date, I'm afraid. Need to update the SELinux module technical report (http://www.nsa.gov/selinux/papers/module-abs.cfm, sources included in the selinux-doc tarball) to reflect the current implementation, which has changed a lot since it was written. It would also be nice to have an equivalent to http://www.nsa.gov/selinux/papers/slinux-abs.cfm for the current implementation; that report was written for the original SELinux kernel patch prior to LSM.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency