From: Andrew Morton <akpm@osdl.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH -mm 0/8] user ns: Introduction
Date: Thu, 4 Jan 2007 20:03:23 -0800
Message-ID: <20070104200323.3b09f81a.akpm@osdl.org>
In-Reply-To: <20070104180635.GA11377@sergelap.austin.ibm.com>

On Thu, 4 Jan 2007 12:06:35 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> This patchset adds a user namespace, which allows a process to
> unshare its user_struct table, allowing for separate accounting
> per user namespace.

With these patches applied and with CONFIG_USER_NS=n, my selinux-enabled
standard FC5 machine throws a complete fit:

[   12.323958] EDAC MC: Ver: 2.0.1 Jan  4 2007
[   12.357476] TCP cubic registered
[   12.360784] NET: Registered protocol family 1
[   12.364125] NET: Registered protocol family 17
[   12.367761] speedstep-centrino with X86_SPEEDSTEP_CENTRINO_ACPI config is deprecated.
[   12.367763]  Use X86_ACPI_CPUFREQ (acpi-cpufreq) instead.
[   12.374666] Using IPI Shortcut mode
[   12.378222] Time: tsc clocksource has been installed.
[   12.381987] Time: acpi_pm clocksource has been installed.
[   12.386522] ACPI: (supports S0 S3 S4 S5)
[    6.344000] Freeing unused kernel memory: 184k freed
[    6.560000] input: PS/2 Mouse as /class/input/input1
[    6.580000] input: AlpsPS/2 ALPS GlidePoint as /class/input/input2
[    6.760000] Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
[    6.764000] ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
[    6.824000] EXT3-fs: INFO: recovery required on readonly filesystem.
[    6.824000] EXT3-fs: write access will be enabled during recovery.
[   10.832000] kjournald starting.  Commit interval 5 seconds
[   10.836000] EXT3-fs: recovery complete.
[   10.840000] EXT3-fs: mounted filesystem with ordered data mode.
[   11.852000] audit(1167940353.844:2): enforcing=1 old_enforcing=0 auid=4294967295
[   11.948000] security:  3 users, 6 roles, 1417 types, 151 bools, 1 sens, 256 cats
[   11.952000] security:  57 classes, 41080 rules
[   11.956000] security:  class key not defined in policy
[   11.956000] security:  class context not defined in policy
[   11.960000] security:  class dccp_socket not defined in policy
[   11.964000] security:  permission dccp_recv in class node not defined in policy
[   11.964000] security:  permission dccp_send in class node not defined in policy
[   11.968000] security:  permission dccp_recv in class netif not defined in policy
[   11.972000] security:  permission dccp_send in class netif not defined in policy
[   11.972000] security:  permission setkeycreate in class process not defined in policy
[   11.976000] security:  permission setsockcreate in class process not defined in policy
[   11.980000] security:  permission polmatch in class association not defined in policy
[   11.980000] SELinux:  Completing initialization.
[   11.984000] SELinux:  Setting up existing superblocks.
[   12.004000] SELinux: initialized (dev sda6, type ext3), uses xattr
[   12.204000] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[   12.208000] SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
[   12.208000] SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
[   12.212000] SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
[   12.216000] SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
[   12.216000] SELinux: initialized (dev devpts, type devpts), uses transition SIDs
[   12.220000] SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
[   12.224000] SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
[   12.224000] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[   12.228000] SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
[   12.232000] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
[   12.232000] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
[   12.236000] SELinux: initialized (dev proc, type proc), uses genfs_contexts
[   12.240000] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
[   12.240000] SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
[   12.244000] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
[   12.260000] audit(1167940354.256:3): policy loaded auid=4294967295
[   12.944000] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
[   15.376000] audit(1167969158.994:4): avc:  denied  { audit_write } for  pid=386 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
[   33.936000] audit(1167969177.567:2292): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.940000] audit(1167969177.579:2293): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.952000] audit(1167969177.591:2294): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.956000] audit(1167969177.607:2295): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.960000] audit(1167969177.615:2296): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.964000] audit(1167969177.627:2297): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.968000] audit(1167969177.639:2298): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.972000] audit(1167969177.651:2299): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.976000] audit(1167969177.667:2300): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.980000] audit(1167969177.679:2301): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[   33.984000] audit(1167969177.695:2302): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
<ad infinitum>


Setting CONFIG_USER_NS=y fixes this.
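
As an added example (not part of the mail or of the patchset), a small parser for the AVC denial lines quoted above that groups denials by subject, permission and target, so a tight loop like the klogd one stands out in a larger audit stream. The field names are the ones the kernel prints in those lines; the sample input is copied from the dmesg in the mail.

```python
import re
from collections import Counter

# Format of the AVC denial lines in the dmesg quoted above:
# audit(<secs>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are quoted (comm="klogd", name="/") or bare (dev=tmpfs).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": tuple(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def denial_key(rec):
    """Identity of a denial: which comm/source context wanted which perms on which target."""
    return (rec.get("comm"), rec["perms"], rec.get("scontext"),
            rec.get("tcontext"), rec.get("tclass"))

def summarize(lines, flood_threshold=3):
    """Count denials per key; also return the keys seen at least flood_threshold times."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[denial_key(rec)] += 1
    floods = [k for k, n in counts.items() if n >= flood_threshold]
    return counts, floods

# Sample input: lines copied from the dmesg in the mail above, plus one
# non-AVC line to show that it is skipped.
SAMPLE_LOG = [
    '[   12.004000] SELinux: initialized (dev sda6, type ext3), uses xattr',
    '[   15.376000] audit(1167969158.994:4): avc:  denied  { audit_write } for  pid=386 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability',
    '[   33.936000] audit(1167969177.567:2292): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    '[   33.940000] audit(1167969177.579:2293): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    '[   33.952000] audit(1167969177.591:2294): avc:  denied  { search } for  pid=2141 comm="klogd" name="/" dev=tmpfs ino=1225 scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
]

COUNTS, FLOODS = summarize(SAMPLE_LOG)
print("repeating denials:", FLOODS)
```

On the full log in the mail the klogd search denial is the only key that repeats, which is exactly the loop the "ad infinitum" remark points at.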

