From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: Andy Ruch <adruch2002@yahoo.com>
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: Re: AVC for unlabeled_t on cgroup
Date: Sat, 13 Jul 2013 19:48:03 +0200
Message-ID: <20130713174723.GA5347@siphos.be>
In-Reply-To: <1373567937.10428.YahooMailNeo@web163406.mail.gq1.yahoo.com>

On Thu, Jul 11, 2013 at 11:38:57AM -0700, Andy Ruch wrote:
> I'm implementing a restrictive policy for RHEL 6.3 based on CLIP. I've enabled the cgroup module but I'm still seeing the AVC below. This is just one of a dozen similar AVCs for different inodes. When I look at the /cgroup after the system boots, everything has a cgroup_t label. Where would the unlabeled_t be coming from?
> 
> type=SYSCALL msg=audit(07/11/2013 17:25:38.885:7) : arch=x86_64 syscall=mount success=yes exit=0 a0=7f57846ac4c1 a1=7f57848b03c0 a2=7f57846ac4c1 a3=0 items=0 ppid=1177 pid=1178 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cgconfigparser exe=/sbin/cgconfigparser subj=system_u:system_r:cgconfig_t:s0 key=(null) 
> 
> type=AVC msg=audit(07/11/2013 17:25:38.885:7) : avc:  denied  { search } for  pid=1178 comm=cgconfigparser name=/ dev=cgroup ino=12518 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir 

The cgroup_t label might be put on it afterwards (check your udev rules and
scripts to see if they don't relabel files), but my guess is that the
directory is marked as unlabeled_t and that cgroup file system is mounted on
top of it later. Once it is mounted, you see the context of the files (and
directories) in the mounted file system, which is cgroup_t.

Try bind-mounting root elsewhere and see what the label of the directory is.

Also, the process cgconfigparser is running as kernel_t, which we probably
don't want. The kernel is probably configured to trigger that script
somewhere (or through another script) and because there is no transition
defined, the script remains running as kernel_t.

For instance, in Gentoo, we have a script that is called after the last task
is removed from a control group; we mark that script as a specific exec
script (openrc_cgroup_release_exec_t here) and have a transition from
kernel_t to openrc_cgroup_release_t upon execution.

This is through cgroup's notify_on_release implementation (release agent).
Perhaps the cgconfigparser is also executed through a cgroup feature by the
kernel?

Wkr,
	Sven Vermeulen
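The two symptoms Sven points at in the records above (a target labelled unlabeled_t beneath a mount, and a userspace program whose AVC source context is kernel_t) can be picked out mechanically from `ausearch -i` style output. The script below is an added example, not code from the thread or from any policy project: it parses the interpreted audit records, pairs the SYSCALL and AVC lines of one event by their audit serial, and reports those two findings. The two records from Andy's mail are embedded verbatim; the third AVC line is constructed here as a "healthy" denial (cgconfig_t acting on a cgroup_t directory) that the checks must not flag.

```python
import re
from collections import defaultdict

# The two records quoted in the thread (ausearch -i interpreted form), plus one
# constructed denial (cgconfig_t on a cgroup_t dir) that must NOT be flagged.
AUDIT_LINES = [
    "type=SYSCALL msg=audit(07/11/2013 17:25:38.885:7) : arch=x86_64 syscall=mount success=yes exit=0 a0=7f57846ac4c1 a1=7f57848b03c0 a2=7f57846ac4c1 a3=0 items=0 ppid=1177 pid=1178 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cgconfigparser exe=/sbin/cgconfigparser subj=system_u:system_r:cgconfig_t:s0 key=(null)",
    "type=AVC msg=audit(07/11/2013 17:25:38.885:7) : avc:  denied  { search } for  pid=1178 comm=cgconfigparser name=/ dev=cgroup ino=12518 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir",
    # constructed line, not from the thread
    "type=AVC msg=audit(07/11/2013 17:25:39.001:8) : avc:  denied  { write } for  pid=1178 comm=cgconfigparser name=cpu dev=cgroup ino=12520 scontext=system_u:system_r:cgconfig_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir",
]

HEADER_RE = re.compile(r"^type=(\w+)\s+msg=audit\(([^)]*)\)\s*:\s*(.*)$")
AVC_RE = re.compile(r"^avc:\s+(\w+)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|\S+)")


def parse_record(line):
    """Split one interpreted audit line into a dict of its key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, body = m.groups()
    # "07/11/2013 17:25:38.885:7" -> serial "7"; all records of one event share it
    rec = {"type": rtype, "serial": stamp.rsplit(":", 1)[1]}
    avc = AVC_RE.match(body)
    if avc:
        rec["result"] = avc.group(1)            # "denied" or "granted"
        rec["perms"] = avc.group(2).split()     # e.g. ["search"]
        body = avc.group(3)
    rec.update(FIELD_RE.findall(body))
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type"""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def analyse(lines):
    """Return (serial, code, message) tuples for the two symptoms discussed above."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec

    findings = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        avc = recs.get("AVC")
        if avc is None or avc.get("result") != "denied":
            continue
        stype = context_type(avc["scontext"])
        ttype = context_type(avc["tcontext"])
        # Symptom 1: the object is unlabeled_t. If a file system is mounted
        # there, listing it afterwards shows the mounted fs's labels, so the
        # underlying directory has to be inspected via a bind mount.
        if ttype == "unlabeled_t":
            findings.append((serial, "unlabeled_target",
                f"{avc['tclass']} '{avc['name']}' (dev={avc['dev']} ino={avc['ino']}) "
                "is unlabeled_t; bind-mount the parent elsewhere and check the "
                "directory beneath any file system mounted there"))
        # Symptom 2: a userspace program running in kernel_t, i.e. started by
        # the kernel with no domain transition defined on its exec type.
        if stype == "kernel_t":
            exe = recs.get("SYSCALL", {}).get("exe", "unknown")
            findings.append((serial, "kernel_t_process",
                f"comm={avc['comm']} exe={exe} runs as kernel_t; a transition "
                "from kernel_t on its exec type is missing"))
    return findings


if __name__ == "__main__":
    for serial, code, msg in analyse(AUDIT_LINES):
        print(f"event {serial} [{code}]: {msg}")
```

Run over the three lines, only event 7 is reported, once for each symptom; the constructed event 8 passes. Feeding it real `ausearch -i -m AVC,SYSCALL` output works the same way because pairing is by serial rather than by line order.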

