All of lore.kernel.org
 help / color / mirror / Atom feed
From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Which labelling for namespace filesystem?
Date: Wed, 6 Jan 2016 20:47:23 +0100	[thread overview]
Message-ID: <20160106194722.GA1863@x250> (raw)
In-Reply-To: <568D6E2D.5030003@m4x.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Jan 06, 2016 at 08:42:37PM +0100, Nicolas Iooss wrote:
> On 01/06/2016 07:44 PM, Dominick Grift wrote:
> > On Wed, Jan 06, 2016 at 07:37:10PM +0100, Nicolas Iooss wrote:
> >> Hello,
> > 
> >> On the system I'm using to get refpolicy working with Arch Linux, I have
> >> these lines in audit.log:
> > 
> >>   type=AVC msg=audit(1451041210.334:794): avc:  denied  { read } for
> >>   pid=28829 comm="(ostnamed)" dev="nsfs" ino=4026532544
> >>   scontext=system_u:system_r:init_t
> >>   tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
> > 
> >>   type=AVC msg=audit(1451041210.334:794): avc:  denied  { open } for
> >>   pid=28829 comm="(ostnamed)" path="net:[4026532544]" dev="nsfs"
> >>   ino=4026532544 scontext=system_u:system_r:init_t
> >>   tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
> > 
> >> These accesses are caused by open("/proc/self/ns/net"...) in systemd
> >> setup_netns() function [1].  Indeed /proc/PID/ns/* symlinks target a
> >> special filesystem named nsfs which is used for setns() syscall [2].  As
> >> this filesystem is not defined in refpolicy, its files are currently
> >> unlabeled, which explains the audit records.
> > 
> >> To fix this, I see two options:
> > 
> >> * "fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);", so that
> >> programs already allowed to access the /proc/PID tree of a process can
> >> also open /proc/PID/ns/* files.
> > 
> >> * "genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0))", with a
> >> new fs type.  Programs using setns() will then need to be granted
> >> opening and reading nsfs_t files, in addition to be allowed using
> >> /proc/PID/ files of the target process.
> > 
> > Have you tried this option? I recall having tried it, and not getting
> > this to work.
> 
> Yes, in permissive mode only though.  I first added this to
> kernel/filesystem.te:
> 
>   type nsfs_t;
>   fs_type(nsfs_t)
>   genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
> 
> Then (after rebooting) audit.log showed:
> 
>   type=AVC msg=audit(1452106332.300:1811): avc:  denied  { read } for
>   pid=11125 comm="(ostnamed)" dev="nsfs" ino=4026532618
>   scontext=system_u:system_r:init_t tcontext=system_u:object_r:nsfs_t
>   tclass=file permissive=1
>   type=AVC msg=audit(1452106332.300:1811): avc:  denied  { open } for
>   pid=11125 comm="(ostnamed)" path="net:[4026532618]" dev="nsfs"
>   ino=4026532618 scontext=system_u:system_r:init_t
>   tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
> 
> Adding the following lines to system/init.te in the
> ifdef(`init_systemd') block made these messages disappear when running
> "systemctl restart systemd-hostnamed.service":
> 
> 	optional_policy(`
> 		gen_require(`
> 			type nsfs_t;
> 		')
> 		allow init_t nsfs_t:file read_file_perms;
> 	')
> 
> Could you please describe the problem you had, so that I can see if I
> also have it?

The problem i had was that i was not seeing these "read" file
events. The AVC denials above prove me wrong. I must have overlooked
something.

> 
> Nicolas
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJWjW9GAAoJECV0jlU3+UdpJ0oL/38K4OOud8bj7zyK9kdtUFMS
G49q0KKdxsmorEEuC02vG0UGuc0oPgdsykpKFSOiMIMh9Z0SdVbdch6T2AchzmGW
4fU7a+fI4vlD+lvjCrnpI7qFOprct/z/mCH9Lq9yDrwte6qwOEbK6j+La0t+tTqj
MX++e1x+Zr6nAZIZjqFEzyXAe+E40Zi3kHcQs8NxM02f6Tzf/6u3jvGa1iF9o/rY
wuomSb7t5w1YoSpi54v2JKGNspfi9h6P2IW4hjeZfclrhmEOa2w28UDnevCCP7a8
mo3V4u+MNdZs79n1tjwV7UAFbvjyxgZwl3X2qyHpgQua90Xq6LQS1ZRGRmcQ0kvW
D1ORBjWaNeYVgjWnA1dTYdeDqEUu0xPd6fnotTwooHsBIcrPt4sHCcidi22xgbBd
hptD04iPXM92ypLSZs1wDSqdQ48voOmY25s6zATcx+nhdMnYCHVHz/0etDNiWEWZ
4g4zEVKuOCXlBHOjUTmGgauIXjGpLsHbf/D75RLLUw==
=hM8E
-----END PGP SIGNATURE-----

  reply	other threads:[~2016-01-06 19:47 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-06 18:37 [refpolicy] Which labelling for namespace filesystem? Nicolas Iooss
2016-01-06 18:44 ` Dominick Grift
2016-01-06 18:47   ` Dominick Grift
2016-01-06 19:42   ` Nicolas Iooss
2016-01-06 19:47     ` Dominick Grift [this message]
2016-01-06 20:00       ` Dominick Grift
2016-01-06 19:55     ` Dominick Grift

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160106194722.GA1863@x250 \
    --to=dac.override@gmail.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.