* [Fwd: Unable to create files when using "context" option for NFS]
@ 2005-06-08 14:48 Daniel J Walsh
2005-06-08 15:10 ` Stephen Smalley
From: Daniel J Walsh @ 2005-06-08 14:48 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
What is the best way to handle this?
If I add a rule
allow file_type self:filesystem associate;
Will that cause an explosion in rules? Will this open a security risk?
We tell people to use the mount -o context flags but policy cannot
handle most of them without the above rule.
Dan
--
[-- Forwarded message: Unable to create files when using "context" option for NFS --]
From: Robert Bottomley <bob@mail.cert.ucr.edu>
To: fedora-selinux-list@redhat.com
Subject: Unable to create files when using "context" option for NFS
Date: Wed, 01 Jun 2005 14:43:44 -0700
Message-ID: <429E2C10.7060501@cert.ucr.edu>
In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use
by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
Any attempts to create a file in /svn are met with (here I was attempting a
"touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify, I cannot create a file -- even
though my shell is running as unconfined_t. (If a file already exists, I can
edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the
unconfined_t context?
2. audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted
Policy booleans:
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
use_syslogng                    inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
--
Robert Bottomley | E-mail: bob@cert.ucr.edu
System Administrator | Tel: 951-781-5788
College of Engineering | CE-CERT
Center for Environmental Research and Technology | UC Riverside
"It is dangerous to be right when the government is wrong." --Voltaire
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
* Re: [Fwd: Unable to create files when using "context" option for NFS]
2005-06-08 14:48 [Fwd: Unable to create files when using "context" option for NFS] Daniel J Walsh
@ 2005-06-08 15:10 ` Stephen Smalley
2005-06-09 2:47 ` Daniel J Walsh
From: Stephen Smalley @ 2005-06-08 15:10 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Wed, 2005-06-08 at 10:48 -0400, Daniel J Walsh wrote:
> What is the best way to handle this?
>
> If I add a rule
>
> allow file_type self:filesystem associate;
>
> Will that cause an explosion in rules? Will this open a security risk?
>
> We tell people to use the mount -o context flags but policy cannot
> handle most of them without the above rule.
If possible, it would be preferable to enumerate the specific cases
where we want to allow such associations. The above rule won't cause an
"explosion", as it is a self-rule and we already have various rules
involving file_type, but it isn't ideal to allow arbitrary associations
if possible. We ultimately want to make it easy for people to be able
to separate what data types can exist on individual file systems using
this control.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
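The denial in the forwarded report and Stephen's preference for enumerated rules both come down to reading the AVC record correctly: for `tclass=filesystem` / `{ associate }`, the source context is the type of the file being created and the target context is the type of the filesystem's superblock, so the process domain (here `unconfined_t`) does not enter into the check at all. The script below is an added example, not code from this thread or from the SELinux project: it parses AVC lines into (source type, target type, class, permission) tuples and emits one narrow `allow` rule per file-type/filesystem-type pair, as opposed to the blanket `allow file_type self:filesystem associate;` rule Dan asked about. The sample input is constructed; the first line is the report's denial rejoined onto one line, and the remaining lines (including the `nfs_t` target and the `unconfined_t` write denial) are made up here to show grouping and filtering.

```python
import re

# Constructed sample input. Line 1 is the denial from the forwarded report
# (re-joined onto a single line); the rest are invented for this example.
SAMPLE_AVC = """\
audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
audit(1117233400.101:0): avc: denied { associate } for pid=12810 exe=/bin/touch name=y scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
audit(1117233500.202:0): avc: denied { associate } for pid=12900 exe=/bin/cp name=z scontext=system_u:object_r:httpd_sys_content_t tcontext=system_u:object_r:nfs_t tclass=filesystem
audit(1117233600.303:0): avc: denied { write } for pid=12950 exe=/bin/bash name=z scontext=root:system_r:unconfined_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""

# Matches the permission set, both contexts and the object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return fields[2]


def parse_avc(text):
    """Parse AVC denial lines into (source type, target type, class, perm) tuples.

    For tclass=filesystem the source is the file's type and the target is the
    filesystem's type; the process domain is not part of the associate check.
    """
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            events.append((stype, ttype, m.group("tclass"), perm))
    return events


def associate_rules(events):
    """One minimal allow rule per (file type, filesystem type) pair that was
    denied filesystem:associate. A pair with equal types is written with
    `self`, which is what a context= mount produces, since the superblock
    takes the same type as the files on it."""
    pairs = sorted(
        {(s, t) for s, t, cls, perm in events if cls == "filesystem" and perm == "associate"}
    )
    rules = []
    for s, t in pairs:
        target = "self" if s == t else t
        rules.append("allow %s %s:filesystem associate;" % (s, target))
    return rules


def blanket_rule():
    """The broad rule from the thread, shown for comparison: it lets every
    file_type be associated with a filesystem of its own type."""
    return "allow file_type self:filesystem associate;"


if __name__ == "__main__":
    evs = parse_avc(SAMPLE_AVC)
    print("# enumerated rules (one per file type / filesystem type pair):")
    for rule in associate_rules(evs):
        print(rule)
    print("# blanket alternative:")
    print(blanket_rule())
```

Running it prints two enumerated rules for the three associate denials (the two identical denials collapse to one `self` rule) and ignores the `file` class write denial, which would need a different rule against `unconfined_t` and is outside the associate question. Sorting the pairs keeps the output stable so it can be diffed against an existing policy module.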
* Re: [Fwd: Unable to create files when using "context" option for NFS]
2005-06-08 15:10 ` Stephen Smalley
@ 2005-06-09 2:47 ` Daniel J Walsh
From: Daniel J Walsh @ 2005-06-09 2:47 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
Stephen Smalley wrote:
>On Wed, 2005-06-08 at 10:48 -0400, Daniel J Walsh wrote:
>
>
>>What is the best way to handle this?
>>
>>If I add a rule
>>
>>allow file_type self:filesystem associate;
>>
>>Will that cause an explosion in rules? Will this open a security risk?
>>
>>We tell people to use the mount -o context flags but policy cannot
>>handle most of them without the above rule.
>
>If possible, it would be preferable to enumerate the specific cases
>where we want to allow such associations. The above rule won't cause an
>"explosion", as it is a self-rule and we already have various rules
>involving file_type, but it isn't ideal to allow arbitrary associations
>if possible. We ultimately want to make it easy for people to be able
>to separate what data types can exist on individual file systems using
>this control.
>
How about if we start with customizable types.
allow customizable self:filesystem associate;