* [Fwd: cups AVC...]
@ 2007-07-20 14:20 Daniel J Walsh
  2007-07-20 14:33 ` Stephen Smalley
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2007-07-20 14:20 UTC (permalink / raw)
  To: Eric Paris, Stephen Smalley, SE Linux

Kernel problem?

-------- Original Message --------
Subject: 	cups AVC...
Date: 	Fri, 20 Jul 2007 07:04:08 -0700
From: 	Tom London <selinux@gmail.com>
To: 	fedora-selinux <fedora-selinux-list@redhat.com>



Seem to be getting this one from cups.  Haven't seen 'anon_inodefs' before....

Printing to HP5MP seems to work however....

tom

type=AVC msg=audit(1184938825.408:32): avc:  denied  { ioctl } for
pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54
success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0
ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1184938825.408:32):  path="anon_inode:[eventpoll]"
type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296
uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
banners=none,none range=unknown: exe="/usr/sbin/cupsd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
res=success)'

-- 
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Fwd: cups AVC...]
  2007-07-20 14:20 [Fwd: cups AVC...] Daniel J Walsh
@ 2007-07-20 14:33 ` Stephen Smalley
  2007-07-20 14:46   ` James Morris
  2007-07-20 15:40   ` Daniel J Walsh
  0 siblings, 2 replies; 10+ messages in thread
From: Stephen Smalley @ 2007-07-20 14:33 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Eric Paris, SE Linux, James Morris

On Fri, 2007-07-20 at 10:20 -0400, Daniel J Walsh wrote:
> Kernel problem?

Yet another pseudo filesystem type, with no entry in policy to configure
labeling for it.  Looks like it allocates exactly one inode that is
shared for all instances, to be used by things like eventpoll, eventfd,
signalfd, and timerfd.  Replaces eventpollfs.

Given that there is a single shared inode, I guess you want a genfscon
statement rather than fs_use_task, and then allow access everywhere that
access was given for e.g. eventpollfs.

Yuck.  We need a better way to handle these things, to avoid having to
touch policy configuration each time a new pseudo fs type is introduced.
Possibly the file_system_type structure could also specify labeling
behavior for security modules.

> -------- Original Message --------
> Subject: 	cups AVC...
> Date: 	Fri, 20 Jul 2007 07:04:08 -0700
> From: 	Tom London <selinux@gmail.com>
> To: 	fedora-selinux <fedora-selinux-list@redhat.com>
> 
> 
> 
> Seem to be getting this one from cups.  Haven't seen 'anon_inodefs' before....
> 
> Printing to HP5MP seems to work however....
> 
> tom
> 
> type=AVC msg=audit(1184938825.408:32): avc:  denied  { ioctl } for
> pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
> type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54
> success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0
> ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1184938825.408:32):  path="anon_inode:[eventpoll]"
> type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296
> uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
> banners=none,none range=unknown: exe="/usr/sbin/cupsd"
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
> res=success)'
> 
-- 
Stephen Smalley
National Security Agency




* Re: [Fwd: cups AVC...]
  2007-07-20 14:33 ` Stephen Smalley
@ 2007-07-20 14:46   ` James Morris
  2007-07-20 15:12     ` Stephen Smalley
  2007-07-20 15:40   ` Daniel J Walsh
  1 sibling, 1 reply; 10+ messages in thread
From: James Morris @ 2007-07-20 14:46 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Eric Paris, SE Linux

On Fri, 20 Jul 2007, Stephen Smalley wrote:

> Yuck.  We need a better way to handle these things, to avoid having to
> touch policy configuration each time a new pseudo fs type is introduced.
> Possibly the file_system_type structure could also specify labeling
> behavior for security modules.

What about some way of recognising that there is no policy at all for the 
fstype, and just allowing the access (with a warning) ?


- James
-- 
James Morris
<jmorris@namei.org>



* Re: [Fwd: cups AVC...]
  2007-07-20 14:46   ` James Morris
@ 2007-07-20 15:12     ` Stephen Smalley
  2007-07-20 15:21       ` James Morris
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2007-07-20 15:12 UTC (permalink / raw)
  To: James Morris; +Cc: Daniel J Walsh, Eric Paris, SE Linux

On Fri, 2007-07-20 at 10:46 -0400, James Morris wrote:
> On Fri, 20 Jul 2007, Stephen Smalley wrote:
> 
> > Yuck.  We need a better way to handle these things, to avoid having to
> > touch policy configuration each time a new pseudo fs type is introduced.
> > Possibly the file_system_type structure could also specify labeling
> > behavior for security modules.
> 
> What about some way of recognising that there is no policy at all for the 
> fstype, and just allowing the access (with a warning) ?

What, fail open?

-- 
Stephen Smalley
National Security Agency




* Re: [Fwd: cups AVC...]
  2007-07-20 15:12     ` Stephen Smalley
@ 2007-07-20 15:21       ` James Morris
  2007-07-20 17:00         ` Stephen Smalley
  0 siblings, 1 reply; 10+ messages in thread
From: James Morris @ 2007-07-20 15:21 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Eric Paris, SE Linux

On Fri, 20 Jul 2007, Stephen Smalley wrote:

> > > Yuck.  We need a better way to handle these things, to avoid having to
> > > touch policy configuration each time a new pseudo fs type is introduced.
> > > Possibly the file_system_type structure could also specify labeling
> > > behavior for security modules.
> > 
> > What about some way of recognising that there is no policy at all for the 
> > fstype, and just allowing the access (with a warning) ?
> 
> What, fail open?

Only in the case where the kernel has been updated to a development 
version and policy has not.


-- 
James Morris
<jmorris@namei.org>



* Re: [Fwd: cups AVC...]
  2007-07-20 14:33 ` Stephen Smalley
  2007-07-20 14:46   ` James Morris
@ 2007-07-20 15:40   ` Daniel J Walsh
  2007-07-20 17:13     ` Stephen Smalley
  1 sibling, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2007-07-20 15:40 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Eric Paris, SE Linux, James Morris

Stephen Smalley wrote:
> On Fri, 2007-07-20 at 10:20 -0400, Daniel J Walsh wrote:
>   
>> Kernel problem?
>>     
>
> Yet another pseudo filesystem type, with no entry in policy to configure
> labeling for it.  Looks like it allocates exactly one inode that is
> shared for all instances, to be used by things like eventpoll, eventfd,
> signalfd, and timerfd.  Replaces eventpollfs.
>
> Given that there is a single shared inode, I guess you want a genfscon
> statement rather than fs_use_task, and then allow access everywhere that
> access was given for e.g. eventpollfs.
>
> Yuck.  We need a better way to handle these things, to avoid having to
> touch policy configuration each time a new pseudo fs type is introduced.
> Possibly the file_system_type structure could also specify labeling
> behavior for security modules.
>
>   
>> -------- Original Message --------
>> Subject: 	cups AVC...
>> Date: 	Fri, 20 Jul 2007 07:04:08 -0700
>> From: 	Tom London <selinux@gmail.com>
>> To: 	fedora-selinux <fedora-selinux-list@redhat.com>
>>
>>
>>
>> Seem to be getting this one from cups.  Haven't seen 'anon_inodefs' before....
>>
>> Printing to HP5MP seems to work however....
>>
>> tom
>>
>> type=AVC msg=audit(1184938825.408:32): avc:  denied  { ioctl } for
>> pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>> type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54
>> success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0
>> ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
>> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>> type=AVC_PATH msg=audit(1184938825.408:32):  path="anon_inode:[eventpoll]"
>> type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296
>> uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>> msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
>> banners=none,none range=unknown: exe="/usr/sbin/cupsd"
>> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
>> res=success)'
>>
>>     
I am just adding:

genfscon anon_inodefs / gen_context(system_u:object_r:eventpollfs_t,s0)

Does that look ok?

I also notice in /proc/filesystem that there is a securityfs which we
do not define in policy.
Any idea what this is for?




* Re: [Fwd: cups AVC...]
  2007-07-20 15:21       ` James Morris
@ 2007-07-20 17:00         ` Stephen Smalley
  2007-07-20 17:06           ` Eric Paris
  2007-07-20 17:45           ` James Morris
  0 siblings, 2 replies; 10+ messages in thread
From: Stephen Smalley @ 2007-07-20 17:00 UTC (permalink / raw)
  To: James Morris; +Cc: Daniel J Walsh, Eric Paris, SE Linux

On Fri, 2007-07-20 at 11:21 -0400, James Morris wrote:
> On Fri, 20 Jul 2007, Stephen Smalley wrote:
> 
> > > > Yuck.  We need a better way to handle these things, to avoid having to
> > > > touch policy configuration each time a new pseudo fs type is introduced.
> > > > Possibly the file_system_type structure could also specify labeling
> > > > behavior for security modules.
> > > 
> > > What about some way of recognising that there is no policy at all for the 
> > > fstype, and just allowing the access (with a warning) ?
> > 
> > What, fail open?
> 
> Only in the case where the kernel has been updated to a development 
> version and policy has not.

Well, we can't tell that in the kernel code; all we know is that a
filesystem type is being registered that we don't know how to handle,
and we don't want to give access by default (at least not without some
further policy option, akin to the one for Eric's patches for allowing
unknown permissions by default - if those patches ever materialize).

-- 
Stephen Smalley
National Security Agency




* Re: [Fwd: cups AVC...]
  2007-07-20 17:00         ` Stephen Smalley
@ 2007-07-20 17:06           ` Eric Paris
  2007-07-20 17:45           ` James Morris
  1 sibling, 0 replies; 10+ messages in thread
From: Eric Paris @ 2007-07-20 17:06 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, Daniel J Walsh, SE Linux

On Fri, 2007-07-20 at 13:00 -0400, Stephen Smalley wrote:
> if those patches ever materialize).

It's actually the number one thing on my list!  I wanted to be working
on it today, but I'm having some systems troubles.   (one machine I
think glibc is screwed up and another machine I can't boot git kernels,
they panic almost on startup)

-Eric




* Re: [Fwd: cups AVC...]
  2007-07-20 15:40   ` Daniel J Walsh
@ 2007-07-20 17:13     ` Stephen Smalley
  0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2007-07-20 17:13 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Eric Paris, SE Linux, James Morris

On Fri, 2007-07-20 at 11:40 -0400, Daniel J Walsh wrote:
> I am just adding:
> 
> genfscon anon_inodefs / gen_context(system_u:object_r:eventpollfs_t,s0)
> 
> Does that look ok?
> 
>  I also notice in /proc/filesystem that there is a securityfs which we 
> do not define in policy.
> Any idea what this is for?

Calling it eventpollfs might be misleading given that it can also be
used for other purposes now.  I suppose you could make eventpollfs_t a
typealias to a new anon_inodefs_t type.

Greg KH created securityfs in 2005 to avoid having every security module
introduce their own pseudo filesystem and mount point. Motivated by
AppArmor, I think, and only used by it so far AFAIK.  In theory, we
should replace selinuxfs with nodes in securityfs, but doing so would be
rather disruptive to userspace and provide us with no real gain in
functionality.

http://marc.info/?l=git-commits-head&m=112663824224465&w=2

-- 
Stephen Smalley
National Security Agency
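
The triage a policy maintainer does by hand in this thread, written out as an added example (not code from the thread or from the SELinux project): it parses the AVC / SYSCALL / AVC_PATH records quoted in Tom's report, groups them by audit event id, reports every denial whose target is unlabeled_t (the symptom of a pseudo filesystem type with no labeling rule in policy), and for each such filesystem renders the policy Dan and Stephen converge on: a new type, a genfscon statement for the single shared inode, and a typealias so rules written for eventpollfs_t keep applying. The sample log is the thread's own records plus one constructed, correctly labelled denial that must not be reported; the type name anon_inodefs_t and the KNOWN_ALIASES table are assumptions for illustration.

```python
"""Triage SELinux AVC denials whose target is unlabeled_t.

Added example, not from the thread or the SELinux project. Type names and the
KNOWN_ALIASES table below are assumptions chosen to mirror the discussion.
"""
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, kept mail-wrapped
# exactly as they arrived, plus one made-up denial on a properly labelled
# file (etc_t) that must NOT be reported as a labeling gap.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184938825.408:32): avc:  denied  { ioctl } for
pid=5296 comm="cupsd" name="[eventpoll]" dev=anon_inodefs ino=385
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1184938825.408:32): arch=40000003 syscall=54
success=no exit=-13 a0=1 a1=5401 a2=bfda72ac a3=bfda73cc items=0
ppid=5295 pid=5296 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1184938825.408:32):  path="anon_inode:[eventpoll]"
type=LABEL_LEVEL_CHANGE msg=audit(1184938825.408:33): user pid=5296
uid=0 auid=500 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
banners=none,none range=unknown: exe="/usr/sbin/cupsd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
res=success)'
type=AVC msg=audit(1184938900.100:40): avc:  denied  { write } for pid=6001 comm="cupsd" name="cupsd.conf" dev=sda1 ino=9 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# key=value pairs; quoted values may contain spaces and nested key=value text.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

# Assumed: anon_inodefs replaced eventpollfs (as the thread says), so the old
# type becomes an alias of the new one rather than a second type.
KNOWN_ALIASES = {"anon_inodefs": "eventpollfs_t"}


def parse_audit_log(text):
    """Re-join mail-wrapped continuation lines, then parse each record."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    parsed = []
    for rec in records:
        fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(rec)}
        m = EVENT_RE.search(rec)
        fields["event"] = m.group(1) if m else None
        a = AVC_RE.search(rec)
        if a:
            fields["result"] = a.group(1)
            fields["perms"] = a.group(2).split()
        parsed.append(fields)
    return parsed


def context_type(ctx):
    """Type component of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage_unlabeled(text):
    """Return one finding per denied AVC whose target type is unlabeled_t."""
    by_event = defaultdict(list)
    for rec in parse_audit_log(text):
        by_event[rec["event"]].append(rec)
    findings = []
    for event, recs in by_event.items():
        paths = [r["path"] for r in recs if r.get("type") == "AVC_PATH" and "path" in r]
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        for avc in recs:
            if avc.get("type") != "AVC" or avc.get("result") != "denied":
                continue
            if context_type(avc.get("tcontext", "")) != "unlabeled_t" or "dev" not in avc:
                continue
            findings.append({
                "event": event,
                "fs": avc["dev"],
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "domain": context_type(avc["scontext"]),
                "path": paths[0] if paths else avc.get("name"),
                "exe": syscalls[0].get("exe") if syscalls else None,
            })
    return findings


def suggest_policy(fs, type_name, alias=None):
    """Render the refpolicy lines for labeling a pseudo fs with one shared inode.

    With an alias, the old 'type <alias>;' declaration is dropped in favour of
    the typealias so existing allow rules naming the alias still apply.
    """
    lines = [
        f"type {type_name};",
        f"fs_type({type_name})",
        f"genfscon {fs} / gen_context(system_u:object_r:{type_name},s0)",
    ]
    if alias:
        lines.append(f"typealias {type_name} alias {alias};")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage_unlabeled(SAMPLE_AUDIT_LOG):
        print(f"event {f['event']}: {f['domain']} denied {f['perms']} on "
              f"{f['tclass']} {f['path']} (fs={f['fs']}, exe={f['exe']})")
        print(suggest_policy(f["fs"], f["fs"] + "_t", KNOWN_ALIASES.get(f["fs"])))
```

Run it over a real audit.log (or the output of ausearch -m AVC) instead of SAMPLE_AUDIT_LOG to get the same grouping. One caveat to keep in mind when reading its output: unlabeled_t on a disk-backed filesystem such as the constructed sda1 entry usually means files are missing their xattr labels and need a relabel, whereas unlabeled_t on a pseudo filesystem like anon_inodefs means no genfscon or fs_use statement exists for it; the script reports both and leaves that call to the policy author.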




* Re: [Fwd: cups AVC...]
  2007-07-20 17:00         ` Stephen Smalley
  2007-07-20 17:06           ` Eric Paris
@ 2007-07-20 17:45           ` James Morris
  1 sibling, 0 replies; 10+ messages in thread
From: James Morris @ 2007-07-20 17:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Eric Paris, SE Linux

On Fri, 20 Jul 2007, Stephen Smalley wrote:

> and we don't want to give access by default (at least not without some
> further policy option, akin to the one for Eric's patches for allowing
> unknown permissions by default - if those patches ever materialize).

That was the line of thinking.



- James
-- 
James Morris
<jmorris@namei.org>


