* Problem with SELinux and glusterfs when trying to allow memprotect/mmap_zero
@ 2009-05-27 10:06 Ioannis Aslanidis
  2009-05-27 11:28 ` Daniel J Walsh
  0 siblings, 1 reply; 3+ messages in thread
From: Ioannis Aslanidis @ 2009-05-27 10:06 UTC (permalink / raw)
  To: selinux


Hello,

I am trying to allow the following audit message through, but it says
that there is a violation. Can anyone explain what exactly is going on?

Thank you,

Ioannis

# cat messages.audit
May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc:
denied  { mmap_zero } for  pid=3155 comm="glusterfs2"
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:mount_t:s0 tclass=memprotect


# cat selinuxglusterfs.te

module selinuxglusterfs 1.0;

require {
	type mount_t;
	class memprotect mmap_zero;
}

#============= mount_t ==============
allow mount_t self:memprotect mmap_zero;


#  semodule -i selinuxglusterfs.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
mount_t mount_t:memprotect { mmap_zero };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

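
The denial above is the kind that audit2allow turns into a rule which the policy compiler then refuses, as the `semodule -i` output shows. The following triage script is an added example and not part of the thread: it parses AVC lines in the format quoted above, builds the naive allow rule, and flags `memprotect:mmap_zero` as a permission that a local module cannot simply grant (refpolicy guards it with a neverallow; the `domain_mmap_low_type()` interface named later in the thread is the sanctioned alternative). The second log line in the sample, the `ASSERTION_GUARDED` table and the `ESCAPE_HATCH` table are constructed for the example; only the `mmap_zero` entry comes from this thread.

```python
import re

# Constructed sample log. The first line is the denial from the message above,
# rejoined onto one line (the mail client wrapped it); the second line is a
# constructed, ordinary file-read denial for comparison.
SAMPLE_AUDIT = (
    'May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc: '
    'denied  { mmap_zero } for  pid=3155 comm="glusterfs2" '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=memprotect\n'
    'May 27 01:51:14 streamer012 kernel: audit(1243381874.100:61): avc: '
    'denied  { read } for  pid=3155 comm="glusterfs2" name="fstab" dev=sda1 '
    'ino=1234 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (tclass, permission) pairs that refpolicy protects with a neverallow, so a
# plain allow rule is rejected at load time with the libsepol assertion error
# shown in the thread. Only the pair this thread demonstrates is listed.
ASSERTION_GUARDED = {("memprotect", "mmap_zero")}

# Policy interface named in the thread as the sanctioned way to grant it.
ESCAPE_HATCH = {("memprotect", "mmap_zero"): "domain_mmap_low_type({stype})"}


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def naive_rule(rec):
    """The allow rule audit2allow would emit for this denial."""
    stype = context_type(rec["scontext"])
    ttype = context_type(rec["tcontext"])
    target = "self" if stype == ttype else ttype
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, target, rec["tclass"], perm_text)


def triage(rec):
    """Decide whether a denial is a candidate for a local allow rule."""
    stype = context_type(rec["scontext"])
    guarded = [p for p in rec["perms"] if (rec["tclass"], p) in ASSERTION_GUARDED]
    out = {"comm": rec["comm"], "naive_rule": naive_rule(rec)}
    if guarded:
        key = (rec["tclass"], guarded[0])
        out["action"] = "fix-application"
        out["reason"] = (
            "%s:%s is guarded by a neverallow; the rule above fails at "
            "semodule -i. Find out why %s maps memory below the kernel's "
            "mmap_min_addr floor." % (key[0], key[1], rec["comm"])
        )
        out["policy_escape_hatch"] = ESCAPE_HATCH[key].format(stype=stype)
    else:
        out["action"] = "review-and-allow"
        out["reason"] = "no assertion guards this permission; review, then load the rule"
    return out


def triage_log(text):
    """Triage every AVC line in a block of log text."""
    return [triage(r) for r in map(parse_avc, text.splitlines()) if r]


if __name__ == "__main__":
    for t in triage_log(SAMPLE_AUDIT):
        print("%-18s %s" % (t["action"], t["naive_rule"]))
        print("    " + t["reason"])
        if "policy_escape_hatch" in t:
            print("    policy alternative: " + t["policy_escape_hatch"])
```

Run against `/var/log/messages` or `ausearch -m avc` output, the script separates denials that a local module can reasonably grant from the ones, like this `mmap_zero` case, where the right response is to find the misbehaving program rather than widen policy.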

* Re: Problem with SELinux and glusterfs when trying to allow memprotect/mmap_zero
  2009-05-27 10:06 Problem with SELinux and glusterfs when trying to allow memprotect/mmap_zero Ioannis Aslanidis
@ 2009-05-27 11:28 ` Daniel J Walsh
  2009-05-28 22:33   ` Eric Paris
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2009-05-27 11:28 UTC (permalink / raw)
  To: Ioannis Aslanidis; +Cc: selinux

On 05/27/2009 06:06 AM, Ioannis Aslanidis wrote:
> Hello,
>
> I am trying to allow the following audit message through, but it says
> that there is a violation. Can anyone explain what exactly is going on?
>
> Thank you,
>
> Ioannis
>
> # cat messages.audit
> May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc:
> denied  { mmap_zero } for  pid=3155 comm="glusterfs2"
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:mount_t:s0 tclass=memprotect
>
>
> # cat selinuxglusterfs.te
>
> module selinuxglusterfs 1.0;
>
> require {
> 	type mount_t;
> 	class memprotect mmap_zero;
> }
>
> #============= mount_t ==============
> allow mount_t self:memprotect mmap_zero;
>
Adding

domain_mmap_low_type(mount_t)

will make this problem go away.  But I don't believe glusterfs should be 
causing the mount command to need to mmap_zero.  Seems like a kernel 
problem.
>
> #  semodule -i selinuxglusterfs.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> mount_t mount_t:memprotect { mmap_zero };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Problem with SELinux and glusterfs when trying to allow memprotect/mmap_zero
  2009-05-27 11:28 ` Daniel J Walsh
@ 2009-05-28 22:33   ` Eric Paris
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Paris @ 2009-05-28 22:33 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ioannis Aslanidis, selinux

On Wed, May 27, 2009 at 7:28 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 05/27/2009 06:06 AM, Ioannis Aslanidis wrote:
>>
>> Hello,
>>
>> I am trying to allow the following audit message through, but it says
>> that there is a violation. Can anyone explain what exactly is going on?
>>
>> Thank you,
>>
>> Ioannis
>>
>> # cat messages.audit
>> May 27 01:51:13 streamer012 kernel: audit(1243381873.876:60): avc:
>> denied  { mmap_zero } for  pid=3155 comm="glusterfs2"
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:system_r:mount_t:s0 tclass=memprotect
>>
>>
>> # cat selinuxglusterfs.te
>>
>> module selinuxglusterfs 1.0;
>>
>> require {
>>        type mount_t;
>>        class memprotect mmap_zero;
>> }
>>
>> #============= mount_t ==============
>> allow mount_t self:memprotect mmap_zero;
>>
> Adding
>
> domain_mmap_low_type(mount_t)
>
> will make this problem go away.  But I don't believe glusterfs should be
> causing the mount command to need to mmap_zero.  Seems like a kernel
> problem.

Come on now, don't blame the kernel for enforcing things.

If I had to guess the mount command is calling a helper application
which is stupidly doing

mmap(NULL, MAP_FIXED ....)

And it is this mount helper program that should be fixed.  Do you have
an /sbin/mount.glusterfs?

You very very very likely don't need this permission, you need to fix
the app....

-Eric


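
Eric's point is that `mmap_zero` is only needed when a program forces a mapping below the kernel's low-address floor, and that the program, not the policy, should change. The following is an added example, not code from the thread or from glusterfs: it reads `vm.mmap_min_addr`, encodes the pre-flight rule for when a request would need `memprotect:mmap_zero`, and performs an anonymous mapping the way a helper should (no address, no `MAP_FIXED`) through `ctypes`, checking that the kernel placed it above the floor. It assumes Linux, the Linux `MAP_FIXED` value `0x10` (Python's `mmap` module does not export it) and a fallback floor of 65536 when `/proc/sys/vm/mmap_min_addr` is unreadable; on current kernels a non-fixed hint below the floor is ignored by the address picker, so only a `MAP_FIXED` request can land there.

```python
import ctypes
import mmap
import os

MAP_FIXED = 0x10  # Linux flag value; Python's mmap module does not export it
BASE_FLAGS = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS
# Fallback when /proc/sys/vm/mmap_min_addr cannot be read (assumed value; the
# real floor is whatever the running kernel reports).
DEFAULT_MMAP_MIN_ADDR = 65536

_libc = ctypes.CDLL(None, use_errno=True)
_libc.mmap.restype = ctypes.c_void_p
_libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                       ctypes.c_int, ctypes.c_int, ctypes.c_long]
_libc.munmap.restype = ctypes.c_int
_libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
MAP_FAILED = ctypes.c_void_p(-1).value  # (void *)-1 as an unsigned integer


def mmap_min_addr():
    """Lowest address an unprivileged mapping may occupy, as the kernel reports it."""
    try:
        with open("/proc/sys/vm/mmap_min_addr") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_MMAP_MIN_ADDR


def needs_mmap_zero(addr, flags, min_addr):
    """True if the request can only succeed with memprotect:mmap_zero.

    Without MAP_FIXED a hint below the floor is ignored and the kernel picks
    another address, so only a fixed request actually lands below
    mmap_min_addr. That is the pattern Eric describes: mmap(NULL, MAP_FIXED ...).
    """
    return bool(flags & MAP_FIXED) and addr < min_addr


def map_anonymous(length):
    """What the helper should do instead: let the kernel choose the address."""
    addr = _libc.mmap(None, length, mmap.PROT_READ | mmap.PROT_WRITE,
                      BASE_FLAGS, -1, 0)
    if addr is None or addr == MAP_FAILED:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return addr


def unmap(addr, length):
    """Release the mapping; returns munmap's result (0 on success)."""
    return _libc.munmap(addr, length)


def demonstrate(length=mmap.PAGESIZE):
    """Map a page the safe way and report where it landed relative to the floor."""
    floor = mmap_min_addr()
    addr = map_anonymous(length)
    result = {
        "addr": addr,
        "min_addr": floor,
        "above_floor": addr >= floor,
        "page_aligned": addr % mmap.PAGESIZE == 0,
    }
    result["unmapped"] = unmap(addr, length)
    return result


if __name__ == "__main__":
    r = demonstrate()
    print("mmap_min_addr = %#x, mapping landed at %#x (above floor: %s)"
          % (r["min_addr"], r["addr"], r["above_floor"]))
    print("mmap(NULL, MAP_FIXED) needs mmap_zero:",
          needs_mmap_zero(0, BASE_FLAGS | MAP_FIXED, r["min_addr"]))
    print("mmap(NULL) without MAP_FIXED needs it:",
          needs_mmap_zero(0, BASE_FLAGS, r["min_addr"]))
```

When auditing a helper like the one Eric suspects, the `needs_mmap_zero` rule is the thing to grep for in its source: any `mmap` call that passes `MAP_FIXED` with an address below the floor is the bug, and dropping the fixed address (as `map_anonymous` does) removes the need for the permission entirely.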
