Subject: [refpolicy] file contexts for /proc/sys/* missing
From: Sven Vermeulen @ 2010-12-29 18:56 UTC
To: refpolicy
Hi all,
My system seems to be unable to give proper security contexts to the "files"
in /proc/sys/*:
hpl sys # ls -laZ /proc/sys/
total 0
dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
It seems that kernel.te should generate the necessary contexts, and for some
other locations (like /proc/net) it does:
dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
[...]
How do I go about debugging this? I was hoping to put some debugging
statements along the lines of the genfscon macro, but can't find its
definition anywhere.
Wkr,
Sven Vermeulen
Subject: [refpolicy] file contexts for /proc/sys/* missing
From: Chris Richards @ 2010-12-29 19:32 UTC
To: refpolicy
On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
> Hi all,
>
> My system seems to be unable to give proper security contexts to the "files"
> in /proc/sys/*:
>
> hpl sys # ls -laZ /proc/sys/
> total 0
> dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
> dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
> dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
>
Interesting, I have the same behavior here, both on Fedora and my
Gentoo system.
matchpathcon /proc/sys says 'No such file or directory' which suggests
that no contexts are defined for that part of the tree. Interestingly
enough, /proc/sys/fs/binfmt_misc DOES have a context, as do the
contents. This suggests that those files may be labeled by a domtrans
or filetrans.
Someone who knows more than me will have to comment further.
> It seems that kernel.te should generate the necessary contexts, and for some
> other locations (like /proc/net) it does:
>
> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
> dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
> [...]
>
> How do I go about debugging this? I was hoping to put some debugging
> statements along the lines of the genfscon macro, but can't find its
> definition anywhere.
>
> Wkr,
> Sven Vermeulen
Subject: [refpolicy] file contexts for /proc/sys/* missing
From: Daniel J Walsh @ 2011-01-03 21:32 UTC
To: refpolicy
On 12/29/2010 02:32 PM, Chris Richards wrote:
> On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
>> Hi all,
>>
>> My system seems to be unable to give proper security contexts to the "files"
>> in /proc/sys/*:
>>
>> hpl sys # ls -laZ /proc/sys/
>> total 0
>> dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
>> dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
>> dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
>>
> Interesting, I have the same behavior here, both on Fedora and my
> Gentoo system.
>
> matchpathcon /proc/sys says 'No such file or directory' which suggests
> that no contexts are defined for that part of the tree. Interestingly
> enough, /proc/sys/fs/binfmt_misc DOES have a context, as do the
> contents. This suggests that those files may be labeled by a domtrans
> or filetrans.
>
> Someone who knows more than me will have to comment further.
>
>> It seems that kernel.te should generate the necessary contexts, and for some
>> other locations (like /proc/net) it does:
>>
>> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
>> dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
>> [...]
>>
>> How do I go about debugging this? I was hoping to put some debugging
>> statements along the lines of the genfscon macro, but can't find its
>> definition anywhere.
>>
>> Wkr,
>> Sven Vermeulen
Since these are not real files and the context is being generated by the
kernel, we do not specify a file context. There is a construct in base
policy to say how they should be labelled.
Subject: [refpolicy] file contexts for /proc/sys/* missing
From: Sven Vermeulen @ 2011-01-03 23:22 UTC
To: refpolicy
On Mon, Jan 03, 2011 at 04:32:55PM -0500, Daniel J Walsh wrote:
> Since these are not real files and the context is being generated by the
> kernel. we do not specify file context. There is a construct in base
> policy to say how they should be labelled.
Yes, those genfscon statements. The weird thing is, the genfscon statements
within kernel.te for the /proc file system partially work. For instance,
the one for /proc/sys itself works (it gets sysctl_t), but the one for
/proc/sys/net doesn't.
seinfo --genfscon shows all statements (including those for /proc/sys/net).
Wkr,
Sven Vermeulen
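As an added illustration (not code from the thread or from refpolicy), the script below parses `seinfo --genfscon` style lines and applies the kernel's genfscon prefix-match rule, so you can work out what context a /proc path should carry before comparing it with what `ls -Z` shows. The genfscon table and the paths it is run against are constructed sample input modelled on kernel.te, not output from a real system.

```python
"""Predict the genfscon context the kernel assigns to a path on proc.

Added example, not code from refpolicy or from anyone in the thread. The
table below is constructed sample input in seinfo --genfscon's output format,
modelled on refpolicy's kernel.te."""
import re

# Constructed sample: "genfscon <fstype> <path> <context>" lines.
SAMPLE_GENFSCON = """\
genfscon proc / system_u:object_r:proc_t:s0
genfscon proc /sysvipc system_u:object_r:proc_t:s0
genfscon proc /net system_u:object_r:proc_net_t:s0
genfscon proc /sys system_u:object_r:sysctl_t:s0
genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
"""
LINE_RE = re.compile(r"^genfscon\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_genfscon(text):
    """Return {fstype: [(path, context), ...]} from seinfo-style output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fstype, path, ctx = m.groups()
            table.setdefault(fstype, []).append((path, ctx))
    return table

def genfs_label(table, fstype, path):
    """Longest matching prefix wins: checkpolicy orders genfscon entries
    longest-first and the kernel takes the first whose path is a string
    prefix of the queried path. It is a plain string prefix, not a
    path-component match, so "/sys" alone would also cover "/sysvipc";
    that is why the sample carries an explicit /sysvipc entry."""
    best = None
    for entry_path, ctx in table.get(fstype, []):
        if path.startswith(entry_path) and (best is None or len(entry_path) > len(best[0])):
            best = (entry_path, ctx)
    return best[1] if best else None

def type_of(context):
    """Type field of a user:role:type[:range] context."""
    return context.split(":")[2]

if __name__ == "__main__":
    table = parse_genfscon(SAMPLE_GENFSCON)
    for p in ("/sys", "/sys/net/ipv4/ip_forward", "/net/arp", "/sysvipc/shm"):
        print(f"proc {p:26} -> {genfs_label(table, 'proc', p)}")
```

Note that matchpathcon only consults the file_contexts database, which never contains genfscon entries, so its "No such file or directory" for a genfs-labelled tree such as /proc/sys is expected rather than a sign that the policy lacks a label; `seinfo --genfscon` is the query that shows them.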