From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] two fixups for mount_t: uses mount.tmpfs and manage lock files
Date: Mon, 10 Jan 2011 09:10:22 -0500
Message-ID: <4D2B134E.8010502@tresys.com>
In-Reply-To: <SNT139-w2581860337E8BCD21F00CAB1A0@phx.gbl>
On 12/20/10 22:16, HarryCiao wrote:
> 1. Since the mount program would make use of the shell script of mount.tmpfs
> to preserve the mountpoint's security context across mounting if it ever
> makes sense, the mount domain should have been able to execute the shell
> and rw its fifo files.
>
> type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513
> comm="mount" name="bash" dev=sda ino=98324
> scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92
> comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92
> comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93
> comm="grep" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95
> comm="ls" path="pipe:[2446]" dev=pipefs ino=2446
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
This makes me wonder if we should make a mount_helper_exec_t for these
mount.* helper programs. I'd rather not allow mount to execute
shell_exec_t.
> 2. While the mount program writes into /etc/mtab, it needs to create
> a lock file under /var/lock/, otherwise the /etc/mtab would be empty.
>
> type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471
> comm="mount" name="lock" dev=sda ino=114693
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t
> tclass=dir
> can't create lock file /var/lock/mtab~471: Permission denied (use -n
> flag to override)
Which distro is this on?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com