[refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems

[refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems

[Laurent Bigonville]

Hi,

Currently if you are running restorecon/fixfiles on a pseudo
filesystem (sysfs_t, device_t, tmpfs_t) we are getting the following
kind of AVC:

type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is happening because these file systems are not of the type fs_t.
However these pseudo fs are supporting xattrs. 

Talking a bit with Dominick, he proposed to create a new
"xattrfs" attribute attach it to all the filesystems and then use it
instead of fs_t in the allow rules. This should probably also
simplify/fix situations where files are moved around these pseudo-fs
and real fs.

Does anybody have comments on this?

Cheers,

Laurent Bigonville

See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682

[refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems

[Christopher J. PeBenito]

On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
> Currently if you are running restorecon/fixfiles on a pseudo
> filesystem (sysfs_t, device_t, tmpfs_t) we are getting the following
> kind of AVC:
> 
> type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
> 
> This is happening because these file systems are not of the type fs_t.
> However these pseudo fs are supporting xattrs. 
> 
> Talking a bit with Dominick, he proposed to create a new
> "xattrfs" attribute attach it to all the filesystems and then use it
> instead of fs_t in the allow rules. This should probably also
> simplify/fix situations where files are moved around these pseudo-fs
> and real fs.

It sounds reasonable to me, now that fs_t is not the only xattr fs.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems

[Laurent Bigonville]

Le Tue, 4 Mar 2014 11:31:28 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> a ?crit :

> On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
[...]
> > Talking a bit with Dominick, he proposed to create a new
> > "xattrfs" attribute attach it to all the filesystems and then use it
> > instead of fs_t in the allow rules. This should probably also
> > simplify/fix situations where files are moved around these pseudo-fs
> > and real fs.
> 
> It sounds reasonable to me, now that fs_t is not the only xattr fs.

Do you know if we can assume that all the fs that currently don't have
the noxattrfs attribute are actually supporting the xattrs?

[refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems

[Christopher J. PeBenito]

On 03/04/2014 06:28 PM, Laurent Bigonville wrote:
> Le Tue, 4 Mar 2014 11:31:28 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> a ??crit :
> 
>> On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
> [...]
>>> Talking a bit with Dominick, he proposed to create a new
>>> "xattrfs" attribute attach it to all the filesystems and then use it
>>> instead of fs_t in the allow rules. This should probably also
>>> simplify/fix situations where files are moved around these pseudo-fs
>>> and real fs.
>>
>> It sounds reasonable to me, now that fs_t is not the only xattr fs.
> 
> Do you know if we can assume that all the fs that currently don't have
> the noxattrfs attribute are actually supporting the xattrs?
 
No, we can't.  The noxattrfs attribute was originally intended for regular filesystems that don't support extended attributes, such as vfat, so it doesn't include non-xattr pseudo filesystems.  We should probably look at restructuring the rules so we can make the set noxattrfs and xattrfs have no intersection, but the union of the two equal to the set of all filesystem types.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com