* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-09-04 12:21 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-04 12:21 UTC (permalink / raw)
  To: refpolicy

In order for mount to work with all file locations, it needs
relabelfrom privileges as well (next to the relabelto ones).

The same patch is also already present in fedora's repository.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/mount.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 57d7294..429596f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
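Review bot: the commit message never says what mount_t is actually being denied, yet the hunk turns a relabelto-only grant into a full relabel grant on the filesystem class of every file type, directly under the context comment "These rules need to be generalized.  Only admin, initrc should have it:" which already flags the existing rule as too broad. The message should carry the triggering scenario (a context= mount) and the AVC line that motivates relabelfrom; "the same patch is already in fedora's repository" is not on its own a justification for widening a rule the policy itself marks as over-privileged. If the widening is kept, that comment should be updated in the same hunk so it does not describe a narrower rule than the one below it.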
-- 
1.7.3.4


* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-09-06 18:36 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2011-09-06 18:36 UTC (permalink / raw)
  To: refpolicy

On 09/04/11 08:21, Sven Vermeulen wrote:
> In order for mount to work with all file locations, it needs
> relabelfrom privileges as well (next to the relabelto ones).
> 
> The same patch is also already present in fedora's repository.

I don't understand this, can you explain further?  This rule is for context mounts, in which it would be relabeling from any filesystem type to a file type.  When would it relabel from a file type?

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/mount.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 57d7294..429596f 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
>  files_mounton_all_mountpoints(mount_t)
>  files_unmount_rootfs(mount_t)
>  # These rules need to be generalized.  Only admin, initrc should have it:
> -files_relabelto_all_file_type_fs(mount_t)
> +files_relabel_all_file_type_fs(mount_t)
>  files_mount_all_file_type_fs(mount_t)
>  files_unmount_all_file_type_fs(mount_t)
>  # for when /etc/mtab loses its type
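Review bot: the interface swapped in at `+files_relabel_all_file_type_fs(mount_t)` is not defined anywhere in this diff, so the review has to rely on its name; by refpolicy naming a relabel_* interface grants relabelfrom together with relabelto, which matches the "as well" in the description but does not answer the question raised above of why a domain doing a context mount would relabel *from* a file type at all. The narrow reading of this interface is that the filesystem-class target should be the filesystem's own type, so a denial naming a file type as tcontext is a reason to hold the hunk until the denial is posted and understood, not to widen mount_t to every file type.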


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-09-07 19:23   ` Sven Vermeulen
From: Sven Vermeulen @ 2011-09-07 19:23 UTC (permalink / raw)
  To: refpolicy

On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 08:21, Sven Vermeulen wrote:
> > In order for mount to work with all file locations, it needs
> > relabelfrom privileges as well (next to the relabelto ones).
> > 
> > The same patch is also already present in fedora's repository.
> 
> I don't understand this, can you explain further?  This rule is for
> context mounts, in which it would be relabeling from any filesystem
> type to a file type.  When would it relabel from a file type?

It is indeed with a context mount that we encountered the issue (see
https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)

It can be easily reproduced even on non-NFS:

build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
mount: block device tmpfs is write-protected, mounting read-only
mount: cannot mount block device tmpfs read-only

build log # cat avc.log 
Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400
audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400
audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem

With the relabelfrom privilege the mount works as expected.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-09-08 17:12     ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2011-09-08 17:12 UTC (permalink / raw)
  To: refpolicy

On 9/7/2011 3:23 PM, Sven Vermeulen wrote:
> On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
>> On 09/04/11 08:21, Sven Vermeulen wrote:
>>> In order for mount to work with all file locations, it needs
>>> relabelfrom privileges as well (next to the relabelto ones).
>>>
>>> The same patch is also already present in fedora's repository.
>>
>> I don't understand this, can you explain further?  This rule is for
>> context mounts, in which it would be relabeling from any filesystem
>> type to a file type.  When would it relabel from a file type?
>
> It is indeed with a context mount that we encountered the issue (see
> https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
>
> It can be easily reproduced even on non-NFS:
>
> build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> mount: block device tmpfs is write-protected, mounting read-only
> mount: cannot mount block device tmpfs read-only
>
> build log # cat avc.log
> Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400
> audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400
> audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
>
> With the relabelfrom privilege the mount works as expected.

This looks like a bug.  I'd expect the relabelfrom tcontext to be tmpfs_t.  I've asked Eric Paris to look into this.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

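The two messages above (Sven's reproduction with the two AVC denials, and Chris's reply that the relabelfrom tcontext should have been tmpfs_t rather than portage_ebuild_t) amount to a triage rule: for a filesystem-class relabelfrom, the target type should be the filesystem's own type, and a file type in that position is a labeling anomaly to investigate, not a denial to answer with a broader allow rule. The following Python is an added example and is not code from the thread, from refpolicy or from any audit tool. It parses AVC lines in the mail-wrapped form they appear in above, deduplicates repeated denials, and applies that check. The set of filesystem types and the third, "expected" sample line with tmpfs_t as target are assumptions constructed for the example; the first two sample lines reuse the values Sven posted.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the wrapped AVC lines in the thread.
# Records 1 and 2 reuse Sven's values; record 3 is an assumed "expected" shape
# with the filesystem's own type (tmpfs_t) as the relabelfrom target.
SAMPLE_AVC_LOG = """\
Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400
audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400
audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep  7 21:30:01 build kernel: [ 4278.112233] type=1400
audit(1315423801.000:108): avc:  denied  { relabelfrom } for  pid=3801
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem
"""

# Assumed set of types that label filesystems themselves (fs_type in refpolicy terms).
FILESYSTEM_TYPES = frozenset({"tmpfs_t", "nfs_t", "cifs_t", "iso9660_t"})

# A new kernel-log record starts with a syslog timestamp; anything else is a
# continuation of the previous record that the mail client wrapped.
LINE_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    decision: str
    perms: tuple
    pid: int
    comm: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def stype(self) -> str:
        # SELinux context is user:role:type[:range]; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def join_wrapped(text: str) -> list:
    """Re-join log records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if LINE_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(text: str) -> list:
    """Extract AVC records from kernel log text (wrapped or not)."""
    out = []
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("kv")))
        out.append(AvcRecord(
            decision=m.group("decision"),
            perms=tuple(m.group("perms").split()),
            pid=int(kv["pid"]),
            comm=kv["comm"].strip('"'),
            scontext=kv["scontext"],
            tcontext=kv["tcontext"],
            tclass=kv["tclass"],
        ))
    return out


def triage(records: list, fs_types=FILESYSTEM_TYPES) -> dict:
    """Group filesystem-class relabelfrom denials and classify their target type.

    'fs-type-target': the target is a filesystem type, so a rule scoped to that
    type is the narrow fix. 'non-fs-type-target': a file type appears where a
    filesystem type is expected; widening policy would mask the anomaly.
    """
    findings = {}
    for r in records:
        if r.decision != "denied" or r.tclass != "filesystem" or "relabelfrom" not in r.perms:
            continue
        verdict = "fs-type-target" if r.ttype in fs_types else "non-fs-type-target"
        key = (r.stype, r.ttype, r.perms)
        entry = findings.setdefault(key, {"count": 0, "verdict": verdict})
        entry["count"] += 1
    return findings


if __name__ == "__main__":
    for (stype, ttype, perms), f in triage(parse_avc(SAMPLE_AVC_LOG)).items():
        print(f"{stype} -> {ttype} {{ {' '.join(perms)} }} x{f['count']}: {f['verdict']}")
```

Run against the sample, the two denials Sven posted collapse into one finding tagged non-fs-type-target, while the assumed tmpfs_t line is tagged fs-type-target; the first is the case that warrants a kernel or labeling investigation before any policy change.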

* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-12-26 11:05       ` Sven Vermeulen
From: Sven Vermeulen @ 2011-12-26 11:05 UTC (permalink / raw)
  To: refpolicy

On Thu, Sep 08, 2011 at 01:12:28PM -0400, Christopher J. PeBenito wrote:
> > It is indeed with a context mount that we encountered the issue (see
> > https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
> >
> > It can be easily reproduced even on non-NFS:
> >
> > build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> > mount: block device tmpfs is write-protected, mounting read-only
> > mount: cannot mount block device tmpfs read-only
> >
> > build log # cat avc.log
> > Sep  7 21:22:17 build kernel: [ 3814.028379] type=1400
> > audit(1315423337.025:106): avc:  denied  { relabelfrom } for  pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> > Sep  7 21:22:17 build kernel: [ 3814.036543] type=1400
> > audit(1315423337.034:107): avc:  denied  { relabelfrom } for  pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> >
> > With the relabelfrom privilege the mount works as expected.
> 
> This looks like a bug.  I'd expect the relabelfrom tcontext to be tmpfs_t.  I've asked Eric Paris to look into this.

Any feedback on this?

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/1] Allow mount to work on all file locations
@ 2011-07-20 17:18 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 17:18 UTC (permalink / raw)
  To: refpolicy

In order for mount to work with all file locations, it needs relabelfrom
privileges as well (next to the relabelto ones).

The same patch is also already present in fedora's repository.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/mount.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 57d7294..429596f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
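Review bot: this 2011-07-20 post carries the identical one-line hunk to the 2011-09-04 post at the top of the thread, and neither is marked as a resend or carries a version tag or a note on what changed. A repost of an unanswered patch should say so (a v2 or RESEND tag and a line under the `---` marker), otherwise reviewers cannot tell a new submission from a repeat and may review the same hunk twice, as happened here.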
-- 
1.7.3.4

