All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: dE <de.techno@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: Default context with context mount option.
Date: Tue, 10 Jun 2014 08:05:09 -0400	[thread overview]
Message-ID: <5396F475.9030601@tycho.nsa.gov> (raw)
In-Reply-To: <5396BEC4.3000801@gmail.com>

On 06/10/2014 04:16 AM, dE wrote:
> On 06/09/14 19:04, Stephen Smalley wrote:
>> On 06/08/2014 10:48 AM, dE wrote:
>>> When a new file is created on a FS which supports security namespace but
>>> the FS is mounted using context= option, then what will be the context
>>> of the newly created file on the FS?
>>>
>>> I did exactly this, and next, umount and then mount the FS readonly to
>>> get the getfattr dump to realize the security namespace is not empty
>>> (this came as a surprise).
>>>
>>> So, can someone explain what exactly happens in this case?
>> The kernel lies to you ;)
>>
>> If SELinux (or another security module that implements the
>> inode_getsecurity and inode_listsecurity hooks) is enabled, then the
>> security module gets to report its view of the security.* attributes to
>> userspace instead of whatever may or may not be stored by the
>> filesystem.  That allows SELinux to handle such requests even for
>> filesystems that do not natively support the security.* namespace as
>> well as remap attribute values as needed to deal with removed types or
>> conversion from non-MLS to MLS policies or various other situations.
> 
> Yes, if I mount vfat for e.g. check the xattr using getfattr, there does
> exist a security attribute. But these FSs are defined by genfscon.
> 
> But about FSs which do support the security namespace (like XFS), and so
> do not have a genfscon statement associated to them they but still have
> a security namespace value (as reported by the kernel, which lies to
> userspace).
> 
> Question is -- are these values actually written to the FS or are they
> just empty? Things get more confusing cause I get permission denied when
> trying to delete the security namespace values.

It shouldn't be written to the filesystem.  You can check by booting
with SELinux disabled (selinux=0 on the kernel command-line or
/etc/selinux/config SELINUX=disabled) and then running getfattr; then
the kernel will just call down to the filesystem code to fetch the
attribute without any interference by the security module.  However,
note that this will trigger an automatic filesystem relabel upon reboot
into SELinux to ensure that all files are labeled, which can take some time.

With regard to removing the security.selinux attributes, SELinux also
prohibits that entirely; see
security/selinux/hooks.c:selinux_inode_removexattr() in the kernel.  So
again, to do that, you'd have to boot with SELinux disabled, but it
shouldn't be necessary.

  reply	other threads:[~2014-06-10 12:05 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-08 14:48 Default context with context mount option dE
2014-06-08 17:46 ` Christian Evans
2014-06-09  5:30   ` dE
2014-06-09 13:34 ` Stephen Smalley
2014-06-10  8:16   ` dE
2014-06-10 12:05     ` Stephen Smalley [this message]
2014-06-10 15:41       ` David Caplan
2014-06-10 17:25         ` Stephen Smalley
2014-06-11  7:12         ` dE
2014-06-11  7:08       ` dE
2014-06-11  7:29       ` dE
2014-06-11 12:33         ` Stephen Smalley
2014-06-12  1:15           ` dE
2014-06-11 12:38         ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5396F475.9030601@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=de.techno@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.