* Linux 2.6.13.4 --> 2.6.14.3 & security contexts
From: Sami Farin @ 2005-11-29 20:45 UTC
To: SELinux Mailing List
After "upgrading" from 2.6.13.4 to 2.6.14.3, selinux
stopped working as expected.
Security context is not created for new files.
For example, when I do "touch ~/hirvi ; ls -lZ ~/hirvi"
I get
-rw-rw---- safari safari /home/safari/hirvi
and after "useradd -M foobar" I have to do
"restorecon /etc/shadow* /etc/passwd* /etc/group* /etc/gshadow*"
or I can't add more users. And "restorecon /etc/ld.so.c*"
needed after running ldconfig.
With 2.6.13.4 I used fedora's selinux-policy-targeted-1*, and
with 2.6.14.3 the same one. When I noticed all is not fine,
I "upgraded" to serefpolicy 2.0.5.
After disabling execmem globally, it seemed to work except
that security context is not created for new files.
So, all I would like to know is how to get 2.6.13.4 behavior back
(_and_ while running 2.6.14.3) with smallest possible amount of sweat
and blood.
$ id
uid=500(safari) gid=500(safari) groups=37(rpm),500(safari),509(xuser),546(sound) context=user_u:system_r:unconfined_t:s0-s0:c0.c255
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Linux 2.6.13.4 --> 2.6.14.3 & security contexts
From: Stephen Smalley @ 2005-11-30 15:52 UTC
To: Sami Farin; +Cc: SELinux Mailing List
On Tue, 2005-11-29 at 22:45 +0200, Sami Farin wrote:
> After "upgrading" from 2.6.13.4 to 2.6.14.3, selinux
> stopped working as expected.
> Security context is not created for new files.
>
> For example, when I do "touch ~/hirvi ; ls -lZ ~/hirvi"
> I get
> -rw-rw---- safari safari /home/safari/hirvi
>
> and after "useradd -M foobar" I have to do
> "restorecon /etc/shadow* /etc/passwd* /etc/group* /etc/gshadow*"
> or I can't add more users. And "restorecon /etc/ld.so.c*"
> needed after running ldconfig.
>
> With 2.6.13.4 I used fedora's selinux-policy-targeted-1*, and
> with 2.6.14.3 the same one. When I noticed all is not fine,
> I "upgraded" to serefpolicy 2.0.5.
> After disabling execmem globally, it seemed to work except
> that security context is not created for new files.
>
> So, all I would like to know is how to get 2.6.13.4 behavior back
> (_and_ while running 2.6.14.3) with smallest possible amount of sweat
> and blood.
>
> $ id
> uid=500(safari) gid=500(safari) groups=37(rpm),500(safari),509(xuser),546(sound) context=user_u:system_r:unconfined_t:s0-s0:c0.c255
What filesystem type are you using?
--
Stephen Smalley
National Security Agency
* Re: Linux 2.6.13.4 --> 2.6.14.3 & security contexts
From: Stephen Smalley @ 2005-11-30 16:09 UTC
To: Sami Farin; +Cc: selinux
On Wed, 2005-11-30 at 11:03 -0500, Stephen Smalley wrote:
> On Wed, 2005-11-30 at 17:49 +0200, Sami Farin wrote:
> > All are XFS.
> >
> > /dev/root / xfs rw,noatime 0 0
> > /dev/hdc7 /var xfs rw,noatime 0 0
> > /dev/hdc8 /usr xfs rw,noatime 0 0
> > /dev/hdc9 /wrk xfs rw,noatime 0 0
> > /dev/loop0 /mnt/aes xfs rw,noatime,nosuid,nodev 0 0
>
> Therein lies the problem. As of 2.6.14, xfs is not supported with
> SELinux until such a time as the xfs developers update their filesystem
> to call the security_inode_init_security() hook and set the attribute on
> newly created inodes. Please nag the xfs developers about this. See:
> http://marc.theaimsgroup.com/?l=selinux&m=112653995
Re-sending with the list cc'd this time, as you dropped the list from
your reply and thus my reply also didn't include the list. I think this
is of general interest; we are likely to receive more such reports in
the future, so I wanted it archived.
--
Stephen Smalley
National Security Agency
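
A check for the condition described in this thread, as an added example that is not part of the original messages: it creates a scratch file on each writable mount and reports the mounts where a new file receives no security context. The function names, the probe file prefix and the partly constructed sample mount table are assumptions of this example, as is treating the `file_t` and `unlabeled_t` types as "no label".

```python
import errno
import os
import tempfile

XATTR = "security.selinux"
# Types SELinux reports for objects that carry no stored label (assumption).
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

# Constructed sample in /proc/mounts format: the xfs lines are the ones quoted
# in the thread, the proc and read-only lines are made up for this example.
SAMPLE_MOUNTS = """\
/dev/root / xfs rw,noatime 0 0
proc /proc proc rw 0 0
/dev/hdc7 /var xfs rw,noatime 0 0
/dev/hdd1 /media/cd iso9660 ro 0 0
/dev/loop0 /mnt/aes xfs rw,noatime,nosuid,nodev 0 0
"""

def writable_disk_mounts(mounts_text):
    """Return [(mountpoint, fstype)] for read-write, device-backed mounts."""
    found = []
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].startswith("/dev/") and "rw" in f[3].split(","):
            found.append((f[1], f[2]))
    return found

def new_file_label(directory, getxattr=os.getxattr):
    """Create a scratch file in `directory`; return the context it was given at
    creation, or None if it has none (attribute absent or a placeholder type)."""
    fd, path = tempfile.mkstemp(prefix=".selinux-probe-", dir=directory)
    os.close(fd)
    try:
        raw = getxattr(path, XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    finally:
        os.unlink(path)  # always remove the probe file
    label = raw.rstrip(b"\0").decode()
    parts = label.split(":")  # user:role:type[:level]
    if len(parts) < 3 or parts[2] in UNLABELED_TYPES:
        return None
    return label

def unlabeled_mounts(mounts_text, probe=new_file_label):
    """Mounts where a newly created file does not receive a security context."""
    return [(mp, fs) for mp, fs in writable_disk_mounts(mounts_text) if probe(mp) is None]
```

On a live system, run it as a user who can write to each mount point and pass the contents of `/proc/mounts` to `unlabeled_mounts()`.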