selinux.vger.kernel.org archive mirror
* Linux 2.6.13.4 --> 2.6.14.3 & security contexts
@ 2005-11-29 20:45 Sami Farin
  2005-11-30 15:52 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Sami Farin @ 2005-11-29 20:45 UTC (permalink / raw)
  To: SELinux Mailing List

After "upgrading" from 2.6.13.4 to 2.6.14.3, selinux
stopped working as expected.
Security context is not created for new files.

For example, when I do "touch ~/hirvi ; ls -lZ ~/hirvi"
I get
-rw-rw----  safari   safari                                    /home/safari/hirvi

and after "useradd -M foobar" I have to do
"restorecon /etc/shadow* /etc/passwd* /etc/group* /etc/gshadow*"
or I can't add more users.  And "restorecon /etc/ld.so.c*"
needed after running ldconfig.

With 2.6.13.4 I used fedora's selinux-policy-targeted-1*, and
with 2.6.14.3 the same one.  When I noticed all is not fine,
I "upgraded" to serefpolicy 2.0.5.
After disabling execmem globally, it seemed to work except
that security context is not created for new files.

So, all I would like to know is how to get 2.6.13.4 behavior back
(_and_ while running 2.6.14.3) with smallest possible amount of sweat
and blood.

$ id
uid=500(safari) gid=500(safari) groups=37(rpm),500(safari),509(xuser),546(sound) context=user_u:system_r:unconfined_t:s0-s0:c0.c255

-- 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Linux 2.6.13.4 --> 2.6.14.3 & security contexts
  2005-11-29 20:45 Linux 2.6.13.4 --> 2.6.14.3 & security contexts Sami Farin
@ 2005-11-30 15:52 ` Stephen Smalley
       [not found]   ` <20051130154955.GE29869@m.safari.iki.fi>
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2005-11-30 15:52 UTC (permalink / raw)
  To: Sami Farin; +Cc: SELinux Mailing List

On Tue, 2005-11-29 at 22:45 +0200, Sami Farin wrote:
> After "upgrading" from 2.6.13.4 to 2.6.14.3, selinux
> stopped working as expected.
> Security context is not created for new files.
> 
> For example, when I do "touch ~/hirvi ; ls -lZ ~/hirvi"
> I get
> -rw-rw----  safari   safari                                    /home/safari/hirvi
> 
> and after "useradd -M foobar" I have to do
> "restorecon /etc/shadow* /etc/passwd* /etc/group* /etc/gshadow*"
> or I can't add more users.  And "restorecon /etc/ld.so.c*"
> needed after running ldconfig.
> 
> With 2.6.13.4 I used fedora's selinux-policy-targeted-1*, and
> with 2.6.14.3 the same one.  When I noticed all is not fine,
> I "upgraded" to serefpolicy 2.0.5.
> After disabling execmem globally, it seemed to work except
> that security context is not created for new files.
> 
> So, all I would like to know is how to get 2.6.13.4 behavior back
> (_and_ while running 2.6.14.3) with smallest possible amount of sweat
> and blood.
> 
> $ id
> uid=500(safari) gid=500(safari) groups=37(rpm),500(safari),509(xuser),546(sound) context=user_u:system_r:unconfined_t:s0-s0:c0.c255

What filesystem type are you using?

-- 
Stephen Smalley
National Security Agency



* Re: Linux 2.6.13.4 --> 2.6.14.3 & security contexts
       [not found]     ` <1133366596.26593.345.camel@moss-spartans.epoch.ncsc.mil>
@ 2005-11-30 16:09       ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2005-11-30 16:09 UTC (permalink / raw)
  To: Sami Farin; +Cc: selinux

On Wed, 2005-11-30 at 11:03 -0500, Stephen Smalley wrote:
> On Wed, 2005-11-30 at 17:49 +0200, Sami Farin wrote:
> > All are XFS.
> > 
> > /dev/root / xfs rw,noatime 0 0
> > /dev/hdc7 /var xfs rw,noatime 0 0
> > /dev/hdc8 /usr xfs rw,noatime 0 0
> > /dev/hdc9 /wrk xfs rw,noatime 0 0
> > /dev/loop0 /mnt/aes xfs rw,noatime,nosuid,nodev 0 0
> 
> Therein lies the problem.  As of 2.6.14, xfs is not supported with
> SELinux until such a time as the xfs developers update their filesystem
> to call the security_inode_init_security() hook and set the attribute on
> newly created inodes.  Please nag the xfs developers about this.  See:
> http://marc.theaimsgroup.com/?l=selinux&m=112653995

Re-sending with the list cc'd this time, as you dropped the list from
your reply and thus my reply also didn't include the list.  I think this
is of general interest; we are likely to receive more such reports in
the future, so I wanted it archived.

-- 
Stephen Smalley
National Security Agency
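
Added example, not part of the thread or of any project's code: a Python probe for the symptom reported above. It creates a scratch file on each mount point in `/proc/mounts`-style text and reports whether the new file received a `security.selinux` attribute. The function names and the placeholder type names `unlabeled_t` / `file_t` are assumptions of this example.

```python
import errno
import os
import tempfile

XATTR = "security.selinux"
# Assumption: type names a kernel may report when no label is stored on disk.
PLACEHOLDER_TYPES = {"unlabeled_t", "file_t"}

def label_state(path, getxattr=os.getxattr):
    """Return 'labeled', 'unlabeled' or 'unsupported' for one file."""
    try:
        raw = getxattr(path, XATTR)
    except OSError as exc:
        if exc.errno == errno.ENODATA:      # attribute was never set
            return "unlabeled"
        if exc.errno == errno.ENOTSUP:      # filesystem has no xattr support
            return "unsupported"
        raise
    fields = raw.rstrip(b"\0").decode().split(":")
    if len(fields) < 3 or fields[2] in PLACEHOLDER_TYPES:
        return "unlabeled"
    return "labeled"

def parse_mounts(text):
    """Return (mountpoint, fstype) pairs from /proc/mounts-style lines."""
    return [(p[1], p[2]) for p in map(str.split, text.splitlines()) if len(p) >= 3]

def probe_new_file(directory, getxattr=os.getxattr):
    """Create a scratch file in directory and classify its label."""
    fd, path = tempfile.mkstemp(prefix=".selinux-probe-", dir=directory)
    os.close(fd)
    try:
        return label_state(path, getxattr)
    finally:
        os.unlink(path)

def audit(mounts_text, probe=probe_new_file):
    """Map each mount point to (fstype, label state of a new file there)."""
    report = {}
    for mountpoint, fstype in parse_mounts(mounts_text):
        try:
            report[mountpoint] = (fstype, probe(mountpoint))
        except OSError:                     # read-only or pseudo filesystem
            report[mountpoint] = (fstype, "error")
    return report

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for mnt, (fstype, state) in sorted(audit(fh.read()).items()):
            print(f"{state:12} {fstype:10} {mnt}")
```

Run it as a user who can write to the mount points being checked; mount points that cannot be written to are reported as `error`.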


