From: Alexander Wetzel <alexander@wetzel-home.de>
To: selinux@vger.kernel.org
Cc: acgoide@tycho.nsa.gov, paul@paul-moore.com
Subject: "watch" - Problem when using kernel >= 5.4
Date: Sat, 14 Dec 2019 17:40:51 +0100
Message-ID: <9d54debb-7031-4d93-38b7-62c853289512@wetzel-home.de>

Hello,

I've a strange problem with selinux when switching to a kernel >= 5.4.0 and 
since this could be an unintended regression I want to report it here, too.

There are two threads in the Gentoo forum with more details:
https://forums.gentoo.org/viewtopic-t-1105128.html (started by me)
https://forums.gentoo.org/viewtopic-t-1104916.html (looks like the same 
underlying issue)

In a nutshell, commit ac5656d8a4cd ("fanotify, inotify, dnotify, 
security: add security hook for fs notifications") added new hooks for 
fs notifications which also seem to require updated user space and 
policies, which seem to be unavailable as of now.

So when updating the kernel to >= 5.4.0 all processes trying to register 
for file notifications will be blocked. And at least I was unable to 
add rules for the new permission "watch", even after updating all 
selinux tools/libraries and policies to the upstream git versions - as 
provided by Gentoo's -9999 version of the packages.

Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): 
avc:  denied  { watch } for  pid=2826 comm="crond" 
path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 
scontext=system_u:system_r:crond_t 
tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0

I ended up reverting commit ac5656d8a4cd ("fanotify, inotify, dnotify, 
security: add security hook for fs notifications") and asked in the 
gentoo forum - so far without success (link above) - how that should 
work properly.

If there is a way to use an unmodified kernel >= 5.4.0 with older (so 
far all current) selinux tools and policies I did miss it.

Do you have a pointer on how I can keep the commit ac5656d8a4cd in an 
SELinux-enabled system in enforcing mode without breaking all file 
change notifications?

Alexander
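As an added example (not part of the original message), a small Python helper that parses an AVC record like the one quoted above and renders the allow rule a policy fix would need, audit2allow-style. The sample line is constructed from the report; the rendered rule only compiles if the loaded policy already defines the `watch` permission on the target class, which is an assumption here.

```python
import re

# Constructed sample: the AVC denial quoted in the report above, with the
# syslog prefix kept and the wrapped line joined back together.
SAMPLE_AVC = (
    'Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): '
    'avc:  denied  { watch } for  pid=2826 comm="crond" '
    'path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 '
    'scontext=system_u:system_r:crond_t '
    'tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0'
)

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an SELinux AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in _FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')   # drop the quotes around comm/path/dev
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(':')[2]


def allow_rule(rec):
    """Render the allow rule the denial maps to (assumes the policy knows the perm)."""
    return 'allow %s %s:%s { %s };' % (
        type_of(rec['scontext']), type_of(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))


def watch_denials(lines):
    """Keep only denials of the new 'watch' permission, the symptom in the report."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and 'watch' in rec['perms']:
            out.append(rec)
    return out
```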