Re: How should I run genfscon in my module?

[Joshua Brindle <jbrindle@xxxxxxxxxx>]

Dawid Gajownik wrote:
> Hi!
>     I wanted to help resolving bug 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211767
>
> During some investigation I found that after mounting ntfs partition 
> files have context set to unlabeled_t. I downloaded 
> selinux-policy.srpm and found in policy/modules/kernel/filesystem.te 
> these lines:
>
> #
> # dosfs_t is the type for fat and vfat
> # filesystems and their files.
> #
> type dosfs_t;
> fs_noxattr_type(dosfs_t)
> allow dosfs_t fs_t:filesystem associate;
> genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
>
> I thought "Great, I need similar entry in my module!". I prepared this 
> file:
> [root@X ~]# cat ntfs3g.te
> module ntfs3g 1.0;
>
> require {
>         class chr_file { getattr read write };
>         class file execute_no_trans;
>         type device_t;
>         type dosfs_t;
>         type mount_exec_t;
>         type mount_t;
>         role system_r;
> };
>
> genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
> allow mount_t device_t:chr_file { getattr read write };
> allow mount_t mount_exec_t:file execute_no_trans;
> [root@X ~]#
>
> As you can guess it does not compile ;-)
>
> [root@X ~]# checkmodule -M -m -o ntfs3g.mod ntfs3g.te
> checkmodule:  loading policy configuration from ntfs3g.te
> (unknown source)::ERROR 'syntax error' at token 'genfscon' on line 13:
>
> genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
> checkmodule:  error(s) encountered while parsing configuration
> [root@X ~]#
>
> What I have done wrong?
>
> (FC6, selinux-policy-targeted-2.4.1-3.fc6)
Modules do not allow genfscon statements, the grammar of modules is a 
subset of the base policy grammar. unfortunately you will have to add 
this entry to the base policy. Refpolicy's concept of module may be a 
little misleading, it doesn't convert to each one being able to compile 
as a policy module, there are several modules that are required to be 
part of base.

However, is this filesystem slated for upstream kernel? If so it should 
be added to refpolicy anyway, it would get the nfs_t type though, 
instead of dosfs_t

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list