On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:
> On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:
> 
> > On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
> >> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in
> >> /var/log/messages on boot
> >>
> >> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5):
> >> avc: denied { unmount } for pid=1 comm="init"
> >> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >> tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
> >> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6):
> >> avc: denied { unmount } for pid=1 comm="init"
> >> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
> >> Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7):
> >> avc: denied { unmount } for pid=1 comm="init"
> >> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> >> tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
> >>
> >> is adding
> >>
> >> allow kernel_t proc_t:filesystem unmount;
> >> allow kernel_t sysfs_t:filesystem unmount;
> >> allow kernel_t tmpfs_t:filesystem unmount;
> >>
> >> to kernel.te the correct fix for this?
> >
> > fs_unmount_all_fs(kernel_t)
> 
> fs_mount_all_fs(kernel_t) is already in kernel.te. After further
> experimentation, I think it is a constraint issue (s15:c0.c1023
> unmounting s0).

Well, I know that fs_mount_all_fs() is already there - but we are talking
about unmount, not mount.

And it may also involve constraints, in which case kernel_t might need
mls_file_write_all_levels(). Which I would think would be needed anyway
for e.g. nfsd operation.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
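As an added illustration (not part of the thread), a small Python triage script that parses AVC denial lines like the ones above, emits the type-enforcement rule each one would need, and flags the cases where the source and target MLS levels differ, which is the situation Joe suspected is really an MLS constraint (s15:c0.c1023 acting on s0) rather than a missing allow rule. The sample log (the thread's three denials rejoined into single lines, plus one same-level line I constructed) and the `level_mismatch` heuristic are mine.

```python
import re

# Constructed sample: the three denials quoted in the thread, rejoined into
# single lines as the kernel emits them, plus one same-level denial made up
# for contrast.
SAMPLE_LOG = """\
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
Mar 6 10:00:02 xw4100 kernel: type=1400 audit(1204819181.000:8): avc: denied { getattr } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """user:role:type[:level] -> (type, level); level is '' on non-MLS policies."""
    parts = ctx.split(':', 3)
    return parts[2], (parts[3] if len(parts) > 3 else '')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, slevel = split_context(m['scontext'])
    ttype, tlevel = split_context(m['tcontext'])
    perms = m['perms'].split()
    return {
        'perms': perms, 'stype': stype, 'ttype': ttype, 'tclass': m['tclass'],
        'slevel': slevel, 'tlevel': tlevel,
        # Heuristic (constructed here): when the MLS levels differ, a constraint
        # may still deny the access after the TE rule is added. This is a plain
        # string comparison, not a dominance check against the policy's levels.
        'level_mismatch': slevel != tlevel,
        'te_rule': 'allow %s %s:%s { %s };' % (stype, ttype, m['tclass'], ' '.join(perms)),
    }


def triage(log_text):
    """Parse every AVC line in a log blob; non-AVC lines are skipped."""
    return [d for d in map(parse_avc, log_text.splitlines()) if d]


if __name__ == '__main__':
    for d in triage(SAMPLE_LOG):
        flag = '  # levels differ: check MLS constraints too' if d['level_mismatch'] else ''
        print(d['te_rule'] + flag)
```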