On Mar 6, 2008, at 1:04 PM, Stephen Smalley wrote:
On Thu, 2008-03-06 at 12:36 -0600, Joe Nall wrote:On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in /var/log/messages on boot Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem is adding allow kernel_t proc_t:filesystem unmount; allow kernel_t sysfs_t:filesystem unmount; allow kernel_t tmpfs_t:filesystem unmount; to kernel.te the correct fix for this?fs_unmount_all_fs(kernel_t)fs_mount_all_fs(kernel_t) is slready in kernel.te. After further experimentation, I think it is a constraint issue (s15:c0.c1023 unmounting s0).Well, I know that fs_mount_all_fs() is already there - but we are talking about unmount, not mount.
correct
And it may also involve constraints, in which case kernel_t might needmls_file_write_all_levels(). Which I would think would be needed anywayfor e.g. nfsd operation.
Thanks for the pointer. All three of the following were required. I added them one at a time to the policy and rebooted each time. Patch against selinux-policy-3.3.1-11 attached.
fs_unmount_all_fs(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t)
Attachment:
kernel.te.patch
Description: Binary data
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
