Re: ext4_has_free_blocks always checks cap_sys_resource and makes SELinux unhappy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 2008-10-24 at 11:05 -0400, Eric Paris wrote:
> I'm running an ext4 root filesystem and regularly get SELinux denials
> like:
> 
> Oct 16 08:32:55 localhost kernel: type=1400 audit(1224160369.076:5):
> avc: denied  { sys_resource } for  pid=1624 comm="dbus-daemon"
> capability=24 scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=467216
> 
> Since this doesn't happen with people who have ext3 filesystems but
> everything else the same it lead me to look at ext4.  I see that
> ext?_has_free_blocks() has changed since ext3 and now we always check
> for capable(CAP_SYS_RESOUCE).  If a process actually has the capability
> in pE (as many root processes would) but doesn't have the capability in
> SELinux policy we will get a denial.
> 
> I can think of a couple ways to fix this:
> 
> the first (and one I like) is to change ext4 to stop checking
> CAP_SYS_RESOURCE all the time.  It's not really 'pretty' but I think you
> would actually get a better performing function.  Just always calculate
> root_blocks and if we don't have enough room then then do the whole
> check to see if are root and recalculate without root_blocks.  I'd guess
> that a great majority of the time operations will succeed even with a
> non-zero root_blocks and I would guess that most process aren't going to
> be root processes and so we would be calculating root_blocks anyway.
> This would (like ext3) only cause these denials when it was filled up.
> We've been living with that forever, so I don't see a problem there...
> 
> The second way would be a new lsm hook.  Instead of calling capable(),
> ext4 could call something like a new capable_noaudit() which would
> return the same result but would tell the lsm that this isn't a security
> decision and shouldn't be audited.  The LSM doesn't currently have any
> kind of syntax or representation like this exposed to the main kernel,
> so I'm a little skeptical how the LSM community at large would respond
> to exposing such a thing...
> 
> Another would be a new specific LSM call to just check cap_sys_resource
> which also doesn't get audited.
> 
> Do others have thoughts?

Seems similar to the vm_enough_memory() case, where we likewise
introduced a separate security hook that internally checks without
auditing.

The OOM killer likewise ought to be using a non-auditing form of
capability checks.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux