Re: filesystem mount AVC denial

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2009-02-02 at 14:02 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stephen Smalley wrote:
> > On Fri, 2009-01-30 at 15:45 -0800, Clarkson, Mike R (US SSA) wrote:
> >> I got the following AVC denial in the audit logs and I'm wondering what
> >> would cause this:
> >>
> >> type=AVC msg=audit(1232734163.528:997720):avc: denied { mount } for
> >> pid=28016 comm="find" name="/" dev=0:1c ino=0
> >> scontext=root:staff_r:libstart_t:s0-s4:c0.c255
> >> tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
> >>
> >> The program running in the libstart_t domain is using the "find" cmd,
> >> and find is requiring the "mount" permission. Could this be caused by
> >> "find" traversing into an automounted (NFS) directory? But in that case
> >> I would expect the automount daemon, which is running in the automount_t
> >> domain, to do the mounting.
> > 
> > Could be a nfs submount, triggered upon traversing the boundary?
> > 
> We had this happen on another bug report, and I think it is just wrong.
> 
> Since automounter could mount any file system or any file for that
> matter, this means in order to make this work, any confined domain that
> could traverse a directory that is automounted could fail with an AVC
> like the above.
> 
> guest_t cd to /mynfs Would fail????
> 
> automount is doing the mount so the kernel should say automount not
> libstart_t.
> 
> I think this is a bug in the kernel.

Yes, it is similar to the recent proc/self/net problem.

Eric?  James?  The fundamental issue is that we are performing a
permission check in a core function that gets used internally by the
kernel for mounts, not just when userspace initiates a mount.  In the
proc case we could use MS_KERNMOUNT as a discriminator, but not in this
case, at least at present.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux