On Tue, 2010-04-20 at 11:05 -0400, Eric Paris wrote:
> It does look like you are right, we might never hit the
> cap_inode_setsecurity, but I'm trying to run down exactly how this is
> happening....
>
> -Eric
>
> On Tue, Apr 20, 2010 at 11:00 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > On 04/20/2010 10:45 AM, Stephen Smalley wrote:
> >> On Tue, 2010-04-20 at 10:21 -0400, Daniel J Walsh wrote:
> >>> Currently the kernel is blocking the setting of labels on a disabled
> >>> SELinux box.
> >>>
> >>> We have made changes to livecd to be able to build a livecd image on a
> >>> disabled SELinux box, but the kernel is preventing the placing of labels.
> >>>
> >>> We want this functionality so that Fedora Build machines can be allowed
> >>> to create different kinds of images and do not want to require all
> >>> machines to enable SELinux.
> >>>
> >>> Currently these images are being built with SELinux disabled because of
> >>> this.
> >>>
> >>> strace shows
> >>>
> >>> lsetxattr("/root/whatever/", "security.selinux",
> >>> "system_u:object_r:root_t:s0", 28, 0) = -1 EOPNOTSUPP (Operation not
> >>> supported)
> >>>
> >>>
> >>> eparis says this code is causing the problem.
> >>>
> >>> static int cap_inode_setsecurity(struct inode *inode, const char *name,
> >>>                                  const void *value, size_t size, int flags)
> >>> {
> >>>         return -EOPNOTSUPP;
> >>> }
> >>>
> >>> I think we should allow this if you have a capability like sys_admin or
> >>> dac_override.
> >>
> >> Perhaps I don't understand, but inode_setsecurity() is only called if
> >> the filesystem does not support xattrs; otherwise it gets handled via
> >> the filesystem's ->setxattr handler, and that should work regardless of
> >> SELinux-disabled (and always has in the past).
> >>
> >> I think we need more details, like kernel version, filesystem type, etc.
> >>
> >
> > 2.6.32.11-99.fc12.x86_64; ext4

Oh, this is the dracut bug that isn't really disabling SELinux (just
leaving it permissive with no policy loaded). Ala FC2 days. Didn't
that get fixed?

grep selinuxfs /proc/filesystems

-- 
Stephen Smalley
National Security Agency
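Stephen's one-line check and the lsetxattr call from Dan's strace, combined into a small diagnostic. This is an added example, not code from the thread or from any of its participants. It tells "SELinux disabled" (no selinuxfs registered in /proc/filesystems) apart from the dracut case Stephen describes (selinuxfs registered, no policy loaded, so every task still reports the initial-SID name "kernel" as its context, which is what older libselinux is_selinux_enabled() keyed on), and then optionally tries to write security.selinux on a scratch file. Assumptions: Linux, setfattr(1) from the attr package for the optional probe, and the file paths default to the live kernel interfaces but can be pointed at saved copies, which is how the functions are exercised offline.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread.
# selinuxfs_registered: 0 if the kernel registered selinuxfs, i.e. SELinux is
#   built in and was not disabled at boot. $1: /proc/filesystems-style file.
# selinux_state: prints disabled | no-policy | enabled.
#   $1: /proc/filesystems-style file, $2: /proc/self/attr/current-style file.
# probe_security_xattr: repeats the operation from the strace on a scratch
#   file under $1 using setfattr. Returns 0 if the xattr could be set, 1 if
#   the kernel refused (error printed), 2 if setfattr is not installed.

selinuxfs_registered() {
    # Real lines look like "nodev<TAB>selinuxfs"; anchor on the name only.
    grep -q '[[:space:]]selinuxfs$' "${1:-/proc/filesystems}"
}

selinux_state() {
    fs_file="${1:-/proc/filesystems}"
    ctx_file="${2:-/proc/self/attr/current}"
    if ! selinuxfs_registered "$fs_file"; then
        echo disabled
        return 0
    fi
    # The attr file carries a trailing NUL on some kernels; strip it.
    # With no policy loaded the context is the initial-SID name "kernel".
    ctx=$(tr -d '\000' < "$ctx_file" 2>/dev/null || true)
    case "$ctx" in
        kernel|"") echo no-policy ;;
        *)         echo enabled ;;
    esac
}

probe_security_xattr() {
    dir="${1:-.}"
    command -v setfattr >/dev/null 2>&1 || return 2
    f=$(mktemp "$dir/xattrprobe.XXXXXX") || return 1
    # Same name and value as the lsetxattr call in Dan's strace.
    if setfattr -n security.selinux -v system_u:object_r:root_t:s0 "$f" 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}

# Stand-alone use: ./selinux_xattr_diag.sh --run [directory-to-probe]
if [ "${1:-}" = "--run" ]; then
    echo "selinux state: $(selinux_state)"
    if probe_security_xattr "${2:-/tmp}"; then
        echo "security.selinux: writable"
    elif [ $? -eq 2 ]; then
        echo "setfattr not installed, probe skipped"
    else
        echo "security.selinux: not writable (see error above)"
    fi
fi
```

A box that prints "no-policy" together with an EOPNOTSUPP from the probe is in exactly the state the thread ends on: the kernel still has SELinux hooks active, just no policy, and selinux=0 on the kernel command line (or whatever dracut was supposed to honour) has not actually taken effect.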