Re: AVC for unlabeled_t on cgroup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

>________________________________
> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
>To: Andy Ruch <adruch2002@xxxxxxxxx> 
>Cc: SELinux ML <selinux@xxxxxxxxxxxxx> 
>Sent: Thursday, July 11, 2013 1:06 PM
>Subject: Re: AVC for unlabeled_t on cgroup
> 
>
>On 07/11/2013 02:38 PM, Andy Ruch wrote:
>> Hello,
>>
>> I'm implementing a restrictive policy for RHEL 6.3 based on CLIP. I've enabled the cgroup module but I'm still seeing the AVC below. This is just one of a dozen similar AVC's for different inodes. When I look at the /cgroup after the system boots, everything has a cgroup_t label. Where would the unlabeled_t be coming from?
>>
>>
>>
>> type=SYSCALL msg=audit(07/11/2013 17:25:38.885:7) : arch=x86_64 syscall=mount success=yes exit=0 a0=7f57846ac4c1 a1=7f57848b03c0 a2=7f57846ac4c1 a3=0 items=0 ppid=1177 pid=1178 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cgconfigparser exe=/sbin/cgconfigparser subj=system_u:system_r:cgconfig_t:s0 key=(null)
>>
>> type=AVC msg=audit(07/11/2013 17:25:38.885:7) : avc:  denied  { search } for  pid=1178 comm=cgconfigparser name=/ dev=cgroup ino=12518 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
>That's likely a kernel-internal lookup during creation of a cgroup 
>inode.  cgroup has some code to switch to the kernel credential when 
>performing such lookups to avoid permission denials IIRC, which presumes 
>then that you allow this in your policy. Doesn't show up in typical 
>policies as they allow kernel_t all access since it can do anything it 
>wants anyway.
>
>
>


Since this is beyond my expertise, any recommendations for handling it? Do I ignore it? Allowing kernel_t all access doesn't seem like a good option for a secure system. We're not really using cgroups, but it's required for libvirt.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux