2011-09-04 12:21:14

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations

In order for mount to work with all file locations, it needs
relabelfrom privileges as well (next to the relabelto ones).

The same patch is also already present in fedora's repository.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/mount.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 57d7294..429596f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
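Review bot: the change from files_relabelto_all_file_type_fs() to files_relabel_all_file_type_fs() grants mount_t relabelfrom on every file-type filesystem in addition to relabelto, and the commit message does not say which mount operation actually needs the extra direction. The comment right above the changed line already flags these rules as too broad ("These rules need to be generalized. Only admin, initrc should have it:"), so widening them further should cite the concrete denial that motivates it (the context= tmpfs mount reported later in this thread shows avc: denied { relabelfrom } with tcontext portage_ebuild_t and tclass=filesystem) so that reviewers can judge whether this is a policy gap or, as the follow-up suggests, a kernel labeling bug that policy should not paper over.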
--
1.7.3.4


2011-09-06 18:36:52

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations

On 09/04/11 08:21, Sven Vermeulen wrote:
> In order for mount to work with all file locations, it needs
> relabelfrom privileges as well (next to the relabelto ones).
>
> The same patch is also already present in fedora's repository.

I don't understand this, can you explain further? This rule is for context mounts, in which it would be relabeling from any filesystem type to a file type. When would it relabel from a file type?

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/mount.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 57d7294..429596f 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
> files_mounton_all_mountpoints(mount_t)
> files_unmount_rootfs(mount_t)
> # These rules need to be generalized. Only admin, initrc should have it:
> -files_relabelto_all_file_type_fs(mount_t)
> +files_relabel_all_file_type_fs(mount_t)
> files_mount_all_file_type_fs(mount_t)
> files_unmount_all_file_type_fs(mount_t)
> # for when /etc/mtab loses its type


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-09-07 19:23:22

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations

On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 08:21, Sven Vermeulen wrote:
> > In order for mount to work with all file locations, it needs
> > relabelfrom privileges as well (next to the relabelto ones).
> >
> > The same patch is also already present in fedora's repository.
>
> I don't understand this, can you explain further? This rule is for
> context mounts, in which it would be relabeling from any filesystem
> type to a file type. When would it relabel from a file type?

It is indeed with a context mount that we encountered the issue (see
https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)

It can be easily reproduced even on non-NFS:

build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
mount: block device tmpfs is write-protected, mounting read-only
mount: cannot mount block device tmpfs read-only

build log # cat avc.log
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400
audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400
audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736
comm="mount" scontext=root:sysadm_r:mount_t
tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem

With the relabelfrom privilege the mount works as expected.

Wkr,
Sven Vermeulen
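
The two AVC denials quoted above, parsed into the allow rule audit2allow would propose and checked against Chris's expectation that a context= mount should relabel from the filesystem's own type (tmpfs_t). This is an added example, not code from the thread; the sample log lines are the posted ones re-joined onto single lines, and the tmpfs_t expectation is taken from the reply, not verified against a kernel.

```python
import re

# Constructed sample: Sven's two denials, with the mail wrapping undone.
AVC_LOG = """\
Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400 audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400 audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736 comm="mount" scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
"""

# One denial per line: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per denial: permission set, source type, target type, class."""
    denials = []
    for m in AVC_RE.finditer(text):
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": m.group("scontext").split(":")[2],   # user:role:type[:level]
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into distinct allow rules, the way audit2allow does."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def check_context_mount(denials, context_type, fs_type):
    """For `mount -o context=<context_type>`, relabelto on context_type is expected.
    A relabelfrom denial whose target is not the filesystem's own type (fs_type,
    assumed tmpfs_t here as in the thread) is flagged instead of being allowed."""
    findings = []
    for d in denials:
        if d["tclass"] == "filesystem" and "relabelfrom" in d["perms"] and d["ttype"] != fs_type:
            why = "the context= label itself" if d["ttype"] == context_type else "an unrelated type"
            findings.append(f"relabelfrom on {d['ttype']} ({why}); expected {fs_type}")
    return findings
```

Feeding such a denial straight to audit2allow yields the broad rule below; the check shows why the thread questions it instead.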

2011-09-08 17:12:28

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations

On 9/7/2011 3:23 PM, Sven Vermeulen wrote:
> On Tue, Sep 06, 2011 at 02:36:52PM -0400, Christopher J. PeBenito wrote:
>> On 09/04/11 08:21, Sven Vermeulen wrote:
>>> In order for mount to work with all file locations, it needs
>>> relabelfrom privileges as well (next to the relabelto ones).
>>>
>>> The same patch is also already present in fedora's repository.
>>
>> I don't understand this, can you explain further? This rule is for
>> context mounts, in which it would be relabeling from any filesystem
>> type to a file type. When would it relabel from a file type?
>
> It is indeed with a context mount that we encountered the issue (see
> https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
>
> It can be easily reproduced even on non-NFS:
>
> build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> mount: block device tmpfs is write-protected, mounting read-only
> mount: cannot mount block device tmpfs read-only
>
> build log # cat avc.log
> Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400
> audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400
> audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736
> comm="mount" scontext=root:sysadm_r:mount_t
> tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
>
> With the relabelfrom privilege the mount works as expected.

This looks like a bug. I'd expect the relabelfrom tcontext to be tmpfs_t. I've asked Eric Paris to look into this.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-12-26 11:05:13

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations

On Thu, Sep 08, 2011 at 01:12:28PM -0400, Christopher J. PeBenito wrote:
> > It is indeed with a context mount that we encountered the issue (see
> > https://bugs.gentoo.org/show_bug.cgi?id=373673#c4)
> >
> > It can be easily reproduced even on non-NFS:
> >
> > build log # mount -t tmpfs -o context=system_u:object_r:portage_ebuild_t tmpfs /mnt
> > mount: block device tmpfs is write-protected, mounting read-only
> > mount: cannot mount block device tmpfs read-only
> >
> > build log # cat avc.log
> > Sep 7 21:22:17 build kernel: [ 3814.028379] type=1400
> > audit(1315423337.025:106): avc: denied { relabelfrom } for pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> > Sep 7 21:22:17 build kernel: [ 3814.036543] type=1400
> > audit(1315423337.034:107): avc: denied { relabelfrom } for pid=3736
> > comm="mount" scontext=root:sysadm_r:mount_t
> > tcontext=system_u:object_r:portage_ebuild_t tclass=filesystem
> >
> > With the relabelfrom privilege the mount works as expected.
>
> This looks like a bug. I'd expect the relabelfrom tcontext to be tmpfs_t. I've asked Eric Paris to look into this.

Any feedback on this?

Wkr,
Sven Vermeulen