2010-12-29 18:56:11

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] file contexts for /proc/sys/* missing

Hi all,

My system seems to be unable to give proper security contexts to the "files"
in /proc/sys/*:

hpl sys # ls -laZ /proc/sys/
total 0
dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm

It seems that kernel.te should generate the necessary contexts, and for some
other locations (like /proc/net) it does:

dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
-r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
[...]

How do I go about debugging this? I was hoping to put some debugging
statements along the lines of the genfscon macro, but can't find its
definition anywhere.

Wkr,
Sven Vermeulen


2010-12-29 19:32:37

by gizmo

[permalink] [raw]
Subject: [refpolicy] file contexts for /proc/sys/* missing

On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
> Hi all,
>
> My system seems to be unable to give proper security contexts to the "files"
> in /proc/sys/*:
>
> hpl sys # ls -laZ /proc/sys/
> total 0
> dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
> dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
> dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
>
Interesting, I have the same behavior here, both on Fedora and my
Gentoo system.

matchpathcon /proc/sys says 'No such file or directory' which suggests
that no contexts are defined for that part of the tree. Interestingly
enough, /proc/sys/fs/binfmt_misc DOES have a context, as do the
contents. This suggests that those files may be labeled by a domtrans
or filetrans.

Someone who knows more than me will have to comment further.

> It seems that kernel.te should generate the necessary contexts, and for some
> other locations (like /proc/net) it does:
>
> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
> dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
> [...]
>
> How do I go about debugging this? I was hoping to put some debugging
> statements along the lines of the genfscon macro, but can't find its
> definition anywhere.
>
> Wkr,
> Sven Vermeulen

2011-01-03 21:32:55

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] file contexts for /proc/sys/* missing


On 12/29/2010 02:32 PM, Chris Richards wrote:
> On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
>> Hi all,
>>
>> My system seems to be unable to give proper security contexts to the "files"
>> in /proc/sys/*:
>>
>> hpl sys # ls -laZ /proc/sys/
>> total 0
>> dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
>> dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
>> dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
>>
> Interesting, I have the same behavior here, both on Fedora and my
> Gentoo system.
>
> matchpathcon /proc/sys says 'No such file or directory' which suggests
> that no contexts are defined for that part of the tree. Interestingly
> enough, /proc/sys/fs/binfmt_misc DOES have a context, as do the
> contents. This suggests that those files may be labeled by a domtrans
> or filetrans.
>
> Someone who knows more than me will have to comment further.
>
>> It seems that kernel.te should generate the necessary contexts, and for some
>> other locations (like /proc/net) it does:
>>
>> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
>> dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
>> [...]
>>
>> How do I go about debugging this? I was hoping to put some debugging
>> statements along the lines of the genfscon macro, but can't find its
>> definition anywhere.
>>
>> Wkr,
>> Sven Vermeulen


Since these are not real files and the context is being generated by the
kernel, we do not specify file contexts. There is a construct in base
policy to say how they should be labelled.

2011-01-03 23:22:30

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] file contexts for /proc/sys/* missing

On Mon, Jan 03, 2011 at 04:32:55PM -0500, Daniel J Walsh wrote:
> Since these are not real files and the context is being generated by the
> kernel, we do not specify file contexts. There is a construct in base
> policy to say how they should be labelled.

Yes, those genfscon statements. The weird thing is, the genfscon statements
within kernel.te for the /proc file system only partially work. For instance,
those for /proc/sys itself work (it gets sysctl_t), but those for /proc/sys/net
don't.

seinfo --genfscon shows all statements (including those for /proc/sys/net).

Wkr,
Sven Vermeulen
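The two observations in this thread (genfscon rules from kernel.te only partially showing up under /proc/sys, and /proc/sys/fs/binfmt_misc carrying a label when its siblings do not) can be checked against what the policy actually says a path should get. The script below is an added example, not code from the list or from refpolicy: it parses lines in the shape of `seinfo --genfscon` output, applies the kernel's longest-prefix genfs match, and maps an absolute path to its expected context. The genfscon lines and the mount table are constructed samples modelled on refpolicy's /proc rules; `sysctl_net_t` and `binfmt_misc_fs_t` are refpolicy types not mentioned in the thread, and binfmt_misc is treated as its own filesystem type mounted below /proc/sys/fs, which is why it gets a label of its own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of `seinfo --genfscon` output, modelled on
# the /proc rules in refpolicy's kernel.te (not copied from the policy).
SEINFO_GENFSCON = """\
genfscon proc / system_u:object_r:proc_t
genfscon proc /net system_u:object_r:proc_net_t
genfscon proc /sys system_u:object_r:sysctl_t
genfscon proc /sys/net system_u:object_r:sysctl_net_t
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
"""

# Constructed mount table (mount point -> genfs filesystem type).
# binfmt_misc is a separate filesystem mounted inside /proc/sys/fs.
MOUNTS = {"/proc": "proc", "/proc/sys/fs/binfmt_misc": "binfmt_misc"}


def parse_genfscon(text: str) -> List[Tuple[str, str, str]]:
    """Turn 'genfscon <fstype> <path> <context>' lines into tuples."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^genfscon\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rules.append(m.groups())
    return rules


def genfs_lookup(rules, fstype: str, path: str) -> Optional[str]:
    """Longest-prefix match as the kernel applies it to genfs filesystems.
    The comparison is a plain string prefix, so a rule for /sys would also
    cover a hypothetical /sysfoo; the longest matching rule wins."""
    best = None
    for rtype, rpath, ctx in rules:
        if rtype != fstype or not path.startswith(rpath):
            continue
        if best is None or len(rpath) > len(best[0]):
            best = (rpath, ctx)
    return best[1] if best else None


def expected_context(rules, abs_path: str) -> Optional[str]:
    """Map an absolute path to the context the genfscon rules assign it."""
    # Check the most specific (longest) mount point first.
    for mount in sorted(MOUNTS, key=len, reverse=True):
        if abs_path == mount or abs_path.startswith(mount + "/"):
            rel = abs_path[len(mount):] or "/"
            return genfs_lookup(rules, MOUNTS[mount], rel)
    return None  # not on a genfs-labelled filesystem we know about
```

Comparing `expected_context()` with `ls -Z` output tells you whether a missing label is a policy gap or, as here, the kernel not exposing the context for that path.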