From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 4 Mar 2014 11:31:28 -0500
Subject: [refpolicy] restorecon/setfiles generating avc: denied { getattr } on pseudo filesystems
In-Reply-To: <20140304171237.41758378@soldur.bigon.be>
References: <20140304171237.41758378@soldur.bigon.be>
Message-ID: <5315FFE0.7010009@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
> Currently, if you are running restorecon/fixfiles on a pseudo
> filesystem (sysfs_t, device_t, tmpfs_t) we are getting the following
> kind of AVC:
>
> type=AVC msg=audit(1393898218.762:236): avc: denied { getattr } for pid=3902 comm="setfiles" name="/" dev=tmpfs ino=5056 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
>
> This is happening because these file systems are not of the type fs_t.
> However, these pseudo fs support xattrs.
>
> Talking a bit with Dominick, he proposed to create a new
> "xattrfs" attribute, attach it to all the filesystems and then use it
> instead of fs_t in the allow rules. This should probably also
> simplify/fix situations where files are moved around these pseudo-fs
> and real fs.

It sounds reasonable to me, now that fs_t is not the only xattr fs.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
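A sketch, in refpolicy's M4 policy language, of what the proposed change looks like; this is an added illustration written for this page, not a patch from the thread or from refpolicy itself. The attribute name xattrfs and the filesystem types come from the discussion above; the interface names fs_xattr_type and fs_getattr_xattr_fs and the file placement are assumptions.

```m4
# kernel/filesystem.te (hypothetical sketch of the proposal)

# One attribute grouping every filesystem type that supports security
# xattrs, so allow rules no longer have to name fs_t alone.
attribute xattrfs;

# kernel/filesystem.if (interface names are assumptions)

## <summary>
##	Mark a filesystem type as supporting security xattrs.
## </summary>
## <param name="type">Filesystem type to add to the xattrfs group.</param>
interface(`fs_xattr_type',`
	gen_require(`
		attribute xattrfs;
	')
	typeattribute $1 xattrfs;
')

## <summary>
##	Get the attributes of all xattr-capable filesystems; replaces
##	rules that granted getattr on fs_t only.
## </summary>
## <param name="domain">Domain allowed access.</param>
interface(`fs_getattr_xattr_fs',`
	gen_require(`
		attribute xattrfs;
	')
	allow $1 xattrfs:filesystem getattr;
')

# kernel/filesystem.te: fs_t stays an xattr filesystem, and the
# pseudo filesystems named in the AVC denials join the same group.
fs_xattr_type(fs_t)
fs_xattr_type(tmpfs_t)
fs_xattr_type(sysfs_t)
# device_t lives in kernel/devices.te in refpolicy; shown here only
# to keep the sketch in one place.
fs_xattr_type(device_t)

# system/selinuxutil.te: the access setfiles was denied above, now
# granted on every xattr filesystem instead of on fs_t alone.
fs_getattr_xattr_fs(setfiles_t)
```

After rebuilding and loading the policy, re-running restorecon on a tmpfs mount should no longer produce the `tclass=filesystem` getattr denial for setfiles_t.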