From: dac.override@gmail.com (Dominick Grift) Date: Wed, 6 Jan 2016 20:47:23 +0100 Subject: [refpolicy] Which labelling for namespace filesystem? In-Reply-To: <568D6E2D.5030003@m4x.org> References: <568D5ED6.5040709@m4x.org> <20160106184428.GB15916@x250> <568D6E2D.5030003@m4x.org> Message-ID: <20160106194722.GA1863@x250> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, Jan 06, 2016 at 08:42:37PM +0100, Nicolas Iooss wrote: > On 01/06/2016 07:44 PM, Dominick Grift wrote: > > On Wed, Jan 06, 2016 at 07:37:10PM +0100, Nicolas Iooss wrote: > >> Hello, > > > >> On the system I'm using to get refpolicy working with Arch Linux, I have > >> these lines in audit.log: > > > >> type=AVC msg=audit(1451041210.334:794): avc: denied { read } for > >> pid=28829 comm="(ostnamed)" dev="nsfs" ino=4026532544 > >> scontext=system_u:system_r:init_t > >> tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 > > > >> type=AVC msg=audit(1451041210.334:794): avc: denied { open } for > >> pid=28829 comm="(ostnamed)" path="net:[4026532544]" dev="nsfs" > >> ino=4026532544 scontext=system_u:system_r:init_t > >> tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 > > > >> These accesses are caused by open("/proc/self/ns/net"...) in systemd > >> setup_netns() function [1]. Indeed /proc/PID/ns/* symlinks target a > >> special filesystem named nsfs which is used for setns() syscall [2]. As > >> this filesystem is not defined in refpolicy, its files are currently > >> unlabeled, which explains the audit records. > > > >> To fix this, I see two options: > > > >> * "fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0);", so that > >> programs already allowed to access the /proc/PID tree of a process can > >> also open /proc/PID/ns/* files. > > > >> * "genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0))", with a > >> new fs type. Programs using setns() will then need to be granted > >> opening and reading nsfs_t files, in addition to be allowed using > >> /proc/PID/ files of the target process. > > > > Have you tried this option? I recall having tried it, and not getting > > this to work. > > Yes, in permissive mode only though. I first added this to > kernel/filesystem.te: > > type nsfs_t; > fs_type(nsfs_t) > genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) > > Then (after rebooting) audit.log showed: > > type=AVC msg=audit(1452106332.300:1811): avc: denied { read } for > pid=11125 comm="(ostnamed)" dev="nsfs" ino=4026532618 > scontext=system_u:system_r:init_t tcontext=system_u:object_r:nsfs_t > tclass=file permissive=1 > type=AVC msg=audit(1452106332.300:1811): avc: denied { open } for > pid=11125 comm="(ostnamed)" path="net:[4026532618]" dev="nsfs" > ino=4026532618 scontext=system_u:system_r:init_t > tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 > > Adding the following lines to system/init.te in the > ifdef(`init_systemd') block made these messages disappear when running > "systemctl restart systemd-hostnamed.service": > > optional_policy(` > gen_require(` > type nsfs_t; > ') > allow init_t nsfs_t:file read_file_perms; > ') > > Could you please describe the problem you had, so that I can see if I > also have it? The problem i had was that i was not seeing these "read" file events. The AVC denials above prove me wrong. I must have overlooked something. > > Nicolas > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCAAGBQJWjW9GAAoJECV0jlU3+UdpJ0oL/38K4OOud8bj7zyK9kdtUFMS G49q0KKdxsmorEEuC02vG0UGuc0oPgdsykpKFSOiMIMh9Z0SdVbdch6T2AchzmGW 4fU7a+fI4vlD+lvjCrnpI7qFOprct/z/mCH9Lq9yDrwte6qwOEbK6j+La0t+tTqj MX++e1x+Zr6nAZIZjqFEzyXAe+E40Zi3kHcQs8NxM02f6Tzf/6u3jvGa1iF9o/rY wuomSb7t5w1YoSpi54v2JKGNspfi9h6P2IW4hjeZfclrhmEOa2w28UDnevCCP7a8 mo3V4u+MNdZs79n1tjwV7UAFbvjyxgZwl3X2qyHpgQua90Xq6LQS1ZRGRmcQ0kvW D1ORBjWaNeYVgjWnA1dTYdeDqEUu0xPd6fnotTwooHsBIcrPt4sHCcidi22xgbBd hptD04iPXM92ypLSZs1wDSqdQ48voOmY25s6zATcx+nhdMnYCHVHz/0etDNiWEWZ 4g4zEVKuOCXlBHOjUTmGgauIXjGpLsHbf/D75RLLUw== =hM8E -----END PGP SIGNATURE-----