We have been recently seeing some denials related to one of our files in ramfs.
The audit2allow output shows the following:
allow mount_t unlabeled_t:filesystem relabelfrom;
Our product is based on RHEL6. We did not see this in the RHEL5 version of our product.
Why would there be files of type unlabeled_t on the system with the move to RHEL6?
Thanks, Anamitra
On 10/18/2012 01:08 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Could be a label that the RHEL6 policy does not understand.
unlabeled_t means a file/device has a label that the kernel does not understand.
Running restorecon on the object should fix it.
On 10/18/2012 01:08 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Note that the class was "filesystem", not "file". So this is a denial upon an attempt to mount a filesystem with a context= or fscontext= mount option. The fact that it was originally unlabeled_t means that the policy had no entry for the filesystem type in its fs_use or genfs_contexts configuration. You should have gotten another message from SELinux (with a SELinux: prefix) when it was first mounted about it not being configured for labeling.
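The distinction Stephen draws (target class "filesystem" rather than "file" or "dir", with mount as the subject) is easy to check mechanically when such denials show up in bulk. The following POSIX sh snippet is an added example, not code from the thread: it pulls the fields out of an AVC record and classifies the denial. The first sample record is the AVC line quoted later in this thread; the second is a constructed record on a directory, included only to show the other branch.

```shell
#!/bin/sh
# Added example (not from the thread): triage an SELinux AVC record by
# subject type, target type, class and permissions. The first sample is
# the AVC line from this thread; the second is constructed for contrast.

AVC_SAMPLE='type=AVC msg=audit(1350688637.763:50803): avc: denied { relabelfrom } for pid=32717 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem'

# Constructed record (not from the thread): a plain inode-label denial.
AVC_CONSTRUCTED='type=AVC msg=audit(1350688700.000:50900): avc: denied { write } for pid=32720 comm="ccmtrace" name="sdi" dev=sda2 ino=3154284 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of KEY=value (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission list between the braces, trimmed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD -> "<kind> <subject type> <target type>[ <perms>]"
#   fs-mount-context : mount(8) relabelling a superblock that started as
#                      unlabeled_t, i.e. context=/fscontext= on a filesystem
#                      type the policy has no fs_use/genfscon entry for
#   inode-label      : an ordinary file/dir access denial
avc_triage() {
    rec=$1
    tclass=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    stype=$(context_type "$(avc_field "$rec" scontext)")
    ttype=$(context_type "$(avc_field "$rec" tcontext)")
    case "$tclass:$ttype:$perms" in
        filesystem:unlabeled_t:*relabelfrom*)
            echo "fs-mount-context $stype $ttype" ;;
        file:*|dir:*)
            echo "inode-label $stype $ttype" ;;
        *)
            echo "other $tclass $stype $ttype $perms" ;;
    esac
}

# Stand-alone run: classify both samples.
avc_triage "$AVC_SAMPLE"
avc_triage "$AVC_CONSTRUCTED"
```

On a live RHEL6 box the records come from `ausearch -m AVC -ts recent`; piping each `type=AVC` line through `avc_triage` separates the mount-time filesystem relabel (fixed by a policy rule or a genfscon entry, as discussed below in the thread) from ordinary inode denials that `restorecon` addresses.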
Hi Stephen,
Here is the AVC message from the audit logs
type=AVC msg=audit(1350688637.763:50803): avc: denied { relabelfrom } for pid=32717 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1350688637.763:50803): arch=c000003e syscall=165 success=yes exit=0 a0=7facda9323f0 a1=7facda9322f0 a2=7facda932410 a3=ffffffffc0ed0000 items=1 ppid=32716 pid=32717 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=CWD msg=audit(1350688637.763:50803): cwd="/"
type=PATH msg=audit(1350688637.763:50803): item=0 name="/var/log/ramfs/cm/trace/ccm/sdi" inode=3154284 dev=08:02 mode=040755 ouid=513 ogid=506 rdev=00:00 obj=system_u:object_r:var_log_t:s0
Thanks, Anamitra
On 10/18/12 10:59 AM, "Stephen Smalley" sds@tycho.nsa.gov wrote:
On 10/18/2012 03:27 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
Look for SELinux: messages in dmesg output or /var/log/messages that say "not configured for labeling". Or tell us what filesystem type you have mounted on /var/log/ramfs. Do you have a context= or fscontext= mount option in your /etc/fstab or wherever you specify the filesystem mount information?
Hi Stephen,
In the dmesg output we see the following selinux messages.
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
dracut: Loading SELinux policy
SELinux: 2048 avtab hash slots, 374087 rules.
SELinux: 2048 avtab hash slots, 374087 rules.
SELinux: 11 users, 12 roles, 3762 types, 180 bools, 1 sens, 1024 cats
SELinux: 81 classes, 374087 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sda2, type ext4), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev sda1, type ext4), uses xattr
SELinux: initialized (dev sda6, type ext4), uses xattr
SELinux: initialized (dev sda3, type ext4), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
Thanks, Anamitra
On 10/18/12 12:31 PM, "Stephen Smalley" sds@tycho.nsa.gov wrote:
On 10/18/2012 03:36 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
I assume that dbcfs is the relevant filesystem? So you are using mountpoint labeling, i.e. passing context= to the mount command with a specific security context to use, and the policy doesn't know anything about this filesystem type. So its initial label is unlabeled_t, and by passing a context= option, you are triggering a relabelfrom check to see if the mount program is authorized to set the context. You can just allow it in your policy. Should have been present even in RHEL5, I think.
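The "uses ..." suffix on each `SELinux: initialized` line is what Stephen is reading here: xattr, genfs_contexts, transition SIDs and task SIDs are all labeling behaviours the policy itself assigned to that filesystem type, whereas "mountpoint labeling" means the label was supplied by a context= mount option. The snippet below is an added example, not code from the thread; it scans those lines and reports the behaviour per filesystem type. The sample lines are taken from the dmesg output quoted above, shortened to one line per type.

```shell
#!/bin/sh
# Added example (not from the thread): read the kernel's
# "SELinux: initialized (dev X, type Y), uses Z" lines and report the
# labeling behaviour each filesystem type received. Sample lines are a
# subset of the dmesg output quoted earlier in this thread.

DMESG_SAMPLE='SELinux: initialized (dev sda2, type ext4), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling
SELinux: initialized (dev dbcfs, type dbcfs), uses mountpoint labeling'

# fs_labeling LOG FSTYPE -> the labeling behaviour recorded for FSTYPE
# ("xattr", "genfs_contexts", "transition SIDs", "task SIDs",
# "mountpoint labeling"), or "none" when the type never initialized
fs_labeling() {
    out=$(printf '%s\n' "$1" \
        | sed -n "s/^SELinux: initialized (dev [^,]*, type $2), uses \(.*\)\$/\1/p" \
        | sort -u)
    [ -n "$out" ] && printf '%s\n' "$out" || echo none
}

# fs_has_policy_entry LOG FSTYPE -> exit 0 when the policy (an fs_use_* or
# genfscon statement) decided the label, 1 when the label came from a
# context= mount option ("mountpoint labeling") or the type is absent
fs_has_policy_entry() {
    case "$(fs_labeling "$1" "$2")" in
        xattr|genfs_contexts|"transition SIDs"|"task SIDs") return 0 ;;
        *) return 1 ;;
    esac
}

# list_mountpoint_labeled LOG -> filesystem types whose superblock label
# was supplied by a mount option; these are the candidates for an
# unlabeled_t relabelfrom denial like the one in this thread
list_mountpoint_labeled() {
    printf '%s\n' "$1" \
        | sed -n 's/^SELinux: initialized (dev [^,]*, type \([^)]*\)), uses mountpoint labeling$/\1/p' \
        | sort -u
}

# Stand-alone run against the embedded sample.
for fs in ext4 proc dbcfs ramfs; do
    printf '%-6s %s\n' "$fs" "$(fs_labeling "$DMESG_SAMPLE" "$fs")"
done
echo "mountpoint-labeled types: $(list_mountpoint_labeled "$DMESG_SAMPLE")"
```

On a running system the input is `dmesg` or `/var/log/messages` rather than the embedded string, e.g. `list_mountpoint_labeled "$(dmesg)"`. A type that shows up as "mountpoint labeling" while the policy has no entry for it is exactly the situation that starts from unlabeled_t and trips the relabelfrom check when mount passes context=.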
Hi Stephen,
Alternatively can we set the filesystem type to start with? So that the initial label is not unlabeled_t. If so where can we do this?
Thanks, Anamitra
On 10/18/12 12:44 PM, "Stephen Smalley" sds@tycho.nsa.gov wrote:
On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
That would require a modified policy, to define a labeling behavior for dbcfs via a genfscon statement in policy/modules/kernel/filesystem.te. But that has to be built into the base policy module; you can't add it via a non-base policy module. Likely simpler to just allow mount_t to do this.
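The two options Stephen lays out look like this on disk. The script below is an added example, not code from the thread or from the selinux-policy package: it writes the loadable module that grants exactly the permission the AVC asked for (the same rule Dan later added to the base policy), and separately writes the genfscon line that would have to go into the base policy's filesystem.te instead. The module name `mount_ctx` is my own choice, and the context used in the genfscon line (var_log_t, because the mountpoint sits under /var/log) is an assumption; a maintainer would normally define a dedicated type for the filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): the loadable-module fix and the
# base-policy genfscon alternative for the unlabeled_t relabelfrom denial.
# Module name "mount_ctx" and the var_log_t context are my assumptions.

# write_allow_module DIR -> path of DIR/mount_ctx.te, a policy module in the
# same form audit2allow -M produces, carrying the one rule from the thread
write_allow_module() {
    te="$1/mount_ctx.te"
    cat > "$te" <<'EOF'
module mount_ctx 1.0;

require {
    type mount_t;
    type unlabeled_t;
    class filesystem relabelfrom;
}

# mount(8) passing context= on a filesystem type that has no
# fs_use/genfscon entry starts from unlabeled_t and must be allowed
# to relabel the superblock.
allow mount_t unlabeled_t:filesystem relabelfrom;
EOF
    printf '%s\n' "$te"
}

# write_genfscon_snippet DIR FSTYPE CONTEXT -> path of a snippet holding the
# genfscon statement; it only compiles inside the base policy module
# (policy/modules/kernel/filesystem.te), never in a loadable module
write_genfscon_snippet() {
    f="$1/filesystem.te.snippet"
    {
        echo "# Add to policy/modules/kernel/filesystem.te in the base policy;"
        echo "# genfscon is rejected in a non-base (loadable) module."
        echo "genfscon $2 / gen_context($3,s0)"
    } > "$f"
    printf '%s\n' "$f"
}

# build_module TE -> compiles TE into a .pp with checkmodule/semodule_package
# when those tools exist; otherwise prints the commands to run on the target
build_module() {
    te=$1
    base=${te%.te}
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$base.mod" "$te"
        semodule_package -o "$base.pp" -m "$base.mod"
        echo "built $base.pp; load it with: semodule -i $base.pp"
    else
        echo "dry run (no checkmodule on this host); on the RHEL6 system run:"
        echo "  checkmodule -M -m -o $base.mod $te"
        echo "  semodule_package -o $base.pp -m $base.mod"
        echo "  semodule -i $base.pp"
    fi
}

# Stand-alone run: write both files into a scratch directory.
demo_dir=$(mktemp -d)
demo_te=$(write_allow_module "$demo_dir")
cat "$demo_te"
build_module "$demo_te"
cat "$(write_genfscon_snippet "$demo_dir" dbcfs system_u:object_r:var_log_t)"
```

After `semodule -i`, `sesearch -A -s mount_t -t unlabeled_t -c filesystem` (from setools) confirms the rule is loaded. Once the updated selinux-policy package that Dan mentions below is installed, the local module is redundant and can be dropped with `semodule -r mount_ctx`.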
On 10/18/2012 03:49 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
I just added
allow mount_t unlabeled_t:filesystem relabelfrom;
To Fedora 18. Having Miroslav back port to RHEL6 and RHEL5.
Hi Dan,
Thanks for including this in the base policy. How can we track the backport to RHEL6, and do you have a timeframe as to when it will get backported to RHEL6?
Thanks, Anamitra
On 10/19/12 3:45 AM, "Daniel J Walsh" dwalsh@redhat.com wrote:
On 10/19/2012 12:13 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
It will be in RHEL6.4
It is in selinux-policy-3.7.19-174.el6
Preview is available on
http://people.redhat.com/dwalsh/SELinux/noarch