On Thu, 2007-08-02 at 23:14 -0400, David-Alexandre Davidson wrote:
On Fedora 7, latest SELinux strict policy.
I have written an SELinux module which goes through a domain transition
when executing a file on an NFS mount (labeled nfs_t).
However, the transition never occurs, and I get a denied
execute_no_trans on nfs_t files.
In order to find the source of the problem I have taken a file with the
exact same context outside of the NFS mount and the transition works fine.
Here is the related part of my module:
domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
allow custom_trans_t nfs_t:file rx_file_perms;
allow custom_trans_t nfs_t:dir r_dir_perms;
Here are the details on the nfs share:
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/home/usera/var/bin/testphp.app
result:
type=AVC msg=audit(1186108700.494:230294): avc: denied {
execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app"
dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
Running the same program and executing an identical file outside the NFS
share (I labelled it manually to match):
file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t
/testphp.app
result:
transition is made to context i_custom_t, nothing is audited
Any idea what can cause this difference? I don't believe this behavior
is normal. By the way, if I allow execute_no_trans on nfs_t, the
file gets executed just fine but without the expected transition...
Any help would be much appreciated!
If the filesystem is mounted nosuid, then SELinux domain transitions on
it are also disabled. Not as flexible as we might like, but a
conservative approach. Rationale is that if you didn't trust the
filesystem in the first place for suid binaries, then you likely don't
trust it for domain entrypoints either.
Yes that's the case, my filesystem is mounted nosuid.
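The nosuid explanation above, as an added diagnostic that is not part of the thread: given a /proc/mounts-style table and the path that was executed, find the mount that owns the path and report whether it carries nosuid (and therefore blocks domain transitions). The mount table, server name and address below are constructed sample data, not taken from the original messages.

```shell
#!/bin/sh
# Constructed /proc/mounts excerpt (not from the thread). The NFS share
# carries nosuid, which is what suppresses the domain transition.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
nfsserver:/export/home /home nfs rw,nosuid,nodev,vers=3,addr=192.0.2.10 0 0
/dev/sda2 /home/local ext3 rw,relatime 0 0'

# Print the mount options of the mount that owns PATH ($1), reading the
# table from $2. The longest mount point that is a prefix of PATH wins,
# and a later entry beats an earlier one at the same point (the most
# recent mount is the active one), matching the kernel's own lookup.
mount_opts_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" owns everything; other mount points must match on a
            # path-component boundary so /home does not claim /homer
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }'
}

# Succeed (return 0) when the mount owning PATH ($1) is nosuid.
is_nosuid_mount() {
    opts=$(mount_opts_for_path "$1" "$2")
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# One-line verdict for an execute_no_trans denial on PATH ($1).
explain_exec_no_trans() {
    if is_nosuid_mount "$1" "$2"; then
        echo "nosuid mount owns $1: domain transitions are disabled here, so the exec is checked as execute_no_trans"
    else
        echo "mount owning $1 is not nosuid: check the policy (entrypoint and type_transition rules) instead"
    fi
}

# Stand-alone run against the constructed table; on a live system pass
# "$(cat /proc/mounts)" as the second argument instead.
explain_exec_no_trans /home/usera/var/bin/testphp.app "$SAMPLE_MOUNTS"
explain_exec_no_trans /testphp.app "$SAMPLE_MOUNTS"
```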