Old 10-06-2008, 06:39 PM
Christian Iseli
 
SELinux - copying ISO file content

On Mon, 06 Oct 2008 10:05:00 -0400, Daniel J Walsh wrote:
> I don't know what vmshared is. It is being labeled as an unlabeled_t
> which means the kernel policy does not know what this file system is.

Yes, vmshared is a special filesystem provided by the VirtualBox. It
gets compiled and installed as a kernel module when you install the
VirtualBox tools on the client machine. It allows one folder/directory
of the host machine to be seen as a filesystem on the client, allowing
file sharing.

> If you run restorecon -R -v ~/
>
> Does it change the context on this file system?

No

I tried mounting it under /mnt, but the results are the same. I did
not try to mount it through dolphin or other GUI. I have no idea what
the GUI does that a simple command-line mount does not.

Cheers,
Christian

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 10-06-2008, 07:16 PM
Daniel J Walsh
 
SELinux - copying ISO file content

Christian Iseli wrote:
> On Mon, 06 Oct 2008 10:05:00 -0400, Daniel J Walsh wrote:
>> I don't know what vmshared is. It is being labeled as an unlabeled_t
>> which means the kernel policy does not know what this file system is.
>
> Yes, vmshared is a special filesystem provided by the VirtualBox. It
> gets compiled and installed as a kernel module when you install the
> VirtualBox tools on the client machine. It allows one folder/directory
> of the host machine to be seen as a filesystem on the client, allowing
> file sharing.
>
>> If you run restorecon -R -v ~/
>>
>> Does it change the context on this file system?
>
> No
>
> I tried mounting it under /mnt, but the results are the same. I did
> not try to mount it through dolphin or other GUI. I have no idea what
> the GUI does that a simple command-line mount does not.
>
> Cheers,
> Christian
>
I think if you mount it with a context option it would work.

mount -o context="system_u:object_r:vmblock:s0" -t vboxsf VMShared /mnt

Does this fix it?


 
Old 10-06-2008, 09:17 PM
Jerry Vonau
 
SELinux - copying ISO file content

Daniel J Walsh wrote:
> Jon Masters wrote:
>> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
>>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
>>>>
>>>> And then one might legitimately expect to be able to copy the content
>>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
>>>> suppose that one is running SELinux in enforcing mode, then this will
>>>> fail because the contexts differ in this operation. Then, one will
>>>> likely quickly become severely annoyed and frustrated with SELinux,
>>>> simply setting it permissive for the duration of the operation...

I've seen this...

>>> Why would the copy fail? cp should just work and set the files to the
>>> context of the destination directory. If this fails it is a bug.
>>
>> Ok, so there's a bug there then. Copying files from within an ISO image
>> was kind of the last straw in my willingness to keep SELinux enabled. It
>> hinders me at almost every turn from doing useful things with a Linux
>> desktop - I'm constantly amazed that Fedora persists in defaulting it
>> enabled, but that's a whole other rant.
>>
>> Jon.
>
> What avc messages I should say?

Here is a sample:

################
Summary:

SELinux is preventing cp from creating a file with a context of
iso9660_t on a filesystem.

Detailed Description:

SELinux is preventing cp from creating a file with a context of
iso9660_t on a filesystem. Usually this happens when you ask the cp
command to maintain the context of a file when copying between file
systems, "cp -a" for example. Not all file contexts should be
maintained between the file systems. For example, a read-only file type
like iso9660_t should not be placed on a r/w system. "cp -P" might be a
better solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux
context.


Additional Information:

Source Context system_u:object_r:iso9660_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects fedora.css [ filesystem ]
Source cp
Source Path /bin/cp
Port <Unknown>
Host schoolserver
Source RPM Packages coreutils-6.10-30.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-84.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name filesystem_associate
Host Name schoolserver
Platform Linux schoolserver 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count 21
First Seen Fri 12 Sep 2008 07:27:12 PM CDT
Last Seen Fri 12 Sep 2008 11:18:01 PM CDT
Local ID 90f4d968-0a9b-42df-9982-fd0bdf284859
Line Numbers

Raw Audit Messages

host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied {
associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0
ino=1835383 scontext=system_u:object_r:iso9660_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


host=schoolserver type=SYSCALL msg=audit(1221279481.164:576):
arch=40000003 syscall=228 success=no exit=-13 a0=4 a1=df435d a2=9d566f0
a3=1f items=0 ppid=12279 pid=12289 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cp" exe="/bin/cp"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


#######

Hope it helps,

Jerry

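The raw AVC record Jerry pasted is what to key on when triaging this class of denial: a `filesystem` class with the `associate` permission means the source file's type is not allowed to live on the target filesystem's type. The following parser is an added example, not code from the thread; it extracts the fields from such a record and explains an associate denial in terms of the cp -a versus cp -P distinction described above. The sample line is constructed from the one quoted in the post.

```python
import re

# Constructed sample, modelled on the AVC line quoted in the thread.
SAMPLE_AVC = (
    'host=schoolserver type=AVC msg=audit(1221279481.164:576): avc: denied '
    '{ associate } for pid=12289 comm="cp" name="fedora.css" dev=dm-0 '
    'ino=1835383 scontext=system_u:object_r:iso9660_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
)

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain colons."""
    user, role, type_, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(line):
    """Return the result, permission list and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        rec[key] = quoted if bare == '' else bare
    return rec


def explain_associate_denial(rec):
    """Describe a filesystem 'associate' denial like the one in the thread, else None."""
    if rec is None or rec['result'] != 'denied':
        return None
    if rec.get('tclass') != 'filesystem' or 'associate' not in rec['perms']:
        return None
    src = split_context(rec['scontext'])['type']
    dst = split_context(rec['tcontext'])['type']
    return (f"{rec.get('comm')} tried to create {rec.get('name')} labelled {src} "
            f"on a {dst} filesystem, which the policy does not allow. Typical cause: "
            f"copying with the SELinux context preserved (cp -a). Use cp -P, or "
            f"cp -a --no-preserve=context, so the file takes the destination's "
            f"default label instead.")


if __name__ == '__main__':
    print(explain_associate_denial(parse_avc(SAMPLE_AVC)))
```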
 
Old 10-07-2008, 02:42 PM
Jon Masters
 
SELinux - copying ISO file content

On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
> Daniel J Walsh wrote:
> > Jon Masters wrote:
> >> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
> >>
> >>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
> >>>>
> >>>> And then one might legitimately expect to be able to copy the content
> >>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
> >>>> suppose that one is running SELinux in enforcing mode, then this will
> >>>> fail because the contexts differ in this operation. Then, one will
> >>>> likely quickly become severely annoyed and frustrated with SELinux,
> >>>> simply setting it permissive for the duration of the operation...
>
> I've seen this...

Indeed. I have too, one too many times.

> SELinux is preventing cp from creating a file with a context of
> iso9660_t on a
> filesystem.

Ah yes, I probably used the standard "cp -ax blah /blah" command. I
guess I'll need to learn not to use such standard commands in future and
adapt everything around SELinux. Because that's very non-obtrusive, and
won't cause regular users any anguish at all.

Jon.


 
Old 10-07-2008, 03:46 PM
"Arthur Pemberton"
 
SELinux - copying ISO file content

On Sat, Oct 4, 2008 at 3:25 AM, Jon Masters <jonathan@jonmasters.org> wrote:
> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
>
>> > $ mount -o loop Fedora-9-i386-DVD.iso /mnt
>> >
>> > And then one might legitimately expect to be able to copy the content
>> > of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
>> > suppose that one is running SELinux in enforcing mode, then this will
>> > fail because the contexts differ in this operation. Then, one will
>> > likely quickly become severely annoyed and frustrated with SELinux,
>> > simply setting it permissive for the duration of the operation...
>
>> Why would the copy fail? cp should just work and set the files to the
>> context of the destination directory. If this fails it is a bug.
>
> Ok, so there's a bug there then. Copying files from within an ISO image
> was kind of the last straw in my willingness to keep SELinux enabled. It
> hinders me at almost every turn from doing useful things with a Linux
> desktop - I'm constantly amazed that Fedora persists in defaulting it
> enabled, but that's a whole other rant.


You can copy files from within an ISO mount. You cannot serve the
files directly in the mount from HTTPd though.

But copying definitely works.

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

 
Old 10-07-2008, 04:43 PM
Christian Iseli
 
SELinux - copying ISO file content

On Mon, 06 Oct 2008 14:16:50 -0400, Daniel J Walsh wrote:
> mount -o context="system_u:object_r:vmblock:s0" -t vboxsf
> VMShared /mnt
>
> Does this fix it?

Hmm, despite what is said in the manpage of mount, the option context=
appears to not be accepted in this case:
# mount -o context=system_u:object_r:vmblock:s0 -t vboxsf VMShared /mnt
unknown mount option `context="system_u:object_r:vmblock:s0"'
valid options:
rw mount read write (default)
ro mount read only
uid =<arg> default file owner user id
gid =<arg> default file owner group id
ttl =<arg> time to live for dentry
iocharset =<arg> i/o charset (default utf8)
convertcp =<arg> convert share name from given charset to utf8
dmode =<arg> mode of all directories
fmode =<arg> mode of all regular files
umask =<arg> umask of directories and regular files
dmask =<arg> umask of directories
fmask =<arg> umask of regular files

I suppose this is a problem of the mount.vboxfs utility rather than of
mount itself? In this case, I guess I'll look into filing a bug
report.

Cheers,
Christian

 
Old 10-07-2008, 05:14 PM
Paul Howarth
 
SELinux - copying ISO file content

Christian Iseli wrote:
> On Mon, 06 Oct 2008 14:16:50 -0400, Daniel J Walsh wrote:
>> mount -o context="system_u:object_r:vmblock:s0" -t vboxsf
>> VMShared /mnt
>>
>> Does this fix it?
>
> Hmm, despite what is said in the manpage of mount, the option context=
> appears to not be accepted in this case:
> # mount -o context=system_u:object_r:vmblock:s0 -t vboxsf VMShared /mnt
> unknown mount option `context="system_u:object_r:vmblock:s0"'
> valid options:
> rw mount read write (default)
> ro mount read only
> uid =<arg> default file owner user id
> gid =<arg> default file owner group id
> ttl =<arg> time to live for dentry
> iocharset =<arg> i/o charset (default utf8)
> convertcp =<arg> convert share name from given charset to utf8
> dmode =<arg> mode of all directories
> fmode =<arg> mode of all regular files
> umask =<arg> umask of directories and regular files
> dmask =<arg> umask of directories
> fmask =<arg> umask of regular files
>
> I suppose this is a problem of the mount.vboxfs utility rather than of
> mount itself? In this case, I guess I'll look into filing a bug
> report.


You want a context of system_u:object_r:vmblock_t:s0 rather than
system_u:object_r:vmblock:s0 methinks.


Paul.

 
Old 10-07-2008, 06:24 PM
Callum Lerwick
 
SELinux - copying ISO file content

On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
> guess I'll need to learn not to use such standard commands in future and
> adapt everything around SELinux. Because that's very non-obtrusive, and
> won't cause regular users any anguish at all.

If I understand correctly, the root of the problem here is you're using
kernel modules that we do not ship and are not merged upstream. You
chose to play with fire, and you got burned. I think it is very unfair
to solely blame SELinux for this one.
 
Old 10-07-2008, 06:55 PM
Jesse Keating
 
SELinux - copying ISO file content

On Tue, 2008-10-07 at 12:24 -0500, Callum Lerwick wrote:
> If I understand correctly, the root of the problem here is you're using
> kernel modules that we do not ship and are not merged upstream. You
> chose to play with fire, and you got burned. I think it is very unfair
> to solely blame SELinux for this one.

Pardon? What module is he using here that we don't ship? He mounted
the iso, and copied files. Where is he using a 3rd party module?

Somebody else jumped on the thread and steered the conversation toward a
virtualbox problem, which, while somewhat related to Jon's issue, is not
the same issue.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
 
Old 10-07-2008, 07:23 PM
"David P. Quigley"
 
SELinux - copying ISO file content

On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
> > Daniel J Walsh wrote:
> > > Jon Masters wrote:
> > >> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
> > >>
> > >>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
> > >>>>
> > >>>> And then one might legitimately expect to be able to copy the content
> > >>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
> > >>>> suppose that one is running SELinux in enforcing mode, then this will
> > >>>> fail because the contexts differ in this operation. Then, one will
> > >>>> likely quickly become severely annoyed and frustrated with SELinux,
> > >>>> simply setting it permissive for the duration of the operation...
> >
> > I've seen this...
>
> Indeed. I have too, one too many times.
>
> > SELinux is preventing cp from creating a file with a context of
> > iso9660_t on a
> > filesystem.
>
> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
> guess I'll need to learn not to use such standard commands in future and
> adapt everything around SELinux. Because that's very non-obtrusive, and
> won't cause regular users any anguish at all.
>
> Jon.
>
>

I think the main question here is should archive try to retain the
SELinux context. From what I've heard from people here, initially the
idea was to try to preserve the context and if that failed fall back to
labeling based on the parent. That doesn't seem to be what cp is trying
to do. If we removed the retain the context part from the archive switch
of cp you would get labeling based on the parent but then you would be
required to explicitly specify preserve the context when you wanted to
archive that as well.

It doesn't seem like anyone is actually depending on the associate
permission so it might be worth someone looking into removing it if no
one is really using it. It has its applications but I don't believe Red
Hat is using it at this time.

Dave
