Fedora SELinux Support: tar xvf --xattrs warning/error in MLS enforcing (http://www.linux-archive.org/fedora-selinux-support/364334-tar-xvf-tar-file-xattrs-warning-error-mls-enforcing.html)

Xavier Toth 04-30-2010 08:38 PM

tar xvf --xattrs warning/error in MLS enforcing
 
I'm going to simplify this because a lot of the detail isn't important to
the issue I'm working through. I'm tarring some files, one of which
happens to be labeled SystemHigh and the rest SystemLow. An init
script, running SystemLow-SystemHigh, is later run on a different
system which untars the file. tar generates a warning message about
setfilecon failing for the file labeled SystemHigh and I see an
SELINUX_ERR message in the audit log (security_validate_transition:
denied for oldcontext=system_u:object_r:selinux_config_t:s0
newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
am using run_init to run/test this init script. What I'm confused
about is that there are no AVCs (I did a semodule -DB just to see if
there were any dontaudits) and why there even is a failure as initrc_t
uses the mls_file_write_all_levels macro. Also does anyone know of a
way to see the contexts stored in the tar file?

Ted
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Xavier Toth 04-30-2010 09:42 PM

tar xvf --xattrs warning/error in MLS enforcing
 
On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth@gmail.com> wrote:
> I'm going to simplify this because a lot of the detail isn't important to
> the issue I'm working through. I'm tarring some files, one of which
> happens to be labeled SystemHigh and the rest SystemLow. An init
> script, running SystemLow-SystemHigh, is later run on a different
> system which untars the file. tar generates a warning message about
> setfilecon failing for the file labeled SystemHigh and I see an
> SELINUX_ERR message in the audit log (security_validate_transition:
> denied for oldcontext=system_u:object_r:selinux_config_t:s0
> newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
> taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> am using run_init to run/test this init script. What I'm confused
> about is that there are no AVCs (I did a semodule -DB just to see if
> there were any dontaudits) and why there even is a failure as initrc_t
> uses the mls_file_write_all_levels macro. Also does anyone know of a
> way to see the contexts stored in the tar file?
>
> Ted
>

I see now, initrc_t policy doesn't use mls_file_upgrade but I still
don't like the no AVC bit.

Ted
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Stephen Smalley 05-03-2010 03:01 PM

tar xvf --xattrs warning/error in MLS enforcing
 
On Fri, 2010-04-30 at 16:42 -0500, Xavier Toth wrote:
> On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth@gmail.com> wrote:
> > I'm going to simplify this because a lot of the detail isn't important to
> > the issue I'm working through. I'm tarring some files, one of which
> > happens to be labeled SystemHigh and the rest SystemLow. An init
> > script, running SystemLow-SystemHigh, is later run on a different
> > system which untars the file. tar generates a warning message about
> > setfilecon failing for the file labeled SystemHigh and I see an
> > SELINUX_ERR message in the audit log (security_validate_transition:
> > denied for oldcontext=system_u:object_r:selinux_config_t:s0
> > newcontext=system_u:object_r:selinux_config_t:s15: c0-c1023
> > taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I
> > am using run_init to run/test this init script. What I'm confused
> > about is that there are no AVCs (I did a semodule -DB just to see if
> > there were any dontaudits) and why there even is a failure as initrc_t
> > uses the mls_file_write_all_levels macro. Also does anyone know of a
> > way to see the contexts stored in the tar file?
> >
> > Ted
> >
>
> I see now, initrc_t policy doesn't use mls_file_upgrade but I still
> don't like the no AVC bit.

The AVC isn't involved in that check. security_validate_transition()
and the mlsvalidatetrans constraints were introduced to enable a check
to be applied based on all 3 security contexts (old file context, new
file context, process context) simultaneously, which wasn't possible via
the pairwise AVC checks. selinux_inode_setxattr() invokes
security_validate_transition() after applying the AVC permission checks
during file relabeling.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
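Two things in this thread go unanswered in code: how to see the contexts a `tar --xattrs` archive carries (Ted's question) and which members will hit the relabel path that security_validate_transition() guards (Stephen's explanation). The script below is an added example, not from the thread or from the tar project; it assumes GNU tar stores xattrs as PAX records named `SCHILY.xattr.<name>`, so the file context lives under `SCHILY.xattr.security.selinux`, and it builds a constructed sample archive in memory so it runs offline.

```python
"""Inspect the SELinux contexts GNU tar --xattrs stores in an archive.

Assumption: GNU tar records xattrs as PAX records SCHILY.xattr.<name>,
so the file context sits under SCHILY.xattr.security.selinux.  Members
whose MLS level differs from the level the extracting process creates
files at get relabelled via setfilecon() after creation, which is the
step that runs the mlsvalidatetrans constraint check.
"""
import io
import tarfile

XATTR_KEY = "SCHILY.xattr.security.selinux"


def archive_contexts(data: bytes) -> dict:
    """Map each member name to its stored SELinux context (or None)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for ti in tf:
            ctx = ti.pax_headers.get(XATTR_KEY)
            # The kernel hands back the context NUL-terminated; strip it.
            out[ti.name] = ctx.rstrip("\x00") if ctx else None
    return out


def mls_level(context: str) -> str:
    """Return the MLS level field of user:role:type:level ('' if absent)."""
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else ""


def entries_needing_relabel(data: bytes, create_level: str) -> list:
    """Members whose stored level differs from the process's create level."""
    return sorted(name for name, ctx in archive_contexts(data).items()
                  if ctx is not None and mls_level(ctx) != create_level)


def build_sample_archive() -> bytes:
    """Constructed sample: three labelled files, one of them SystemHigh."""
    labels = {
        "etc/selinux/config": "system_u:object_r:selinux_config_t:s0",
        "etc/selinux/semanage.conf": "system_u:object_r:selinux_config_t:s0",
        "etc/selinux/secret.conf": "system_u:object_r:selinux_config_t:s15:c0.c1023",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, ctx in labels.items():
            ti = tarfile.TarInfo(name)
            ti.size = 0
            ti.pax_headers = {XATTR_KEY: ctx + "\x00"}  # NUL as getxattr gives it
            tf.addfile(ti, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_archive()
    for name, ctx in archive_contexts(blob).items():
        print(f"{name}: {ctx}")
    print("relabelled on extraction at s0:", entries_needing_relabel(blob, "s0"))
```

Point `archive_contexts()` at the bytes of a real archive to audit it before an MLS extraction; any member listed by `entries_needing_relabel()` for the extracting domain's low level is one the policy must permit to change level.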

