| Message ID | 20220614102029.13006-3-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | [1/4] support Dash as default shell |
On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche <cgzones@googlemail.com> wrote:
>
> filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
> filesystem/ext4/test .. 71/83
> filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
> filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
>
> type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
> type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
> type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Does this happen on Debian only? Do you know why it isn't/hasn't been happening on Fedora/RHEL?

>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  policy/test_filesystem.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index 4e27134..46e3f1a 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
>
> # For testing rootcontext= Set mountpoint to unlabeled first
> allow test_filesystem_context_t test_file_t:dir { relabelfrom };
> -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
> +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
>
> #
> ####################### Rules for nfs_filesystem/test ###################
> --
> 2.36.1
>
On Tue, 14 Jun 2022 at 15:21, Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
> > filesystem/ext4/test .. 71/83
> > filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
> > filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)
> >
> > type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
> > type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> > type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
> > type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
> Does this happen on Debian only? Do you know why it isn't/hasn't been
> happening on Fedora/RHEL?

In fedora-policy unlabeled_t is associated with the attribute file_type and thus the common rule allow test_filesystem_context_t file_type:dir { getattr open search }; grants the permission in question.

>
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> >  policy/test_filesystem.te | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> > index 4e27134..46e3f1a 100644
> > --- a/policy/test_filesystem.te
> > +++ b/policy/test_filesystem.te
> > @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g
> >
> > # For testing rootcontext= Set mountpoint to unlabeled first
> > allow test_filesystem_context_t test_file_t:dir { relabelfrom };
> > -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };
> > +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };
> >
> > #
> > ####################### Rules for nfs_filesystem/test ###################
> > --
> > 2.36.1
> >
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
>
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 4e27134..46e3f1a 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -382,7 +382,7 @@ allow test_filesystem_fscontext_t test_filesystem_context_file_t:file { create g # For testing rootcontext= Set mountpoint to unlabeled first allow test_filesystem_context_t test_file_t:dir { relabelfrom }; -allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto }; +allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto }; # ####################### Rules for nfs_filesystem/test ###################
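Review bot: the new line `+allow test_filesystem_context_t unlabeled_t:dir { getattr mounton relabelto };` fixes the reported denial, but the commit message only shows the AVC and does not say why the permission is missing on some policies and not others; the explanation given later in the thread (fedora-policy puts unlabeled_t in the file_type attribute, so `allow test_filesystem_context_t file_type:dir { getattr open search };` already covers it there) belongs in the commit message so the next reader does not have to reconstruct it. That same rule is also the reason to double-check the scope of this hunk: the Fedora path grants `{ getattr open search }` on the mountpoint, while this change adds only `getattr`, so please confirm on a policy where unlabeled_t is not a file_type that the remaining steps of the rootcontext= test (mounting on and relabeling the directory) do not also need `search` or `open` on `unlabeled_t:dir`, and either add them here or note in the message why they are not required.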
filesystem/ext4/test .. 67/83 getfilecon(3) Failed: Permission denied
filesystem/ext4/test .. 71/83
filesystem/ext4/test .. 75/83 # Looks like you failed 1 test of 83.
filesystem/ext4/test .. Dubious, test returned 1 (wstat 256, 0x100)

type=PROCTITLE msg=audit(02/05/22 11:47:03.170:7047) : proctitle=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/check_mount_context -r -m /root/workspace/selinux/selinux-testsu
type=PATH msg=audit(02/05/22 11:47:03.170:7047) : item=0 name=/root/workspace/selinux/selinux-testsuite/tests/filesystem/ext4/mntpoint/mp1 inode=390506 dev=fe:01 mode=dir,750 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/05/22 11:47:03.170:7047) : cwd=/root/workspace/selinux/selinux-testsuite/tests
type=SYSCALL msg=audit(02/05/22 11:47:03.170:7047) : arch=x86_64 syscall=getxattr success=no exit=EACCES(Permission denied) a0=0x7ffcd27c5651 a1=0x7fec8529078d a2=0x645b39a13550 a3=0xff items=1 ppid=76535 pid=77228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=check_mount_con exe=/root/workspace/selinux/selinux-testsuite/tests/filesystem/check_mount_context subj=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policy/test_filesystem.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
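The diagnosis in this thread (the same AVC denial is already covered on one policy through an attribute and not on another) can be checked mechanically rather than by reading the policy source. The script below is an added example written for this page, not code from selinux-testsuite, fedora-policy, or either participant: it parses the AVC line quoted in the commit message, parses the two `allow` rules named in the thread, expands attribute membership, and reports which denied permissions remain uncovered, emitting the minimal rule for them (the job audit2allow does, minus the attribute awareness that explains the Fedora/Debian difference). The attribute tables are constructed assumptions: the thread states that fedora-policy puts unlabeled_t in file_type; the refpolicy table simply omits it, which is what the reported denial implies.

```python
"""Decide whether an SELinux AVC denial is already granted by an allow rule
once type attributes are expanded, and emit the minimal rule if it is not.
Added example for this page; not selinux-testsuite code."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set

# AVC line as quoted in the commit message on this page.
AVC_LINE = (
    'type=AVC msg=audit(02/05/22 11:47:03.170:7047) : avc: denied { getattr } '
    'for pid=77228 comm=check_mount_con name=mp1 dev="vda1" ino=390506 '
    'scontext=unconfined_u:unconfined_r:test_filesystem_context_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'
)

# Rules named in the thread: the common file_type rule and the rootcontext=
# rule as it stood before the patch.
RULES_BEFORE = [
    'allow test_filesystem_context_t file_type:dir { getattr open search };',
    'allow test_filesystem_context_t unlabeled_t:dir { mounton relabelto };',
]

# Attribute membership, attribute -> set of types. Constructed for this example:
# the thread says fedora-policy gives unlabeled_t the file_type attribute; the
# refpolicy table assumes it does not, which is what the denial implies.
ATTRS_FEDORA: Dict[str, Set[str]] = {'file_type': {'unlabeled_t', 'test_file_t'}}
ATTRS_REFPOLICY: Dict[str, Set[str]] = {'file_type': {'test_file_t'}}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
# allow SRC TGT:CLASS { p1 p2 };   or   allow SRC TGT:CLASS p1;
ALLOW_RE = re.compile(
    r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;$'
)


@dataclass(frozen=True)
class Denial:
    source: str            # type from scontext
    target: str            # type from tcontext
    tclass: str
    perms: FrozenSet[str]


@dataclass(frozen=True)
class AllowRule:
    source: str            # type or attribute
    target: str            # type or attribute
    tclass: str
    perms: FrozenSet[str]


def type_of(context: str) -> str:
    """user:role:type[:range] -> type."""
    return context.split(':')[2]


def parse_avc(line: str) -> Denial:
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: %r' % line)
    return Denial(type_of(m['scon']), type_of(m['tcon']), m['tclass'],
                  frozenset(m['perms'].split()))


def parse_allow(rule: str) -> AllowRule:
    m = ALLOW_RE.match(rule.strip())
    if m is None:
        raise ValueError('unsupported rule syntax: %r' % rule)
    src, tgt, tclass, many, one = m.groups()
    perms = many.split() if many is not None else [one]
    return AllowRule(src, tgt, tclass, frozenset(perms))


def members(name: str, attrs: Dict[str, Set[str]]) -> Set[str]:
    """Types an operand stands for: an attribute's members, or the type itself."""
    return attrs.get(name, {name})


def still_denied(denial: Denial, rules: Iterable[AllowRule],
                 attrs: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Permissions from the denial that no rule grants after attribute expansion."""
    granted: Set[str] = set()
    for r in rules:
        if (r.tclass == denial.tclass
                and denial.source in members(r.source, attrs)
                and denial.target in members(r.target, attrs)):
            granted |= r.perms
    return denial.perms - granted


def needed_rule(denial: Denial, rules: Iterable[AllowRule],
                attrs: Dict[str, Set[str]]) -> Optional[str]:
    """Minimal allow rule for the uncovered permissions, or None if covered."""
    missing = still_denied(denial, rules, attrs)
    if not missing:
        return None
    return 'allow %s %s:%s { %s };' % (
        denial.source, denial.target, denial.tclass, ' '.join(sorted(missing)))


if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    rules = [parse_allow(r) for r in RULES_BEFORE]
    print('fedora-policy:', needed_rule(d, rules, ATTRS_FEDORA))
    print('refpolicy:    ', needed_rule(d, rules, ATTRS_REFPOLICY))
```

On a real system the attribute tables come from the loaded policy rather than from literals: `seinfo -a file_type -x` lists the attribute's members and `sesearch -A -s test_filesystem_context_t -t unlabeled_t -c dir -p getattr` shows every rule, attribute-based ones included, that grants the permission, which is the quickest way to confirm whether a denial seen on one distribution will reproduce on another.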