On Thu, 2006-12-14 at 11:17 -0200, Klaus Heinrich Kiwi wrote:
> On Thu, 14 Dec 2006 07:49:20 -0500, Stephen Smalley wrote:
>
> > On Thu, 2006-12-14 at 09:49 -0200, Klaus Heinrich Kiwi wrote:
> >> On Wed, 13 Dec 2006 18:17:02 -0500, Daniel J Walsh wrote:
> >>
> >> > Any avc messages?
> >>
> >> None!
> >>
> >> Only this error message (which also is echoed at the machine's console):
> >>
> >> SELinux:
> >> security_context_to_sid("system_u:object_r:tmp_t:s0-s15:c0.c1023") failed
> >> for (dev hdc, type iso9660) errno=-22
> >>
> >> (errno -22 = EINVAL iirc)
> >>
> >> Any special audit rule that may help?
> >
> > It isn't a permission denial, just an invalid context error from
> > security_context_to_sid(). If you try using the same context in e.g. a
> > chcon command, does it also report Invalid argument? If so, then it is
> > a policy problem - the context is illegal under the policy, e.g. one of
> > the components isn't defined by the policy or the combination of them is
> > not authorized by the policy.
>
> That's what I initially thought: I'm just using an invalid context (if
> this was/is the case, the error message could be a little more helpful
> then, couldn't it?)
>
> Have tried with several different contexts since then - without success.
>
> And about the test with chcon: yes, the same context that I can
> successfully label a directory with is failing when I try to use it with mount:
>
> ---------------------------
> [EMAIL PROTECTED] mnt]# chcon system_u:object_r:tmp_t:SystemLow-SystemHigh
> cdrom/
> [EMAIL PROTECTED] mnt]# echo $?; ls -lZd cdrom/
> 0
> drwxr-xr-x root root system_u:object_r:tmp_t:SystemLow-SystemHigh cdrom/
>
> [EMAIL PROTECTED] mnt]# mount -o
> context=system_u:object_r:tmp_t:SystemLow-SystemHigh /dev/cdrom /mnt/cdrom/
> mount: block device /dev/cdrom is write-protected, mounting read-only
> SELinux: security_context_to_sid("system_u:object_r:tmp_t:s0-s15:c0.c1023")
> failed for (dev hdc, type iso9660) errno=-22
> mount: wrong fs type, bad option, bad superblock on /dev/cdrom,
> missing codepage or other error
> In some cases useful info is found in syslog - try
> dmesg | tail or so
>
> [EMAIL PROTECTED] mnt]#
> --------------------------
>
> Also tried mount with 'fscontext' with the same results.
>
> Should I open a bug report for this (seems like a ship issue to me)
Yes. File it against the kernel since the same context was accepted
from chcon (->setxattr) but not as a mount context option. Not sure if
it is an issue in how the context is being passed by mount or in the
kernel processing itself (possibly there is an extra NUL at the end of
the string?).
Seems to work fine on FC6 with targeted policy, e.g.
# mount -o context=system_u:object_r:tmp_t:s0-s0:c0.c1023 /dev/cdrom /mnt/cdrom
works fine (had to reduce the high to s0 since targeted policy doesn't
know about other sensitivities).
--
Stephen Smalley
National Security Agency
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
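The reply above suspects that the context string reaches the kernel with an extra NUL appended, so that a value chcon accepts is rejected by security_context_to_sid(). The following is an added illustration, not code from the thread or from the kernel: a small length-aware option scanner (the hypothetical helpers find_context_opt/check_context_opt, modelled on how a kernel parser sees the copied mount-data buffer as a byte range rather than a C string) that shows how a stray NUL inside the context= value makes the value differ from the one chcon labelled the directory with. The sample option buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed samples: the same context as in the thread, once clean and
 * once followed by an explicit NUL that is counted inside the buffer length. */
static const char sample_ok[]  = "ro,context=system_u:object_r:tmp_t:s0-s15:c0.c1023";
static const char sample_nul[] = "ro,context=system_u:object_r:tmp_t:s0-s15:c0.c1023\0";

/* Scan comma-separated options in [data, data+len) and return the span of
 * the value of a "context=" option (matched only at option start, so
 * "fscontext=" is not confused with it). Returns 1 if found, else 0. */
static int find_context_opt(const char *data, size_t len,
                            const char **val, size_t *vlen)
{
    const char *key = "context=";
    size_t klen = strlen(key), i = 0;

    while (i < len) {
        size_t j = i;
        while (j < len && data[j] != ',')      /* end of this option */
            j++;
        if (j - i >= klen && memcmp(data + i, key, klen) == 0) {
            *val = data + i + klen;
            *vlen = j - i - klen;             /* includes any embedded NUL */
            return 1;
        }
        i = j + 1;
    }
    return 0;
}

/* Returns -2 if no context= option is present, -1 if every byte of the
 * value is printable (what a strict validator would compare), otherwise
 * the offset of the first non-printable byte, e.g. a trailing NUL. */
static long check_context_opt(const char *data, size_t len)
{
    const char *val; size_t vlen;
    if (!find_context_opt(data, len, &val, &vlen))
        return -2;
    for (size_t k = 0; k < vlen; k++)
        if (!isprint((unsigned char)val[k]))
            return (long)k;
    return -1;
}

int main(void)
{
    printf("clean value: %ld\n", check_context_opt(sample_ok, sizeof(sample_ok) - 1));
    printf("value with NUL: bad byte at %ld\n",
           check_context_opt(sample_nul, sizeof(sample_nul) - 1));
    return 0;
}
```

A result of -1 for the clean buffer and 39 for the second shows that the two values are not byte-identical even though both print the same, which is the kind of difference a length-based comparison in the kernel would reject while chcon's setxattr path never sees it.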