Your message dated Tue, 4 Mar 2014 17:12:37 +0100
with message-id <[email protected]>
has caused the report #740682,
regarding avc: denied { getattr } for /sbin/setfiles (virtual filesystem roots)
to be marked as having been forwarded to the upstream software
author(s) [email protected]

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
740682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi,

Currently if you are running restorecon/fixfiles on a pseudo
filesystem (sysfs_t, device_t, tmpfs_t) we are getting the following
kind of AVC:

type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902 
comm="setfiles" name="/" dev=tmpfs ino=5056 
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1393898218.762:236): arch=c000003e syscall=137 
success=yes exit=0 a0=7f74fdd8d296 a1=7fffe0d11a70 a2=7f74fdd8d296 
a3=6f6d2c6b38323032 items=0 ppid=3900 pid=3902 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 
comm="setfiles" exe="/sbin/setfiles" 
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

This is happening because these file systems are not of the type fs_t.
However, these pseudo fs support xattrs.

Talking a bit with Dominick, he proposed to create a new
"xattrfs" attribute, attach it to all the filesystems and then use it
instead of fs_t in the allow rules. This should probably also
simplify/fix situations where files are moved around between these
pseudo-fs and real fs.

Does anybody have comments on this?

Cheers,

Laurent Bigonville

See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682

--- End Message ---
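To see which filesystem types such denials hit on a given host, the audit records can be grouped by target type. The following is an added example, not part of the original message or of any SELinux tool: the first record is the AVC quoted above (wrapped as in the mail), the others are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Record 1 is the AVC from the message above, still mail-wrapped.
# Records 2-4 are constructed samples (sysfs_t, device_t, an unrelated denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1393898218.762:236): avc:  denied  { getattr } for  pid=3902
comm="setfiles" name="/" dev=tmpfs ino=5056
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1393898219.100:237): avc:  denied  { getattr } for  pid=3902
comm="setfiles" name="/" dev=sysfs ino=1 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1393898219.200:238): avc:  denied  { getattr } for  pid=3902
comm="setfiles" name="/" dev=devtmpfs ino=1025 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1393898220.300:239): avc:  denied  { read } for  pid=4000
comm="cat" name="shadow" dev=sda1 ino=77 scontext=unconfined_u:unconfined_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def unwrap(text):
    """Rejoin records split by mail wrapping; a new record starts with 'type='."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def filesystem_denials(text, source_type="setfiles_t"):
    """Map target type -> denied permissions for tclass=filesystem denials."""
    found = defaultdict(set)
    for rec in unwrap(text):
        m = DENIED.search(rec)
        if not rec.startswith("type=AVC") or not m:
            continue
        f = dict(FIELD.findall(rec))
        sctx = f.get("scontext", "").split(":")
        tctx = f.get("tcontext", "").split(":")
        if f.get("tclass") != "filesystem" or len(sctx) < 3 or len(tctx) < 3:
            continue
        if sctx[2] == source_type:  # third field of a context is the type
            found[tctx[2]].update(m.group(1).split())
    return dict(found)

if __name__ == "__main__":
    for ttype, perms in sorted(filesystem_denials(SAMPLE_AUDIT).items()):
        print(f"setfiles_t -> {ttype}:filesystem {{ {' '.join(sorted(perms))} }}")
```
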
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
