Bug 1135683

Summary: RFE: AVC's for unlabeled_t objects should show the bad label if it exists
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: kernel
Assignee: Ondrej Mosnacek <omosnace>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, mmalik
Keywords: FastFix, FutureFeature, Patch
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Clone Of:
: 1670039
Last Closed: 2019-01-26 08:21:07 UTC
Type: Bug

Description Daniel Walsh 2014-08-30 10:05:32 UTC
When we get an AVC about an unlabeled_t file, we don't know if it is a file without a label or a file with a bad label. It would be great if the kernel would actually tell us what the bad security context is. Then we might have a clue what is going on.

Would it be a huge problem to add a field to the AVC that indicated what the label was in addition to unlabeled_t?

We are seeing some random unlabeled_t errors, and we can't really diagnose what is going on because we don't know what the undefined label is. Or if there is no label at all.

ucon=""  or ucon="system_u:object_r:nolonger_exists_t:s0"
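The triage that the requested field would make possible, as an added example (not part of the bug report or of the kernel patch): it reads AVC records, keeps those whose target type is unlabeled_t, and separates "no label", "invalid label" and "cannot tell". The `ucon` field name and its empty-string meaning are taken from the proposal above; the name a given kernel actually emits is an assumption, so it is a parameter, and the log lines are constructed.

```python
import re

# Constructed sample AVC records (not from the bug report). The ucon= field
# follows the report's proposal; the name a real kernel emits is an assumption.
SAMPLE_LOG = '''\
type=AVC msg=audit(1409393132.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1409393133.202:311): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="old.cfg" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file ucon="system_u:object_r:nolonger_exists_t:s0"
type=AVC msg=audit(1409393134.303:312): avc:  denied  { open } for  pid=2101 comm="httpd" name="tmp.dat" dev="dm-0" ino=1313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file ucon=""
type=AVC msg=audit(1409393135.404:313): avc:  denied  { write } for  pid=2101 comm="httpd" name="app.log" dev="dm-0" ino=1314 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_unlabeled(log_text, raw_field="ucon"):
    """Return (name, verdict, raw_context) for each AVC whose target is unlabeled_t."""
    results = []
    for line in log_text.splitlines():
        if "avc:" not in line:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        tcontext = fields.get("tcontext", "").split(":")
        # A context is user:role:type[:range]; the type is the third element.
        if len(tcontext) < 3 or tcontext[2] != "unlabeled_t":
            continue
        if raw_field not in fields:
            verdict = "unknown"        # record lacks the field: cause cannot be determined
        elif fields[raw_field] == "":
            verdict = "no-label"       # object carries no label at all
        else:
            verdict = "invalid-label"  # a label exists but is not valid in the loaded policy
        results.append((fields.get("name"), verdict, fields.get(raw_field)))
    return results


if __name__ == "__main__":
    for name, verdict, raw in classify_unlabeled(SAMPLE_LOG):
        print(f"{name}: {verdict} {raw or ''}")
```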

Comment 2 Ondrej Mosnacek 2019-01-18 10:09:16 UTC
Posted a patch to add this enhancement upstream:

https://lore.kernel.org/selinux/20190118100429.11703-1-omosnace@redhat.com/T/

Comment 3 Ondrej Mosnacek 2019-01-26 08:21:07 UTC
After a few respins, the patch is now staged in selinux-next for kernel v5.1:

https://github.com/SELinuxProject/selinux-kernel/commit/fede148324c34360ce8c30a9a5bdfac5574b2a59