Bug 181782
| Summary: | mkswap should automatically add selinux label to swapfile | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
| Component: | util-linux | Assignee: | Karel Zak <kzak> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | sgrubb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-03-08 17:08:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 150222 | | |
Description
Daniel Walsh
2006-02-16 15:38:40 UTC
Actually it is not enough. After labeling the problem remains:

```
[root@kepler ~]# ls -Z /swapfile
-rw-r--r--  root root system_u:object_r:swapfile_t /swapfile
```

The warning in dmesg is still there:

```
audit(1140109455.801:6): avc: denied { read } for pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140109455.810:7): avc: denied { write } for pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
```

Fixed policy errors in 2.2.19-2, but still need mkswap to label correctly.

```
# ls -Z ~/swapfile
-rw-r--r--  root root                                  /root/swapfile
# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB
# ls -Z ~/swapfile
-rw-r--r--  root root swapfile_t /root/swapfile
```

The patch will be available in the util-linux >= 2.13-0.16 package.

This patch is broken. If selinux is disabled, it still tries to label. I'd suggest adding "&& is_selinux_enabled()" to the if statement doing the S_ISREG(). I also get an error saying "unable to relabel file to swap_t: invalid argument". Still looking into where this is coming from.

You might look at newrole or fixfiles for example relabeling code. I have a suspicion that simply feeding it the type is not enough, a full context has to be computed.

The patch also needs #ifdef HAVE_LIBSELINUX added around the selinux pieces.

It works, and it should work even if selinux is disabled (my box with selinux=0 in grub.conf):

```
# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB
# ls -Z ~/swapfile
-rw-r--r--  root root swapfile_t /root/swapfile
# getenforce
Disabled
```

I think setting a label (xattr) on a file is independent of the selinux mode. The patch is based on code from setfiles and restorecon from policycoreutils, where all is done by lsetfilecon(). I have no idea if we need something like security_compute_relabel(). Daniel?

This is on my system:

```
[root ~]# !dd
dd if=/dev/zero of=fs/swap bs=1024 count=8192
8192+0 records in
8192+0 records out
8388608 bytes (8.4 MB) copied, 0.191322 seconds, 43.8 MB/s
[root ~]# mkswap fs/swap
Setting up swapspace version 1, size = 8384 kB
mkswap: unable to relabel fs/swap to swapfile_t: Invalid argument
[root ~]# rpm -q util-linux
util-linux-2.13-0.16
```

Ah.. I probably found a solution in the chcon command code. I have to compute the context, and swapfile_t should be only the "type" part of the context. Steve, thanks!

Thanks for looking at this. Adding to FC5 blocker since installer may need this.

Fixed (util-linux-2.13-0.17).

```
$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak kzak user_u:object_r:tmp_t /tmp/swapfile
$ ./mkswap /tmp/swapfile
Setting up swapspace version 1, size = 6705 kB
$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak kzak user_u:object_r:swapfile_t /tmp/swapfile
```

OK, I just checked it and it works much better. One last question... in the fprintf() error messages, do you need to add the _( ) stuff for internationalization? Thanks for fixing this!
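The approach the thread converges on, as an added example rather than util-linux's own code: keep the file's existing user, role and MLS/MCS range, replace only the type field with swapfile_t (passing a bare type to lsetfilecon() is what produced "Invalid argument"), and skip labeling when libselinux is not compiled in or SELinux is disabled. compose_context() and label_swapfile() are hypothetical names; is_selinux_enabled(), lgetfilecon(), lsetfilecon() and freecon() are the real libselinux API.

```c
/* Added example, not util-linux's own code. compose_context() and
 * label_swapfile() are hypothetical names; the libselinux calls are real. */
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#endif

/* Replace only the type field of "user:role:type[:range]"; NULL if malformed. */
char *compose_context(const char *old, const char *newtype)
{
    const char *p = strchr(old, ':');
    if (p) p = strchr(p + 1, ':');
    if (!p) return NULL;                     /* fewer than three fields */
    const char *type = p + 1;
    const char *range = strchr(type, ':');   /* optional MLS/MCS range */
    size_t prefix = (size_t)(type - old);    /* "user:role:" incl. colons */
    size_t len = prefix + strlen(newtype) + (range ? strlen(range) : 0);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, old, prefix);
    strcpy(out + prefix, newtype);
    if (range)
        strcat(out, range);
    return out;
}

/* Label a regular swap file; no-op without libselinux or with SELinux off. */
int label_swapfile(const char *path, const struct stat *st)
{
    int rc = 0;
#ifdef HAVE_LIBSELINUX
    char *oldcon = NULL, *newcon;
    if (!S_ISREG(st->st_mode) || !is_selinux_enabled())
        return 0;
    if (lgetfilecon(path, &oldcon) < 0)
        return -1;
    newcon = compose_context(oldcon, "swapfile_t");  /* not the bare type */
    freecon(oldcon);
    if (!newcon)
        return -1;
    rc = lsetfilecon(path, newcon);
    free(newcon);
#else
    (void)path; (void)st;
#endif
    return rc;
}
```

Build with -DHAVE_LIBSELINUX -lselinux to get the labeling path; without it the function compiles to a no-op, matching the #ifdef the thread asks for.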