Bug 190001

Summary: changes needed for Stateless Linux
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: kernelAssignee: Eric Paris <eparis>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: davej, dwalsh, eparis, jbaron, jmorris, markmc, rvokal, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-13 15:47:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 193995    

Description Bill Nottingham 2006-04-26 15:34:42 UTC 
From mail from SDS:
...
In the short term, I think you are just blocking on a policy change to
allow you to fix the root inode label via restorecon after mounting the
fs with the fscontext= option.  In the long term, I think we want some
changes/extensions to context mount options and their handling in the
kernel to allow things like:
- rootcontext= option for specifying root inode label separate from
fscontext label for fs_use_trans filesystems (like tmpfs), and
- combined use of context= and fscontext= options (requested separately
by Russell Coker).

And then separately there are issues like the devpts root and its MLS
label, which requires range_transition support on objects.
...

It's a blocker at least for the short term fix, and that seems like something
better suited to base policy than a module.
Comment 2 Mark McLoughlin 2006-06-14 06:15:49 UTC 
For reference, the thread this came from:

http://www.redhat.com/archives/fedora-selinux-list/2006-April/thread.html#00200
Comment 3 Eric Paris 2006-06-23 20:28:40 UTC 
> My best vague and uneducated guess is
> 
> rootcontext=context of the root inode on the fs to be mounted.

Correct.  This option doesn't exist yet, unlike the others.

> fscontext=the type of filesystem it is.  in this case tells it is to
> label it tmpfs

Security context of the superblock object.  Does not affect labeling
behavior for inodes.  Currently incompatible with context= option (since
it also currently sets the superblock context, and then inherits from
it), but this could be changed.

> context=the context of every file on that fs.

Correct (and the superblock object too presently).  This alters the
labeling behavior of the fs to what is called "mountpoint labeling",
where the specified context takes precedence over any xattr value or any
other behavior specified by fs_use.  The context is applied to the
superblock object, and then inherited by all inodes from it.  

There is also:
defcontext= default file context to apply to files that lack an xattr
value when using xattrs as the labeling behavior. 

> would I ever want all 3 together?

Possibly; they don't necessarily have to conflict.
context=A fscontext=B rootcontext=C would mean "label the superblock B,
the root directory inode C, and all other inodes A".

>   And I'm still not to smart on the
> associate permission.  Which of those 3 would affect associate?  What
> was it that Russel wanted done with these things?

Anything that alters the superblock context affects associate checks
(which are between the file contexts and the superblock context, e.g. so
that policy can say that partition with type A can only hold data of
type A and partition with type B can only hold data of type B, or
replace types with levels or whatever).
Comment 4 Eric Paris 2006-07-05 18:00:49 UTC 
Posted the nsa selinux list.  on try 3 hopefully i fixed all the problems...
Comment 5 Eric Paris 2006-07-11 13:50:16 UTC 
committed in 2.6.18 (but after rc1).  Will post a follow up to correct security
checks today.
Comment 6 Bill Nottingham 2006-07-11 16:57:04 UTC 
Do you know what -gitX (and therefore what built kernel) has these fixes?
Comment 7 Eric Paris 2006-07-11 17:09:49 UTC 
patch-2.6.18-rc1-git4.bz2 is where it first appears.
Comment 8 Bill Nottingham 2006-07-13 15:47:17 UTC 
Seems to work for me with -2380.