Bug 1135683 - RFE: AVC's for unlabeled_t objects should show the bad label if it exists
Summary: RFE: AVC's for unlabeled_t objects should show the bad label if it exists
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Ondrej Mosnacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-30 10:05 UTC by Daniel Walsh
Modified: 2019-01-30 13:35 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1670039
Environment:
Last Closed: 2019-01-26 08:21:07 UTC
Type: Bug
Embargoed:



Description Daniel Walsh 2014-08-30 10:05:32 UTC
When we get an AVC about an unlabeled_t file, we don't know if it is a file without a label or a file with a bad label. It would be great if the kernel would actually tell us what the bad security context is. Then we might have a clue what is going on.

Would it be a huge problem to add a field to the AVC that indicated what the label was in addition to unlabeled_t?

We are seeing some random unlabeled_t errors, and we can't really diagnose what is going on because we don't know what the undefined label is, or if there is no label at all.

ucon=""  or ucon="system_u:object_r:nolonger_exists_t:s0"

Comment 2 Ondrej Mosnacek 2019-01-18 10:09:16 UTC
Posted a patch to add this enhancement upstream:

https://lore.kernel.org/selinux/20190118100429.11703-1-omosnace@redhat.com/T/

Comment 3 Ondrej Mosnacek 2019-01-26 08:21:07 UTC
After a few respins, the patch is now staged in selinux-next for kernel v5.1:

https://github.com/SELinuxProject/selinux-kernel/commit/fede148324c34360ce8c30a9a5bdfac5574b2a59

