Bug 181782 - mkswap should automatically add selinux label to swapfile
Summary: mkswap should automatically add selinux label to swapfile
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: FC5Blocker
 
Reported: 2006-02-16 15:38 UTC by Daniel Walsh
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-08 17:08:44 UTC
Type: ---
Embargoed:



Description Daniel Walsh 2006-02-16 15:38:40 UTC
Description of problem:
When selinux is enabled using a swap file will fail unless the file is labeled
swapfile_t.

Comment 1 Fabio Comolli 2006-02-16 17:52:13 UTC
Actually it is not enough. After labeling the problem remains:

[root@kepler ~]# ls -Z /swapfile
-rw-r--r--  root     root     system_u:object_r:swapfile_t     /swapfile

the warning in dmesg is still there:

audit(1140109455.801:6): avc:  denied  { read } for  pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140109455.810:7): avc:  denied  { write } for  pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file


Comment 2 Daniel Walsh 2006-02-21 23:38:49 UTC
Fixed policy errors in 2.2.19-2, but still need mkswap to label correctly.

Comment 3 Karel Zak 2006-02-22 14:38:10 UTC
# ls -Z ~/swapfile
-rw-r--r--  root     root                                      /root/swapfile

# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB

# ls -Z ~/swapfile
-rw-r--r--  root     root     swapfile_t                       /root/swapfile

The patch will be available in the util-linux >= 2.13-0.16 package.

Comment 4 Steve Grubb 2006-03-07 22:41:37 UTC
This patch is broken. If selinux is disabled, it still tries to label. I'd
suggest adding "&& is_selinux_enabled()" to the if statement doing the S_ISREG().

I also get an error saying "unable to relabel file to swap_t: invalid argument".
Still looking into where this is coming from. You might look at newrole or
fixfiles for example relabeling code. I have a suspicion that simply feeding it
the type is not enough, a full context has to be computed.

The patch also needs #ifdef HAVE_LIBSELINUX added around the selinux pieces.

Comment 5 Karel Zak 2006-03-07 23:31:07 UTC
It works, and it should work if selinux is disabled (my box with selinux=0 in
grub.conf):

# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB

# ls -Z ~/swapfile
-rw-r--r--  root     root     swapfile_t                       /root/swapfile

# getenforce
Disabled

I think setting a label (xattr) on a file is independent of the selinux mode. The patch is
based on code from setfiles and restorecon from policycoreutils, where all is
done by lsetfilecon().

I have no idea if we need something like security_compute_relabel(). Daniel?


Comment 6 Steve Grubb 2006-03-07 23:39:28 UTC
This is on my system:

[root ~]# !dd
dd if=/dev/zero of=fs/swap bs=1024 count=8192
8192+0 records in
8192+0 records out
8388608 bytes (8.4 MB) copied, 0.191322 seconds, 43.8 MB/s
[root ~]# mkswap fs/swap
Setting up swapspace version 1, size = 8384 kB
mkswap: unable to relabel fs/swap to swapfile_t: Invalid argument
[root ~]# rpm -q util-linux
util-linux-2.13-0.16


Comment 7 Karel Zak 2006-03-08 00:07:45 UTC
Ah.. I probably found a solution in the chcon command code. I have to compute
the context, and swapfile_t should be only the "type" part of the context. Steve, thanks!

Comment 8 Steve Grubb 2006-03-08 13:52:27 UTC
Thanks for looking at this. Adding to FC5 blocker since installer may need this.

Comment 9 Karel Zak 2006-03-08 17:08:44 UTC
Fixed (util-linux-2.13-0.17).

$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak     kzak     user_u:object_r:tmp_t            /tmp/swapfile
$ ./mkswap /tmp/swapfile
Setting up swapspace version 1, size = 6705 kB
$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak     kzak     user_u:object_r:swapfile_t       /tmp/swapfile


Comment 10 Steve Grubb 2006-03-08 17:52:53 UTC
OK, I just checked it and it works much better. One last question...in the
fprintf() error messages, do you need to add the _( ) stuff for
internationalization?

Thanks for fixing this!


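The fix the thread converges on (comments 4, 6, 7 and 9), written out as an added example for this page rather than the util-linux patch itself: a bare "swapfile_t" handed to the setfilecon family is rejected with EINVAL because the API expects a full "user:role:type[:level]" context, so the type has to be substituted into the file's existing context; the relabel is skipped when SELinux is disabled, and every libselinux call sits under a HAVE_LIBSELINUX guard. The macro name HAVE_LIBSELINUX, the helper names and the sample contexts in the comments are this example's own assumptions, not util-linux code.

```c
/*
 * Added example for this bug thread, not the util-linux patch itself: how
 * mkswap can label a regular swap file under SELinux.
 *  - lsetfilecon()/fsetfilecon() want a full "user:role:type[:level]"
 *    context; a bare "swapfile_t" fails with EINVAL (comment 6), so the
 *    type is swapped into the file's current context (comment 7).
 *  - The relabel is skipped when SELinux is disabled (comment 4), and the
 *    libselinux calls are compiled only under HAVE_LIBSELINUX.
 * Assumptions: HAVE_LIBSELINUX as the macro name, the helper names and the
 * sample contexts in the comments are this example's own.
 *   cc -DHAVE_LIBSELINUX mkswap_label.c -lselinux   (with libselinux)
 *   cc mkswap_label.c                               (labeling becomes a no-op)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#endif

/*
 * Rewrite the type field of an SELinux context string:
 *   "user_u:object_r:tmp_t"      -> "user_u:object_r:swapfile_t"
 *   "system_u:object_r:tmp_t:s0" -> "system_u:object_r:swapfile_t:s0"
 * Returns 0 on success; -1 with errno=EINVAL when ctx is not a full
 * context (fewer than three ':'-separated fields), or ENAMETOOLONG
 * when the result does not fit in out.
 */
int replace_context_type(const char *ctx, const char *type,
                         char *out, size_t outlen)
{
    const char *p1 = strchr(ctx, ':');                 /* end of user   */
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;  /* end of role   */
    if (!p1 || !p2 || strchr(type, ':')) {
        errno = EINVAL;
        return -1;
    }
    const char *type_start = p2 + 1;
    const char *suffix = strchr(type_start, ':');      /* ":s0" or NULL */
    int n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(type_start - ctx), ctx, type, suffix ? suffix : "");
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/*
 * Label an open swap file as swapfile_t.  Returns 0 on success or when
 * there is nothing to do (not a regular file, SELinux disabled, already
 * labeled, built without libselinux); -1 with errno set on failure.
 */
int label_swapfile(int fd, const char *path)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;                      /* block devices carry no file label */
#ifdef HAVE_LIBSELINUX
    if (is_selinux_enabled() <= 0)
        return 0;                      /* comment 4: leave xattrs alone    */
    char *oldctx = NULL;
    if (fgetfilecon(fd, &oldctx) < 0)
        return -1;
    char newctx[256];
    int rc = replace_context_type(oldctx, "swapfile_t", newctx, sizeof newctx);
    if (rc == 0 && strcmp(oldctx, newctx) != 0) {
        rc = fsetfilecon(fd, newctx);  /* full context, not just the type */
        if (rc < 0)
            fprintf(stderr, "unable to relabel %s to swapfile_t: %s\n",
                    path, strerror(errno));
    }
    freecon(oldctx);
    return rc;
#else
    (void)path;
    return 0;
#endif
}

/* Stand-alone use: ./mkswap_label /path/to/swapfile */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s swapfile\n", argv[0]);
        return 2;
    }
    int fd = open(argv[1], O_RDWR);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    int rc = label_swapfile(fd, argv[1]);
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

libselinux's context_new()/context_type_set()/context_str() perform the same field edit, which is the route the chcon code mentioned in comment 7 takes; the example does it by hand so the string logic compiles and can be checked without libselinux. Two practical caveats follow from the thread: as comment 5 observes, the raw xattr can still be written with SELinux disabled, so the is_selinux_enabled() check, not a failing syscall, is what keeps mkswap from touching labels on such systems; and in enforcing mode the process must be allowed to relabel the file, otherwise fsetfilecon fails with EACCES and the message above is printed.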