Bug 181782 - mkswap should automatically add selinux label to swapfile
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: util-linux
Version: rawhide
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Karel Zak
QA Contact: Ben Levenson
Blocks: FC5Blocker
Reported: 2006-02-16 10:38 EST by Daniel Walsh
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-03-08 12:08:44 EST
Description Daniel Walsh 2006-02-16 10:38:40 EST
Description of problem:
When selinux is enabled, using a swap file will fail unless the file is labeled
swapfile_t.
Comment 1 Fabio Comolli 2006-02-16 12:52:13 EST
Actually it is not enough. After labeling the problem remains:

[root@kepler ~]# ls -Z /swapfile
-rw-r--r--  root     root     system_u:object_r:swapfile_t     /swapfile

the warning in dmesg is still there:

audit(1140109455.801:6): avc:  denied  { read } for  pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
audit(1140109455.810:7): avc:  denied  { write } for  pid=2165 comm="swapon"
name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:swapfile_t:s0 tclass=file
Comment 2 Daniel Walsh 2006-02-21 18:38:49 EST
Fixed policy errors in 2.2.19-2, but still need mkswap to label correctly.
Comment 3 Karel Zak 2006-02-22 09:38:10 EST
# ls -Z ~/swapfile
-rw-r--r--  root     root                                      /root/swapfile

# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB

# ls -Z ~/swapfile
-rw-r--r--  root     root     swapfile_t                       /root/swapfile

The patch will be available in the util-linux >= 2.13-0.16 package.
Comment 4 Steve Grubb 2006-03-07 17:41:37 EST
This patch is broken. If selinux is disabled, it still tries to label. I'd
suggest adding "&& is_selinux_enabled()" to the if statement doing the S_ISREG().

I also get an error saying "unable to relabel file to swap_t: invalid argument".
Still looking into where this is coming from. You might look at newrole or
fixfiles for example relabeling code. I have a suspicion that simply feeding it
the type is not enough, a full context has to be computed.

The patch also needs #ifdef HAVE_LIBSELINUX added around the selinux pieces.
Comment 5 Karel Zak 2006-03-07 18:31:07 EST
It works, and it should work if selinux is disabled (my box with selinux=0 in
grub.conf):

# ./mkswap ~/swapfile
Setting up swapspace version 1, size = 67104 kB

# ls -Z ~/swapfile
-rw-r--r--  root     root     swapfile_t                       /root/swapfile

# getenforce
Disabled

I think setting a label (xattr) on a file is independent of the selinux mode. The
patch is based on code from setfiles and restorecon from policycoreutils, where
everything is done by lsetfilecon().

I have no idea if we need something like security_compute_relabel(). Daniel?
Comment 6 Steve Grubb 2006-03-07 18:39:28 EST
This is on my system:

[root ~]# !dd
dd if=/dev/zero of=fs/swap bs=1024 count=8192
8192+0 records in
8192+0 records out
8388608 bytes (8.4 MB) copied, 0.191322 seconds, 43.8 MB/s
[root ~]# mkswap fs/swap
Setting up swapspace version 1, size = 8384 kB
mkswap: unable to relabel fs/swap to swapfile_t: Invalid argument
[root ~]# rpm -q util-linux
util-linux-2.13-0.16
Comment 7 Karel Zak 2006-03-07 19:07:45 EST
Ah.. I probably found a solution in the chcon command code. I have to compute
the context, and swapfile_t should be only the "type" part of the context. Steve, thanks!
Comment 8 Steve Grubb 2006-03-08 08:52:27 EST
Thanks for looking at this. Adding to FC5 blocker since installer may need this.
Comment 9 Karel Zak 2006-03-08 12:08:44 EST
Fixed (util-linux-2.13-0.17).

$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak     kzak     user_u:object_r:tmp_t            /tmp/swapfile
$ ./mkswap /tmp/swapfile
Setting up swapspace version 1, size = 6705 kB
$ ls -Z /tmp/swapfile
-rw-rw-r--  kzak     kzak     user_u:object_r:swapfile_t       /tmp/swapfile
Comment 10 Steve Grubb 2006-03-08 12:52:53 EST
OK, I just checked it and it works much better. One last question...in the
fprintf() error messages, do you need to add the _( ) stuff for
internationalization?

Thanks for fixing this!
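
Comments 4 and 7 settle on three points: label only when SELinux is enabled, guard the SELinux pieces with HAVE_LIBSELINUX, and keep the file's existing context while replacing only its type part with swapfile_t. The C code below is an added example of that approach, not the util-linux patch (which this page does not show). The names `context_with_type` and `label_swapfile` are hypothetical, and it assumes the `user:role:type[:range]` context layout seen in the `ls -Z` and audit output above.

```c
#include <stdio.h>
#include <string.h>

/* Build "user:role:<new_type>[:range]" from an existing full context.
 * Returns 0 on success, -1 if cur is not a full context (for example a
 * bare type such as "swapfile_t") or if out is too small. */
int context_with_type(const char *cur, const char *new_type,
                      char *out, size_t outlen)
{
    const char *c1, *c2, *rest;
    int n;

    if (!cur || !new_type || !*new_type || strchr(new_type, ':'))
        return -1;
    c1 = strchr(cur, ':');                 /* colon after user */
    if (!c1 || c1 == cur)
        return -1;
    c2 = strchr(c1 + 1, ':');              /* colon after role */
    if (!c2 || c2 == c1 + 1 || c2[1] == '\0' || c2[1] == ':')
        return -1;
    rest = strchr(c2 + 1, ':');            /* optional MLS range, kept as is */
    if (!rest)
        rest = "";
    n = snprintf(out, outlen, "%.*s%s%s", (int)(c2 + 1 - cur), cur,
                 new_type, rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef HAVE_LIBSELINUX  /* assumption: set by the build, as Comment 4 asks */
#include <selinux/selinux.h>
#include <sys/stat.h>

/* Hypothetical helper: relabel a regular file only when SELinux is enabled. */
int label_swapfile(const char *path)
{
    struct stat st;
    char *cur, buf[512];
    int rc = -1;
    if (lstat(path, &st) < 0)
        return -1;
    if (is_selinux_enabled() <= 0 || !S_ISREG(st.st_mode))
        return 0;                          /* SELinux off or not a regular file */
    if (lgetfilecon(path, &cur) < 0)
        return -1;
    if (context_with_type(cur, "swapfile_t", buf, sizeof(buf)) == 0)
        rc = lsetfilecon(path, buf);       /* full context, not a bare type */
    freecon(cur);
    return rc;
}
#endif
```

Built without HAVE_LIBSELINUX, only the string helper is compiled; with it, link against libselinux.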
