Bug 390691 - mount should check selinux context on mount, and warn on file_t.
Summary: mount should check selinux context on mount, and warn on file_t.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux-ng
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-19 17:07 UTC by Daniel Walsh
Modified: 2008-07-01 13:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-01 13:12:36 UTC
Type: ---
Embargoed:


Attachments
proposed upstream patch (1.95 KB, patch)
2008-06-23 11:08 UTC, Karel Zak
patch v2 (1.92 KB, patch)
2008-06-25 14:49 UTC, Karel Zak

Description Daniel Walsh 2007-11-19 17:07:00 UTC
Description of problem:

Currently if I mount a file system without labels, it works fine, but later on
SELinux will start printing denials and stopping certain applications from
working. It would be nice if the mount command checked its SELinux mode.

if is_selinux_enabled() > 0
    if getfscon(ROOT) == file_t
        print "Warning: You just mounted a file system that supports labels
which does not contain labels, onto an SELinux box.  It is likely that confined
applications will generate AVC messages and not be allowed access to this file
system.  You can add labels to this file system by executing restorecon
MOUNTPOINT.  If you do not want to add labels to this file system, you should
mount the file system using one of the "context" options."

Comment 1 Karel Zak 2008-03-19 11:34:48 UTC
"getfscon" -- I can't find this function. Do you mean "getfilecon"?

Comment 2 Daniel Walsh 2008-03-19 12:28:04 UTC
Yes I mean getfilecon.



Comment 3 Bug Zapper 2008-05-14 03:56:20 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Karel Zak 2008-06-23 11:08:28 UTC
Created attachment 310018 [details]
proposed upstream patch

Dan, review this patch, please.

Comment 5 Daniel Walsh 2008-06-23 11:13:26 UTC
Steve, Eric?  Is there a better way to check if a file that supports extended
attributes/file_context is unlabeled, other than hard-coding a file_t check?

Comment 6 Stephen Smalley 2008-06-23 12:10:39 UTC
We shouldn't hardcode the type in the code.
You should be able to call security_get_initial_context("file", &fcon) to obtain
the default file context in fcon in the absence of an xattr, and then strcmp
against fcon.  Might also want to compare against ucon returned by
security_get_initial_context("unlabeled", &ucon) to test for a filesystem type
that doesn't support labeling.




Comment 7 Karel Zak 2008-06-25 14:49:08 UTC
Created attachment 310274 [details]
patch v2

The security_get_initial_context() based solution seems better. Stephen, Dan,
review a new version of the patch. Thanks.

Comment 8 Stephen Smalley 2008-06-30 14:39:30 UTC
I think you want the is_selinux_enabled() test to be > 0 so that it will fall
back on the non-SELinux code path if it cannot determine whether SELinux is
enabled, and I think you want the security_get_initial_context() test to be == 0
rather than > 0; I believe it returns only 0 or -1 for success/fail rather than
the actual length, unlike getfilecon.
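The check Stephen describes in comments 6 and 8, written out as an added example (this is not the util-linux patch attached to this bug, nor libselinux code). The decision logic is a pure function so it can be compiled and exercised without libselinux; the real mount-time check in check_mountpoint_label() is behind an assumed HAVE_LIBSELINUX guard (the same guard name util-linux uses) and relies on the return conventions stated in comment 8: is_selinux_enabled() is 1/0/-1, security_get_initial_context() is 0/-1, getfilecon() returns a length or -1. The sample contexts in the usage note and comments are constructed values.

```c
/* Added example, not code from this bug's patch. Build the real check with:
 *   cc -DHAVE_LIBSELINUX mount_label_check.c -lselinux
 * Without the define only the pure decision logic is compiled. */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>
#endif

enum label_state {
    LABEL_OK = 0,        /* mountpoint carries a real, persistent label      */
    LABEL_DEFAULT_FILE,  /* no xattr present: kernel "file" initial context  */
    LABEL_UNSUPPORTED,   /* fs cannot carry labels: "unlabeled" initial ctx  */
    LABEL_UNKNOWN        /* SELinux off, or status could not be determined   */
};

/* Pure decision logic. Instead of hard-coding "file_t", compare the context
 * found on the mountpoint against the kernel's initial contexts. A NULL
 * initial context means that lookup failed and is simply not matched. */
enum label_state classify_label(const char *mnt_con, const char *file_con,
                                const char *unlabeled_con)
{
    if (!mnt_con)
        return LABEL_UNKNOWN;
    if (file_con && strcmp(mnt_con, file_con) == 0)
        return LABEL_DEFAULT_FILE;
    if (unlabeled_con && strcmp(mnt_con, unlabeled_con) == 0)
        return LABEL_UNSUPPORTED;
    return LABEL_OK;
}

/* Warning text modelled on the one proposed in the bug description;
 * an empty string means nothing needs to be printed. */
const char *label_warning(enum label_state st)
{
    switch (st) {
    case LABEL_DEFAULT_FILE:
        return "the file system supports labels but contains none; confined "
               "applications will likely be denied access. Run restorecon on "
               "the mountpoint or mount with a \"context=\" option.";
    case LABEL_UNSUPPORTED:
        return "the file system does not support labels; mount with a "
               "\"context=\" option so confined applications can use it.";
    default:
        return "";
    }
}

/* The mount-time check itself. Returns LABEL_UNKNOWN whenever the caller
 * should fall back on the non-SELinux code path. */
enum label_state check_mountpoint_label(const char *mountpoint)
{
#ifdef HAVE_LIBSELINUX
    char *mnt_con = NULL, *file_con = NULL, *unlabeled_con = NULL;
    enum label_state st;

    /* 1 = enabled, 0 = disabled, -1 = cannot tell; only > 0 means "on". */
    if (is_selinux_enabled() <= 0)
        return LABEL_UNKNOWN;
    /* getfilecon() returns the context length, or -1 on failure. */
    if (getfilecon(mountpoint, &mnt_con) < 0)
        return LABEL_UNKNOWN;
    /* security_get_initial_context() returns 0 on success, -1 on failure;
     * a failed lookup is skipped rather than treated as a match. */
    if (security_get_initial_context("file", &file_con) != 0)
        file_con = NULL;
    if (security_get_initial_context("unlabeled", &unlabeled_con) != 0)
        unlabeled_con = NULL;

    st = classify_label(mnt_con, file_con, unlabeled_con);

    freecon(mnt_con);
    freecon(file_con);       /* freecon(NULL) is a no-op, like free(NULL) */
    freecon(unlabeled_con);
    return st;
#else
    (void)mountpoint;
    return LABEL_UNKNOWN;
#endif
}

int main(int argc, char **argv)
{
    const char *mnt = argc > 1 ? argv[1] : "/mnt";
    enum label_state st = check_mountpoint_label(mnt);

    if (st == LABEL_DEFAULT_FILE || st == LABEL_UNSUPPORTED)
        fprintf(stderr, "mount: warning: %s\n", label_warning(st));
    return 0;
}
```

Run as `./a.out /mnt/usb` after a mount; with constructed contexts such as `system_u:object_r:file_t:s0` for "file" and `system_u:object_r:unlabeled_t:s0` for "unlabeled", a mountpoint labelled `file_t` is reported as LABEL_DEFAULT_FILE and one labelled `unlabeled_t` as LABEL_UNSUPPORTED, while any other context is accepted silently. Keeping the comparison in classify_label() means the policy's actual initial contexts drive the decision, so a policy that renames file_t needs no change here.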


Comment 9 Karel Zak 2008-07-01 11:55:38 UTC
(In reply to comment #8)
> I think you want the is_selinux_enabled() test to be > 0 so that it will
> fall

Uf... according to the libselinux source code you are right. This is pretty
strange behavior. The name of the function is "is_" -- it means a true/false
test.

I guess many applications use "if (is_selinux_enabled())" only.

Dan, can you fix the is_selinux_enabled.3 man page or the function to return
0/1 only? Thanks.

[Stephen, thanks for your review. I'm going to commit a fixed version to
upstream repository.]


