Bug 390691 - mount should check selinux context on mount, and warn on file_t.
Product: Fedora
Classification: Fedora
Component: util-linux-ng
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Karel Zak
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-19 12:07 EST by Daniel Walsh
Modified: 2008-07-01 09:12 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-07-01 09:12:36 EDT

Attachments:
proposed upstream patch (1.95 KB, patch)
2008-06-23 07:08 EDT, Karel Zak
patch v2 (1.92 KB, patch)
2008-06-25 10:49 EDT, Karel Zak

Description Daniel Walsh 2007-11-19 12:07:00 EST
Description of problem:

Currently if I mount a file system without labels, it works fine, but later on
SELinux will start printing denials and stopping certain applications from
working. It would be nice if the mount command checked its selinux mode.

if is_selinux_enabled() > 0
    if getfscon(ROOT) == file_t
          print "Warning: You just mounted a file system that supports labels
which does not contain labels, onto an SELinux box.  It is likely that confined
applications will generate AVC messages and not be allowed access to this file
system.  You can add labels to this file system by executing restorecon
MOUNTPOINT.  If you do not want to add labels to this file system, you should
mount the file system using one of the "context" options."
Comment 1 Karel Zak 2008-03-19 07:34:48 EDT
"getfscon" -- I can't find this function. Do you mean "getfilecon"?
Comment 2 Daniel Walsh 2008-03-19 08:28:04 EDT
Yes I mean getfilecon.

Comment 3 Bug Zapper 2008-05-13 23:56:20 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 4 Karel Zak 2008-06-23 07:08:28 EDT
Created attachment 310018 [details]
proposed upstream patch

Dan, review this patch, please.
Comment 5 Daniel Walsh 2008-06-23 07:13:26 EDT
Steve, Eric?  Is there a better way to check if a file that supports extended
attributes/file_context is unlabeled, other than hard-coding a file_t check?
Comment 6 Stephen Smalley 2008-06-23 08:10:39 EDT
We shouldn't hardcode the type in the code.
You should be able to call security_get_initial_context("file", &fcon) to obtain
the default file context in fcon in the absence of an xattr, and then strcmp
against fcon.  Might also want to compare against ucon returned by
security_get_initial_context("unlabeled", &ucon) to test for a filesystem type
that doesn't support labeling.

Comment 7 Karel Zak 2008-06-25 10:49:08 EDT
Created attachment 310274 [details]
patch v2

The security_get_initial_context() based solution seems better. Stephen, Dan,
review a new version of the patch. Thanks.
Comment 8 Stephen Smalley 2008-06-30 10:39:30 EDT
I think you want the is_selinux_enabled() test to be > 0 so that it will fall
back on the non-SELinux code path if it cannot determine whether SELinux is
enabled, and I think you want the security_get_initial_context() test to be == 0
rather than > 0; I believe it returns only 0 or -1 for success/fail rather than
the actual length, unlike getfilecon.
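The check discussed in comments 6 and 8, written out as an added example (not Karel's patch and not libselinux itself): the three libselinux calls are modelled in Python on top of the selinuxfs files and the security.selinux xattr they read, so the two return-value pitfalls from comment 8 can be tested. The function names, the result strings and the injectable getcon hook are this example's own assumptions.

```python
import os

SELINUXFS = "/sys/fs/selinux"  # security_get_initial_context() reads initial_contexts/<name> here

def is_selinux_enabled(selinuxfs=SELINUXFS):
    """Three-way result like libselinux: 1 enabled, 0 disabled, -1 undetermined
    (simplified: no selinuxfs -> 0, selinuxfs without a readable 'enforce' -> -1)."""
    if not os.path.isdir(selinuxfs):
        return 0
    return 1 if os.access(os.path.join(selinuxfs, "enforce"), os.R_OK) else -1

def get_initial_context(name, selinuxfs=SELINUXFS):
    """security_get_initial_context() equivalent for initial SID <name> ('file',
    'unlabeled'). Returns (0, ctx) or (-1, None): success/failure only, no length."""
    try:
        with open(os.path.join(selinuxfs, "initial_contexts", name)) as fh:
            return 0, fh.read().rstrip("\0\n")
    except OSError:
        return -1, None

def getfilecon(path):
    """getfilecon() equivalent: the security.selinux xattr, or None if absent."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None

def classify_mount(mountpoint, selinuxfs=SELINUXFS, getcon=getfilecon):
    """What mount should conclude about a freshly mounted filesystem's root."""
    if is_selinux_enabled(selinuxfs) <= 0:  # '> 0', not truthiness: -1 must take
        return "no-selinux"                 # the non-SELinux path (comment 8)
    rc, fcon = get_initial_context("file", selinuxfs)
    if rc != 0:                             # '== 0' means success, not '> 0'
        return "no-selinux"
    rc, ucon = get_initial_context("unlabeled", selinuxfs)
    con = getcon(mountpoint)
    if con is None or (rc == 0 and con == ucon):
        return "unlabeled-fs"     # fs type cannot carry labels; nothing to restore
    if con == fcon:
        return "labels-missing"   # xattr-capable fs mounted without labels (file_t here)
    return "labeled"

def warn_if_unlabeled(mountpoint, **kw):
    """Print the warning proposed in the description only for 'labels-missing'."""
    state = classify_mount(mountpoint, **kw)
    if state == "labels-missing":
        print("Warning: %s supports labels but contains none; confined applications will be "
              "denied access. Run 'restorecon -R %s' or mount with a context= option." % (mountpoint, mountpoint))
    return state
```

Pointing selinuxfs at a constructed directory (as the assertions do) exercises all four outcomes without an SELinux kernel; on a real system the defaults read the live selinuxfs and xattr.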
Comment 9 Karel Zak 2008-07-01 07:55:38 EDT
(In reply to comment #8)
> I think you want the is_selinux_enabled() test to be > 0 so that it will
> fall

Uf... according to the libselinux source code you are right. This is pretty
strange behavior. The name of the function is "is_" -- it means true/false

I guess many applications use "if (is_selinux_enabled())" only.

Dan, can you fix the is_selinux_enabled.3 man page or the function to return
0/1 only? Thanks.

[Stephen, thanks for your review. I'm going to commit a fixed version to
upstream repository.]
