so, on FC5 I did a standard mount -o loop xyz /mnt
cd /mnt/lib64
rm *
rsync -av /lib64/* .

rsync fails, you get kernel messages like this:

system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1153270163.378:19): avc: denied { read } for pid=19059 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270198.018:20): avc: denied { read } for pid=19065 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270211.628:21): avc: denied { read } for pid=19067 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270220.558:22): avc: denied { read } for pid=19068 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file

ah, what's it all mean?

Well, there's an easy way to find out! You can see the necessary allow rules by running audit2why with this audit message as input.

lots of barf like this:
audit(1153270220.558:22): avc: denied { read } for pid=19068 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.

yee ha!
Of course, it is easy to fix! dmesg | audit2allow
allow mount_t unlabeled_t:filesystem { mount unmount };
allow semanage_t device_t:file read;
allow semanage_t unlabeled_t:dir search;
allow unlabeled_t fs_t:filesystem associate;

and where does that go? well, that's a great question, thanks for asking!

in /etc/selinux there is a bunch of stuff. The one you care about is this:
/etc/selinux/config, and before I got much further I noticed this:

SELINUX=enforcing
is in there, easy to fix, turn all this shit OFF!

But, wow! Is this where we're all headed? I think I'm more and more motivated to move everything I can to Plan 9 .... this SELinux is less fun than a trip to the dentist. Plus, can you imagine the permutations of those rule sets over time? Many and varied subtleties shall appear. It's really quite incredible.

ron
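As an added example (not part of Ron's post, and not the audit2allow tool itself), here is a shell function that does the parsing audit2allow does for the simple case: it reads AVC denial lines, pulls the source type out of scontext, the target type out of tcontext, the tclass and the permissions in braces, collapses duplicate denials and merges several permissions on the same (source, target, class) triple into one rule. The sample input is constructed: two of the urandom denials from the post, plus hypothetical semanage_t dir-search and mount_t mount/unmount denials (the pids, inodes and dev=loop0 values are made up) so the dir rule and the merged-permission rule from the audit2allow output above get exercised too.

```bash
#!/bin/bash
# Added example: a minimal audit2allow-style converter for AVC lines.
# Constructed sample input (the first two lines are from the post; the
# other three are hypothetical, with made-up pids/inodes/devices).
AVC_SAMPLE='audit(1153270163.378:19): avc: denied { read } for pid=19059 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270198.018:20): avc: denied { read } for pid=19065 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270230.100:23): avc: denied { search } for pid=19070 comm="python" name="lib64" dev=loop0 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1153270100.000:18): avc: denied { mount } for pid=19001 comm="mount" name="/" dev=loop0 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
audit(1153270400.000:24): avc: denied { unmount } for pid=19100 comm="umount" name="/" dev=loop0 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem'

# avc_to_allow: read AVC denial lines on stdin, write one TE allow rule per
# (source type, target type, class). Identical denials collapse into one
# rule; several permissions for one triple are merged into { p1 p2 }.
avc_to_allow() {
  awk '
    # A context is user:role:type[:mls]; the policy rule only needs the type.
    function type_of(ctx,   parts) {
      sub(/^[a-z]context=/, "", ctx)
      split(ctx, parts, ":")
      return parts[3]
    }
    /avc: *denied/ {
      perms = $0
      sub(/.*denied[ \t]*[{][ \t]*/, "", perms)   # keep text after "{"
      sub(/[ \t]*[}].*/, "", perms)               # drop text from "}" on
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^scontext=/) src = type_of($i)
        else if ($i ~ /^tcontext=/) tgt = type_of($i)
        else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed line, skip
      n = split(perms, p, /[ \t]+/)
      for (j = 1; j <= n; j++)
        if (p[j] != "") seen[src ":" tgt ":" cls ":" p[j]] = 1
    }
    END { for (k in seen) print k }
  ' | LC_ALL=C sort | awk -F: '
    # Group sorted src:tgt:cls:perm keys by triple and print one rule each.
    function emit(   k, n, dummy) {
      split(prev, k, ":")
      n = split(perms, dummy, " ")
      if (n == 1) printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], perms
      else        printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], perms
    }
    {
      key = $1 ":" $2 ":" $3
      if (key != prev) { if (prev != "") emit(); prev = key; perms = $4 }
      else perms = perms " " $4
    }
    END { if (prev != "") emit() }
  '
}

# demo: run the converter over the constructed sample.
demo() {
  printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
}

demo
```

Two things worth noticing in the output. First, the four identical urandom denials in the post become a single `allow semanage_t device_t:file read;`, which is why audit2allow's output is so much shorter than the dmesg spew. Second, the target type on the rsync side is unlabeled_t: the files copied into the loop image carry no SELinux label at all, so the denials are telling you the tree needs labels (relabel the mounted tree, or mount it with a context= option) rather than that the policy needs a blanket allow for unlabeled_t. If you do decide the generated rules are what you want, the normal route is to build and load them as a policy module (`audit2allow -M local < avc.log` followed by `semodule -i local.pp`) rather than editing anything under /etc/selinux by hand.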
