See below for info:

>
>
>> That said, I did start having a bit of an explore as to where the
>> message
>> "not configured for labeling" was coming from. As best I can fathom it's
>> from within security/selinux/hooks.c and there is a block of code which
>> is
>> as follows:
>>
>>      if (!sbsec->behavior) {
>       :::
>> The message itself is emitted based on the value of 'sbsec->behavior'
>> which I think should (may?) be SECURITY_FS_USE_XATTR.
>
> Ok, then when and who should set a correct value to sbsec->behavior?
> More info about your system will be necessary for further investigation.
> Next time you post, please include this info.
>
> ----------------------------------------
> (from aufs README file)
> - /proc/mounts (instead of the output of mount(8))

/dev/root / ext3 rw,seclabel,relatime,barrier=1,data=ordered 0 0
devtmpfs /dev devtmpfs rw,relatime,size=511576k,nr_inodes=127894,mode=755 0 0
none /proc proc rw,relatime 0 0
none /tmp tmpfs rw,seclabel,relatime,size=20480k 0 0
none /sys sysfs rw,seclabel,relatime 0 0
none /sys/fs/selinux selinuxfs rw,relatime 0 0
none /run tmpfs rw,seclabel,relatime,size=1024k,mode=755 0 0
etc /etc tmpfs rw,seclabel,relatime 0 0
var /var tmpfs rw,seclabel,relatime 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
/dev/sdb3 /opt2 ext3 rw,seclabel,noatime,errors=continue,user_xattr,barrier=1,data=ordered 0 0
none /tmp/cores tmpfs rw,seclabel,relatime 0 0
none /proc/fs/nfsd nfsd rw,relatime 0 0
/dev/sda2 /recorder fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
unionfs /mnt aufs rw,relatime,si=c6a71fb6 0 0

> - /sys/module/aufs/*

--w-------    1 root     root          4096 May  6 08:00 /sys/module/aufs/uevent
-r--r--r--    1 root     root          4096 May  6 08:00 /sys/module/aufs/version

/sys/module/aufs/parameters:
drwxr-xr-x    2 root     root             0 May  6 08:00 .
drwxr-xr-x    3 root     root             0 May  6 08:00 ..
-r--r--r--    1 root     root          4096 May  6 08:00 allow_userns
-r--r--r--    1 root     root          4096 May  6 08:00 brs

> - /sys/fs/aufs/* (if you have them)

drwxr-xr-x    2 root     root             0 May  6 08:02 .
drwxr-xr-x    3 root     root             0 May  6 08:02 ..
-r--r--r--    1 root     root          4096 May  6 08:02 br0
-r--r--r--    1 root     root          4096 May  6 08:02 br1
-r--r--r--    1 root     root          4096 May  6 08:02 brid0
-r--r--r--    1 root     root          4096 May  6 08:02 brid1
-r--r--r--    1 root     root          4096 May  6 08:02 xi_path

> - /debug/aufs/* (if you have them)

I don't have this.

> - linux kernel version

Linux sdr 3.16.57 #2 SMP PREEMPT 2016-04-01 i686 GNU/Linux

>   if your kernel is not plain, for example modified by distributor,
>   the url where i can download its source is necessary too.

Vanilla version from kernel.org

> - aufs version which was printed at loading the module or booting the
>   system, instead of the date you downloaded.

aufs 3.16-20150928

> - configuration (define/undefine CONFIG_AUFS_xxx)

CONFIG_AUFS_FS=y
CONFIG_AUFS_BRANCH_MAX_127=y
# CONFIG_AUFS_BRANCH_MAX_511 is not set
# CONFIG_AUFS_BRANCH_MAX_1023 is not set
# CONFIG_AUFS_BRANCH_MAX_32767 is not set
CONFIG_AUFS_SBILIST=y
# CONFIG_AUFS_HNOTIFY is not set
# CONFIG_AUFS_EXPORT is not set
CONFIG_AUFS_XATTR=y
# CONFIG_AUFS_FHSM is not set
# CONFIG_AUFS_RDU is not set
# CONFIG_AUFS_SHWH is not set
CONFIG_AUFS_BR_RAMFS=y
# CONFIG_AUFS_BR_FUSE is not set
CONFIG_AUFS_BDEV_LOOP=y
# CONFIG_AUFS_DEBUG is not set

> - kernel configuration or /proc/config.gz (if you have it)

Attached

> - LSM (linux security module, if you are using)

SELINUX

> - behaviour which you think to be incorrect

As per the original email, in the aufs mount the security label does not
appear to be copied up from the underlying branch; everything in the mount
is listed as "unlabeled", e.g.:

mount -t aufs -o rw,dirs=/tmp/test=rw:/bin=ro unionfs /mnt
root@sdr:/tmp ls -Z /bin
-rwxr-xr-x system_u:object_r:bin_t          ash
-rwxr-xr-x system_u:object_r:bin_t          base64
-rwxr-xr-x system_u:object_r:bin_t          cat
-rwxr-xr-x system_u:object_r:bin_t          chattr
-rwxr-xr-x system_u:object_r:bin_t          chgrp
...

root@sdr:/tmp ls -Z /mnt
-rwxr-xr-x system_u:object_r:unlabeled_t    ash
-rwxr-xr-x system_u:object_r:unlabeled_t    base64
-rwxr-xr-x system_u:object_r:unlabeled_t    cat
-rwxr-xr-x system_u:object_r:unlabeled_t    chattr
-rwxr-xr-x system_u:object_r:unlabeled_t    chgrp
-rwxr-xr-x system_u:object_r:unlabeled_t    chmod

I would expect (I think!) that the type should be "bin_t" rather than
"unlabeled_t".

In addition, when the mount is performed the following is logged by the
kernel:

SELinux: initialized (dev aufs, type aufs), not configured for labeling

Which again may or may not be relevant.

> - actual operation, reproducible one is better

As described above. You obviously need an SELinux-enabled system, with the
policy tools. I have a very basic security policy which I can supply for
testing with this if necessary.

Rgs,

Jon.

Attachment: kernelconfig-3.16.57.gz
Description: application/gzip
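A quick check that makes the symptom above visible from /proc/mounts alone: every filesystem SELinux has set up for labeling carries the "seclabel" mount option, and the aufs mount in the report is the one real filesystem that lacks it, matching the "not configured for labeling" message. This is an added example, not code from the thread or from aufs; the sample mount table is constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example (not from the original thread or the aufs project): list every
# mount whose options lack the SELinux "seclabel" flag. A missing "seclabel"
# means the LSM did not configure a labeling behaviour for that superblock,
# which is what "not configured for labeling" reports and why files under such
# a mount show up as unlabeled_t.

# Sample /proc/mounts content, constructed from the report above.
SAMPLE_MOUNTS='/dev/root / ext3 rw,seclabel,relatime,barrier=1,data=ordered 0 0
none /proc proc rw,relatime 0 0
/dev/sdb3 /opt2 ext3 rw,seclabel,noatime,errors=continue,user_xattr,barrier=1,data=ordered 0 0
/dev/sda2 /recorder fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
unionfs /mnt aufs rw,relatime,si=c6a71fb6 0 0'

# Print "fstype mountpoint" for each mount without seclabel in its options.
# Pseudo filesystems such as proc also appear here; those are labeled by
# policy genfscon rules rather than xattrs, so their absence of seclabel is
# expected. The line to worry about is a disk or union filesystem like aufs.
mounts_missing_seclabel() {
    printf '%s\n' "$1" | awk '
        {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "seclabel") found = 1
            if (!found) print $3, $2
        }'
}

# On a live system run: mounts_missing_seclabel "$(cat /proc/mounts)"
mounts_missing_seclabel "$SAMPLE_MOUNTS"
```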
