Hi Junjiro,

> "jon bird":
>> See below for info:
>
> Thanx.
>
>> As described above. You obviously need an SELinux enabled system, with the
>> policy tools. I have a very basic security policy which I can supply for
>> testing with this if necessary.
>
> Would you describe more about the very basic security policy?
> Does it support aufs? How is your "seinfo --fs_use"?

Apologies, meant to answer that question yesterday. Our system is an embedded, highly cut-down build of Linux and, whilst we have the core policy tools deployed, seinfo is part of the SETools suite which we don't have available. It's possible I may be able to look at deploying it if we think it would be useful. However, from the manual pages it sounds very much like it would dump out the file system information similar to the following, which is generated by the kernel during boot:
SELinux: Setting up existing superblocks.
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), not configured for labeling
SELinux: initialized (dev aio, type aio), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev sdb2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev sdb3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
SELinux: initialized (dev sda2, type fuseblk), not configured for labeling

As you can see, most of them support labelling via some mechanism.

Regarding the basic security policy, of itself it doesn't really do much at all other than allow everything to run "unconfined", i.e. no restrictions on anything; it runs as per a normal Linux system. I've then been creating a simple test application and attempting to get my head around applying a simple policy for it.
The point is that you need a policy to start with, even if, like mine, it doesn't do anything, in order to start using the SELinux tools. The basic approach I've adopted is:

1. Copy the policy to /etc/selinux/targeted
2. Load the policy: load_policy
3. Re-label the file systems, e.g. restorecon -R /

At this point, doing an 'ls -Z' you can see the labels that have been applied to the file system - examples of that in my earlier post. My belief is that if the file attributes show up as "unlabelled" then this labelling has not been applied or is not supported on the file system. Under those circumstances, SELinux will then deny access to it if any kind of restricted policy is applied. This is what I see with aufs mounts - I'm also seeing it with device files (under /dev) which, from my earlier listing, you'll see are also showing as not configured for labeling. I'm currently investigating that one.

Rgs,
Jon.
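A small diagnostic for the situation described in the message above, added here as an example and not taken from the thread: it parses the kernel's "SELinux: initialized" boot lines to list the filesystem types SELinux could not set up labeling for, and scans an ls -Z listing for unlabeled_t entries. Both sample inputs are constructed; the aufs boot line and the ls -Z column layout are assumptions, since the message does not show them.

```shell
#!/bin/sh
# Added example (not from the original thread). Parses the kernel's
# "SELinux: initialized (dev X, type Y), <mechanism>" boot lines and
# ls -Z output to find filesystems and files a restrictive policy would deny.
# On a live system feed it `dmesg | grep '^SELinux:'` and `ls -Z` output.

# Constructed from the lines quoted in the message; the aufs line is an
# assumption added to mirror the behaviour described (aufs shows unlabeled).
SAMPLE_DMESG='SELinux: Setting up existing superblocks.
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev sdb2, type ext3), uses xattr
SELinux: initialized (dev sda2, type fuseblk), not configured for labeling
SELinux: initialized (dev aufs, type aufs), not configured for labeling'

# Constructed ls -Z sample; the column layout (perms user group context
# path) is an assumption, since the message does not show its listing.
SAMPLE_LS_Z='-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/passwd
crw-rw-rw- root root system_u:object_r:unlabeled_t:s0 /dev/null
-rw-r--r-- root root system_u:object_r:unlabeled_t:s0 /mnt/aufs/file'

# Emit one "dev type mechanism" line per initialized superblock.
selinux_fs_table() {
    printf '%s\n' "$1" | sed -n \
        's/^SELinux: initialized (dev \([^,]*\), type \([^)]*\)), \(.*\)$/\1 \2 \3/p'
}

# Filesystem types SELinux could not set up labeling for: files on them
# appear as unlabeled_t, and a restrictive policy will deny access to them.
selinux_unlabeled_types() {
    selinux_fs_table "$1" | grep ' not configured for labeling$' \
        | cut -d' ' -f2 | sort -u
}

# Paths from an ls -Z listing whose context type is unlabeled_t.
ls_z_unlabeled() {
    printf '%s\n' "$1" | awk '$4 ~ /:unlabeled_t(:|$)/ { print $NF }'
}

# Stand-alone run: report both views.
echo "Filesystem types without labeling support:"
selinux_unlabeled_types "$SAMPLE_DMESG"
echo "Unlabeled files in listing:"
ls_z_unlabeled "$SAMPLE_LS_Z"
```

Any type reported by the first function is one where restorecon cannot help, because the kernel never set up a labeling mechanism for that superblock.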