On Fri, 2008-12-12 at 20:26 +1100, James Morris wrote:
> On Fri, 12 Dec 2008, Alexey Dobriyan wrote:
>
> > Yes, please, someone test it.
>
> Still getting avc denials:
>
> avc: denied { mount } for pid=2308 comm="dhclient" name="/"
> dev=proc/net ino=4026531842
> scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
> type=SYSCALL msg=audit(1229073699.174:53): arch=c000003e syscall=2
> success=no exit=-2 a0=45bef7 a1=80000 a2=1b6 a3=7f296e71c6f0
> items=0 ppid=2259 pid=2308 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="dhclient"
> exe="/sbin/dhclient"
> subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
> It seems the problem is that the /proc/net mountpoint is now labeled as
> proc_t.
No, that's a check against the filesystem (superblock) label, not the mountpoint directory. proc_net_follow_link() creates a new mount, so we end up hitting security_sb_kern_mount() => selinux_sb_kern_mount() and triggering this permission check in the context of the current process on what is supposed to be a kernel-internal mount of /proc/net. Maybe pass flags down to security_sb_kern_mount() and skip the check in the MS_KERNMOUNT case?

--
Stephen Smalley
National Security Agency
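The denial James quotes, parsed and correlated with its SYSCALL record, as an added example (not code from the thread or from the kernel). It assumes the two records are in audit.log form and share one audit serial; the sample values are reconstructed from the mail.

```python
import re

# Constructed audit.log sample from the values quoted in the thread (wrapping undone).
SAMPLE = [
    'type=AVC msg=audit(1229073699.174:53): avc: denied { mount } for pid=2308 '
    'comm="dhclient" name="/" dev=proc/net ino=4026531842 scontext=unconfined_u:'
    'system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem',
    'type=SYSCALL msg=audit(1229073699.174:53): arch=c000003e syscall=2 success=no exit=-2 '
    'a0=45bef7 a1=80000 a2=1b6 a3=7f296e71c6f0 items=0 ppid=2259 pid=2308 auid=0 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="dhclient" '
    'exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)',
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """key=value fields of one record; AVC records also get 'decision' and 'perms'."""
    rec = {}
    m = SERIAL_RE.search(line)
    if m:
        rec['serial'] = int(m.group(1))
    m = AVC_RE.search(line)
    if m:
        rec['decision'], rec['perms'] = m.group(1), set(m.group(2).split())
        line = line[:m.start()] + line[m.end():]  # strip the non key=value clause
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Type component of a user:role:type[:range] SELinux context."""
    return ctx.split(':')[2]

def proc_net_mount_denials(lines):
    """Join AVC/SYSCALL records by serial; summarise each filesystem:mount denial on /proc/net."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec.get('serial'), []).append(rec)
    out = []
    for recs in events.values():
        avc = next((r for r in recs if r.get('type') == 'AVC'), None)
        sc = next((r for r in recs if r.get('type') == 'SYSCALL'), {})
        if (avc and avc.get('decision') == 'denied' and avc.get('tclass') == 'filesystem'
                and 'mount' in avc['perms'] and avc.get('dev') == 'proc/net'
                and context_type(avc['tcontext']) == 'proc_t'):
            out.append('%s (%s) denied filesystem:mount on dev=%s, syscall=%s exit=%s' % (
                avc['comm'], context_type(avc['scontext']), avc['dev'],
                sc.get('syscall', '?'), sc.get('exit', '?')))
    return out
```

The match confirms what the thread describes: the subject is dhcpc_t, the target is the proc_t superblock of the /proc/net mount, and the syscall that triggered it was an open, not a mount.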