9fans - fans of the OS Plan 9 from Bell Labs
From: Ronald G Minnich <rminnich@lanl.gov>
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: [9fans] if you're looking for some fun, check out selinux ...
Date: Tue, 18 Jul 2006 13:01:06 -0600
Message-ID: <44BD2FF2.9050703@lanl.gov>


so, on FC5 I did a standard mount -o loop xyz /mnt
cd /mnt/lib64
rm *
rsync -av /lib64/* .

rsync fails, you get kernel messages like this:

system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1153270163.378:19): avc:  denied  { read } for  pid=19059
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270198.018:20): avc:  denied  { read } for  pid=19065
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270211.628:21): avc:  denied  { read } for  pid=19067
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270220.558:22): avc:  denied  { read } for  pid=19068
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file

ah, what's it all mean?

Well, there's an easy way to find out! You can see the necessary allow
rules by running audit2why with this audit message as input.

lots of barf like this:
audit(1153270220.558:22): avc:  denied  { read } for  pid=19068
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
         Was caused by:
                 Missing or disabled TE allow rule.
                 Allow rules may exist but be disabled by boolean
settings; check boolean settings.

yee ha!
Of course, it is easy to fix! dmesg | audit2allow
allow mount_t unlabeled_t:filesystem { mount unmount };
allow semanage_t device_t:file read;
allow semanage_t unlabeled_t:dir search;
allow unlabeled_t fs_t:filesystem associate;

and where does that go? well, that's a great question, thanks for asking!

in /etc/selinux there is a bunch of stuff. The one you care about is this:
/etc/linux/config, and before I got much further I noticed this:

SELINUX=enforcing
is in there, easy to fix, turn all this shit OFF!

But, wow! Is this where we're all headed? I think I'm more and more
motivated to move everything I can to plan 9 .... this selinux is less
fun than a trip to the dentist. Plus, can you imagine the permutations of
those rule sets over time? many and varied subtleties shall appear. It's
really quite incredible.

ron
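To show what `dmesg | audit2allow` is actually doing with the messages above, here is an added example (not part of the post, and not the real audit2allow): it re-joins the mailer-wrapped AVC records, pulls out the source type, target type, object class and permission set, and folds them into TE allow rules in the same form the post quotes. The sample input reuses the post's `semanage_t` denial and adds two constructed `mount_t` records so the merging of `{ mount unmount }` is visible; as audit2why's output reminds you, a boolean may already cover a denial, so that is the first thing to check before any generated rule is loaded.

```python
import re
from collections import defaultdict

# Constructed dmesg sample: the first record is the one quoted in the post
# (wrapped across lines by the mailer and preceded by an orphaned fragment);
# the two mount_t records are made up here to show permission merging.
SAMPLE_DMESG = """\
system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1153270163.378:19): avc:  denied  { read } for  pid=19059
comm="python" name="urandom" dev=tmpfs ino=1654
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270000.000:98): avc:  denied  { mount } for  pid=19001
comm="mount" scontext=root:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
audit(1153270001.000:99): avc:  denied  { unmount } for  pid=19002
comm="umount" scontext=root:system_r:mount_t:s0-s0:c0.c255
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
"""

# One AVC denial: the permission set in braces, then the two security
# contexts and the object class (target class) being accessed.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def join_records(text):
    """Re-join mailer-wrapped records: each one starts at 'audit(' and runs
    to the next; a leading fragment with no header is dropped."""
    parts = re.split(r"(?m)^(?=audit\()", text)
    return [" ".join(p.split()) for p in parts if p.startswith("audit(")]

def type_of(ctx):
    """user:role:type[:range] -> type, e.g. root:system_r:semanage_t:s0 -> semanage_t."""
    return ctx.split(":")[2]

def allow_rules(text):
    """Fold denials into audit2allow-style rules, one per (source, target, class),
    with the permissions from all matching records merged and sorted."""
    merged = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            merged[key] |= set(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Each rule this produces grants the denied access to every process of the source type, not just the one that tripped it, which is exactly how the rule-set growth the post complains about happens.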