From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <44BD2FF2.9050703@lanl.gov> Date: Tue, 18 Jul 2006 13:01:06 -0600 From: Ronald G Minnich User-Agent: Mozilla Thunderbird 1.0.8-1.1.fc4 (X11/20060501) MIME-Version: 1.0 To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [9fans] if you're looking for some fun, check out selinux ... Topicbox-Message-UUID: 82db5f72-ead1-11e9-9d60-3106f5b1d025 so, on FC5 I did a standard mount -o loop xyz /mnt cd /mnt/lib64 rm * rsync -av /lib64/* . rsync fails, you get kernel messages like this: system_u:object_r:unlabeled_t:s0 tclass=dir audit(1153270163.378:19): avc: denied { read } for pid=19059 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file audit(1153270198.018:20): avc: denied { read } for pid=19065 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file audit(1153270211.628:21): avc: denied { read } for pid=19067 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file audit(1153270220.558:22): avc: denied { read } for pid=19068 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file ah, what's it all mean? Well, there's an easy way to find out!You can see the necessary allow rules by running audit2why with this audit message as input. lots of barf like this: audit(1153270220.558:22): avc: denied { read } for pid=19068 comm="python" name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file Was caused by: Missing or disabled TE allow rule. Allow rules may exist but be disabled by boolean settings; check boolean settings. yee ha! OF course, it is easy to fix! dmesg | audit2allow allow mount_t unlabeled_t:filesystem { mount unmount }; allow semanage_t device_t:file read; allow semanage_t unlabeled_t:dir search; allow unlabeled_t fs_t:filesystem associate; and where does that go? well, that's a great question, thanks for asking! in /etc/selinux there is a bunch of stuff. The one you care about is this: /etc/linux/config, and before I got much further I noticed this: SELINUX=enforcing is in there, easy to fix, turn all this shit OFF! But, wow! Is this where we're all headed? I think I'm more and more motivated to move everything I can to plan 9 .... this selinux is less fun than a trip to the dentist. Plus, can you image the permutations of those rule sets over time? many and varied subtleties shall appear. It's really quite incredible. ron