Hi! I wanted to help resolve bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211767
During some investigation I found that after mounting an ntfs partition, files have their context set to unlabeled_t. I downloaded selinux-policy.srpm and found these lines in policy/modules/kernel/filesystem.te:
#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
I thought "Great, I need a similar entry in my module!". I prepared this file:
[root@X ~]# cat ntfs3g.te
module ntfs3g 1.0;

require {
	class chr_file { getattr read write };
	class file execute_no_trans;
	type device_t;
	type dosfs_t;
	type mount_exec_t;
	type mount_t;
	role system_r;
};

genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
allow mount_t device_t:chr_file { getattr read write };
allow mount_t mount_exec_t:file execute_no_trans;
[root@X ~]#
As you can guess it does not compile ;-)
[root@X ~]# checkmodule -M -m -o ntfs3g.mod ntfs3g.te
checkmodule: loading policy configuration from ntfs3g.te
(unknown source)::ERROR 'syntax error' at token 'genfscon' on line 13:
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
checkmodule: error(s) encountered while parsing configuration
[root@X ~]#
What have I done wrong?
(FC6, selinux-policy-targeted-2.4.1-3.fc6)
Regards, Dawid
Joshua Brindle wrote, in reply to the message above from Dawid Gajownik:
Modules do not allow genfscon statements; the grammar of modules is a subset of the base policy grammar. Unfortunately you will have to add this entry to the base policy. Refpolicy's concept of a module may be a little misleading: it doesn't translate to each one being able to compile as a policy module, and there are several modules that are required to be part of base.
However, is this filesystem slated for the upstream kernel? If so it should be added to refpolicy anyway; it would get the nfs_t type though, instead of dosfs_t.
On 10/29/2006 05:16 PM, Joshua Brindle wrote:
> Modules do not allow genfscon statements, the grammar of modules is a subset of the base policy grammar.
Thanks for the clarification. I'll need to modify the selinux-policy SRPM then.
> However, is this filesystem slated for upstream kernel?
From what I read on the upstream project page¹, it will be merged into the ntfsprogs package. I don't know what will happen then with the ntfs module included in the kernel.
> If so it should be added to refpolicy anyway, it would get the nfs_t type though, instead of dosfs_t
nfs_t? Well, in the current policy the ntfs filesystem type is marked as dosfs_t, so I don't see a reason to mark ntfs-3g differently. ntfs-3g is "just" ntfs with write access² ;-)
Regards, Dawid
¹ http://www.linux-ntfs.org/
² http://wiki.linux-ntfs.org/doku.php?id=ntfs-3g
On 10/29/2006 05:37 PM, Dawid Gajownik wrote:
> > Modules do not allow genfscon statements, the grammar of modules is a subset of the base policy grammar.
> Thanks for the clarification. I'll need to modify the selinux-policy SRPM then.
Ugh, I must have found some weird bug or something. Applying the attached patch makes compilation fail with this message:
Compiling targeted base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/services/xserver.te:740:ERROR 'syntax error' at token 'ntfs-3g' on line 1002121:
genfscon ntfs / system_u:object_r:dosfs_t:s0
genfscon ntfs-3g / system_u:object_r:dosfs_t:s0
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.45484 (%install)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.45484 (%install)
[rpm-build@X selinux-policy-2.4.1]$
I've been modifying the selinux-policy-2.4.1-3.fc6.src.rpm package. It looks like checkmodule does not like the dash, because after removing this character from the patch (that is, s/ntfs-3g/ntfs3g/) compilation finishes cleanly.
What now? I would like to fix bug 211767 ASAP, because users are starting to turn off SELinux :(
Regards, Dawid
Joshua Brindle wrote, in reply to the message above from Dawid Gajownik:
Right, that's a hard fix I think; dashes aren't allowed in identifiers and they are treated specially for use in MLS ranges. Why are they putting a dash in a filesystem name anyway?
On 10/29/2006 06:33 PM, Joshua Brindle wrote:
> Right, that's a hard fix I think, dashes aren't allowed in identifiers and they are treated specially for use in MLS ranges..
Oh, that's really bad :( Without that line files on an ntfs-3g filesystem have the unlabeled_t type and I would need to give too many privileges to the mount_t domain.
So there is no hope to fix it in a clean way?
> Why are they putting a dash in a filesystem name anyway?
I don't know -- I'm not the creator of ntfs-3g ;-)
On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> So there is no hope to fix it in a clean way?
File it as a bug against checkpolicy.
On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> > So there is no hope to fix it in a clean way?
> File it as a bug against checkpolicy.
I looked at fixing this by changing genfscon to use user_identifier instead of identifier (they are the same except user_identifier includes "-"). This made checkpolicy generate a syntax error for all genfscon statements - I haven't tracked down what the problem is. The grammar still seems to be unambiguous.
I'll try to get back to it soon, but thought I would post this in case someone knows what the issue is off the top of their head.
Karl
On Tue, 2006-10-31 at 16:48 -0500, Karl MacMillan wrote:
> I looked at fixing this by changing genfscon to use user_identifier instead of identifier (they are the same except user_identifier includes "-"). This made checkpolicy generate a syntax error for all genfscon statements - I haven't tracked down what the problem is. The grammar still seems to be unambiguous.
Use "user_id" instead. Otherwise, you'll get a syntax error when the token is classified as an IDENTIFIER (first match) and the grammar says that it must be a USER_IDENTIFIER.
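The token-classification problem Stephen describes, together with the dash failure Dawid hit in the base-policy build earlier in the thread, can be reproduced with a toy scanner and parser. What follows is an added example, not code from this thread, from checkpolicy or from refpolicy: the token regexes are simplified assumptions standing in for checkpolicy's real IDENTIFIER and USER_IDENTIFIER rules, the security context is lexed as one token rather than as identifiers and colons, and the two sample lines are constructed from the failed build output with gen_context() already expanded. The matching discipline is the part that is faithful to flex: the longest match wins, and on a tie the rule listed first wins. Plain `ntfs` ties between both identifier rules and so is always an IDENTIFIER, which is why a grammar slot demanding USER_IDENTIFIER rejects every existing genfscon line, while `ntfs-3g` is longest-matched as USER_IDENTIFIER and so is rejected by the stock slot; a slot that accepts either token class (what Stephen's "user_id" suggestion amounts to) takes both.

```python
"""Toy model of the scanner/parser interaction discussed in the thread.

Added example, not code from the thread, checkpolicy or refpolicy. The token
patterns are simplified ASSUMPTIONS, not checkpolicy's real policy_scan.l
rules; the matching discipline (longest match, then first rule on a tie) is
how flex actually behaves.
"""
import re

# Ordered like rules in a flex .l file: on equal match length the earlier
# rule wins. ASSUMED simplified patterns: IDENTIFIER excludes '-',
# USER_IDENTIFIER allows it. CONTEXT lexes a whole security context as one
# token (a simplification; checkpolicy lexes identifiers and ':' separately).
TOKEN_RULES = [
    ("IDENTIFIER",      re.compile(r"[A-Za-z][A-Za-z0-9_]*")),
    ("USER_IDENTIFIER", re.compile(r"[A-Za-z][A-Za-z0-9_\-]*")),
    ("CONTEXT",         re.compile(r"[A-Za-z][A-Za-z0-9_]*(:[A-Za-z][A-Za-z0-9_]*){2,3}")),
    ("PATH",            re.compile(r"/\S*")),
    ("WS",              re.compile(r"\s+")),
]

def flex_tokenize(text):
    """Return [(token_type, lexeme), ...] using flex's discipline: at each
    position take the longest match; on a tie take the rule listed first."""
    pos, tokens = 0, []
    while pos < len(text):
        best = None                      # (length, -rule_index, type, lexeme)
        for idx, (ttype, rx) in enumerate(TOKEN_RULES):
            m = rx.match(text, pos)
            if m and m.end() > pos:
                cand = (m.end() - pos, -idx, ttype, m.group())
                if best is None or cand[:2] > best[:2]:
                    best = cand
        if best is None:
            raise SyntaxError("unexpected character %r at offset %d" % (text[pos], pos))
        if best[2] != "WS":
            tokens.append((best[2], best[3]))
        pos += best[0]
    return tokens

# Which token types the fstype slot of genfscon accepts under each grammar.
FSTYPE_GRAMMARS = {
    "identifier":      {"IDENTIFIER"},                     # stock grammar
    "user_identifier": {"USER_IDENTIFIER"},                # Karl's first attempt
    "user_id":         {"IDENTIFIER", "USER_IDENTIFIER"},  # Stephen's suggestion
}

def parse_genfscon(tokens, grammar):
    """Parse `genfscon <fstype> <path> <context>`; return the fstype lexeme
    or raise SyntaxError naming the rejected token, as checkpolicy does."""
    accepted = FSTYPE_GRAMMARS[grammar]
    if len(tokens) != 4:
        raise SyntaxError("genfscon needs 4 tokens, got %d" % len(tokens))
    keyword, fstype, path, context = tokens
    if keyword != ("IDENTIFIER", "genfscon"):
        raise SyntaxError("expected 'genfscon', got %r" % (keyword[1],))
    if fstype[0] not in accepted:
        raise SyntaxError("syntax error at token %r (lexed as %s, grammar wants %s)"
                          % (fstype[1], fstype[0], "|".join(sorted(accepted))))
    if path[0] != "PATH" or context[0] != "CONTEXT":
        raise SyntaxError("malformed genfscon: %r %r" % (path, context))
    return fstype[1]

def check_lines(lines, grammar):
    """Map each genfscon line to its accepted fstype or an 'ERROR: ...' string."""
    results = {}
    for line in lines:
        try:
            results[line] = parse_genfscon(flex_tokenize(line), grammar)
        except SyntaxError as err:
            results[line] = "ERROR: %s" % err
    return results

# Constructed sample input: the two lines from the failed base-policy build
# quoted in the thread, with gen_context() already expanded by m4.
SAMPLE_LINES = [
    "genfscon ntfs / system_u:object_r:dosfs_t:s0",
    "genfscon ntfs-3g / system_u:object_r:dosfs_t:s0",
]

if __name__ == "__main__":
    for grammar in FSTYPE_GRAMMARS:
        print("fstype slot accepts %s:" % "|".join(sorted(FSTYPE_GRAMMARS[grammar])))
        for line, result in check_lines(SAMPLE_LINES, grammar).items():
            print("  %-48s -> %s" % (line, result))
```

Running it prints the three grammars side by side: the stock slot takes `ntfs` and rejects `ntfs-3g`, the USER_IDENTIFIER-only slot does the reverse (Karl's "syntax error for all genfscon statements"), and the either-token slot takes both. The real build error in the thread reporting the whole lexeme 'ntfs-3g' as one token is consistent with longest-match lexing: the scanner did not stop at the dash, the parser simply did not accept the token class it was handed.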
On 10/31/2006 06:49 PM, Stephen Smalley wrote:
> > So there is no hope to fix it in a clean way?
> File it as a bug against checkpolicy.
d1 :-) https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213339
selinux@lists.fedoraproject.org