Bug 535986 - Access to configfs for kernel module tunables
Summary: Access to configfs for kernel module tunables
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r4
Keywords:
Depends on:
Blocks:
Reported: 2015-01-08 03:42 UTC by Eric Gisse
Modified: 2015-04-16 19:20 UTC
Description Eric Gisse 2015-01-08 03:42:06 UTC
One of my internal tools is a small script to set up the Linux netconsole module.

This requires creating the directory /sys/kernel/config/netconsole/target and writing to some things in there. SELinux does not approve.

Jan  7 21:32:15 testbed kernel: [13824.009932] audit: type=1400 audit(1420687935.213:629): avc:  denied  { search } for  pid=26655 comm="mkdir" name="/" dev="configfs" ino=46 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan  7 21:32:15 testbed kernel: [13824.009959] audit: type=1400 audit(1420687935.213:630): avc:  denied  { write } for  pid=26655 comm="mkdir" name="netconsole" dev="configfs" ino=47 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan  7 21:32:15 testbed kernel: [13824.009974] audit: type=1400 audit(1420687935.213:631): avc:  denied  { add_name } for  pid=26655 comm="mkdir" name="target" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
Jan  7 21:32:15 testbed kernel: [13824.010110] audit: type=1400 audit(1420687935.213:632): avc:  denied  { create } for  pid=26655 comm="mkdir" name="target" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:configfs_t tclass=dir permissive=1
Jan  7 21:32:15 testbed kernel: [13824.010718] audit: type=1400 audit(1420687935.214:633): avc:  denied  { write } for  pid=26654 comm="bash" name="dev_name" dev="configfs" ino=5616452 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
Jan  7 21:32:15 testbed kernel: [13824.010745] audit: type=1400 audit(1420687935.214:634): avc:  denied  { open } for  pid=26654 comm="bash" path="/sys/kernel/config/netconsole/target/dev_name" dev="configfs" ino=5616452 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1

Is there reason to keep sysadm_t away from configfs? 

If not, the problem should be solved by the following:

fs_manage_configfs_dirs(sysadm_t)
fs_manage_configfs_files(sysadm_t)
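An added example, not code from the bug report or from the Gentoo policy: a small Python parser that groups the AVC records quoted above by source type, target type and object class, so the full permission set a policy change has to cover (here sysadm_t on configfs_t directories and files) is visible at a glance. The function names parse_avc and summarize are my own, and the sample log is the report's records with the syslog prefix and ipaddr field dropped.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the bug report, with the syslog
# prefix and the ipaddr field removed to keep the lines short.
SAMPLE_LOG = """\
audit: type=1400 audit(1420687935.213:629): avc:  denied  { search } for  pid=26655 comm="mkdir" name="/" dev="configfs" ino=46 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:630): avc:  denied  { write } for  pid=26655 comm="mkdir" name="netconsole" dev="configfs" ino=47 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:631): avc:  denied  { add_name } for  pid=26655 comm="mkdir" name="target" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.213:632): avc:  denied  { create } for  pid=26655 comm="mkdir" name="target" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:configfs_t tclass=dir permissive=1
audit: type=1400 audit(1420687935.214:633): avc:  denied  { write } for  pid=26654 comm="bash" name="dev_name" dev="configfs" ino=5616452 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
audit: type=1400 audit(1420687935.214:634): avc:  denied  { open } for  pid=26654 comm="bash" path="/sys/kernel/config/netconsole/target/dev_name" dev="configfs" ino=5616452 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:configfs_t tclass=file permissive=1
"""

# One AVC denial: the braced permission list, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Type field of a context such as root:sysadm_r:sysadm_t (user and role are ignored)."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the access was logged but not blocked, so every step of
        # the operation shows up; in enforcing mode the log stops at the first denial.
        "permissive": m.group("permissive") == "1",
    }

def summarize(log_text):
    """Union the denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{stype} -> {ttype}:{tclass} needs {{ {' '.join(sorted(perms))} }}")
```

Because the records were taken in permissive mode, the summary shows the whole chain mkdir and the redirect need; the same script run on an enforcing-mode log would only show the first failing step.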
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-02-15 18:28:44 UTC
I think that configfs_t probably just needs to be marked as a files_type().
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-02-15 18:37:18 UTC
I added in files_mountpoint(configfs_t) which should allow for sysadm_t to manipulate it.

Will be in policy release r4
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2015-03-22 13:52:22 UTC
Now in repo, ~arch
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 19:20:58 UTC
r4 is stable