Bug #4241 (closed)
SELinux fails because it can't set xattrs
Description
Here I change the label on a random file in /tmp

# strace chcon --reference=test afile
<snip>

And here I try the same on cephfs filesystem

# strace chcon --reference=test afile
execve("/usr/bin/chcon", ["chcon", "--reference=test", "afile"], [/* 30 vars */]) = 0
brk(0) = 0x24a4000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913992000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=107608, ...}) = 0
mmap(NULL, 107608, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4913977000
close(3) = 0
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pa o;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=136440, ...}) = 0
mmap(0x3b6f200000, 2234408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f200000
mprotect(0x3b6f21f000, 2093056, PROT_NONE) = 0
mmap(0x3b6f41e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x3b6f41e000
mmap(0x3b6f420000, 6184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b6f420000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\33\302\0257\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2071376, ...}) = 0
mmap(0x3715c00000, 3896312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3715c00000
mprotect(0x3715dad000, 2097152, PROT_NONE) = 0
mmap(0x3715fad000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x3715fad000
mmap(0x3715fb3000, 17400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3715fb3000
close(3) = 0
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\35`o;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=388152, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913976000
mmap(0x3b6f600000, 2478664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b6f600000
mprotect(0x3b6f65c000, 2097152, PROT_NONE) = 0
mmap(0x3b6f85c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5c000) = 0x3b6f85c000
close(3) = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0267\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22440, ...}) = 0
mmap(0x3716000000, 2109736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3716000000
mprotect(0x3716003000, 2093056, PROT_NONE) = 0
mmap(0x3716202000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3716202000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913975000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913973000
arch_prctl(ARCH_SET_FS, 0x7f49139737c0) = 0
mprotect(0x60d000, 4096, PROT_READ) = 0
mprotect(0x3b6f41e000, 4096, PROT_READ) = 0
mprotect(0x3715fad000, 16384, PROT_READ) = 0
mprotect(0x3b6f85c000, 4096, PROT_READ) = 0
mprotect(0x3716202000, 4096, PROT_READ) = 0
mprotect(0x3715a20000, 4096, PROT_READ) = 0
munmap(0x7f4913977000, 107608) = 0
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
brk(0) = 0x24a4000
brk(0x24c5000) = 0x24c5000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=104789808, ...}) = 0
mmap(NULL, 104789808, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f490d583000
close(3) = 0
getxattr("test", "security.selinux", "system_u:object_r:unlabeled_t:s0", 255) = 33
open("/sys/fs/selinux/mls", O_RDONLY) = 3
read(3, "1", 19) = 1
close(3) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
newfstatat(AT_FDCWD, "afile", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
setxattr("afile", "security.selinux", "system_u:object_r:unlabeled_t:s0", 33, 0) = -1 EOPNOTSUPP (Operation not supported)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2444, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4913991000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2444
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f4913991000, 4096) = 0
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
write(2, "chcon: ", 7chcon: ) = 7
write(2, "failed to change context of \342\200\230a"..., 81failed to change context of ‘afile’ to ‘system_u:object_r:unlabeled_t:s0’) = 81
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Operation not supported", 25: Operation not supported) = 25
write(2, "\n", 1 ) = 1
close(1) = 0
close(2) = 0
exit_group(1) = ?
+++ exited with 1 +++
Note the return of EOPNOTSUPP from the xattr call. I've been through the ceph xattr code and it looks right to me; the security namespace is allowed through on the checks that return EOPNOTSUPP, and it sure looks like the functions are wired up correctly. But I haven't tried reproducing at any level.
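As an added diagnostic (not code from this tracker entry or from the Ceph project), the C program below separates the two steps that chcon --reference performs in the trace above: it reads the label from the reference path with lgetxattr, then writes it to the target with lsetxattr, and classifies the errno of each step. The trace shows why the split matters: the getxattr on "test" succeeds, yet the setxattr on "afile" fails with EOPNOTSUPP, so being able to read a label back is not evidence that the filesystem can store one. The status names and the REFERENCE/TARGET arguments are this example's own assumptions.

```c
/* Added example: probe read and write support for the security.selinux
 * xattr on a filesystem, mirroring the getxattr/setxattr pair that
 * chcon --reference issues.  Build: cc -Wall -o label_probe label_probe.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Outcome of one xattr syscall on "security.selinux" (assumed names). */
enum label_status {
    LABEL_OK = 0,        /* the call succeeded */
    LABEL_UNSUPPORTED,   /* EOPNOTSUPP: no security.* xattr handler on this fs (the cephfs case above) */
    LABEL_ABSENT,        /* ENODATA: namespace works, but this inode carries no stored label */
    LABEL_DENIED,        /* EPERM or EACCES: refused by policy or a missing capability */
    LABEL_ERROR          /* anything else; consult the errno the caller receives */
};

static const char *const SELINUX_XATTR = "security.selinux";

/* Map the errno left behind by getxattr/setxattr onto the categories above.
 * On Linux ENOTSUP has the same value as EOPNOTSUPP, so one case covers both. */
enum label_status classify_xattr_errno(int err)
{
    switch (err) {
    case 0:          return LABEL_OK;
    case EOPNOTSUPP: return LABEL_UNSUPPORTED;
    case ENODATA:    return LABEL_ABSENT;
    case EPERM:
    case EACCES:     return LABEL_DENIED;
    default:         return LABEL_ERROR;
    }
}

/* Read the label on path without following a final symlink (as chcon does).
 * On LABEL_OK, buf holds the NUL-terminated context; *err receives errno
 * on failure and 0 on success. */
enum label_status read_label(const char *path, char *buf, size_t buflen, int *err)
{
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, buflen - 1);
    if (n < 0) {
        *err = errno;
        return classify_xattr_errno(errno);
    }
    buf[n] = '\0';
    *err = 0;
    return LABEL_OK;
}

/* Store ctx as the label on path; this is the step that returns
 * EOPNOTSUPP in the trace above. */
enum label_status write_label(const char *path, const char *ctx, int *err)
{
    if (lsetxattr(path, SELINUX_XATTR, ctx, strlen(ctx), 0) < 0) {
        *err = errno;
        return classify_xattr_errno(errno);
    }
    *err = 0;
    return LABEL_OK;
}

/* Short human-readable verdict for a status, suitable for a log line. */
const char *label_status_name(enum label_status s)
{
    switch (s) {
    case LABEL_OK:          return "ok";
    case LABEL_UNSUPPORTED: return "unsupported (filesystem has no security.* xattr support)";
    case LABEL_ABSENT:      return "absent (namespace supported, no label stored)";
    case LABEL_DENIED:      return "denied (policy or capability)";
    default:                return "error";
    }
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s REFERENCE TARGET\n", argv[0]);
        return 2;
    }
    char ctx[256];
    int err;
    enum label_status rs = read_label(argv[1], ctx, sizeof ctx, &err);
    printf("read  %s: %s", argv[1], label_status_name(rs));
    if (rs == LABEL_OK)
        printf(" %s\n", ctx);
    else {
        printf(" (%s)\n", strerror(err));
        return 1;
    }
    enum label_status ws = write_label(argv[2], ctx, &err);
    printf("write %s: %s", argv[2], label_status_name(ws));
    if (ws != LABEL_OK)
        printf(" (%s)", strerror(err));
    putchar('\n');
    return ws == LABEL_OK ? 0 : 1;
}
```

Run it as root with both paths on the mount under test; a read that succeeds followed by a write that reports "unsupported" reproduces the condition in the trace, whereas "denied" on the write points at policy rather than at the filesystem.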
Updated by Zheng Yan about 11 years ago
- Status changed from New to Duplicate
This is the same problem as #1878 (ceph_symlink_iops doesn't have setattr method)
Updated by Carl-Johan Schenström almost 11 years ago
Are you sure about that? ceph_file_iops hasn't been changed since 2009, and the methods are there. The problem still occurs with ceph.ko from master as of two days ago. Same strace as above, both in enforcing and permissive mode.
As I understand it, Ceph must be added to the base policy for SELinux to work. Full xattr support would be nice, but genfs would suffice. Unfortunately, passing the context option to mount, or even adding a genfscon to filesystem.te, doesn't seem to work. With the context option, I get the following error:
SELinux: security_context_to_sid(system_u:object_r:nfs_t,s0) failed for (dev ceph, type ceph) errno=-22