SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: pipefs issue This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Thu, 31 May 2007 10:25:45 -0400 On Wed, 2007-05-30 at 18:23 -0700, Clarkson, Mike R (US SSA) wrote: > I've got a java process running in the datalabeler_t domain at the s2 > mls level, which kicks off a c++ executable in the import_t domain. > > There appears to be some inter-process communication being set up using > pipefs between the parent and child process which is causing mls > constraint issues. I'm not familiar with pipefs and I'm not explicitly > creating this communication, either linux or java is implicitly creating > it for me. That is just a pipe between the parent and child, likely to feed input to the child and/or to collect the output of the child. > Is this configurable so that I can prevent the pipefs from being > created? > > Alternatively, can I satisfy the below AVC denial messages without > giving the import_t domain mlsfilereadup privilege? I don't mind giving > the datalabeler_t domain extra privileges like writedown or readup, but > I don't want to give the import_t domain those kind of mls privileges. > > type=AVC msg=audit(1180552217.128:260021): avc: denied { read } for > pid=2585 comm="SimulatedImport" name="[4155253]" dev=pipefs ino=4155253 > scontext=m2_u:system_r:import_t:s1 > tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file > > type=AVC msg=audit(1180552217.128:260021): avc: denied { write } for > pid=2585 comm="SimulatedImport" name="[4155252]" dev=pipefs ino=4155252 > scontext=m2_u:system_r:import_t:s1 > tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file > > type=AVC msg=audit(1180552217.128:260021): avc: denied { write } for > pid=2585 comm="SimulatedImport" name="[4155254]" dev=pipefs ino=4155254 > scontext=m2_u:system_r:import_t:s1 > tcontext=m2_u:system_r:datalabeler_t:s2-s15:c0.c255 tclass=fifo_file I assume you are using some interface to spawn the child, and that interface includes the creation of a pipe for the parent-child communication. Are you sure you don't need that communication to provide input to the child or to collect the output of it? If so, then use a different interface, or dontaudit the denial. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 31 May 2007 - 10:25:48 EDT This message: [ Message body ] Next message: Stephen Smalley: "Re: [PATCH] SELinux protection for exploiting null dereference using mmap" Previous message: Stephen Smalley: "Re: [PATCH] libselinux: reindent selinux.h" In reply to: Clarkson, Mike R \(US SSA\): "pipefs issue" Next in thread: Chad Sellers: "Re: pipefs issue" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom