[OpenAFS-devel] SELinux biting OpenAFS [Cache manager using the wrong SELinux context]
David Howells
dhowells@redhat.com
Thu, 03 Apr 2008 14:52:24 +0100
Hi Derrick, Hans,
I have some Linux kernel patches that might let you deal with the SELinux
problem in:
http://www.openafs.org/pipermail/openafs-devel/2008-April/015890.html
The problem, I suspect, is that you are trying to access your cache files from
within the context of the process that issued the access() syscall, but the
security context of that process won't necessarily grant you rights appropriate
to accessing the cache.
I found over the exact same problem when writing my generic caching code
(FS-Cache and CacheFiles) for NFS, AFS or whatever.
The patches, 09-14 in the following tarball:
http://people.redhat.com/~dhowells/fscache/patches/nfs+fscache-35.tar.bz2
break the association between the subjective security of a task (what this task
uses to access another object), and the objective security (what other tasks
use to access this one).
The objective security is what appears in /proc, and what userspace can
manipulate through setuid(), setgid(), etc..
The subjective security normally follows the objective security, but it can be
transparently overridden within the kernel by such things as cache managers,
NFSd, etc. without being visible from userspace.
As the kernel currently stands, it is not possible to simply change the current
security context, do your stuff and change it back as this might affect signals
being sent to this task, ptrace operations upon it and its appearance through
/proc based accesses (eg: ps).
I'm currently trying to get my patches upstream, though I haven't managed
yet:-/ However, the problem you're seeing seems to be one I have a solution
for.
David