[CentOS] External ext3 USB Hard drive and selinux

Thu Nov 6 18:14:34 UTC 2008
Al Freundorfer <freund at queensu.ca>

Ok I did as you suggested and my output after a

sealert -a /var/log/audit/audit.log > /root/mylogfile.txt

was
____________________________________________________________________________
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------


Summary:

SELinux is preventing cp from creating a file with a context of unlabeled_t on a
filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing cp from creating a file with a context of unlabeled_t on a
filesystem. Usually this happens when you ask the cp command to maintain the
context of a file when copying between file systems, "cp -a" for example. Not
all file contexts should be maintained between the file systems. For example, a
read-only file type like iso9660_t should not be placed on a r/w system. "cp -P"
might be a better solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                user_u:object_r:unlabeled_t
Target Context                system_u:object_r:fs_t
Target Objects                test.txt [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-5.97-14.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   filesystem_associate
Host Name                     the-rat.xxxx.ca
Platform                      Linux the-rat.xxxxx.ca 2.6.18-92.1.13.el5 #1
                              SMP Wed Sep 24 19:33:52 EDT 2008 i686 i686
Alert Count                   5
First Seen                    Thu Oct 16 13:11:30 2008
Last Seen                     Wed Nov  5 10:59:39 2008
Local ID                      70942f5b-18a0xxxxxxxc86b
Line Numbers                  5, 6, 1227, 1228, 1703, 1704, 2766, 2767, 3066,
                              3067

Raw Audit Messages            

type=AVC msg=audit(1225900779.959:311): avc:  denied  { associate } for  
pid=14890 comm="cp" name="test.txt" scontext=user_u:object_r:unlabeled_t:s0 
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

type=SYSCALL msg=audit(1225900779.959:311): arch=40000003 syscall=5 
success=yes exit=4 a0=9a720d0 a1=8041 a2=81b4 a3=8041 items=0 ppid=14864 
pid=14890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 
egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=1 comm="cp" exe="/bin/cp" 
subj=user_u:system_r:unconfined_t:s0 key=(null)



--------------------------------------------------------------------------------
_____________________________________________________________________________

But

[freund at the-rat ~]$ ls -Z test.txt
-rw-rw-r--  freund freund user_u:object_r:user_home_t      test.txt

so I am wondering where the unlabeled_t is coming from.



On Saturday 01 November 2008 4:24:27 pm Nifty Cluster Mitch wrote:
> On Wed, Oct 29, 2008 at 11:23:28AM -0400, Al Freundorfer wrote:
> > I was directed to post this on the mailing list. See the following forum
> > post as a reference.
> >
> > http://www.centos.org/modules/newbb/viewtopic.php?topic_id=16710&forum=42
> >
> > I formatted my external ext3 372GB USB hard drive in ubuntu and now want
> > to use it
> > in Centos. I made sure that my group/user numbers were the same. I was
> > not able to write to the mounted USB hard drive (HD). I suspected selinux
> > and shut it off and I was able to copy the file! I set selinux back to
> > enforce and rebooted. I like the security features of selinux.
> >
> > I tried:
> > 1) chcon -v
> > 2) restorecon -Rv /media/disk
> > 3) cp -P
> >
> > and still am not able to write to the USB HD. The sad part is I can
> > delete files from the USB HD. See forum post for details.
> >
> > I tried it in fedora 9 and it is able to write to the USB HD
> >
> > I tried a 32GB USB memory stick in Centos 5.2 and it worked!
> > I am wondering why it doesn't work for my USB HD? The only difference is
> > the size.
>
> Try rebooting in permissive mode then inspect the avc messages.
>
> Double check the permissions of the mount point before and
> after mounting the device.


-- 
A.P. Freundorfer, P.Eng.
Department of Electrical and Computer Engineering
Queens University
Kingston, Ontario, CANADA K7L 3N6

Phone: (613)533-2943     fax:(613)533-6615
http://www.ece.queensu.ca/directory/laboratories/highspeedcircuits.html
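As an added example (not part of this thread and not a CentOS or setroubleshoot tool), a small Python triage script that parses raw type=AVC records like the ones sealert quoted above and flags the associate-on-filesystem pattern, which is what distinguishes this denial from an ordinary write denial. The audit text is constructed from the quoted records, unwrapped, plus one made-up unrelated denial for the filter to skip.

```python
import re

# Constructed sample in the shape of the "Raw Audit Messages" quoted above (line
# wrapping removed), plus one unrelated constructed denial for the filter to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1225900779.959:311): avc:  denied  { associate } for  pid=14890 comm="cp" name="test.txt" scontext=user_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1225900779.959:311): arch=40000003 syscall=5 success=yes exit=4 a0=9a720d0 a1=8041 a2=81b4 a3=8041 items=0 ppid=14864 pid=14890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=1 comm="cp" exe="/bin/cp" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1225900800.100:312): avc:  denied  { write } for  pid=14900 comm="touch" name="disk" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "result": m["result"],
           "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of user:role:type[:level]
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec

def is_associate_denial(rec):
    # The pattern sealert reported: a file label that may not live on that filesystem
    return (rec["result"] == "denied" and "associate" in rec["perms"]
            and rec.get("tclass") == "filesystem")

def triage(audit_text):
    """One finding per associate denial, carrying the remediation sealert suggested."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and is_associate_denial(rec):
            findings.append({
                "serial": rec["serial"], "comm": rec.get("comm"),
                "name": rec.get("name"), "file_type": rec["stype"],
                "fs_type": rec["ttype"],
                "hint": f'{rec.get("comm")} tried to place a {rec["stype"]} label on a '
                        f'{rec["ttype"]} filesystem; "cp -P" takes the destination default',
            })
    return findings
```

Run `triage()` over the real /var/log/audit/audit.log text to pull out only the associate denials; the source type it reports (here unlabeled_t) is the label on the file being copied, not on the destination.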