[DSE-Dev] [martin at martinorr.name: /selinux getattr messages]

Václav Ovsík vaclav.ovsik at i.cz
Fri Nov 16 12:59:23 UTC 2007


Hello,
I'm trying to stabilize refpolicy-20070928 on Debian Etch.

A repository with some updated selinux packages will be available soon.
I took packages from Sid and updated these with 20070928 upstream
releases.

I'm an SELinux beginner, but my intention is to understand SELinux
finally :) and run targeted and possibly strict policies in a production
environment on Debian.

Currently I'm booting Xen DomU Debian Etch in permissive mode.

There are two audit messages, and I found a solution (attached) in
selinux-devel at lists.alioth.debian.org.

audit(1195215260.590:3): avc:  denied  { getattr } for  pid=760
comm="mount" name="/" dev=selinuxfs ino=475
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem

audit(1195215263.626:6): avc:  denied  { getattr } for  pid=1017
comm="swapon" name="/" dev=selinuxfs ino=475
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem


So after insertion

selinux_get_fs_mount(fsadm_t)
-> ./policy/modules/system/fstools.te

selinux_get_fs_mount(mount_t)
-> ./policy/modules/system/mount.te

both messages disappear.

Is such a solution OK and acceptable upstream (conditionally for
the Debian distro or so)?

Regards
-- 
Zito
-------------- next part --------------
An embedded message was scrubbed...
From: Martin Orr <martin at martinorr.name>
Subject: [DSE-Dev] /selinux getattr messages
Date: Sat, 23 Jun 2007 12:39:11 +0100
Size: 7453
Url: http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20071116/99d347cb/attachment.eml 
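
Added example, not part of the original message or of refpolicy: a small audit2allow-style parser that turns the two AVC denials quoted above into the raw allow rules they imply and into the interface calls the post inserts. The function names are hypothetical, and the mapping from a security_t:filesystem getattr denial to selinux_get_fs_mount() is taken from the post rather than from a policy lookup.

```python
import re
from collections import defaultdict

# The two denials from the message above, with the mail line-wrapping undone.
SAMPLE_LOG = """\
audit(1195215260.590:3): avc:  denied  { getattr } for  pid=760 comm="mount" name="/" dev=selinuxfs ino=475 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1195215263.626:6): avc:  denied  { getattr } for  pid=1017 comm="swapon" name="/" dev=selinuxfs ino=475 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def raw_allow_rules(denials):
    """Render each denial group as the minimal allow rule it implies."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

def interface_calls(denials):
    """Map security_t:filesystem getattr denials to the call the post inserts."""
    return sorted(
        f"selinux_get_fs_mount({src})"
        for (src, tgt, cls), perms in denials.items()
        if (tgt, cls) == ("security_t", "filesystem") and perms == {"getattr"}
    )

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("\n".join(raw_allow_rules(found) + interface_calls(found)))
```

Denials that do not match the security_t:filesystem getattr pattern produce a raw rule but no interface call, so they stand out for manual review instead of being granted blindly.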

