SELinuxProject / selinux-kernel

GitHub mirror of the SELinux kernel repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

RFE: display bad/deferred file labels in AVC audit records #22

Closed pcmoore closed 5 years ago

pcmoore commented 7 years ago

If a file's on-disk SELinux label can not be represented it is mapped to the unlabeled initial SID, which generally causes access denials due to policy prohibiting access to unlabeled resources. When this happens, add the on-disk SELinux label to the AVC audit records to help diagnose the problem.

stephensmalley commented 7 years ago

FWIW, privileged userspace can already fetch the actual on-disk label; a process with CAP_MAC_ADMIN and SELinux mac_admin permission will get the actual on-disk label upon getfilecon()/getxattr() calls. Not sure you need it in the audit log per se since it wasn't the basis for the denial.

pcmoore commented 7 years ago

This is something that the policy folks request on a somewhat regular basis.

stephensmalley commented 7 years ago

Did they ever file a bugzilla or otherwise provide info on why they need it? As I said, they could just run getfilecon /path/to/file using the path from the audit record in a root shell in a domain that is allowed mac_admin permission in policy (e.g. setfiles_mac_t).
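The diagnostic step described above, as an added example (not code from the selinux-kernel project or from either commenter): read the raw on-disk label with getxattr(2) on the "security.selinux" attribute, which is what getfilecon(3) wraps, and compare it with the target context the AVC record reported. The helper names, the enum, the sample contexts and the path used in the usage line are assumptions made for this example; the mac_admin requirement for seeing an invalid stored label is from the discussion.

```c
/*
 * Added example, not part of the selinux-kernel project.  Reads a file's
 * on-disk SELinux label via getxattr(2) on "security.selinux" (the
 * attribute getfilecon(3) reads) and compares it with the context an AVC
 * record reported.  Helper names, enum values and messages are assumptions.
 *
 * Build: cc -Wall -o label_check label_check.c
 * Run:   ./label_check /path/from/audit/record 'system_u:object_r:unlabeled_t:s0'
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

enum label_diag {
    LABEL_MATCH,           /* AVC context and on-disk label agree */
    LABEL_UNREPRESENTABLE, /* AVC shows unlabeled_t, disk holds another label */
    LABEL_MISMATCH         /* both non-unlabeled but different */
};

/* Copy the type field (third ':'-separated component) of a context into
 * `type`.  Returns 0 on success, -1 if there are fewer than three fields. */
int label_type(const char *ctx, char *type, size_t typelen)
{
    const char *start = ctx, *end;
    size_t n;
    int field;

    for (field = 0; field < 2; field++) {
        start = strchr(start, ':');
        if (!start)
            return -1;
        start++;
    }
    end = strchr(start, ':');  /* the MLS level after the type is optional */
    n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || n >= typelen)
        return -1;
    memcpy(type, start, n);
    type[n] = '\0';
    return 0;
}

/* Convenience check: does the context's type field equal `want`? */
int type_is(const char *ctx, const char *want)
{
    char type[128];

    return label_type(ctx, type, sizeof type) == 0 && strcmp(type, want) == 0;
}

/* Read the raw on-disk label.  Returns its length, or -1 with errno set
 * (ENODATA: no label stored, ENOTSUP: filesystem without xattrs).  Values
 * written by setfiles may carry a trailing NUL; strip it so the result is
 * a plain C string comparable with an AVC context.  Without CAP_MAC_ADMIN
 * and the mac_admin permission, an invalid stored label is reported back
 * as the unlabeled context rather than the raw value. */
ssize_t read_ondisk_label(const char *path, char *buf, size_t buflen)
{
    ssize_t n;

    if (buflen < 2) {
        errno = ERANGE;
        return -1;
    }
    n = getxattr(path, SELINUX_XATTR, buf, buflen - 1);
    if (n < 0)
        return -1;
    if (n > 0 && buf[n - 1] == '\0')
        n--;
    buf[n] = '\0';
    return n;
}

/* Classify the AVC-reported target context against the stored label. */
enum label_diag diagnose(const char *reported, const char *ondisk)
{
    if (strcmp(reported, ondisk) == 0)
        return LABEL_MATCH;
    if (type_is(reported, "unlabeled_t"))
        return LABEL_UNREPRESENTABLE;
    return LABEL_MISMATCH;
}

int main(int argc, char **argv)
{
    char label[256];

    if (argc != 3) {
        fprintf(stderr, "usage: %s <path> <avc-tcontext>\n", argv[0]);
        return 2;
    }
    if (read_ondisk_label(argv[1], label, sizeof label) < 0) {
        fprintf(stderr, "%s: %s: %s\n", argv[1], SELINUX_XATTR, strerror(errno));
        return 1;
    }
    printf("on-disk label: %s\n", label);
    switch (diagnose(argv[2], label)) {
    case LABEL_MATCH:
        puts("labels agree (if both are unlabeled_t, rerun from a mac_admin domain to see the raw value)");
        break;
    case LABEL_UNREPRESENTABLE:
        puts("AVC saw unlabeled_t but disk holds a label: stored context is not valid in the loaded policy");
        break;
    case LABEL_MISMATCH:
        puts("labels differ: file was relabeled or the record is stale");
        break;
    }
    return 0;
}
```

Run it as root in a domain allowed mac_admin (setfiles_mac_t was named above); otherwise a file whose stored label is invalid in the loaded policy reads back as the unlabeled context and the tool reports a match, which is exactly the case where the raw value is being hidden.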

pcmoore commented 7 years ago

I would have to go digging; despite my comment above, it has been several months (?) since I heard a request for this. I believe the problem was for systems that the policy developers couldn't access, e.g. users reporting problems via bugzilla.

pcmoore commented 5 years ago

This should be resolved in fede148324c34360ce8c30a9a5bdfac5574b2a59, marking as closed.