Issue 887217

Issue metadata

Status: Fixed
Owner:
Closed: Oct 4
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Blocking:
issue 887859

cryptohome init tries to copy SELinux label from tmpfs

Project Member Reported by kroot@chromium.org, Sep 20

Issue description

In cryptohome's init file, there is a part where it copies the pre-encrypted-mount log file from /tmp/mount-encrypted.log to /var/log. It tries to copy the label from tmpfs to the labeledfs. However, "tmpfs" is not allowed to associate with labeledfs, so there was a rule added to allow this association.

This association rule can probably be removed by using the "cp -Z" flag.

Comment 2 by bugdroid1@chromium.org, Sep 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/tast-tests/+/b57c019591e21e8538b264f7714da433de75ecc3

commit b57c019591e21e8538b264f7714da433de75ecc3
Author: Kenny Root <kroot@chromium.org>
Date: Wed Sep 26 17:32:26 2018

tast-tests: check mount-encrypted.log label

This file was slipping by with tmpfs label since cp -Z was not used. Check
to make sure we do not regress this file to be labeled with the wrong
SELinux label since it is used for debugging.

TEST=tast run DUT security.SELinuxFileLabel
BUG= chromium:887217 
CQ-DEPEND=CL:1237736

Change-Id: I058a27f5f350f43b41ac61d63307ce0b08226bdc
Reviewed-on: https://chromium-review.googlesource.com/1237699
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Kenny Root <kroot@google.com>
Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Qijiang Fan <fqj@google.com>

[modify] https://crrev.com/b57c019591e21e8538b264f7714da433de75ecc3/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label.go

Comment 3 by bugdroid1@chromium.org, Sep 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/d4c67a812564b5795695f72a79c5b2b094cc322b

commit d4c67a812564b5795695f72a79c5b2b094cc322b
Author: Kenny Root <kroot@google.com>
Date: Wed Sep 26 17:32:20 2018

cryptohome: do not retain SELinux label on log

When copying the log from before encrypted partition is mounted,
do not try to retain the SELinux label. It causes the "tmpfs" label
to want to be written to the filesystem which is invalid for
labeled filesystems.

BUG= chromium:887217 
TEST=ls -lZ /dev/log/mount-encrypted.log

Change-Id: I1b9894e893fd5dccca9b823d0ff9419b454e4fc5
Reviewed-on: https://chromium-review.googlesource.com/1237736
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Kenny Root <kroot@google.com>
Reviewed-by: Qijiang Fan <fqj@google.com>

[modify] https://crrev.com/d4c67a812564b5795695f72a79c5b2b094cc322b/cryptohome/init/mount-encrypted.conf
[modify] https://crrev.com/d4c67a812564b5795695f72a79c5b2b094cc322b/cryptohome/init/mount-encrypted.service
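
A label regression check in the spirit of the two commits above, written as an added example; it is not the tast test or any code from the Chromium OS tree. It reads "<context> <path>" lines (the format of GNU `stat -c '%C %n'`) and reports files under a directory that still carry the "tmpfs" type. The sample contexts are constructed, and `example_var_log` is a placeholder type name, not one taken from the real policy.

```shell
#!/bin/sh
# Added example: find files under a labeled directory that kept the tmpfs type.
# Input lines look like "<context> <path>", e.g. from: stat -c '%C %n' FILE...
# An SELinux context is user:role:type[:level]; the type is the third field.

BAD_TYPE="tmpfs"   # type name as given in the bug report

# Print the type field of an SELinux context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; print paths whose type is BAD_TYPE.
# Lines without a path, or with an unparsable context such as "?", are skipped.
find_mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        if [ "$(context_type "$ctx")" = "$BAD_TYPE" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Same, but keep only paths below the given directory: a tmpfs type on
# /tmp itself is expected, the same type on a labeled filesystem is not.
find_mislabeled_under() {
    prefix=$1
    find_mislabeled | while read -r p; do
        case $p in
            "$prefix"/*) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample listing (not captured from a device).
sample_listing() {
    cat <<'EOF'
u:object_r:example_var_log:s0 /var/log/messages
u:object_r:tmpfs:s0 /var/log/mount-encrypted.log
u:object_r:tmpfs:s0 /tmp/mount-encrypted.log
EOF
}

sample_listing | find_mislabeled_under /var/log
```

On a device, feed it live data with `stat -c '%C %n' /var/log/* | find_mislabeled_under /var/log`; no output means no file in that directory has the tmpfs type.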

Triage nag: This Chrome OS bug has an owner but no component. Please add a component so that this can be tracked by the relevant team.
Status: Fixed (was: Unconfirmed)