Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Guido Trentalancia <guido@trentalancia.com>
To: Eric Paris <eparis@parisplace.org>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
Date: Fri, 23 Sep 2011 23:12:18 +0200	[thread overview]
Message-ID: <1316812338.2487.77.camel@vortex> (raw)
In-Reply-To: <CACLa4pvtTeTq3LdY7vgFexDXXxk8ZYU5yBQRQexTyghkoL7B1w@mail.gmail.com>

On Fri, 2011-09-23 at 16:45 -0400, Eric Paris wrote:
> On Fri, Sep 23, 2011 at 3:09 PM, Guido Trentalancia
> <guido@trentalancia.com> wrote:
> > On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> 
> > Yes, very good. At the end, a very polite message is not the first
> > priority in such as situation...
> >
> > But unfortunately this is not the case for the upstream bits.
> >
> > Ideally should be tackled in the SELinux kernel code. Did RHEL and
> > Fedora patch the kernel then to achieve that ?
> 
> No we consider init to be part of the trusted base required to load
> policy.  The Fedora init (systemd not, but it's been old init, some
> scripts in the initramfs, and who know what else) tries to load policy
> and if it can't and it was supposed to be enforcing will either print
> and error and halt for a really long time and then exit, or exit
> directly.  init exiting is enough to make the kernel panic and thus
> shut down the box.
> 
> The tool that is trusted to load the policy is what needs to make this check.

What really confuses me at this point is the fact that within this
specific thread, Justin said that he was using Fedora (F15 as far as I
remember).

Anyway, apart from the specific case, it remains the fact that the
upstream SELinux + reference policy combo does allow the system to keep
running (in the wrong context, i.e. kernel_t or insmod_t) despite init
has not transitioned to its context after initial stage. I am not
particularly keen on this behavior.

You seem to suggest that load_policy -i (and not the kernel) should make
sure that init has transitioned to its designated context... So then,
getting back to the specific case at hand, my question becomes: "did
Fedora and RHEL patch the upstream load_policy tool to achieve this
halt-on-init-failure behavior ?". In any case, how comes this check
didn't work on Justin's system ?

Regards,

Guido

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2011-09-23 21:12 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-16  3:40 [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned Justin Mattock
2011-09-16 14:59 ` Daniel J Walsh
2011-09-16 14:59   ` Daniel J Walsh
2011-09-16 15:22   ` Justin P. Mattock
2011-09-16 15:58     ` Daniel J Walsh
2011-09-16 15:58       ` Daniel J Walsh
2011-09-16 16:11       ` Guido Trentalancia
2011-09-16 16:11         ` Guido Trentalancia
2011-09-16 16:11       ` Justin P. Mattock
2011-09-23 16:30       ` Guido Trentalancia
2011-09-23 17:38         ` Daniel J Walsh
2011-09-23 19:09           ` Guido Trentalancia
2011-09-23 20:45             ` Eric Paris
2011-09-23 21:12               ` Guido Trentalancia [this message]
2011-09-23 21:17                 ` Eric Paris
2011-09-23 22:38                   ` Guido Trentalancia
2011-09-23 23:12                     ` Eric Paris
2011-09-26 13:38                       ` Daniel J Walsh
2011-09-27 12:46                       ` Stephen Smalley
2011-09-27 16:40                         ` Guido Trentalancia
2011-09-27 18:00                           ` Daniel J Walsh
2011-09-16 16:02     ` Guido Trentalancia
2011-09-16 16:02       ` Guido Trentalancia
2011-09-16 16:18       ` Justin P. Mattock
2011-09-16 16:27         ` Guido Trentalancia
2011-09-16 16:27           ` Guido Trentalancia
2011-09-16 16:33           ` Justin P. Mattock
2011-09-16 16:24       ` Justin P. Mattock
2011-09-16 16:30         ` Guido Trentalancia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1316812338.2487.77.camel@vortex \
    --to=guido@trentalancia.com \
    --cc=eparis@parisplace.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.