From: Russell Coker <russell@coker.com.au>
To: Stephen Smalley <stephen.smalley.work@gmail.com>,
	selinux-refpolicy@vger.kernel.org,
	Chris PeBenito <pebenito@ieee.org>
Cc: paul@paul-moore.com, omosnace@redhat.com
Subject: Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
Date: Mon, 03 Nov 2025 14:55:22 +1100	[thread overview]
Message-ID: <3968491.VqM8IeB0Os@dojacat> (raw)
In-Reply-To: <7788525.18pcnM708K@dojacat>

On Monday, 3 November 2025 12:07:08 AEDT Russell Coker wrote:
> On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > The above is what apparently used to be the policy so it looks like node_t
> > is being changed to sysctl_t.
> 
> allow sshd_t sysctl_t:tcp_socket node_bind;
> 
> I also tried rebooting a VM running that policy (previously I had loaded it
> on a running system) and got the same result with TCP as an additional
> issue.
> 
> Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie
> the latest stable release).

When I apply the following patch it works correctly, without this I get the 
problem of mislabelling described previously.

Index: refpolicy-2.20251102/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20251102.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20251102/policy/modules/kernel/kernel.te
@@ -220,6 +220,7 @@ neverallow * unlabeled_t:file entrypoint
 
 # Default socket label if no kernel sock is available
 sid any_socket		
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
 
 # Label for userspace tasks surviving from early boot if
 # userspace_initial_context policycap is defined.
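Review bot: the added `sid file_labels` line carries no comment, while the neighbouring `sid any_socket` line documents why it exists; since the message says the mislabelling only goes away with this SID present, a one-line comment above it recording that the kernel still needs the file_labels initial SID would keep the next "remove unused initial SID contexts" cleanup from dropping it again. The MLS level also differs from the line above (`s0` rather than `mls_systemhigh`); if that is deliberate, the same comment should say so.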


The below is the only patch that I have for kernel.te.

Index: refpolicy-2.20250903/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20250903.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20250903/policy/modules/kernel/kernel.te
@@ -37,6 +37,9 @@ role sysadm_r;
 role staff_r;
 role user_r;
 
+# until build issue is fixed
+role unconfined_r;
+
 ifdef(`enable_mls',`
 	role secadm_r;
 	role auditadm_r;
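Review bot: the comment `# until build issue is fixed` does not say which build issue it works around; the checkmodule output quoted below shows the failing statement, `user unconfined_u roles { unconfined_r system_r } ...`, rejected with 'unknown role unconfined_r', so the comment should name that (for example `# workaround: the unconfined_u user declaration still references unconfined_r`) so a later reader knows when the declaration can go. Placing it outside the enable_mls ifdef block makes it apply to both the MLS and MCS builds, which matches the two errors reported.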

When I don't have that patch I get the following errors on build, two errors 
for MLS and MCS builds.

/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
Compiling default base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on line 699886:

	user unconfined_u roles { unconfined_r system_r } level s0 range s0 - s15:c0.c1023;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[2]: *** [Rules.modular:116: tmp/base.mod] Error 1
make[2]: Leaving directory '/home/etbe/se/ref-git/refpolicy-2.20251102/debian/build-mls'
make[1]: *** [debian/rules:114: build-mls-policy] Error 2
make[1]: *** Waiting for unfinished jobs....
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on line 695868:
	user unconfined_u roles { unconfined_r system_r } level s0 range s0 - s0:c0.c1023;

/usr/bin/checkmodule:  error(s) encountered while parsing configuration

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
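A small pre-build check for the two failure modes this message describes (a role referenced by a `user` statement that no `role X;` declares, which checkmodule rejects as 'unknown role', and an initial SID declaration that a cleanup has dropped). This is an added example, not part of refpolicy or its build system; the policy fragment is constructed from the kernel.te hunks above, the function names are hypothetical, and the list of SIDs treated as required is an assumption taken from this thread.

```python
"""Consistency checks over refpolicy-style kernel.te / base.conf text.
Added example, not refpolicy tooling. Regexes are deliberately simple and
ignore m4 conditionals, so roles inside ifdef blocks count as declared."""
import re

# Constructed policy fragment modelled on the two hunks in the thread.
SAMPLE_POLICY = """\
role system_r;
role sysadm_r;
role staff_r;
role user_r;

ifdef(`enable_mls',`
	role secadm_r;
	role auditadm_r;
')

# Default socket label if no kernel sock is available
sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)

user system_u roles { system_r } level s0 range s0 - s15:c0.c1023;
user unconfined_u roles { unconfined_r system_r } level s0 range s0 - s15:c0.c1023;
"""

ROLE_DECL = re.compile(r'^\s*role\s+(\w+)\s*;', re.M)
USER_DECL = re.compile(r'^\s*user\s+(\w+)\s+roles\s*\{([^}]*)\}', re.M)
SID_DECL = re.compile(r'^\s*sid\s+(\w+)\s+gen_context\(([^)]*)\)', re.M)

# Assumption for this example: SIDs the kernel still expects the policy to
# define (file_labels is the one this thread found necessary).
REQUIRED_SIDS = ("file_labels",)


def declared_roles(policy):
    """Set of role names introduced by `role NAME;` statements."""
    return set(ROLE_DECL.findall(policy))


def undeclared_roles(policy):
    """Map user -> [roles] for roles used in `user ... roles { ... }` that no
    `role X;` statement declares. Each entry is exactly the kind of reference
    checkmodule reports as 'unknown role'."""
    known = declared_roles(policy)
    missing = {}
    for user, roles in USER_DECL.findall(policy):
        bad = [r for r in roles.split() if r not in known]
        if bad:
            missing[user] = bad
    return missing


def initial_sids(policy):
    """Map initial SID name -> gen_context(...) argument string."""
    return {name: ctx for name, ctx in SID_DECL.findall(policy)}


def missing_sids(policy, required=REQUIRED_SIDS):
    """Required initial SIDs that the policy text no longer declares."""
    present = initial_sids(policy)
    return [s for s in required if s not in present]


if __name__ == "__main__":
    # Report on the constructed fragment: unconfined_r is referenced but
    # never declared, which is the build error quoted in the message.
    for user, roles in undeclared_roles(SAMPLE_POLICY).items():
        print(f"user {user}: undeclared role(s) {' '.join(roles)}")
    for name, ctx in initial_sids(SAMPLE_POLICY).items():
        print(f"sid {name} -> {ctx}")
    trimmed = SAMPLE_POLICY.replace("sid file_labels", "#sid file_labels")
    print("missing after cleanup:", missing_sids(trimmed))
```

Run it against a generated base.conf before invoking checkmodule to get the undeclared-role report up front rather than as an error at a six-digit line number; appending `role unconfined_r;` (the workaround in the second hunk) makes the report empty.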