From: Russell Coker
To: Stephen Smalley, selinux-refpolicy@vger.kernel.org, Chris PeBenito
Cc: paul@paul-moore.com, omosnace@redhat.com
Subject: Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
Date: Mon, 03 Nov 2025 14:55:22 +1100
Message-ID: <3968491.VqM8IeB0Os@dojacat>
In-Reply-To: <7788525.18pcnM708K@dojacat>
References: <20251030200720.18719-2-stephen.smalley.work@gmail.com> <4706985.LvFx2qVVIh@xev> <7788525.18pcnM708K@dojacat>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Monday, 3 November 2025 12:07:08 AEDT Russell Coker wrote:
> On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > The above is what apparently used to be the policy so it looks like node_t
> > is being changed to sysctl_t.
> > allow sshd_t sysctl_t:tcp_socket node_bind;
>
> I also tried rebooting a VM running that policy (previously I had loaded it
> on a running system) and got the same result with TCP as an additional
> issue.
>
> Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie,
> the latest stable release).

When I apply the following patch it works correctly; without it I get the
problem of mislabelling described previously.

Index: refpolicy-2.20251102/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20251102.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20251102/policy/modules/kernel/kernel.te
@@ -220,6 +220,7 @@ neverallow * unlabeled_t:file entrypoint
 # Default socket label if no kernel sock is available
 sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
 # Label for userspace tasks surviving from early boot if
 # userspace_initial_context policycap is defined.

The below is the only patch that I have for kernel.te.

Index: refpolicy-2.20250903/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20250903.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20250903/policy/modules/kernel/kernel.te
@@ -37,6 +37,9 @@ role sysadm_r;
 role staff_r;
 role user_r;
+# until build issue is fixed
+role unconfined_r;
+
 ifdef(`enable_mls',`
 role secadm_r;
 role auditadm_r;

When I don't have that patch I get the following errors on build, two errors
for MLS and MCS builds.

/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
Compiling default base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on line 699886:
user unconfined_u roles { unconfined_r system_r } level s0 range s0 - s15:c0.c1023;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[2]: *** [Rules.modular:116: tmp/base.mod] Error 1
make[2]: Leaving directory '/home/etbe/se/ref-git/refpolicy-2.20251102/debian/build-mls'
make[1]: *** [debian/rules:114: build-mls-policy] Error 2
make[1]: *** Waiting for unfinished jobs....
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on line 695868:
user unconfined_u roles { unconfined_r system_r } level s0 range s0 - s0:c0.c1023;
/usr/bin/checkmodule: error(s) encountered while parsing configuration

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
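Review bot: in the first kernel.te hunk (@@ -220,6 +220,7 @@), the added `sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)` sits directly under the comment that describes `any_socket` ("Default socket label if no kernel sock is available") and has no comment of its own, so a later cleanup in the spirit of the upstream "remove some unused initial SID contexts" patch has nothing telling it why this SID must stay. Since this one line is what makes the mislabelling go away, record that reason in a comment above the line. The MLS level also differs from the adjacent entry (`s0` here versus `mls_systemhigh` on `any_socket`), so on an MLS build the two `unlabeled_t` fallbacks end up at different levels; say whether that is intended or align them.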
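Review bot: in the second kernel.te hunk (@@ -37,6 +37,9 @@), declaring `role unconfined_r;` unconditionally among the base roles hides the defect rather than fixing it. The build output below shows `user unconfined_u roles { unconfined_r system_r } ...` being emitted into base.conf (lines 699886 and 695868, MLS and MCS builds) while checkmodule reports `unknown role unconfined_r`, so the `unconfined_u` declaration is being generated even when nothing declares the role; the fix belongs where that user is defined (make the declaration depend on the module that provides `unconfined_r`, or declare the role there), and the `# until build issue is fixed` comment itself marks this as a local workaround that should not be merged as written.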