From: Russell Coker
To: Stephen Smalley, selinux-refpolicy@vger.kernel.org, Chris PeBenito
Reply-To: russell@coker.com.au
Cc: paul@paul-moore.com, omosnace@redhat.com
Subject: Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
Date: Sun, 02 Nov 2025 12:28:21 +1100
Message-ID: <4706985.LvFx2qVVIh@xev>
In-Reply-To: <9e69696a-cbee-4bc5-8679-5e5407490c3d@ieee.org>
References: <20251030200720.18719-2-stephen.smalley.work@gmail.com> <9e69696a-cbee-4bc5-8679-5e5407490c3d@ieee.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

After upgrading the policy on my workstation from a git version of 20251017 (a37b0c2fadea600429ac91ed58910859c5a6ea3f) to the latest git version (dda7660c7903a021553b98d941137213669d1ea0) I get the following:

type=AVC msg=audit(1762045404.084:3676985): avc: denied { node_bind } for pid=2364 comm="named" src=40910 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1762045606.407:3800560): avc: denied { node_bind } for pid=33214 comm="Chrome_ChildIOT" src=6877 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0

The above are just a sample of the many messages. This prevents unconfined_t from talking to the DNS cache and the DNS cache from talking to the outside world.

# sesearch -A -s named_t -c udp_socket -p node_bind
allow named_t node_t:udp_socket node_bind;

The above is what apparently used to be the policy, so it looks like node_t is being changed to sysctl_t.

I'm using kernel 6.16.12+deb14+1-amd64 (the Debian/Unstable packaging of upstream 6.16.12) with the 3.9 userspace. The comments on this say that kernel 5.7 and userspace 3.1 will work with this change, but that doesn't seem to be the case for me.
Am I missing some update?

On Saturday, 1 November 2025 02:40:48 AEDT Chris PeBenito wrote:
> On 10/30/2025 4:07 PM, Stephen Smalley wrote:
> > Remove some unused initial SID contexts that can be safely removed
> > without compatibility issues. This does not remove any initial SID
> > declarations, only the corresponding initial SID context assignment.
> >
> > Linux kernel commit e3e0b582c321ae ("selinux: remove unused initial
> > SIDs and improve handling"), merged in Linux v5.7, removed unused
> > initial SIDs from the kernel and improved the handling to support
> > safely reclaiming and reusing of many of the initial SIDs without
> > compatibility issues as well as enabling future addition of new
> > initial SIDs.
> >
> > SELinux userspace commit 8677ce5e8f5929 ("libsepol,checkpolicy:
> > support omitting unused initial sid contexts"), merged in userspace
> > release 3.1 (20200710), supported omitting unused initial SID contexts
> > from the kernel binary policy. Previously this was treated as an error
> > at policy compilation/linking time.
> >
> > Since refpolicy already specifies a minimum SELinux userspace of 3.2,
> > we can finally remove the unused initial SID contexts from the
> > refpolicy kernel module. This does not depend on the kernel commit; it
> > will work with kernels before and after that commit.
> >
> > This change retains the initial SID contexts for the init SID and the
> > any_socket SID. Kernel use of the init SID was restored by Linux
> > kernel commit ae254858ce0745 ("selinux: introduce an initial SID for
> > early boot processes") although this is transparently remapped to the
> > kernel SID context unless the "userspace_initial_context" policy
> > capability is enabled. Since this policy capability is not currently
> > enabled by default in refpolicy, we leave the init SID with the
> > unlabeled context for now but it should be assigned some other context
> > if this policy capability is ever enabled.
> > Kernel use of the any_socket SID was reintroduced by Linux kernel
> > commit d28d1e080132f28 ("[LSM-IPSec]: Per-packet access control.")
> > to provide a default socket label for use in checks when no socket
> > is available.
> >
> > This change also retains the initial SID contexts for the fs and
> > sysctl initial SIDs for backward compatibility until such a time as
> > refpolicy increases its minimum supported kernel version to one that
> > includes the aforementioned Linux kernel commit.
> >
> > Signed-off-by: Stephen Smalley
> > ---
> >  policy/modules/kernel/kernel.te | 19 ++++---------------
> >  1 file changed, 4 insertions(+), 15 deletions(-)
> >
> > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> > index 26578a26d..6e7302bf5 100644
> > --- a/policy/modules/kernel/kernel.te
> > +++ b/policy/modules/kernel/kernel.te
> > @@ -215,23 +215,12 @@ sid file > > gen_context(system_u:object_r:unlabeled_t,s0)> > > sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > neverallow * unlabeled_t:file entrypoint; > > > > -# These initial sids are no longer used, and can be removed: > > +# Default socket label if no kernel sock is available > > > > sid > > any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > > > -sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) > > -sid > > icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > -sid > > igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > + > > +# Label for userspace tasks surviving from early boot if > > +# userspace_initial_context policycap is defined. > > > > sid init gen_context(system_u:object_r:unlabeled_t,s0) > > > > -sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > -sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > -sid > > scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > -sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) > > -sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) > > -sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) > > Merged. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
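Review bot: the denials reported at the top of this thread (node_bind for named_t and unconfined_t on udp_socket with tcontext=system_u:object_r:sysctl_t:s0 where the old policy used node_t, on kernel 6.16.12 with userspace 3.9) point at this hunk: after the sid sysctl_modprobe, sysctl_fs, sysctl_kernel, sysctl_net, sysctl_net_unix, sysctl_vm, sysctl_dev, tcp_socket and related context lines are dropped, the node initial SID evidently resolves to the sysctl context, which contradicts the commit message's claim that the change works with kernels before and after e3e0b582c321ae. Before leaving this merged I would compare the initial SID contexts of the binary policy built before and after the change (seinfo --initialsid on each) and, if the node SID really shifts, restore the removed lines until the toolchain cause is understood. Separately, the new comment above "sid init gen_context(system_u:object_r:unlabeled_t,s0)" should say that unlabeled_t is only a placeholder that must be replaced if userspace_initial_context is ever enabled, as the commit message already notes.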
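A small triage script for the denials quoted at the top of the thread, added here as an example; it is not code from the post, from Chris PeBenito or Stephen Smalley, or from refpolicy. It parses type=AVC audit records, tallies them by source type, object class, permission and target type, and flags node_bind denials whose target type is not node_t, the type the sesearch output in the post shows the old policy used. The first two log lines are copied from the post; the third is constructed, and the node_t expectation (EXPECTED_TARGET_TYPE) is an assumption about this policy rather than something the script derives.

```python
"""
Triage SELinux AVC denials from audit output.

Added example (not code from the mailing-list post or from refpolicy).
Parses type=AVC records, summarises denials by source type / class /
permission / target type, and flags node_bind denials whose target type
is not the node type the policy is expected to use.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="named") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a node_bind target should carry refpolicy's generic node type,
# as the sesearch output in the post shows for named_t (allow named_t node_t:
# udp_socket node_bind;).  Extend the set if the policy has more node types.
EXPECTED_TARGET_TYPE = {"node_bind": {"node_t"}}

# First two lines copied from the post; the third is constructed for this
# example (named denied name_bind on an unreserved port).
SAMPLE_LOG = """\
type=AVC msg=audit(1762045404.084:3676985): avc: denied { node_bind } for pid=2364 comm="named" src=40910 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1762045606.407:3800560): avc: denied { node_bind } for pid=33214 comm="Chrome_ChildIOT" src=6877 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1762045700.000:3800601): avc: denied { name_bind } for pid=2364 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
"""


def parse_avc(line):
    """Return a dict for one type=AVC record, or None if the line is not one."""
    m = AVC_RE.search(line.strip())
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def parse_log(text):
    """Parse every AVC record in a block of audit text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:object_r:sysctl_t:s0 -> sysctl_t."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def summarize(records):
    """Count denials by (source type, class, permission, target type)."""
    return Counter(
        (context_type(r["scontext"]), r["tclass"], perm, context_type(r["tcontext"]))
        for r in records if r["result"] == "denied"
        for perm in r["perms"]
    )


def mislabeled_targets(records, expected=EXPECTED_TARGET_TYPE):
    """Denials whose permission has a known expected target type but whose
    tcontext carries a different type, e.g. node_bind against sysctl_t.
    Returns (record, permission, actual target type) tuples."""
    hits = []
    for r in records:
        ttype = context_type(r["tcontext"])
        for perm in r["perms"]:
            if perm in expected and ttype not in expected[perm]:
                hits.append((r, perm, ttype))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    for r, perm, ttype in mislabeled_targets(recs):
        print(f"suspect: {r['comm']} {r['tclass']} {perm} against {ttype}, "
              f"expected one of {sorted(EXPECTED_TARGET_TYPE[perm])}")
```

Run it against `ausearch -m avc --raw` output (or /var/log/audit/audit.log) instead of SAMPLE_LOG to see whether every node_bind denial on the affected box shares the same wrong target type; if they all land on sysctl_t regardless of source domain, the problem is in the label the kernel assigns to the node, not in any one domain's rules.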