kernel/kernel.* diffs

kernel/kernel.* diffs

[Daniel J Walsh]

Mainly adding additional dontaudits for permissive domains.



http://people.fedoraproject.org/~dwalsh/SELinux/Policy/kernel_kernel.patch

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: kernel/kernel.* diffs

[Christopher J. PeBenito]

On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote:
> Mainly adding additional dontaudits for permissive domains.

> Subject: [PATCH] refpolicy: kernel_kernel changes
> --text follows this line--
> --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-05-23 09:15:06.224337000 -0400
> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if	2008-05-23 10:29:05.107838000 -0400
> @@ -1198,6 +1198,7 @@
>  	')
>  
>  	dontaudit $1 proc_type:dir list_dir_perms;
> +	dontaudit $1 proc_type:file getattr;
>  ')
>  
>  ########################################
> @@ -1768,6 +1769,7 @@
>  	')
>  
>  	dontaudit $1 sysctl_type:dir list_dir_perms;
> +	dontaudit $1 sysctl_type:file read_file_perms;
>  ')
>  
>  ########################################

These two violate the intention of the interface.

> --- nsaserefpolicy/policy/modules/kernel/kernel.te	2008-05-23 09:15:06.211350000 -0400
> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te	2008-05-23 10:27:34.127426000 -0400
> @@ -231,6 +231,7 @@
>  # Mount root file system.  Used when loading a policy
>  # from initrd, then mounting the root filesystem
>  fs_mount_all_fs(kernel_t)
> +fs_unmount_all_fs(kernel_t)
>  
>  selinux_load_policy(kernel_t)
>  
> @@ -253,6 +254,8 @@
>  
>  mls_process_read_up(kernel_t)
>  mls_process_write_down(kernel_t)
> +mls_file_write_all_levels(kernel_t)
> +mls_file_read_all_levels(kernel_t) 
>  
>  ifdef(`distro_redhat',`
>  	# Bugzilla 222337

These are merged.

> @@ -372,3 +375,6 @@
>  allow kern_unconfined unlabeled_t:association *;
>  allow kern_unconfined unlabeled_t:packet *;
>  allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
> +
> +kernel_rw_all_sysctls(kern_unconfined)
> +

This one is redundant.  A few lines up is:

allow kern_unconfined sysctl_type:{ dir file } *;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: kernel/kernel.* diffs

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1733 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
| On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote:
|> Mainly adding additional dontaudits for permissive domains.
|
|> Subject: [PATCH] refpolicy: kernel_kernel changes
|> --text follows this line--
|> --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-05-23
09:15:06.224337000 -0400
|> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if	2008-05-23
10:29:05.107838000 -0400
|> @@ -1198,6 +1198,7 @@
|>  	')
|>
|>  	dontaudit $1 proc_type:dir list_dir_perms;
|> +	dontaudit $1 proc_type:file getattr;
|>  ')
|>
|>  ########################################
|> @@ -1768,6 +1769,7 @@
|>  	')
|>
|>  	dontaudit $1 sysctl_type:dir list_dir_perms;
|> +	dontaudit $1 sysctl_type:file read_file_perms;
|>  ')
|>
|>  ########################################
|
| These two violate the intention of the interface.
|
I though the intention of the interface was to dontaudit list of all
proc or sysctl.  I believe this means we know this app tries to list
sysctl or proc so dontaudit the listing.  Well part of the listing in
permissive mode is the getattr or read.  So to make this work the way
customers would expect we need to add interfaces all over the place and
patch every call to this will a dontaudit file, which seems to be a
colossal waste of time.

Maybe we need a way to indicate whether this should be dontaudited in
enforcing mode versus permissive.

Added patch for

cgroup_t.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkhQBckACgkQrlYvE4MpobM7GwCfTcHGsZQV8ZRuKTD9I6/YJ2e4
snkAoM+HSsJzbfDEfAvXfxb0ZeXbZWo/
=j1e0
-----END PGP SIGNATURE-----

[-- Attachment #2: kernel_kernel.patch --]
[-- Type: text/plain, Size: 449 bytes --]

--- nsaserefpolicy/policy/modules/kernel/kernel.te	2008-06-11 08:15:43.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te	2008-06-11 10:06:56.000000000 -0400
@@ -45,6 +45,15 @@
 sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 
 #
+# cgroup fs
+#
+
+type cgroup_t;
+fs_type(cgroup_t)
+allow cgroup_t self:filesystem associate;
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
+#
 # DebugFS
 #
 
+

[-- Attachment #3: kernel_kernel.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]

Re: kernel/kernel.* diffs

[Christopher J. PeBenito]

On Wed, 2008-06-11 at 13:05 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> | On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote:
> |> Mainly adding additional dontaudits for permissive domains.
> |
> |> Subject: [PATCH] refpolicy: kernel_kernel changes
> |> --text follows this line--
> |> --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-05-23
> 09:15:06.224337000 -0400
> |> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if	2008-05-23
> 10:29:05.107838000 -0400
> |> @@ -1198,6 +1198,7 @@
> |>  	')
> |>
> |>  	dontaudit $1 proc_type:dir list_dir_perms;
> |> +	dontaudit $1 proc_type:file getattr;
> |>  ')
> |>
> |>  ########################################
> |> @@ -1768,6 +1769,7 @@
> |>  	')
> |>
> |>  	dontaudit $1 sysctl_type:dir list_dir_perms;
> |> +	dontaudit $1 sysctl_type:file read_file_perms;
> |>  ')
> |>
> |>  ########################################
> |
> | These two violate the intention of the interface.
> |
> I though the intention of the interface was to dontaudit list of all
> proc or sysctl.  I believe this means we know this app tries to list
> sysctl or proc so dontaudit the listing.  Well part of the listing in
> permissive mode is the getattr or read.

As with every other list interface in the policy, list means
list_dir_perms on the object type(s) and thats it.

>   So to make this work the way
> customers would expect we need to add interfaces all over the place and
> patch every call to this will a dontaudit file, which seems to be a
> colossal waste of time.

I don't agree with your characterization.  Making this change would make
the interfaces inconsistent with all of the other list interfaces, thus
violating their expectations.  If they are expecting that list
interfaces behave like your modified interfaces, then we aren't managing
their expectations correctly.

As for these two interfaces, they're both called once, from selinuxutil.

> Maybe we need a way to indicate whether this should be dontaudited in
> enforcing mode versus permissive.
> 
> Added patch for
> 
> cgroup_t.

Merged.

> plain text document attachment (kernel_kernel.patch)
> --- nsaserefpolicy/policy/modules/kernel/kernel.te	2008-06-11 08:15:43.000000000 -0400
> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te	2008-06-11 10:06:56.000000000 -0400
> @@ -45,6 +45,15 @@
>  sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
>  
>  #
> +# cgroup fs
> +#
> +
> +type cgroup_t;
> +fs_type(cgroup_t)
> +allow cgroup_t self:filesystem associate;
> +genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> +
> +#
>  # DebugFS
>  #
>  
> +
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.