* kernel/kernel.* diffs @ 2008-05-23 14:34 Daniel J Walsh 2008-06-09 14:02 ` Christopher J. PeBenito 0 siblings, 1 reply; 4+ messages in thread From: Daniel J Walsh @ 2008-05-23 14:34 UTC (permalink / raw) To: Christopher J. PeBenito, SE Linux Mainly adding additional dontaudits for permissive domains. http://people.fedoraproject.org/~dwalsh/SELinux/Policy/kernel_kernel.patch -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: kernel/kernel.* diffs 2008-05-23 14:34 kernel/kernel.* diffs Daniel J Walsh @ 2008-06-09 14:02 ` Christopher J. PeBenito 2008-06-11 17:05 ` Daniel J Walsh 0 siblings, 1 reply; 4+ messages in thread From: Christopher J. PeBenito @ 2008-06-09 14:02 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote: > Mainly adding additional dontaudits for permissive domains. > Subject: [PATCH] refpolicy: kernel_kernel changes > --text follows this line-- > --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-05-23 09:15:06.224337000 -0400 > +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if 2008-05-23 10:29:05.107838000 -0400 > @@ -1198,6 +1198,7 @@ > ') > > dontaudit $1 proc_type:dir list_dir_perms; > + dontaudit $1 proc_type:file getattr; > ') > > ######################################## > @@ -1768,6 +1769,7 @@ > ') > > dontaudit $1 sysctl_type:dir list_dir_perms; > + dontaudit $1 sysctl_type:file read_file_perms; > ') > > ######################################## These two violate the intention of the interface. > --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-05-23 09:15:06.211350000 -0400 > +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te 2008-05-23 10:27:34.127426000 -0400 > @@ -231,6 +231,7 @@ > # Mount root file system. Used when loading a policy > # from initrd, then mounting the root filesystem > fs_mount_all_fs(kernel_t) > +fs_unmount_all_fs(kernel_t) > > selinux_load_policy(kernel_t) > > @@ -253,6 +254,8 @@ > > mls_process_read_up(kernel_t) > mls_process_write_down(kernel_t) > +mls_file_write_all_levels(kernel_t) > +mls_file_read_all_levels(kernel_t) > > ifdef(`distro_redhat',` > # Bugzilla 222337 These are merged. > @@ -372,3 +375,6 @@ > allow kern_unconfined unlabeled_t:association *; > allow kern_unconfined unlabeled_t:packet *; > allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; > + > +kernel_rw_all_sysctls(kern_unconfined) > + This one is redundant. A few lines up is: allow kern_unconfined sysctl_type:{ dir file } *; -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: kernel/kernel.* diffs 2008-06-09 14:02 ` Christopher J. PeBenito @ 2008-06-11 17:05 ` Daniel J Walsh 2008-06-18 13:18 ` Christopher J. PeBenito 0 siblings, 1 reply; 4+ messages in thread From: Daniel J Walsh @ 2008-06-11 17:05 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: SE Linux [-- Attachment #1: Type: text/plain, Size: 1733 bytes --] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christopher J. PeBenito wrote: | On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote: |> Mainly adding additional dontaudits for permissive domains. | |> Subject: [PATCH] refpolicy: kernel_kernel changes |> --text follows this line-- |> --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-05-23 09:15:06.224337000 -0400 |> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if 2008-05-23 10:29:05.107838000 -0400 |> @@ -1198,6 +1198,7 @@ |> ') |> |> dontaudit $1 proc_type:dir list_dir_perms; |> + dontaudit $1 proc_type:file getattr; |> ') |> |> ######################################## |> @@ -1768,6 +1769,7 @@ |> ') |> |> dontaudit $1 sysctl_type:dir list_dir_perms; |> + dontaudit $1 sysctl_type:file read_file_perms; |> ') |> |> ######################################## | | These two violate the intention of the interface. | I though the intention of the interface was to dontaudit list of all proc or sysctl. I believe this means we know this app tries to list sysctl or proc so dontaudit the listing. Well part of the listing in permissive mode is the getattr or read. So to make this work the way customers would expect we need to add interfaces all over the place and patch every call to this will a dontaudit file, which seems to be a colossal waste of time. Maybe we need a way to indicate whether this should be dontaudited in enforcing mode versus permissive. Added patch for cgroup_t. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkhQBckACgkQrlYvE4MpobM7GwCfTcHGsZQV8ZRuKTD9I6/YJ2e4 snkAoM+HSsJzbfDEfAvXfxb0ZeXbZWo/ =j1e0 -----END PGP SIGNATURE----- [-- Attachment #2: kernel_kernel.patch --] [-- Type: text/plain, Size: 449 bytes --] --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-06-11 08:15:43.000000000 -0400 +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te 2008-06-11 10:06:56.000000000 -0400 @@ -45,6 +45,15 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) # +# cgroup fs +# + +type cgroup_t; +fs_type(cgroup_t) +allow cgroup_t self:filesystem associate; +genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) + +# # DebugFS # + [-- Attachment #3: kernel_kernel.patch.sig --] [-- Type: application/pgp-signature, Size: 72 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: kernel/kernel.* diffs 2008-06-11 17:05 ` Daniel J Walsh @ 2008-06-18 13:18 ` Christopher J. PeBenito 0 siblings, 0 replies; 4+ messages in thread From: Christopher J. PeBenito @ 2008-06-18 13:18 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On Wed, 2008-06-11 at 13:05 -0400, Daniel J Walsh wrote: > Christopher J. PeBenito wrote: > | On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote: > |> Mainly adding additional dontaudits for permissive domains. > | > |> Subject: [PATCH] refpolicy: kernel_kernel changes > |> --text follows this line-- > |> --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-05-23 > 09:15:06.224337000 -0400 > |> +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if 2008-05-23 > 10:29:05.107838000 -0400 > |> @@ -1198,6 +1198,7 @@ > |> ') > |> > |> dontaudit $1 proc_type:dir list_dir_perms; > |> + dontaudit $1 proc_type:file getattr; > |> ') > |> > |> ######################################## > |> @@ -1768,6 +1769,7 @@ > |> ') > |> > |> dontaudit $1 sysctl_type:dir list_dir_perms; > |> + dontaudit $1 sysctl_type:file read_file_perms; > |> ') > |> > |> ######################################## > | > | These two violate the intention of the interface. > | > I though the intention of the interface was to dontaudit list of all > proc or sysctl. I believe this means we know this app tries to list > sysctl or proc so dontaudit the listing. Well part of the listing in > permissive mode is the getattr or read. As with every other list interface in the policy, list means list_dir_perms on the object type(s) and thats it. > So to make this work the way > customers would expect we need to add interfaces all over the place and > patch every call to this will a dontaudit file, which seems to be a > colossal waste of time. I don't agree with your characterization. Making this change would make the interfaces inconsistent with all of the other list interfaces, thus violating their expectations. If they are expecting that list interfaces behave like your modified interfaces, then we aren't managing their expectations correctly. As for these two interfaces, they're both called once, from selinuxutil. > Maybe we need a way to indicate whether this should be dontaudited in > enforcing mode versus permissive. > > Added patch for > > cgroup_t. Merged. > plain text document attachment (kernel_kernel.patch) > --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-06-11 08:15:43.000000000 -0400 > +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te 2008-06-11 10:06:56.000000000 -0400 > @@ -45,6 +45,15 @@ > sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) > > # > +# cgroup fs > +# > + > +type cgroup_t; > +fs_type(cgroup_t) > +allow cgroup_t self:filesystem associate; > +genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) > + > +# > # DebugFS > # > > + -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2008-06-18 13:19 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-05-23 14:34 kernel/kernel.* diffs Daniel J Walsh 2008-06-09 14:02 ` Christopher J. PeBenito 2008-06-11 17:05 ` Daniel J Walsh 2008-06-18 13:18 ` Christopher J. PeBenito
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.