From: "Justin P. Mattock" <justinmattock@gmail.com>
To: "David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: tresys <refpolicy@oss.tresys.com>, SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: class kernel_service not defined in policy
Date: Tue, 30 Dec 2008 13:59:58 -0800 [thread overview]
Message-ID: <495A99DE.8040702@gmail.com> (raw)
In-Reply-To: <1230660825.31766.102.camel@moss-terrapins.epoch.ncsc.mil>
David P. Quigley wrote:
> On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
>
>> Hello;
>> this was received when doing a git-pull
>> today from the linus tree.
>> class kernel_service not defined in policy
>>
>>
>> [ 0.000999] SELinux: Initializing.
>> [ 0.000999] SELinux: Starting in enforcing mode
>> [ 0.263823] SELinux: Registering netfilter hooks
>> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
>> sens, 256 cats
>> [ 2.525821] SELinux: 73 classes, 145624 rules
>> [ 2.540472] SELinux: class kernel_service not defined in policy
>> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
>> [ 2.557235] SELinux: Completing initialization.
>> [ 2.565527] SELinux: Setting up existing superblocks.
>> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
>> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
>> uses genfs_contexts
>> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
>> transition SIDs
>> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
>> uses genfs_contexts
>> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
>> transition SIDs
>> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
>> uses genfs_contexts
>> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
>> anon_inodefs), uses genfs_contexts
>> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
>> genfs_contexts
>> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
>> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
>> genfs_contexts
>> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>>
>> I've been running the latest svn from tresys for(I think a week or so);
>> So the message might already be fixed.
>>
>> regards;
>>
>
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
>
> Dave
>
>
>
No worries, I figured it was better to send
a post, rather than to say nothing at all.
I did notice the commit, looks nice,
although the graphics module is broken
with the capability i.g. current_euid();
eventually in time that will be fixed.
As for the policy, everything seems good.
just one question what is UBAC
how to I use that? or is it something alse!
regards;
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: justinmattock@gmail.com (Justin P. Mattock)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] class kernel_service not defined in policy
Date: Tue, 30 Dec 2008 13:59:58 -0800 [thread overview]
Message-ID: <495A99DE.8040702@gmail.com> (raw)
In-Reply-To: <1230660825.31766.102.camel@moss-terrapins.epoch.ncsc.mil>
David P. Quigley wrote:
> On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
>
>> Hello;
>> this was received when doing a git-pull
>> today from the linus tree.
>> class kernel_service not defined in policy
>>
>>
>> [ 0.000999] SELinux: Initializing.
>> [ 0.000999] SELinux: Starting in enforcing mode
>> [ 0.263823] SELinux: Registering netfilter hooks
>> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
>> sens, 256 cats
>> [ 2.525821] SELinux: 73 classes, 145624 rules
>> [ 2.540472] SELinux: class kernel_service not defined in policy
>> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
>> [ 2.557235] SELinux: Completing initialization.
>> [ 2.565527] SELinux: Setting up existing superblocks.
>> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
>> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
>> uses genfs_contexts
>> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
>> transition SIDs
>> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
>> uses genfs_contexts
>> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
>> transition SIDs
>> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
>> uses genfs_contexts
>> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
>> anon_inodefs), uses genfs_contexts
>> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
>> genfs_contexts
>> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
>> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
>> genfs_contexts
>> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>>
>> I've been running the latest svn from tresys for(I think a week or so);
>> So the message might already be fixed.
>>
>> regards;
>>
>
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
>
> Dave
>
>
>
No worries, I figured it was better to send
a post, rather than to say nothing at all.
I did notice the commit, looks nice,
although the graphics module is broken
with the capability i.g. current_euid();
eventually in time that will be fixed.
As for the policy, everything seems good.
just one question what is UBAC
how to I use that? or is it something alse!
regards;
Justin P. Mattock
next prev parent reply other threads:[~2008-12-30 21:59 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-30 5:56 class kernel_service not defined in policy Justin Mattock
2008-12-30 5:56 ` [refpolicy] " Justin Mattock
2008-12-30 18:13 ` David P. Quigley
2008-12-30 18:13 ` [refpolicy] " David P. Quigley
2008-12-30 21:59 ` Justin P. Mattock [this message]
2008-12-30 21:59 ` Justin P. Mattock
2008-12-30 23:36 ` Eric Paris
2008-12-30 23:36 ` [refpolicy] " Eric Paris
2008-12-31 1:04 ` Justin P. Mattock
2008-12-31 1:04 ` [refpolicy] " Justin P. Mattock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=495A99DE.8040702@gmail.com \
--to=justinmattock@gmail.com \
--cc=dpquigl@tycho.nsa.gov \
--cc=refpolicy@oss.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.