From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>,
	Paul Moore <paul.moore@hp.com>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	Joshua Brindle <jbrindle@tresys.com>
Subject: Re: [PATCH v4 2/2] selinux:  generate flask headers during kernel build
Date: Wed, 30 Sep 2009 11:32:13 +0900
Message-ID: <4AC2C32D.3010405@ak.jp.nec.com>
In-Reply-To: <1254247383.2252.192.camel@moss-pluto.epoch.ncsc.mil>

Stephen Smalley wrote:
> There are several legacy permissions that are no longer used by SELinux.
> We could remove these from the kernel's classmap.h definitions without
> breaking anything (subsequent permissions would get mapped to policy
> values appropriately by the new logic), but removing them from the
> policy would be harder as it would break all kernels that predate these
> patches.  Thus, I'm not sure we benefit from removing them from
> classmap.h.
> 
> The unused permissions include:
> # LSM hook never merged to mainline
> file swapon
> # compat_net=1 checks
> socket { recv_msg send_msg }
> # Only added so that subsequent permissions (execmod) would get the same value as class file
> chr_file { execute_no_trans entrypoint }
> # Original socket controls; never merged to mainline
> tcp_socket { connectto newconn acceptfrom }
> # legacy network or compat_net=1 checks
> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send }
> # legacy network or compat_net=1 checks
> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> # Original socket controls; never merged to mainline - only connectto is used
> unix_stream_socket { newconn acceptfrom }
> # Patches merged prematurely by Fedora, never merged to mainline
> packet { flow_in flow_out }

It is just a report. I could not reach the origin of the matter yet.

When I applied your patch as is, built, installed and rebooted,
I could not find any *obvious* problem (such as a failed boot). Good.

Then I modified classmap.h for test purposes.
The object classes and access vectors are randomized as in the
attached classmap.h.
This patch enables mapping their values using text identifiers,
so we can expect it to work fine independent of the order of
classes and access vectors.

Did you already remove the unused kernel permissions?

-- kernel boot messages
   :
Creating initial device nodes
plymouthd used greatest stack depth: 6532 bytes left
async/0 used greatest stack depth: 6284 bytes left
async/1 used greatest stack depth: 5828 bytes left
input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
type=1404 audit(1254231627.600:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
SELinux:  Permission module_request in class system not defined in policy.
SELinux: the above unknown classes and permissions will be allowed
type=1403 audit(1254231628.088:3): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1254231628.100:4): avc:  denied  { transition } for  pid=58 comm="init" path="/bin/plymouth" dev=rootfs ino=3512 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=process
type=1400 audit(1254231628.438:5): avc:  denied  { transition } for  pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process
type=1400 audit(1254231628.458:6): avc:  denied  { entrypoint } for  pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:bin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
init used greatest stack depth: 5684 bytes left
init: Not being executed as init
------

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

-- attachment: classmap.h

/* These definitions must match the definitions in av_permissions.h. */

#define COMMON_FILE_PERMS "mounton", "quotaon", "swapon", "execute", "rename", \
	    "link", "unlink", "append", "relabelto", "relabelfrom", "lock", \
	    "setattr", "getattr", "create", "write", "read", "ioctl"

#define COMMON_SOCK_PERMS "append", "bind", "connect", "listen", "accept", \
	"getopt", "setopt", "shutdown", "recvfrom", \
	"setattr", "lock", "relabelfrom", "relabelto", \
	"sendto", "recv_msg", "send_msg", "name_bind", \
	"ioctl", "read", "write", "create", "getattr"

struct security_class_mapping secclass_map[] = {
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name",
	    "reparent", "search", "rmdir", "open", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "chr_file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
	{ "file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "flow_in", "flow_out",
	    "forward_in", "forward_out", NULL } },
	{ "blk_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	{ "sock_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	{ "fifo_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	{ "socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS,
	    "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
	    NULL } },
	{ "udp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "rawip_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "netlink_nflog_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
	    "nlmsg_tty_audit", NULL } },
	{ "netlink_ip6fw_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_dnrt_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "node",
	  { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
	    "rawip_recv", "rawip_send", "enforce_dest",
	    "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
	{ "netif",
	  {  "tcp_recv", "tcp_send", "udp_recv", "udp_send",
	     "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
	     "ingress", "egress", NULL } },
	{ "netlink_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
	  } },
	{ "unix_dgram_socket",
	  { COMMON_SOCK_PERMS, NULL
	  } },
	{ "sem",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write",
	    "enqueue", NULL } },
	{ "shm",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", "lock",
	    NULL } },
	{ "ipc",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", NULL } },
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_firewall_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_kobject_uevent_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "security",
	  { "compute_av", "compute_create", "compute_member",
	    "check_context", "load_policy", "compute_relabel",
	    "compute_user", "setenforce", "setbool", "setsecparam",
	    "setcheckreqprot", NULL } },
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill",
	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
	    "execmem", "execstack", "execheap", "setkeycreate",
	    "setsockcreate", NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod",
	    "syslog_console", "module_request", NULL } },
	{ "capability",
	  { "chown", "dac_override", "dac_read_search",
	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
	    "linux_immutable", "net_bind_service", "net_broadcast",
	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
	    "sys_boot", "sys_nice", "sys_resource", "sys_time",
	    "sys_tty_config", "mknod", "lease", "audit_write",
	    "audit_control", "setfcap", NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr",
	    "relabelfrom", "relabelto", "transition", "associate", "quotamod",
	    "quotaget", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	{ "capability2", { "mac_override", "mac_admin", NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ NULL }
  };
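
The following is an added illustration, not kernel code and not part of either patch in this thread, of the name-based class/permission mapping that the randomized classmap.h test above relies on. The policy side is a constructed toy (struct policy_class / struct policy_perm stand in for the real policydb), the kernel table is a two-class toy with its "process" permissions deliberately permuted, and "module_request" is left out of the toy policy to reproduce the "not defined in policy" line from the boot log. The function names selinux_set_mapping and map_decision echo the kernel's naming, but the bodies here are a simplified reimplementation written for this example.

```c
/*
 * Added illustration (not the kernel's code): resolve a kernel-side
 * classmap, where classes and perms are identified by NAME and by their
 * position in the table, against a loaded policy that assigns its own
 * numeric values.  Constructed toy tables; the order differs on purpose.
 */
#include <stdio.h>
#include <string.h>

#define MAX_PERMS 32

/* Same shape as the kernel's classmap.h table: NULL-terminated perm names. */
struct security_class_mapping {
	const char *name;
	const char *perms[MAX_PERMS + 1];
};

/* What a loaded policy knows: numeric class value and 1-based perm bit index. */
struct policy_perm { const char *name; unsigned value; };
struct policy_class { const char *name; unsigned value; struct policy_perm perms[MAX_PERMS]; };

/* Constructed toy policy; class and perm order differs from the kernel table. */
static const struct policy_class toy_policy[] = {
	{ "system",  1, { { "ipc_info", 1 }, { "syslog_read", 2 }, { "syslog_mod", 3 },
			  { "syslog_console", 4 }, { NULL, 0 } } },
	{ "process", 2, { { "fork", 1 }, { "transition", 2 }, { "sigchld", 3 }, { NULL, 0 } } },
	{ NULL, 0, { { NULL, 0 } } }
};

/* Constructed kernel table: kernel class 1 = process, class 2 = system, perms permuted. */
static const struct security_class_mapping toy_classmap[] = {
	{ "process", { "sigchld", "fork", "transition", NULL } },
	{ "system",  { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
		       "module_request", NULL } },
	{ NULL, { NULL } }
};

/* Per kernel class: policy class value (0 = unknown) and, per kernel perm bit, the policy bit (0 = unknown). */
struct selinux_mapping {
	unsigned value;
	unsigned num_perms;
	unsigned perms[MAX_PERMS];
};

static const struct policy_class *find_class(const struct policy_class *pol, const char *name)
{
	for (; pol->name; pol++)
		if (strcmp(pol->name, name) == 0)
			return pol;
	return NULL;
}

/* Build the name-based mapping; returns how many classes/perms the policy lacks. */
int selinux_set_mapping(const struct policy_class *pol, const struct security_class_mapping *map,
			struct selinux_mapping *out, unsigned max_classes)
{
	int unknown = 0;
	unsigned i, j;

	memset(out, 0, sizeof(*out) * max_classes);
	for (i = 0; map[i].name && i + 1 < max_classes; i++) {
		struct selinux_mapping *m = &out[i + 1];	/* kernel class values are 1-based */
		const struct policy_class *pc = find_class(pol, map[i].name);

		if (!pc) {
			printf("SELinux:  Class %s not defined in policy.\n", map[i].name);
			unknown++;
			continue;
		}
		m->value = pc->value;
		for (j = 0; map[i].perms[j]; j++) {
			const struct policy_perm *pp;

			for (pp = pc->perms; pp->name; pp++)
				if (strcmp(pp->name, map[i].perms[j]) == 0)
					m->perms[j] = 1u << (pp->value - 1);
			if (!m->perms[j]) {
				printf("SELinux:  Permission %s in class %s not defined in policy.\n",
				       map[i].perms[j], map[i].name);
				unknown++;
			}
		}
		m->num_perms = j;
	}
	return unknown;
}

/* Kernel access vector -> policy access vector, used for the policy lookup. */
unsigned map_av(const struct selinux_mapping *m, unsigned kclass, unsigned kav)
{
	unsigned i, pav = 0;

	for (i = 0; i < m[kclass].num_perms; i++)
		if (kav & (1u << i))
			pav |= m[kclass].perms[i];
	return pav;
}

/* Policy "allowed" vector -> kernel bits; perms the policy lacks follow allow_unknown. */
unsigned map_decision(const struct selinux_mapping *m, unsigned kclass, unsigned allowed, int allow_unknown)
{
	unsigned i, kav = 0;

	for (i = 0; i < m[kclass].num_perms; i++) {
		if (allowed & m[kclass].perms[i])
			kav |= 1u << i;
		if (allow_unknown && !m[kclass].perms[i])
			kav |= 1u << i;
	}
	return kav;
}

/* Small driver over the toy tables so results can be checked by kernel class number. */
static struct selinux_mapping demo_map[4];

int demo_build(void) { return selinux_set_mapping(toy_policy, toy_classmap, demo_map, 4); }
unsigned demo_class_value(unsigned kclass) { return demo_map[kclass].value; }
unsigned demo_map_av(unsigned kclass, unsigned kav) { return map_av(demo_map, kclass, kav); }
unsigned demo_decision(unsigned kclass, unsigned allowed, int allow_unknown)
{
	return map_decision(demo_map, kclass, allowed, allow_unknown);
}
```

Two things to read off this. First, kernel bit 0 of "process" is sigchld in the toy table but policy bit 3 in the toy policy, and map_av/map_decision translate in both directions by name, which is why a shuffled classmap.h is expected to keep working. Second, "module_request" has no policy bit, so selinux_set_mapping reports it (the same message as in the boot log) and map_decision then grants it whenever allow_unknown is set, which is the "unknown classes and permissions will be allowed" behaviour; with allow_unknown clear the same request is denied.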


Thread overview: 20+ messages
2009-09-29 17:09 [PATCH v4 1/2] selinux: dynamic class/perm discovery Stephen Smalley
2009-09-29 17:14 ` [PATCH v4 2/2] selinux: generate flask headers during kernel build Stephen Smalley
2009-09-29 18:03   ` Stephen Smalley
2009-09-29 18:52     ` Stephen Smalley
2009-09-30  3:00       ` KaiGai Kohei
2009-09-30  2:32     ` KaiGai Kohei [this message]
2009-09-30 12:39       ` Stephen Smalley
2009-09-30 12:53         ` Stephen Smalley
2009-09-30 21:46           ` James Morris
2009-10-01 12:32             ` Stephen Smalley
2009-10-01 12:55               ` Joshua Brindle
2009-10-01 13:46               ` Paul Moore
2009-10-01 15:31                 ` Stephen Smalley
2009-10-03  0:33               ` Chris PeBenito
2009-10-03 18:30                 ` 欧珂塔维亚
2009-09-30 13:54         ` Stephen Smalley
2009-09-30 14:47           ` Stephen Smalley
2009-09-30 15:10             ` Stephen Smalley
2009-09-30 15:25       ` Stephen Smalley
2009-09-30 16:40         ` Stephen Smalley
