From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
Date: Fri, 01 Oct 2010 10:52:19 -0400
Message-ID: <4CA5F5A3.2080708@tresys.com>
In-Reply-To: <20101001143000.GB14548@localhost.localdomain>
On 10/01/10 10:30, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>> On 09/24/10 15:37, Dominick Grift wrote:
>>>
>>> I had to add this to make a minimal Fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, and allowing unconfined users to run run_init, groupadd, passwd, etc.
>>
>> A couple questions inline.
>>
>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>> index b354128..052f0a6 100644
>>> --- a/policy/modules/services/dbus.te
>>> +++ b/policy/modules/services/dbus.te
>>
>>> @@ -141,6 +137,11 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + # should this be dbus_system_domain instead?
>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>> +')
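Review bot: the `# should this be dbus_system_domain instead?` comment above networkmanager_initrc_domtrans(system_dbusd_t) leaves an open design question in committed policy; replace it with the actual rationale (the system bus runs the NetworkManager rc script, so a transition to initrc_t is what is wanted, whereas dbus_system_domain() would transition to networkmanager_t) or drop the comment once the question is settled.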
>
> system_dbusd_t runs the network manager rc script (to start network manager)
Ok, then what you have is right.
>>
>> It seems that you mean for networkmanager to transition to initrc_t.
>> Dbus_system_domain would transition from the system bus to
>> networkmanager_t. These don't seem at all alike. Not sure which
>> one you want, though dbus_system_domain() seems unlikely.
>>
>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>> index 2dad3c8..a20543a 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>
>>> +kernel_read_crypto_sysctls(sshd_t)
>>> +kernel_request_load_module(sshd_t)
>>> kernel_search_key(sshd_t)
>>> kernel_link_key(sshd_t)
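Review bot: kernel_request_load_module(sshd_t) is granted without a comment naming the module sshd was seen requesting, and the only explanation offered in the thread is a guess (ipv6); since this permission lets sshd ask the kernel to load any module by name, it should be left out of the patch, or at the very least carry a comment with the confirmed denial that motivated it. kernel_read_crypto_sysctls(sshd_t) on the preceding line is likewise undocumented.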
>
> Not sure but I think ipv6. Not that I think it matters, because if it's allowed to request one kernel module it's allowed to request any module.
That seems odd. If the interface is up and running already, I would
think that that module would be loaded already. I don't want to give
this permission if at all possible.
>> Why does sshd need to request a kernel module?
>>
>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>> index fca6947..5f5f331 100644
>>> --- a/policy/modules/system/mount.te
>>> +++ b/policy/modules/system/mount.te
>>
>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>> fs_unmount_all_fs(mount_t)
>>> fs_remount_all_fs(mount_t)
>>> fs_relabelfrom_all_fs(mount_t)
>>> -fs_list_auto_mountpoints(mount_t)
>>> +# wants to list usbfs_t
>>> +fs_list_all(mount_t)
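Review bot: swapping fs_list_auto_mountpoints(mount_t) for fs_list_all(mount_t) is broader than the `# wants to list usbfs_t` comment justifies; keep fs_list_auto_mountpoints(mount_t), add a usbfs-specific list interface for the one confirmed case, and only widen further if re-testing shows additional denials.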
>>
>> If you know it wants to list usbfs, why list all?
>
> Because usbfs is the only dir I confirmed and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_auto_mountpoints and fs_list_usbfs and see where that gets me.
Unless Dan has additional reasons, I'd prefer that you try that.
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index f976344..fbf02ec 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>> mcs_killall(unconfined_t)
>>> mcs_ptrace_all(unconfined_t)
>>>
>>> +ubac_process_exempt(unconfined_t)
>>> +ubac_file_exempt(unconfined_t)
>>> +ubac_fd_exempt(unconfined_t)
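Review bot: the three ubac_*_exempt(unconfined_t) calls are unrelated to the patch's stated purpose of booting a minimal Fedora 13 install and quietly widen what unconfined_t may do under UBAC; drop them from this patch and, if they are still wanted, send them separately with the sysadm_t comparison as the justification so the policy change can be discussed on its own.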
>>
>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>> MLS/MCS, etc.
>>
>
> Yes, I gathered you would say that. You actually told us before. So ignore this.
> The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions, I believe.
> So I guess it's just a matter of personal preference.
The thing is that sysadm is clearly an admin. Whereas unconfined could
be a regular user (in the old targeted sense) or an admin (in the strict
sense). So I could go back and forth on if unconfined should have this
access, but for now I'm sticking with what I said above.
> After some consideration I think you should probably ignore this whole patch or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
> Also this patch was based on Fedora 13; in Fedora 14 some things have changed, so on F14 this isn't enough to make it work.
>
> For example, in F14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t).
Really? How can init not be in /sbin?
> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>
> So be careful with what you adopt, if anything.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
Thread overview: 12+ messages
2010-09-24 19:37 [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13 Dominick Grift
2010-10-01 13:58 ` Christopher J. PeBenito
2010-10-01 14:30 ` Dominick Grift
2010-10-01 14:52 ` Christopher J. PeBenito [this message]
2010-10-01 15:09 ` Paul Howarth
2010-10-01 18:00 ` Christopher J. PeBenito
2010-10-01 15:10 ` Dominick Grift
2010-10-01 15:28 ` Daniel J Walsh
2010-10-01 19:01 ` Christopher J. PeBenito
2010-10-01 19:06 ` Dominick Grift
2010-10-04 9:18 ` Dominick Grift
2010-10-01 15:42 ` Daniel J Walsh