From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
Date: Fri, 01 Oct 2010 11:28:07 -0400	[thread overview]
Message-ID: <4CA5FE07.80504@redhat.com> (raw)
In-Reply-To: <20101001151000.GE14548@localhost.localdomain>

On 10/01/2010 11:10 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>> On 10/01/10 10:30, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>
>>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>>>>
>>>> A couple questions inline.
>>>>
>>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>>>> index b354128..052f0a6 100644
>>>>> --- a/policy/modules/services/dbus.te
>>>>> +++ b/policy/modules/services/dbus.te
>>>>
>>>>> @@ -141,6 +137,11 @@ optional_policy(`
>>>>>  ')
>>>>>
>>>>>  optional_policy(`
>>>>> +	# should this be dbus_system_domain instead?
>>>>> +	networkmanager_initrc_domtrans(system_dbusd_t)
>>>>> +')
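Review bot: the `# should this be dbus_system_domain instead?` comment leaves an open question in the policy source; per the discussion below, system_dbusd_t is the domain that runs the NetworkManager rc script, so `networkmanager_initrc_domtrans(system_dbusd_t)` is the intended interface and the comment should state that rationale rather than the question (dbus_system_domain() would instead describe a transition from the system bus into networkmanager_t, which is a different thing).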
>>>
>>> system_dbusd_t runs the network manager rc script (to start network manager)
>>
>> Ok, then what you have is right.
>>
>>>>
>>>> It seems that you mean for networkmanager to transition to initrc_t.
>>>> Dbus_system_domain would transition from the system bus to
>>>> networkmanager_t.  These don't seem at all alike.  Not sure which
>>>> one you want, though dbus_system_domain() seems unlikely.
>>>>
>>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>>>> index 2dad3c8..a20543a 100644
>>>>> --- a/policy/modules/services/ssh.te
>>>>> +++ b/policy/modules/services/ssh.te
>>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>>  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>>  files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>>>
>>>>> +kernel_read_crypto_sysctls(sshd_t)
>>>>> +kernel_request_load_module(sshd_t)
>>>>>  kernel_search_key(sshd_t)
>>>>>  kernel_link_key(sshd_t)
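Review bot: `kernel_request_load_module(sshd_t)` grants sshd the ability to request autoloading of any kernel module, not only the ipv6 one that triggers the denial, and there is no per-module granularity in that interface. Since the thread identifies the trigger as socket creation on hosts with ipv6 disabled (a module that will not load anyway), a dontaudit rule (kernel_dontaudit_request_load_module) silences the AVC without widening sshd's privileges. `kernel_read_crypto_sysctls(sshd_t)` also arrives without any justification in the patch or the thread; a comment naming the denial it addresses would help the next reviewer.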
>>>
>>> Not sure but I think ipv6. Not that I think it matters because if it's allowed to request one kernel module it's allowed to request any module.
>>
>> That seems odd.  If the interface is up and running already, I would
>> think that that module would be loaded already.  I don't want to
>> give this permission if at all possible.
>>
>>>> Why does sshd need to request a kernel module?
Yes this came from disabling IPV6 I believe.  Turns out that if you turn
off ipv6 on a machine every app that tries to use a socket ends up
trying to load the kernel module.  So AVC's appear all over the place
when people disable ipv6 (Surprisingly common in Fedora.)  We now have a
setroubleshoot that will ignore this avc.

Eric looked into getting the kernel to not deliver all of the AVC's but
his patch was too invasive and was rejected.
>>>>
>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>>> index fca6947..5f5f331 100644
>>>>> --- a/policy/modules/system/mount.te
>>>>> +++ b/policy/modules/system/mount.te
>>>>
>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>>>  fs_unmount_all_fs(mount_t)
>>>>>  fs_remount_all_fs(mount_t)
>>>>>  fs_relabelfrom_all_fs(mount_t)
>>>>> -fs_list_auto_mountpoints(mount_t)
>>>>> +# wants to list usbfs_t
>>>>> +fs_list_all(mount_t)
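Review bot: the comment `# wants to list usbfs_t` documents a single confirmed denial, but the rule it introduces, `fs_list_all(mount_t)`, widens mount_t from automount points to every filesystem type, and drops `fs_list_auto_mountpoints(mount_t)` in the process. Keep the existing fs_list_auto_mountpoints() call and add the narrowest interface that covers usbfs; if other filesystems (debugfs is mentioned later in the thread) turn out to be needed, list them in the comment so the breadth of the rule matches the evidence.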
>>>>
>>>> If you know it wants to list usbfs, why list all?
I am pretty sure this comes up with things like debugfs and others.  I
don't see why you would not accept this since mount is a powerful
domain and this hardly seems like a preventive measure.  You are just
enabling a lot of stupid AVC messages by not allowing it to list.
>>>
>>> Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>>
>> Unless Dan has additional reasons, I'd prefer that you try that.
>>
>>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>>>> index f976344..fbf02ec 100644
>>>>> --- a/policy/modules/system/unconfined.te
>>>>> +++ b/policy/modules/system/unconfined.te
>>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>>>>  mcs_killall(unconfined_t)
>>>>>  mcs_ptrace_all(unconfined_t)
>>>>>
>>>>> +ubac_process_exempt(unconfined_t)
>>>>> +ubac_file_exempt(unconfined_t)
>>>>> +ubac_fd_exempt(unconfined_t)
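Review bot: the three `ubac_*_exempt(unconfined_t)` rules change the security model for unconfined_t (process, file and fd exemptions from user-based access control) rather than fixing a boot failure, and nothing in the hunk or the patch description explains which denial they address. They do not belong in a patch titled "stuff to make refpolicy boot"; split them into a separate patch with the rationale, or drop them as the maintainer indicates below.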
>>>>
>>>> I'm not sure we want this.  Unconfined doesn't mean exempt on UBAC,
>>>> MLS/MCS, etc.
>>>>
>>>
>>> Yes I gathered you would say that. You actually told us before. So ignore this.
>>> The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe.
>>> So I guess it's just a matter of personal preference.
>>
>> The thing is that sysadm is clearly an admin.  Whereas unconfined
>> could be a regular user (in the old targeted sense) or an admin (in
>> the strict sense).  So I could go back and forth on if unconfined
>> should have this access, but for now I'm sticking with what I said
>> above.
>>
>>> After some consideration I think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
>>> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
>>>
>>> for example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>>
>> Really? How can init not be in /sbin?
> 
> Sorry I meant /sbin/init is a symlink to /sbin/upstart.
> 
>>
>>> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>>>
>>> So be careful with what you adopt if anything.
>>
>> -- 
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>>
