[refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
@ 2014-05-10 14:45 Nicolas Iooss
  2014-05-13 12:46 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolas Iooss @ 2014-05-10 14:45 UTC (permalink / raw)
  To: refpolicy

When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to setup a new device.  This program works with udev to configure the
new device and uses SysV semaphores to synchronize states.  As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.

More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
---
 policy/modules/system/unconfined.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 472a39e..79f2909 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	modutils_run_update_mods(unconfined_t, unconfined_r)
 ')
 
-- 
1.9.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
  2014-05-10 14:45 [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain Nicolas Iooss
@ 2014-05-13 12:46 ` Christopher J. PeBenito
  2014-05-13 13:55   ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2014-05-13 12:46 UTC (permalink / raw)
  To: refpolicy

On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
> called to setup a new device.  This program works with udev to configure the
> new device and uses SysV semaphores to synchronize states.  As udev runs
> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
> 
> More details are available in the archives on the ML:
> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
> ---
>  policy/modules/system/unconfined.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 472a39e..79f2909 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -108,6 +108,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	lvm_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
>  	modutils_run_update_mods(unconfined_t, unconfined_r)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
  2014-05-13 12:46 ` Christopher J. PeBenito
@ 2014-05-13 13:55   ` Daniel J Walsh
  2014-05-14 13:32     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2014-05-13 13:55 UTC (permalink / raw)
  To: refpolicy


On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>> called to setup a new device.  This program works with udev to configure the
>> new device and uses SysV semaphores to synchronize states.  As udev runs
>> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
>> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
>>
>> More details are available in the archives on the ML:
>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>> ---
>>  policy/modules/system/unconfined.te | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>> index 472a39e..79f2909 100644
>> --- a/policy/modules/system/unconfined.te
>> +++ b/policy/modules/system/unconfined.te
>> @@ -108,6 +108,10 @@ optional_policy(`
>>  ')
>>  
>>  optional_policy(`
>> +	lvm_run(unconfined_t, unconfined_r)
>> +')
>> +
>> +optional_policy(`
>>  	modutils_run_update_mods(unconfined_t, unconfined_r)
>>  ')
> Merged.
>
Why would we add a confinement to the unconfined domain?  I believe
unconfined_t should stay unconfined as much as possible.

I wrote a blog about this.

https://danwalsh.livejournal.com/30084.html

The only reason to do this in the past was for correct labeling, but
with file name transition rules, I believe almost all transitions from
unconfined_t should be eliminated.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain
  2014-05-13 13:55   ` Daniel J Walsh
@ 2014-05-14 13:32     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2014-05-14 13:32 UTC (permalink / raw)
  To: refpolicy

On 05/13/2014 09:55 AM, Daniel J Walsh wrote:
> 
> On 05/13/2014 08:46 AM, Christopher J. PeBenito wrote:
>> On 05/10/2014 10:45 AM, Nicolas Iooss wrote:
>>> When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
>>> called to setup a new device.  This program works with udev to configure the
>>> new device and uses SysV semaphores to synchronize states.  As udev runs
>>> dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
>>> semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
>>>
>>> More details are available in the archives on the ML:
>>> http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
>>> ---
>>>  policy/modules/system/unconfined.te | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 472a39e..79f2909 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -108,6 +108,10 @@ optional_policy(`
>>>  ')
>>>  
>>>  optional_policy(`
>>> +	lvm_run(unconfined_t, unconfined_r)
>>> +')
>>> +
>>> +optional_policy(`
>>>  	modutils_run_update_mods(unconfined_t, unconfined_r)
>>>  ')
>> Merged.
>>
> Why would we add a confinement to the unconfined domain?  I believe
> unconfined_t should stay unconfined as much as possible.
> 
> I wrote a blog about this.
> 
> https://danwalsh.livejournal.com/30084.html
> 
> The only reason to do this in the past was for correct labeling, but
> with file name transition rules, I believe almost all transitions from
> unconfined_t should be eliminated.
 
The file name transitions don't apply, as we're concerned about SysV semaphores in this case.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-05-14 13:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-10 14:45 [refpolicy] [PATCH] Make unconfined user run lvm programs in confined domain Nicolas Iooss
2014-05-13 12:46 ` Christopher J. PeBenito
2014-05-13 13:55   ` Daniel J Walsh
2014-05-14 13:32     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.