From: Steve Lawrence <slawrence@tresys.com>
To: Sven Vermeulen <sven.vermeulen@siphos.be>,
	SELinux <selinux@tycho.nsa.gov>
Subject: Re: SELinux Userspace Release: 20140826-rc5
Date: Mon, 3 Nov 2014 08:36:02 -0500
Message-ID: <545784C2.30203@tresys.com>
In-Reply-To: <CAPzO=NyRKK=jJ151W6xk_cs7dHKJQCwCxoJc2jZmTLZ_DaXPUA@mail.gmail.com>

On 11/02/2014 10:17 AM, Sven Vermeulen wrote:
> On Wed, Oct 29, 2014 at 4:34 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>> The fifth release candidate for the next release of SELinux Userspace
>> [1] is now available. The tarballs have been built and can be downloaded
>> from the Releases wiki page [2]. Changes since rc4 include:
> [...]
>> Please give this a test and let us know if you find any problems.
> 
> Hi Steve
> 
> I notice a regression that I can't quite place yet.
> 
> I am running with a policy that does not have the unconfined module
> loaded (so a strict environment). In the past (same policy, 2.3
> utilities) that also prevented those "unconfined domains" to get their
> privileges. For instance, initrc_t does not have the
> files_unconfined_type assigned to it.
> 
> With the 2.4 series, this attribute is assigned to the domain. I
> *think* that it is ignoring the gen_require(`type unconfined_t') that
> is in unconfined_domain_noaudit() in the sense that the rules that do
> not use unconfined_t are now loaded as well. In the past, this would
> ignore the entire block.
> 

It looks like you are correct, that unconfined_t is the problem. The
unconfined_domain_noaudit interface has a gen_require on unconfined_t.
However, CIL does not have a concept of gen_require. It just tries to
resolve all statements inside an optional block, and if any of them fail
then the optional is disabled. So in refpolicy, this interface depends
on the unconfined_t type, even though it never uses it.

One solution would be to create a typeattribute that isn't used in any
statements (and so won't become part of the final kernel policy) but
that types that are gen_required are associated with. This should cause
a failure of the optional without affecting anything else. Kind of a
hack, and it only works for types/roles since we have attributes for
those, but probably the only way to mimic gen_require in CIL.

Another option would be to change refpolicy so that the unconfined
attributes are defined in the unconfined module rather than in
kernel/domain/fs/etc, but maybe the way unconfined works would make that
difficult. It's also not backwards compatible, so we'd probably still
need the pp change anyway.

- Steve
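The following CIL fragment is an added illustration of the behaviour Steve describes and of the workaround he sketches; it is not code from the thread, from refpolicy or from the SELinux userspace project. The attribute name gen_require_attr and the optional block name are assumptions chosen for the example; unconfined_t is deliberately left undeclared to model a policy built without the unconfined module.

```cil
; Added example (not from the original message). It shows why a CIL
; optional block does not behave like a refpolicy gen_require, and how
; an otherwise-unused attribute can be used to mimic one.

(type initrc_t)
(typeattribute files_unconfined_type)

; Attribute referenced by no allow/neverallow rule. Its only purpose is
; to let the optional block mention a type that may not exist.
; (Name assumed for this example.)
(typeattribute gen_require_attr)

; Rough equivalent of unconfined_domain_noaudit(initrc_t) after the
; pp -> CIL conversion. Block name assumed for this example.
(optional unconfined_domain_noaudit_initrc_t
    ; Stand-in for gen_require(`type unconfined_t'). unconfined_t is
    ; not declared anywhere in this policy, so resolving this statement
    ; fails, and CIL then disables the whole optional block, including
    ; the rule below that never mentions unconfined_t.
    (typeattributeset gen_require_attr (unconfined_t))

    ; Without the line above, nothing in this block references
    ; unconfined_t, so the optional resolves and initrc_t picks up the
    ; attribute even in a policy with no unconfined module loaded.
    (typeattributeset files_unconfined_type (initrc_t))
)
```

Compiling this with secilc should report the optional as disabled and produce a policy in which initrc_t does not carry files_unconfined_type; declaring unconfined_t (for example by adding `(type unconfined_t)` at the top) makes the optional resolve and restores the attribute. As Steve notes, the approach only covers types and roles, because those are the identifiers for which an attribute exists to hang the reference on.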

Thread overview: 9+ messages
2014-10-29 15:34 SELinux Userspace Release: 20140826-rc5 Steve Lawrence
2014-11-02 15:17 ` Sven Vermeulen
2014-11-03 13:36   ` Steve Lawrence [this message]
2014-11-04 18:08     ` Sven Vermeulen
2014-11-04 20:26       ` James Carter
2014-11-06 14:12         ` Steve Lawrence
2014-11-06 14:19           ` James Carter
2014-11-06 18:45 ` Sven Vermeulen
2014-11-06 18:59   ` Steve Lawrence