* [RFC][PATCH] selinux: Remove unused permission definitions
@ 2015-05-27 15:03 Stephen Smalley
2015-05-29 21:14 ` Paul Moore
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Stephen Smalley @ 2015-05-27 15:03 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
security/selinux/include/classmap.h | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1d8b924..5a4eef5 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -2,12 +2,12 @@
"getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
- "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
+ "rename", "execute", "quotaon", "mounton", "audit_access", \
"open", "execmod"
#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
"listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
- "sendto", "recv_msg", "send_msg", "name_bind"
+ "sendto", "name_bind"
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
"write", "associate", "unix_read", "unix_write"
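Review bot: the commit message describes the first removal as "file swapon", but this hunk deletes "swapon" from COMMON_FILE_PERMS, so every class that expands that macro loses the permission, not only "file"; the same applies to "recv_msg"/"send_msg", which come out of COMMON_SOCK_PERMS and therefore out of every socket class, whereas the message's "socket { recv_msg send_msg }" line reads as if only the "socket" class were affected. Suggest listing the removals by macro ("COMMON_FILE_PERMS swapon", "COMMON_SOCK_PERMS { recv_msg send_msg }") so policy authors know to check blk_file, dir, udp_socket and the rest as well.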
@@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
"audit_control", "setfcap", NULL } },
{ "filesystem",
{ "mount", "remount", "unmount", "getattr",
- "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+ "relabelfrom", "relabelto", "associate", "quotamod",
"quotaget", NULL } },
{ "file",
{ COMMON_FILE_PERMS,
@@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_SOCK_PERMS, NULL } },
{ "tcp_socket",
{ COMMON_SOCK_PERMS,
- "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+ "node_bind", "name_connect",
NULL } },
{ "udp_socket",
{ COMMON_SOCK_PERMS,
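Review bot: "connectto" is dropped from tcp_socket here but kept for unix_stream_socket in the last hunk; the per-class lists in the commit message make the asymmetry intentional, but one sentence there saying that connectto was never checked on TCP sockets while it remains in use for UNIX stream sockets would spare the next reader the cross-check between the two hunks.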
@@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_SOCK_PERMS,
"node_bind", NULL } },
{ "node",
- { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
- "rawip_recv", "rawip_send", "enforce_dest",
- "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+ { "recvfrom", "sendto", NULL } },
{ "netif",
- { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
- "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
- "ingress", "egress", NULL } },
+ { "ingress", "egress", NULL } },
{ "netlink_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "packet_socket",
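Review bot: deleting entries from the front of the "node" and "netif" lists renumbers the permissions that remain ("recvfrom", "sendto" move from the 10th and 11th slot to the 1st and 2nd in "node"; "ingress", "egress" likewise in "netif"). That is safe because secclass_map entries are matched against the loaded policy by name rather than by index, but the commit message should say so, since a reader seeing kernel permission bit positions change in a header will otherwise suspect a policy compatibility break.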
@@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
{ "key_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "unix_stream_socket",
- { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
- } },
+ { COMMON_SOCK_PERMS, "connectto", NULL } },
{ "unix_dgram_socket",
- { COMMON_SOCK_PERMS, NULL
- } },
+ { COMMON_SOCK_PERMS, NULL } },
{ "sem",
{ COMMON_IPC_PERMS, NULL } },
{ "msg", { "send", "receive", NULL } },
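Review bot: the unix_dgram_socket change in this hunk is whitespace only (joining `{ COMMON_SOCK_PERMS, NULL` and `} },` onto one line) and is unrelated to the permission removal the patch is about; it is harmless, but either mention the incidental reformatting in the commit message or split it out so that `git blame` on that line points at a commit that explains it.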
--
2.1.0
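A policy author reading this thread mostly wants to know whether their own policy still grants any of the permissions being dropped. The following script is an added example, not part of the patch or of the SELinux project: it parses plain access-vector rules (allow/auditallow/dontaudit/neverallow), reports those that name a removed permission, and rewrites single-class rules without the dead permissions. The permission lists are taken from the commit message; the FILE_CLASSES set is an assumption drawn from classmap.h (the patch itself only shows the "file" class expanding COMMON_FILE_PERMS); the sample policy fragment is constructed for the example, and m4 macros such as read_file_perms are not expanded, so removed permissions hidden behind a macro are not detected.

```python
"""Find SELinux policy rules that still reference permissions the kernel dropped.

Added example; it is not part of the patch or of the SELinux project. The
permission lists come from the commit message above. The sample policy text at
the bottom is constructed for this example, and the FILE_CLASSES set is an
assumption drawn from classmap.h, where those classes expand COMMON_FILE_PERMS.
"""
import re

# Classes that expand COMMON_FILE_PERMS and so lose "swapon" (assumption from
# classmap.h; the patch itself only shows the "file" class).
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}
COMMON_FILE_DEAD = {"swapon"}
# Every socket class expands COMMON_SOCK_PERMS, so all of them lose these.
COMMON_SOCK_DEAD = {"recv_msg", "send_msg"}

LEGACY_NET = {"tcp_recv", "tcp_send", "udp_recv", "udp_send",
              "rawip_recv", "rawip_send", "dccp_recv", "dccp_send"}

# Class-specific removals listed in the commit message.
CLASS_DEAD_PERMS = {
    "filesystem": {"transition"},
    "tcp_socket": {"connectto", "newconn", "acceptfrom"},
    "unix_stream_socket": {"newconn", "acceptfrom"},  # connectto is kept
    "node": LEGACY_NET | {"enforce_dest"},
    "netif": set(LEGACY_NET),
}


def dead_perms_for(cls):
    """Permissions that no longer exist in the kernel for class `cls`."""
    dead = set(CLASS_DEAD_PERMS.get(cls, ()))
    if cls in FILE_CLASSES:
        dead |= COMMON_FILE_DEAD
    if cls == "socket" or cls.endswith("_socket"):
        dead |= COMMON_SOCK_DEAD
    return dead


# One access-vector rule: `allow src tgt:cls perms;` where cls and perms may be
# brace-delimited sets. m4 macros such as read_file_perms are not expanded,
# so removed permissions hidden behind a macro are not seen here.
RULE_RE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<kind>allow|auditallow|dontaudit|neverallow)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+?):(?P<cls>\{[^}]*\}|\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;",
    re.MULTILINE,
)


def _split_set(token):
    return token.strip("{}").split()


def find_dead_permission_refs(policy_text):
    """Return (line_number, class, sorted dead perms) for each offending rule."""
    findings = []
    for m in RULE_RE.finditer(policy_text):
        line_no = policy_text.count("\n", 0, m.start()) + 1
        perms = set(_split_set(m.group("perms")))
        for cls in _split_set(m.group("cls")):
            hit = perms & dead_perms_for(cls)
            if hit:
                findings.append((line_no, cls, sorted(hit)))
    return findings


def strip_dead_perms(policy_text):
    """Rewrite single-class rules without the dead permissions; a rule left
    with no permissions becomes a comment so the change stays visible."""
    def fix(m):
        classes = _split_set(m.group("cls"))
        if len(classes) != 1:
            return m.group(0)  # multi-class sets are left for manual review
        cls = classes[0]
        original = _split_set(m.group("perms"))
        kept = [p for p in original if p not in dead_perms_for(cls)]
        if kept == original:
            return m.group(0)
        indent = m.group("indent")
        if not kept:
            return f"{indent}# dropped (all permissions removed): {m.group(0).strip()}"
        perm_str = kept[0] if len(kept) == 1 else "{ " + " ".join(kept) + " }"
        return f"{indent}{m.group('kind')} {m.group('src')} {m.group('tgt')}:{cls} {perm_str};"
    return RULE_RE.sub(fix, policy_text)


# Constructed sample policy fragment (not from any real policy).
SAMPLE_POLICY = """\
allow fstools_t fixed_disk_device_t:blk_file { read write swapon };
allow sshd_t self:tcp_socket { create bind connect connectto newconn };
allow sshd_t self:unix_stream_socket { create connectto };
allow ping_t self:rawip_socket { create recv_msg send_msg };
allow ping_t node_t:node { tcp_recv rawip_send recvfrom sendto };
allow user_t user_home_t:file read_file_perms;
allow mount_t fs_t:filesystem { mount unmount transition };
dontaudit ping_t self:packet_socket { recv_msg send_msg };
"""

if __name__ == "__main__":
    for line_no, cls, perms in find_dead_permission_refs(SAMPLE_POLICY):
        print(f"line {line_no}: {cls} still references {' '.join(perms)}")
    print(strip_dead_perms(SAMPLE_POLICY))
```

Run it against a policy `.te` file's contents instead of SAMPLE_POLICY to get a line-numbered list of rules to clean up; the rewrite deliberately refuses to touch multi-class rules and turns fully dead rules into comments rather than deleting them, so a reviewer can see exactly what changed.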
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-27 15:03 [RFC][PATCH] selinux: Remove unused permission definitions Stephen Smalley
@ 2015-05-29 21:14 ` Paul Moore
2015-05-29 21:38 ` Dominick Grift
2015-06-02 13:06 ` Christopher J. PeBenito
2015-06-03 18:45 ` Paul Moore
2015-06-14 5:33 ` Dominick Grift
2 siblings, 2 replies; 11+ messages in thread
From: Paul Moore @ 2015-05-29 21:14 UTC (permalink / raw)
To: Stephen Smalley, cpebenito; +Cc: selinux
On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Remove unused permission definitions from SELinux.
> Many of these were only ever used in pre-mainline
> versions of SELinux, prior to Linux 2.6.0. Some of them
> were used in the legacy network or compat_net=1 checks
> that were disabled by default in Linux 2.6.18 and
> fully removed in Linux 2.6.30.
>
> Permissions never used in mainline Linux:
> file swapon
> filesystem transition
> tcp_socket { connectto newconn acceptfrom }
> node enforce_dest
> unix_stream_socket { newconn acceptfrom }
>
> Legacy network checks, removed in 2.6.30:
> socket { recv_msg send_msg }
> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/include/classmap.h | 22 ++++++++--------------
> 1 file changed, 8 insertions(+), 14 deletions(-)
Seems very reasonable to me. Chris, any objections from a policy point of view?
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 1d8b924..5a4eef5 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -2,12 +2,12 @@
> "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
>
> #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> + "rename", "execute", "quotaon", "mounton", "audit_access", \
> "open", "execmod"
>
> #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> - "sendto", "recv_msg", "send_msg", "name_bind"
> + "sendto", "name_bind"
>
> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> "write", "associate", "unix_read", "unix_write"
> @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> "audit_control", "setfcap", NULL } },
> { "filesystem",
> { "mount", "remount", "unmount", "getattr",
> - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> + "relabelfrom", "relabelto", "associate", "quotamod",
> "quotaget", NULL } },
> { "file",
> { COMMON_FILE_PERMS,
> @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS, NULL } },
> { "tcp_socket",
> { COMMON_SOCK_PERMS,
> - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> + "node_bind", "name_connect",
> NULL } },
> { "udp_socket",
> { COMMON_SOCK_PERMS,
> @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS,
> "node_bind", NULL } },
> { "node",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "enforce_dest",
> - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> + { "recvfrom", "sendto", NULL } },
> { "netif",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> - "ingress", "egress", NULL } },
> + { "ingress", "egress", NULL } },
> { "netlink_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "packet_socket",
> @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> { "key_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "unix_stream_socket",
> - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> - } },
> + { COMMON_SOCK_PERMS, "connectto", NULL } },
> { "unix_dgram_socket",
> - { COMMON_SOCK_PERMS, NULL
> - } },
> + { COMMON_SOCK_PERMS, NULL } },
> { "sem",
> { COMMON_IPC_PERMS, NULL } },
> { "msg", { "send", "receive", NULL } },
> --
> 2.1.0
>
--
paul moore
www.paul-moore.com
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-29 21:14 ` Paul Moore
@ 2015-05-29 21:38 ` Dominick Grift
2015-05-30 13:06 ` Paul Moore
2015-06-02 13:06 ` Christopher J. PeBenito
1 sibling, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2015-05-29 21:38 UTC (permalink / raw)
To: selinux
On Fri, May 29, 2015 at 05:14:53PM -0400, Paul Moore wrote:
> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > Remove unused permission definitions from SELinux.
> > Many of these were only ever used in pre-mainline
> > versions of SELinux, prior to Linux 2.6.0. Some of them
> > were used in the legacy network or compat_net=1 checks
> > that were disabled by default in Linux 2.6.18 and
> > fully removed in Linux 2.6.30.
> >
> > Permissions never used in mainline Linux:
> > file swapon
> > filesystem transition
> > tcp_socket { connectto newconn acceptfrom }
> > node enforce_dest
> > unix_stream_socket { newconn acceptfrom }
> >
> > Legacy network checks, removed in 2.6.30:
> > socket { recv_msg send_msg }
> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> > security/selinux/include/classmap.h | 22 ++++++++--------------
> > 1 file changed, 8 insertions(+), 14 deletions(-)
>
> Seems very reasonable to me. Chris, any objections from a policy point of view?
I do not mean to reply on Chris' behalf, but in light of what he said earlier:
"The short answer is that I'd prefer to remove policy known to be unusable."
I just want to mention that I like the idea of losing some dead weight where it makes sense as well.
>
> > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> > index 1d8b924..5a4eef5 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -2,12 +2,12 @@
> > "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
> >
> > #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> > - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> > + "rename", "execute", "quotaon", "mounton", "audit_access", \
> > "open", "execmod"
> >
> > #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> > "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> > - "sendto", "recv_msg", "send_msg", "name_bind"
> > + "sendto", "name_bind"
> >
> > #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> > "write", "associate", "unix_read", "unix_write"
> > @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> > "audit_control", "setfcap", NULL } },
> > { "filesystem",
> > { "mount", "remount", "unmount", "getattr",
> > - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> > + "relabelfrom", "relabelto", "associate", "quotamod",
> > "quotaget", NULL } },
> > { "file",
> > { COMMON_FILE_PERMS,
> > @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS, NULL } },
> > { "tcp_socket",
> > { COMMON_SOCK_PERMS,
> > - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> > + "node_bind", "name_connect",
> > NULL } },
> > { "udp_socket",
> > { COMMON_SOCK_PERMS,
> > @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS,
> > "node_bind", NULL } },
> > { "node",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "enforce_dest",
> > - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> > + { "recvfrom", "sendto", NULL } },
> > { "netif",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> > - "ingress", "egress", NULL } },
> > + { "ingress", "egress", NULL } },
> > { "netlink_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "packet_socket",
> > @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> > { "key_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "unix_stream_socket",
> > - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> > - } },
> > + { COMMON_SOCK_PERMS, "connectto", NULL } },
> > { "unix_dgram_socket",
> > - { COMMON_SOCK_PERMS, NULL
> > - } },
> > + { COMMON_SOCK_PERMS, NULL } },
> > { "sem",
> > { COMMON_IPC_PERMS, NULL } },
> > { "msg", { "send", "receive", NULL } },
> > --
> > 2.1.0
> >
>
>
>
> --
> paul moore
> www.paul-moore.com
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-29 21:38 ` Dominick Grift
@ 2015-05-30 13:06 ` Paul Moore
0 siblings, 0 replies; 11+ messages in thread
From: Paul Moore @ 2015-05-30 13:06 UTC (permalink / raw)
To: selinux
On Fri, May 29, 2015 at 5:38 PM, Dominick Grift <dac.override@gmail.com> wrote:
> On Fri, May 29, 2015 at 05:14:53PM -0400, Paul Moore wrote:
>> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> > Remove unused permission definitions from SELinux.
>> > Many of these were only ever used in pre-mainline
>> > versions of SELinux, prior to Linux 2.6.0. Some of them
>> > were used in the legacy network or compat_net=1 checks
>> > that were disabled by default in Linux 2.6.18 and
>> > fully removed in Linux 2.6.30.
>> >
>> > Permissions never used in mainline Linux:
>> > file swapon
>> > filesystem transition
>> > tcp_socket { connectto newconn acceptfrom }
>> > node enforce_dest
>> > unix_stream_socket { newconn acceptfrom }
>> >
>> > Legacy network checks, removed in 2.6.30:
>> > socket { recv_msg send_msg }
>> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>> >
>> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> > ---
>> > security/selinux/include/classmap.h | 22 ++++++++--------------
>> > 1 file changed, 8 insertions(+), 14 deletions(-)
>>
>> Seems very reasonable to me. Chris, any objections from a policy point of view?
>
> I do not mean to reply on Chris' behalf but in light of what he said earlier:
>
> "The short answer is that I'd prefer to remove policy known to be unusable."
>
> I just want to mention that i like the idea of losing some dead weight where it makes sense as well.
Me too. I doubt Chris will have a problem with it, but there is no
particular rush with this patch so I figured I would check with him
first just to make sure.
--
paul moore
www.paul-moore.com
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-29 21:14 ` Paul Moore
2015-05-29 21:38 ` Dominick Grift
@ 2015-06-02 13:06 ` Christopher J. PeBenito
1 sibling, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2015-06-02 13:06 UTC (permalink / raw)
To: Paul Moore, Stephen Smalley; +Cc: selinux
On 5/29/2015 5:14 PM, Paul Moore wrote:
> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Remove unused permission definitions from SELinux.
>> Many of these were only ever used in pre-mainline
>> versions of SELinux, prior to Linux 2.6.0. Some of them
>> were used in the legacy network or compat_net=1 checks
>> that were disabled by default in Linux 2.6.18 and
>> fully removed in Linux 2.6.30.
>>
>> Permissions never used in mainline Linux:
>> file swapon
>> filesystem transition
>> tcp_socket { connectto newconn acceptfrom }
>> node enforce_dest
>> unix_stream_socket { newconn acceptfrom }
>>
>> Legacy network checks, removed in 2.6.30:
>> socket { recv_msg send_msg }
>> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> security/selinux/include/classmap.h | 22 ++++++++--------------
>> 1 file changed, 8 insertions(+), 14 deletions(-)
>
> Seems very reasonable to me. Chris, any objections from a policy point of view?
Nope. Please remove dead permissions :)
>> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
>> index 1d8b924..5a4eef5 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -2,12 +2,12 @@
>> "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
>>
>> #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
>> - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
>> + "rename", "execute", "quotaon", "mounton", "audit_access", \
>> "open", "execmod"
>>
>> #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
>> "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
>> - "sendto", "recv_msg", "send_msg", "name_bind"
>> + "sendto", "name_bind"
>>
>> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
>> "write", "associate", "unix_read", "unix_write"
>> @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
>> "audit_control", "setfcap", NULL } },
>> { "filesystem",
>> { "mount", "remount", "unmount", "getattr",
>> - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
>> + "relabelfrom", "relabelto", "associate", "quotamod",
>> "quotaget", NULL } },
>> { "file",
>> { COMMON_FILE_PERMS,
>> @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
>> { COMMON_SOCK_PERMS, NULL } },
>> { "tcp_socket",
>> { COMMON_SOCK_PERMS,
>> - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
>> + "node_bind", "name_connect",
>> NULL } },
>> { "udp_socket",
>> { COMMON_SOCK_PERMS,
>> @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
>> { COMMON_SOCK_PERMS,
>> "node_bind", NULL } },
>> { "node",
>> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
>> - "rawip_recv", "rawip_send", "enforce_dest",
>> - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
>> + { "recvfrom", "sendto", NULL } },
>> { "netif",
>> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
>> - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
>> - "ingress", "egress", NULL } },
>> + { "ingress", "egress", NULL } },
>> { "netlink_socket",
>> { COMMON_SOCK_PERMS, NULL } },
>> { "packet_socket",
>> @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
>> { "key_socket",
>> { COMMON_SOCK_PERMS, NULL } },
>> { "unix_stream_socket",
>> - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
>> - } },
>> + { COMMON_SOCK_PERMS, "connectto", NULL } },
>> { "unix_dgram_socket",
>> - { COMMON_SOCK_PERMS, NULL
>> - } },
>> + { COMMON_SOCK_PERMS, NULL } },
>> { "sem",
>> { COMMON_IPC_PERMS, NULL } },
>> { "msg", { "send", "receive", NULL } },
>> --
>> 2.1.0
>>
>
>
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-27 15:03 [RFC][PATCH] selinux: Remove unused permission definitions Stephen Smalley
2015-05-29 21:14 ` Paul Moore
@ 2015-06-03 18:45 ` Paul Moore
2015-06-14 5:33 ` Dominick Grift
2 siblings, 0 replies; 11+ messages in thread
From: Paul Moore @ 2015-06-03 18:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Wednesday, May 27, 2015 11:03:25 AM Stephen Smalley wrote:
> Remove unused permission definitions from SELinux.
> Many of these were only ever used in pre-mainline
> versions of SELinux, prior to Linux 2.6.0. Some of them
> were used in the legacy network or compat_net=1 checks
> that were disabled by default in Linux 2.6.18 and
> fully removed in Linux 2.6.30.
>
> Permissions never used in mainline Linux:
> file swapon
> filesystem transition
> tcp_socket { connectto newconn acceptfrom }
> node enforce_dest
> unix_stream_socket { newconn acceptfrom }
>
> Legacy network checks, removed in 2.6.30:
> socket { recv_msg send_msg }
> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/include/classmap.h | 22 ++++++++--------------
> 1 file changed, 8 insertions(+), 14 deletions(-)
Applied, thanks all.
> diff --git a/security/selinux/include/classmap.h
> b/security/selinux/include/classmap.h index 1d8b924..5a4eef5 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -2,12 +2,12 @@
> "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
>
> #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> + "rename", "execute", "quotaon", "mounton", "audit_access", \
> "open", "execmod"
>
> #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> - "sendto", "recv_msg", "send_msg", "name_bind"
> + "sendto", "name_bind"
>
> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read",
> \ "write", "associate", "unix_read", "unix_write"
> @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> "audit_control", "setfcap", NULL } },
> { "filesystem",
> { "mount", "remount", "unmount", "getattr",
> - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> + "relabelfrom", "relabelto", "associate", "quotamod",
> "quotaget", NULL } },
> { "file",
> { COMMON_FILE_PERMS,
> @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS, NULL } },
> { "tcp_socket",
> { COMMON_SOCK_PERMS,
> - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> + "node_bind", "name_connect",
> NULL } },
> { "udp_socket",
> { COMMON_SOCK_PERMS,
> @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS,
> "node_bind", NULL } },
> { "node",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "enforce_dest",
> - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> + { "recvfrom", "sendto", NULL } },
> { "netif",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> - "ingress", "egress", NULL } },
> + { "ingress", "egress", NULL } },
> { "netlink_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "packet_socket",
> @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> { "key_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "unix_stream_socket",
> - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> - } },
> + { COMMON_SOCK_PERMS, "connectto", NULL } },
> { "unix_dgram_socket",
> - { COMMON_SOCK_PERMS, NULL
> - } },
> + { COMMON_SOCK_PERMS, NULL } },
> { "sem",
> { COMMON_IPC_PERMS, NULL } },
> { "msg", { "send", "receive", NULL } },
--
paul moore
www.paul-moore.com
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-05-27 15:03 [RFC][PATCH] selinux: Remove unused permission definitions Stephen Smalley
2015-05-29 21:14 ` Paul Moore
2015-06-03 18:45 ` Paul Moore
@ 2015-06-14 5:33 ` Dominick Grift
2015-06-14 15:50 ` Dominick Grift
2015-06-15 12:41 ` Stephen Smalley
2 siblings, 2 replies; 11+ messages in thread
From: Dominick Grift @ 2015-06-14 5:33 UTC (permalink / raw)
To: selinux
On Wed, May 27, 2015 at 11:03:25AM -0400, Stephen Smalley wrote:
> Remove unused permission definitions from SELinux.
> Many of these were only ever used in pre-mainline
> versions of SELinux, prior to Linux 2.6.0. Some of them
> were used in the legacy network or compat_net=1 checks
> that were disabled by default in Linux 2.6.18 and
> fully removed in Linux 2.6.30.
>
> Permissions never used in mainline Linux:
> file swapon
I think that blk_file (fixed disk) swapon is actually used in my policy by fstools (I think the swapon command).
> filesystem transition
> tcp_socket { connectto newconn acceptfrom }
> node enforce_dest
> unix_stream_socket { newconn acceptfrom }
>
> Legacy network checks, removed in 2.6.30:
> socket { recv_msg send_msg }
> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/include/classmap.h | 22 ++++++++--------------
> 1 file changed, 8 insertions(+), 14 deletions(-)
>
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 1d8b924..5a4eef5 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -2,12 +2,12 @@
> "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
>
> #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> + "rename", "execute", "quotaon", "mounton", "audit_access", \
> "open", "execmod"
>
> #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> - "sendto", "recv_msg", "send_msg", "name_bind"
> + "sendto", "name_bind"
>
> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> "write", "associate", "unix_read", "unix_write"
> @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> "audit_control", "setfcap", NULL } },
> { "filesystem",
> { "mount", "remount", "unmount", "getattr",
> - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> + "relabelfrom", "relabelto", "associate", "quotamod",
> "quotaget", NULL } },
> { "file",
> { COMMON_FILE_PERMS,
> @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS, NULL } },
> { "tcp_socket",
> { COMMON_SOCK_PERMS,
> - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> + "node_bind", "name_connect",
> NULL } },
> { "udp_socket",
> { COMMON_SOCK_PERMS,
> @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> { COMMON_SOCK_PERMS,
> "node_bind", NULL } },
> { "node",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "enforce_dest",
> - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> + { "recvfrom", "sendto", NULL } },
> { "netif",
> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> - "ingress", "egress", NULL } },
> + { "ingress", "egress", NULL } },
> { "netlink_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "packet_socket",
> @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> { "key_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "unix_stream_socket",
> - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> - } },
> + { COMMON_SOCK_PERMS, "connectto", NULL } },
> { "unix_dgram_socket",
> - { COMMON_SOCK_PERMS, NULL
> - } },
> + { COMMON_SOCK_PERMS, NULL } },
> { "sem",
> { COMMON_IPC_PERMS, NULL } },
> { "msg", { "send", "receive", NULL } },
> --
> 2.1.0
>
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-06-14 5:33 ` Dominick Grift
@ 2015-06-14 15:50 ` Dominick Grift
2015-06-15 12:41 ` Stephen Smalley
1 sibling, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-06-14 15:50 UTC (permalink / raw)
To: selinux
On Sun, Jun 14, 2015 at 07:33:49AM +0200, Dominick Grift wrote:
> On Wed, May 27, 2015 at 11:03:25AM -0400, Stephen Smalley wrote:
> > Remove unused permission definitions from SELinux.
> > Many of these were only ever used in pre-mainline
> > versions of SELinux, prior to Linux 2.6.0. Some of them
> > were used in the legacy network or compat_net=1 checks
> > that were disabled by default in Linux 2.6.18 and
> > fully removed in Linux 2.6.30.
> >
> > Permissions never used in mainline Linux:
> > file swapon
>
> I think that blk_file (fixed disk) swapon is actually used in my policy by fstools (i think swapon command)
Nah, probably added to my policy by assumption (sometimes I just can't resist the temptation to assume..).
We'll see.. I won't be removing these permissions from my policy until Fedora 23 (Kernel 4.2) at the least anyway.
>
> > filesystem transition
> > tcp_socket { connectto newconn acceptfrom }
> > node enforce_dest
> > unix_stream_socket { newconn acceptfrom }
> >
> > Legacy network checks, removed in 2.6.30:
> > socket { recv_msg send_msg }
> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> > security/selinux/include/classmap.h | 22 ++++++++--------------
> > 1 file changed, 8 insertions(+), 14 deletions(-)
> >
> > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> > index 1d8b924..5a4eef5 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -2,12 +2,12 @@
> > "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
> >
> > #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> > - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> > + "rename", "execute", "quotaon", "mounton", "audit_access", \
> > "open", "execmod"
> >
> > #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> > "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> > - "sendto", "recv_msg", "send_msg", "name_bind"
> > + "sendto", "name_bind"
> >
> > #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> > "write", "associate", "unix_read", "unix_write"
> > @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> > "audit_control", "setfcap", NULL } },
> > { "filesystem",
> > { "mount", "remount", "unmount", "getattr",
> > - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> > + "relabelfrom", "relabelto", "associate", "quotamod",
> > "quotaget", NULL } },
> > { "file",
> > { COMMON_FILE_PERMS,
> > @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS, NULL } },
> > { "tcp_socket",
> > { COMMON_SOCK_PERMS,
> > - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> > + "node_bind", "name_connect",
> > NULL } },
> > { "udp_socket",
> > { COMMON_SOCK_PERMS,
> > @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS,
> > "node_bind", NULL } },
> > { "node",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "enforce_dest",
> > - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> > + { "recvfrom", "sendto", NULL } },
> > { "netif",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> > - "ingress", "egress", NULL } },
> > + { "ingress", "egress", NULL } },
> > { "netlink_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "packet_socket",
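Review bot: deleting the leading entries of the "node" and "netif" arrays moves the surviving "recvfrom"/"sendto" and "ingress"/"egress" to the front of their lists, so anything generated from, or indexed by, an entry's position in secclass_map has to be regenerated together with this change; the commit message should state that these entries are renumbered and that nothing depends on the old positions. The removals themselves match the "Legacy network checks, removed in 2.6.30" list plus "node enforce_dest" from the description.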
> > @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> > { "key_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "unix_stream_socket",
> > - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> > - } },
> > + { COMMON_SOCK_PERMS, "connectto", NULL } },
> > { "unix_dgram_socket",
> > - { COMMON_SOCK_PERMS, NULL
> > - } },
> > + { COMMON_SOCK_PERMS, NULL } },
> > { "sem",
> > { COMMON_IPC_PERMS, NULL } },
> > { "msg", { "send", "receive", NULL } },
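Review bot: the unix_dgram_socket change in this hunk is whitespace only (the NULL terminator and closing braces are joined onto one line), and the unix_stream_socket rewrite does the same join next to its real removal; either split the cosmetic reflow into its own patch or mention it in the commit message, since otherwise the diffstat's 14 deletions overstates how many permission lines are actually removed.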
> > --
> > 2.1.0
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-06-14 5:33 ` Dominick Grift
2015-06-14 15:50 ` Dominick Grift
@ 2015-06-15 12:41 ` Stephen Smalley
2016-11-21 20:48 ` Nick Kralevich
1 sibling, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2015-06-15 12:41 UTC (permalink / raw)
To: selinux
On 06/14/2015 01:33 AM, Dominick Grift wrote:
> On Wed, May 27, 2015 at 11:03:25AM -0400, Stephen Smalley wrote:
>> Remove unused permission definitions from SELinux.
>> Many of these were only ever used in pre-mainline
>> versions of SELinux, prior to Linux 2.6.0. Some of them
>> were used in the legacy network or compat_net=1 checks
>> that were disabled by default in Linux 2.6.18 and
>> fully removed in Linux 2.6.30.
>>
>> Permissions never used in mainline Linux:
>> file swapon
>
> I think that blk_file (fixed disk) swapon is actually used in my policy by fstools (I think swapon command)
It isn't checked anywhere in the SELinux kernel code, so it might be
defined in your policy but it has no meaning. The LSM hook and SELinux
hook function implementation that applied the check was never merged
into mainline.
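Stephen's point above, that a permission can be declared in a policy yet never be checked by the kernel, can be turned into a check. The following is an added example, not code from this thread or from the kernel tree: it parses a classmap.h-style table and a policy's class declarations and reports the permissions the policy declares but the kernel table lacks. The classmap excerpt and the policy declarations are constructed, and the two parsers handle only the subset of syntax shown in them.

```python
import re

# Constructed excerpt in the classmap.h style shown in the patch (not the real file).
CLASSMAP_SRC = r'''
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "getattr", "append"
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "execute", \
    "quotaon", "mounton", "open"
struct security_class_mapping secclass_map[] = {
    { "filesystem", { "mount", "remount", "unmount", "getattr", "associate", NULL } },
    { "file", { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
    { "blk_file", { COMMON_FILE_PERMS, NULL } },
    { NULL }
};
'''

# Constructed declarations in access_vectors style (not a real policy file).
POLICY_SRC = '''
common file { ioctl read write getattr append unlink execute swapon quotaon mounton open }
class filesystem { mount remount unmount getattr transition associate }
class file inherits file { execute_no_trans entrypoint }
class blk_file inherits file
'''

def parse_classmap(src):
    """Return {class: [perms]} from classmap.h-style text, expanding COMMON_* macros."""
    joined = src.replace("\\\n", " ")  # fold backslash-continued lines
    macros = {}

    def expand(tokens):  # quoted strings stay, COMMON_* names expand to their list
        return [p for macro, perm in re.findall(r'(COMMON_\w+)|"([^"]+)"', tokens)
                for p in (macros[macro] if macro else [perm])]

    for name, body in re.findall(r'#define\s+(COMMON_\w+)\s+(.*)', joined):
        macros[name] = expand(body)
    table = re.search(r'secclass_map\[\]\s*=\s*\{(.*)\};', joined, re.S).group(1)
    return {cls: expand(plist)
            for cls, plist in re.findall(r'\{\s*"(\w+)",\s*\{(.*?)NULL', table, re.S)}

def parse_policy(src):
    """Return {class: [perms]} from common/class declarations, applying 'inherits'."""
    commons, classes = {}, {}
    decl = r'(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?'
    for kind, name, parent, body in re.findall(decl, src):
        perms = (commons[parent] if parent else []) + body.split()
        (commons if kind == "common" else classes)[name] = perms
    return classes

def meaningless_perms(classmap, policy):
    """Policy-declared perms the kernel table lacks: grantable, but never checked."""
    return {cls: extra for cls, perms in policy.items()
            if (extra := sorted(set(perms) - set(classmap.get(cls, []))))}
```

Run against the constructed inputs it reports swapon for file and blk_file and transition for filesystem, the very permissions this patch drops; a class missing from the kernel table entirely is reported with all of its permissions.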
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2015-06-15 12:41 ` Stephen Smalley
@ 2016-11-21 20:48 ` Nick Kralevich
2016-11-21 21:06 ` Stephen Smalley
0 siblings, 1 reply; 11+ messages in thread
From: Nick Kralevich @ 2016-11-21 20:48 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
On Mon, Jun 15, 2015 at 5:41 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 06/14/2015 01:33 AM, Dominick Grift wrote:
> > On Wed, May 27, 2015 at 11:03:25AM -0400, Stephen Smalley wrote:
> >> Remove unused permission definitions from SELinux.
> >> Many of these were only ever used in pre-mainline
> >> versions of SELinux, prior to Linux 2.6.0. Some of them
> >> were used in the legacy network or compat_net=1 checks
> >> that were disabled by default in Linux 2.6.18 and
> >> fully removed in Linux 2.6.30.
> >>
> >> Permissions never used in mainline Linux:
> >> file swapon
> >
> > I think that blk_file (fixed disk) swapon is actually used in my policy
> by fstools (I think swapon command)
>
> It isn't checked anywhere in the SELinux kernel code, so it might be
> defined in your policy but it has no meaning. The LSM hook and SELinux
> hook function implementation that applied the check was never merged
> into mainline.
>
Why was the LSM hook and SELinux hook function implementation for swapon
never mainlined?
In particular, without some kind of swapon check, a process with
CAP_SYS_ADMIN could take any readable-writeable file, call swapon on the
file, force swapping, and gain read-write access to another process's memory.
Can we try to get these patches mainlined again?
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
* Re: [RFC][PATCH] selinux: Remove unused permission definitions
2016-11-21 20:48 ` Nick Kralevich
@ 2016-11-21 21:06 ` Stephen Smalley
0 siblings, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2016-11-21 21:06 UTC (permalink / raw)
To: Nick Kralevich; +Cc: SELinux
On 11/21/2016 03:48 PM, Nick Kralevich wrote:
>
>
> On Mon, Jun 15, 2015 at 5:41 AM, Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>> wrote:
>
> On 06/14/2015 01:33 AM, Dominick Grift wrote:
> > On Wed, May 27, 2015 at 11:03:25AM -0400, Stephen Smalley wrote:
> >> Remove unused permission definitions from SELinux.
> >> Many of these were only ever used in pre-mainline
> >> versions of SELinux, prior to Linux 2.6.0. Some of them
> >> were used in the legacy network or compat_net=1 checks
> >> that were disabled by default in Linux 2.6.18 and
> >> fully removed in Linux 2.6.30.
> >>
> >> Permissions never used in mainline Linux:
> >> file swapon
> >
> > I think that blk_file (fixed disk) swapon is actually used in my policy by fstools (I think swapon command)
>
> It isn't checked anywhere in the SELinux kernel code, so it might be
> defined in your policy but it has no meaning. The LSM hook and SELinux
> hook function implementation that applied the check was never merged
> into mainline.
>
>
> Why was the LSM hook and SELinux hook function implementation for swapon
> never mainlined?
>
> In particular, without some kind of swapon check, a process with
> CAP_SYS_ADMIN could take any readable-writeable file, call swapon on the
> file, force swapping, and gain read-write access to another process's memory.
>
> Can we try to get these patches mainlined again?
I think it just wasn't a high priority, since the operation was already
being controlled via CAP_SYS_ADMIN (and thus also SELinux :capability
sys_admin check) and there wasn't a clear use case for distinguishing
it. Given that there are over 500 CAP_SYS_ADMIN checks in the kernel,
it is unclear how much we would gain by separately restricting just
swapon. A more comprehensive audit of all CAP_SYS_ADMIN checks and
adding finer-grained LSM hooks and/or new finer-grained capabilities
would likely be useful, but is not a trivial undertaking. One can
disable swap altogether via CONFIG_SWAP=n if you don't need that
functionality at all.