* [PATCH refpolicy] kernel: remove some unused initial SID contexts
@ 2025-10-30 20:07 Stephen Smalley
2025-10-31 15:40 ` Chris PeBenito
From: Stephen Smalley @ 2025-10-30 20:07 UTC (permalink / raw)
To: selinux-refpolicy; +Cc: paul, omosnace, pebenito, Stephen Smalley
Remove some unused initial SID contexts that can be safely removed
without compatibility issues. This does not remove any initial SID
declarations, only the corresponding initial SID context assignment.
Linux kernel commit e3e0b582c321ae ("selinux: remove unused initial
SIDs and improve handling"), merged in Linux v5.7, removed unused
initial SIDs from the kernel and improved the handling to support
safely reclaiming and reusing of many of the initial SIDs without
compatibility issues as well as enabling future addition of new
initial SIDs.
SELinux userspace commit 8677ce5e8f5929 ("libsepol,checkpolicy:
support omitting unused initial sid contexts"), merged in userspace
release 3.1 (20200710), supported omitting unused initial SID contexts
from the kernel binary policy. Previously this was treated as an error
at policy compilation/linking time.
Since refpolicy already specifies a minimum SELinux userspace of 3.2,
we can finally remove the unused initial SID contexts from the
refpolicy kernel module. This does not depend on the kernel commit; it
will work with kernels before and after that commit.
This change retains the initial SID contexts for the init SID and the
any_socket SID. Kernel use of the init SID was restored by Linux
kernel commit ae254858ce0745 ("selinux: introduce an initial SID for
early boot processes") although this is transparently remapped to the
kernel SID context unless the "userspace_initial_context" policy
capability is enabled. Since this policy capability is not currently
enabled by default in refpolicy, we leave the init SID with the
unlabeled context for now but it should be assigned some other context
if this policy capability is ever enabled. Kernel use of the
any_socket SID was reintroduced by Linux kernel commit d28d1e080132f28
("[LSM-IPSec]: Per-packet access control.") to provide a default
socket label for use in checks when no socket is available.
This change also retains the initial SID contexts for the fs and
sysctl initial SIDs for backward compatibility until such a time as
refpolicy increases its minimum supported kernel version to one that
includes the aforementioned Linux kernel commit.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policy/modules/kernel/kernel.te | 19 ++++---------------
1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 26578a26d..6e7302bf5 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -215,23 +215,12 @@ sid file gen_context(system_u:object_r:unlabeled_t,s0)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
neverallow * unlabeled_t:file entrypoint;
-# These initial sids are no longer used, and can be removed:
+# Default socket label if no kernel sock is available
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
-sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+
+# Label for userspace tasks surviving from early boot if
+# userspace_initial_context policycap is defined.
sid init gen_context(system_u:object_r:unlabeled_t,s0)
-sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
-sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
-sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
########################################
#
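Review bot: the hunk deletes only the sidcontext lines and keeps the `sid` declarations, but the commit message's claim that this works with any kernel holds only if every stage of the refpolicy build and install path (checkmodule, the packaged base module, and the module-to-CIL conversion done when the policy is installed) preserves a declaration that has no context; if any stage drops context-less SIDs, every SID declared after them shifts by one and the kernel's fixed SID numbers land on the wrong policy contexts (the node SID would resolve to another SID's type). Suggest gating the merge on inspecting the generated base module's initial SID list, with dismod and again after `checkmodule -C`, rather than on kernel-policy behaviour alone. Separately, the commit message says the init SID should get a different context if `userspace_initial_context` is ever enabled, but the new comment above `sid init` only says when the label is used; carrying that caveat in the in-file comment would let whoever enables the policycap see it.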
--
2.51.0
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-10-30 20:07 [PATCH refpolicy] kernel: remove some unused initial SID contexts Stephen Smalley
@ 2025-10-31 15:40 ` Chris PeBenito
2025-11-02 1:28 ` Russell Coker
From: Chris PeBenito @ 2025-10-31 15:40 UTC (permalink / raw)
To: Stephen Smalley, selinux-refpolicy; +Cc: paul, omosnace
On 10/30/2025 4:07 PM, Stephen Smalley wrote:
> Remove some unused initial SID contexts that can be safely removed
> without compatibility issues. This does not remove any initial SID
> declarations, only the corresponding initial SID context assignment.
>
> Linux kernel commit e3e0b582c321ae ("selinux: remove unused initial
> SIDs and improve handling"), merged in Linux v5.7, removed unused
> initial SIDs from the kernel and improved the handling to support
> safely reclaiming and reusing of many of the initial SIDs without
> compatibility issues as well as enabling future addition of new
> initial SIDs.
>
> SELinux userspace commit 8677ce5e8f5929 ("libsepol,checkpolicy:
> support omitting unused initial sid contexts"), merged in userspace
> release 3.1 (20200710), supported omitting unused initial SID contexts
> from the kernel binary policy. Previously this was treated as an error
> at policy compilation/linking time.
>
> Since refpolicy already specifies a minimum SELinux userspace of 3.2,
> we can finally remove the unused initial SID contexts from the
> refpolicy kernel module. This does not depend on the kernel commit; it
> will work with kernels before and after that commit.
>
> This change retains the initial SID contexts for the init SID and the
> any_socket SID. Kernel use of the init SID was restored by Linux
> kernel commit ae254858ce0745 ("selinux: introduce an initial SID for
> early boot processes") although this is transparently remapped to the
> kernel SID context unless the "userspace_initial_context" policy
> capability is enabled. Since this policy capability is not currently
> enabled by default in refpolicy, we leave the init SID with the
> unlabeled context for now but it should be assigned some other context
> if this policy capability is ever enabled. Kernel use of the
> any_socket SID was reintroduced by Linux kernel commit d28d1e080132f28
> ("[LSM-IPSec]: Per-packet access control.") to provide a default
> socket label for use in checks when no socket is available.
>
> This change also retains the initial SID contexts for the fs and
> sysctl initial SIDs for backward compatibility until such a time as
> refpolicy increases its minimum supported kernel version to one that
> includes the aforementioned Linux kernel commit.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> policy/modules/kernel/kernel.te | 19 ++++---------------
> 1 file changed, 4 insertions(+), 15 deletions(-)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 26578a26d..6e7302bf5 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -215,23 +215,12 @@ sid file gen_context(system_u:object_r:unlabeled_t,s0)
> sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> neverallow * unlabeled_t:file entrypoint;
>
> -# These initial sids are no longer used, and can be removed:
> +# Default socket label if no kernel sock is available
> sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
> -sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> +
> +# Label for userspace tasks surviving from early boot if
> +# userspace_initial_context policycap is defined.
> sid init gen_context(system_u:object_r:unlabeled_t,s0)
> -sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
> -sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
> -sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
Merged.
--
Chris PeBenito
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-10-31 15:40 ` Chris PeBenito
@ 2025-11-02 1:28 ` Russell Coker
2025-11-03 1:07 ` Russell Coker
From: Russell Coker @ 2025-11-02 1:28 UTC (permalink / raw)
To: Stephen Smalley, selinux-refpolicy, Chris PeBenito; +Cc: paul, omosnace
After upgrading the policy on my workstation from a git version of 20251017
a37b0c2fadea600429ac91ed58910859c5a6ea3f to the latest git version
dda7660c7903a021553b98d941137213669d1ea0 I get the following:
type=AVC msg=audit(1762045404.084:3676985): avc: denied { node_bind } for
pid=2364 comm="named" src=40910 scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1762045606.407:3800560): avc: denied { node_bind } for
pid=33214 comm="Chrome_ChildIOT" src=6877
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0
The above are just a sample of the many messages. This prevents unconfined_t
from talking to the DNS cache and the DNS cache from talking to the outside
world.
# sesearch -A -s named_t -c udp_socket -p node_bind
allow named_t node_t:udp_socket node_bind;
The above is what apparently used to be the policy so it looks like node_t is
being changed to sysctl_t.
I'm using kernel 6.16.12+deb14+1-amd64 (the Debian/Unstable packaging of
upstream 6.16.12) with the 3.9 userspace.
The comments on this say that kernel 5.7 and userspace 3.1 will work with this
change but that doesn't seem to be the case for me.
Am I missing some update?
On Saturday, 1 November 2025 02:40:48 AEDT Chris PeBenito wrote:
> On 10/30/2025 4:07 PM, Stephen Smalley wrote:
> > Remove some unused initial SID contexts that can be safely removed
> > without compatibility issues. This does not remove any initial SID
> > declarations, only the corresponding initial SID context assignment.
> >
> > Linux kernel commit e3e0b582c321ae ("selinux: remove unused initial
> > SIDs and improve handling"), merged in Linux v5.7, removed unused
> > initial SIDs from the kernel and improved the handling to support
> > safely reclaiming and reusing of many of the initial SIDs without
> > compatibility issues as well as enabling future addition of new
> > initial SIDs.
> >
> > SELinux userspace commit 8677ce5e8f5929 ("libsepol,checkpolicy:
> > support omitting unused initial sid contexts"), merged in userspace
> > release 3.1 (20200710), supported omitting unused initial SID contexts
> > from the kernel binary policy. Previously this was treated as an error
> > at policy compilation/linking time.
> >
> > Since refpolicy already specifies a minimum SELinux userspace of 3.2,
> > we can finally remove the unused initial SID contexts from the
> > refpolicy kernel module. This does not depend on the kernel commit; it
> > will work with kernels before and after that commit.
> >
> > This change retains the initial SID contexts for the init SID and the
> > any_socket SID. Kernel use of the init SID was restored by Linux
> > kernel commit ae254858ce0745 ("selinux: introduce an initial SID for
> > early boot processes") although this is transparently remapped to the
> > kernel SID context unless the "userspace_initial_context" policy
> > capability is enabled. Since this policy capability is not currently
> > enabled by default in refpolicy, we leave the init SID with the
> > unlabeled context for now but it should be assigned some other context
> > if this policy capability is ever enabled. Kernel use of the
> > any_socket SID was reintroduced by Linux kernel commit d28d1e080132f28
> > ("[LSM-IPSec]: Per-packet access control.") to provide a default
> > socket label for use in checks when no socket is available.
> >
> > This change also retains the initial SID contexts for the fs and
> > sysctl initial SIDs for backward compatibility until such a time as
> > refpolicy increases its minimum supported kernel version to one that
> > includes the aforementioned Linux kernel commit.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > ---
> >
> > policy/modules/kernel/kernel.te | 19 ++++---------------
> > 1 file changed, 4 insertions(+), 15 deletions(-)
> >
> > diff --git a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te index 26578a26d..6e7302bf5 100644
> > --- a/policy/modules/kernel/kernel.te
> > +++ b/policy/modules/kernel/kernel.te
> > @@ -215,23 +215,12 @@ sid file
> > gen_context(system_u:object_r:unlabeled_t,s0)>
> > sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > neverallow * unlabeled_t:file entrypoint;
> >
> > -# These initial sids are no longer used, and can be removed:
> > +# Default socket label if no kernel sock is available
> >
> > sid
> > any_socket
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> >
> > -sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid
> > icmp_socket
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > -sid
> > igmp_packet
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > +
> > +# Label for userspace tasks surviving from early boot if
> > +# userspace_initial_context policycap is defined.
> >
> > sid init gen_context(system_u:object_r:unlabeled_t,s0)
> >
> > -sid kmod
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > -sid policy
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > -sid
> > scmp_packet
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > -sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
> > -sid tcp_socket
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
>
> Merged.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-11-02 1:28 ` Russell Coker
@ 2025-11-03 1:07 ` Russell Coker
2025-11-03 3:55 ` Russell Coker
2025-11-03 13:33 ` Stephen Smalley
From: Russell Coker @ 2025-11-03 1:07 UTC (permalink / raw)
To: Stephen Smalley, selinux-refpolicy, Chris PeBenito; +Cc: paul, omosnace
On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> The above is what apparently used to be the policy so it looks like node_t
> is being changed to sysctl_t.
allow sshd_t sysctl_t:tcp_socket node_bind;
I also tried rebooting a VM running that policy (previously I had loaded it on
a running system) and got the same result with TCP as an additional issue.
Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie,
the latest stable release).
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-11-03 1:07 ` Russell Coker
@ 2025-11-03 3:55 ` Russell Coker
2025-11-03 13:33 ` Stephen Smalley
From: Russell Coker @ 2025-11-03 3:55 UTC (permalink / raw)
To: Stephen Smalley, selinux-refpolicy, Chris PeBenito; +Cc: paul, omosnace
On Monday, 3 November 2025 12:07:08 AEDT Russell Coker wrote:
> On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > The above is what apparently used to be the policy so it looks like node_t
> > is being changed to sysctl_t.
>
> allow sshd_t sysctl_t:tcp_socket node_bind;
>
> I also tried rebooting a VM running that policy (previously I had loaded it
> on a running system) and got the same result with TCP as an additional
> issue.
>
> Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie
> the latest stable release).
When I apply the following patch it works correctly; without it I get the
problem of mislabelling described previously.
Index: refpolicy-2.20251102/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20251102.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20251102/policy/modules/kernel/kernel.te
@@ -220,6 +220,7 @@ neverallow * unlabeled_t:file entrypoint
# Default socket label if no kernel sock is available
sid any_socket
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
# Label for userspace tasks surviving from early boot if
# userspace_initial_context policycap is defined.
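Review bot: restoring only the `file_labels` sidcontext at `+sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)` is a workaround for the renumbering, not a fix: it puts one declaration back into the emitted sidorder so the SIDs declared after it (node among them) line up with the kernel's numbers again, but the other context-less SIDs from the original patch are still dropped by the conversion, so any SID declared after those still resolves to a different number than the kernel expects. Suggest reverting the original patch instead, or at least adding a comment on this line saying it exists only to keep the initial SID numbering aligned, so it is not mistaken for a context the kernel uses.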
The below is the only patch that I have for kernel.te.
Index: refpolicy-2.20250903/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20250903.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20250903/policy/modules/kernel/kernel.te
@@ -37,6 +37,9 @@ role sysadm_r;
role staff_r;
role user_r;
+# until build issue is fixed
+role unconfined_r;
+
ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
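Review bot: the declaration at `+role unconfined_r;` is unconditional, so every base module now declares unconfined_r whether or not the unconfined module is built, and the comment `# until build issue is fixed` does not say which issue it works around. Suggest quoting the actual error in the comment (`ERROR 'unknown role unconfined_r'` raised by the `user unconfined_u roles { unconfined_r system_r }` statement in base.conf) so the line can be removed once the user statement and the role declaration are emitted together, and noting that this patch is unrelated to the initial SID context change under discussion.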
When I don't have that patch I get the following errors on build: two errors,
one for the MLS build and one for the MCS build.
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
Compiling default base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on
line 699886:
user unconfined_u roles { unconfined_r system_r } level s0 range s0 -
s15:c0.c1023;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[2]: *** [Rules.modular:116: tmp/base.mod] Error 1
make[2]: Leaving directory '/home/etbe/se/ref-git/refpolicy-2.20251102/debian/
build-mls'
make[1]: *** [debian/rules:114: build-mls-policy] Error 2
make[1]: *** Waiting for unfinished jobs....
support/fatal_error.m4:42:ERROR 'unknown role unconfined_r' at token ';' on
line 695868:
user unconfined_u roles { unconfined_r system_r } level s0 range s0 -
s0:c0.c1023;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-11-03 1:07 ` Russell Coker
2025-11-03 3:55 ` Russell Coker
@ 2025-11-03 13:33 ` Stephen Smalley
2025-11-03 14:23 ` Stephen Smalley
From: Stephen Smalley @ 2025-11-03 13:33 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy, Chris PeBenito, paul, omosnace
On Sun, Nov 2, 2025 at 8:07 PM Russell Coker <russell@coker.com.au> wrote:
>
> On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > The above is what apparently used to be the policy so it looks like node_t
> > is being changed to sysctl_t.
>
> allow sshd_t sysctl_t:tcp_socket node_bind;
>
> I also tried rebooting a VM running that policy (previously I had loaded it on
> a running system) and got the same result with TCP as an additional issue.
>
> Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie
> the latest stable release).
My apologies, please revert. Due to differences between Fedora SELinux
policy and refpolicy, I did NOT test loading of the patched refpolicy
itself but instead manually patched the base module (i.e. semodule -cE
base, edit base.cil to remove the CIL sidcontext statements for the
"UNKNOWN*" sids, then semodule -i base.cil) and tested that behavior,
which worked correctly. Looking at the generated base module from the
patched refpolicy, it has removed not only the sidcontext statements
but also the sid declarations, and omits them from the sidorder
statement, thereby perturbing the SID assignments. Not yet sure where
this is happening in the refpolicy build.
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-11-03 13:33 ` Stephen Smalley
@ 2025-11-03 14:23 ` Stephen Smalley
2025-11-03 16:40 ` Christopher J. PeBenito
From: Stephen Smalley @ 2025-11-03 14:23 UTC (permalink / raw)
To: Russell Coker
Cc: selinux-refpolicy, Chris PeBenito, paul, omosnace, SElinux list,
James Carter
On Mon, Nov 3, 2025 at 8:33 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Sun, Nov 2, 2025 at 8:07 PM Russell Coker <russell@coker.com.au> wrote:
> >
> > On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > > The above is what apparently used to be the policy so it looks like node_t
> > > is being changed to sysctl_t.
> >
> > allow sshd_t sysctl_t:tcp_socket node_bind;
> >
> > I also tried rebooting a VM running that policy (previously I had loaded it on
> > a running system) and got the same result with TCP as an additional issue.
> >
> > Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for Debian/Trixie
> > the latest stable release).
>
> My apologies, please revert. Due to differences between Fedora selinux
> policy and refpolicy, I did NOT test loading of the patched refpolicy
> itself but instead manually patched the base module (i.e. semodule -cE
> base, edit base.cil to remove the CIL sidcontext statements for the
> "UNKNOWN*" sids, then semodule -i base.cil) and tested that behavior,
> which worked correctly. Looking at the generated base module from the
> patched refpolicy, it is removed not only the sidcontext statements
> but also the sid declarations and omitting them from the sidorder
> statement, thereby perturbing the SID assignments. Not yet sure where
> this is happening in refpolicy build.
Ok, if I semodule_unpackage base.pp base.mod and dismod base.mod, then
select 0 (Display initial SIDs), I see the initial SIDs with the
expected SID values and gaps for those that lack a context. But if I
run checkmodule -C -o base.cil base.mod, the resulting CIL file omits
any SID declarations that lack a context and therefore ends up
renumbering them when they are compiled into a kernel policy.
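The renumbering described in this message, worked through as an added example (this is not refpolicy, checkpolicy or kernel code). It models the CIL conversion dropping every SID declaration that has no context, shows the kernel's fixed number for the node SID landing on the policy's sysctl SID, which is exactly the tcontext=sysctl_t in the node_bind denials Russell reported, and shows why re-adding only file_labels lines node up again. The initial SID order it uses is an assumption taken from the kernel's initial SID table and refpolicy's policy/flask/initial_sids, neither of which the thread quotes; the node_t and sysctl_t types come from the thread's own sesearch output and AVC records.

```python
"""Simulate initial SID renumbering when context-less SID declarations are
dropped, and check the result against an AVC record from this thread.

Added example, not refpolicy, checkpolicy or kernel code.
Assumption: INITIAL_SID_ORDER is the standard Flask initial SID order used by
the kernel's initial SID table and refpolicy's policy/flask/initial_sids; it
is not quoted in the thread, so verify it against `dismod` output.
"""
import re

# SID number = list index + 1 (kernel = 1, security = 2, ...).
INITIAL_SID_ORDER = [
    "kernel", "security", "unlabeled", "fs", "file", "file_labels", "init",
    "any_socket", "port", "netif", "netmsg", "node", "igmp_packet",
    "icmp_socket", "tcp_socket", "sysctl_modprobe", "sysctl", "sysctl_fs",
    "sysctl_kernel", "sysctl_net", "sysctl_net_unix", "sysctl_vm",
    "sysctl_dev", "kmod", "policy", "scmp_packet", "devnull",
]

# The SIDs whose sidcontext lines the patch at the top of the thread removes.
REMOVED_BY_PATCH = frozenset({
    "file_labels", "icmp_socket", "igmp_packet", "kmod", "policy",
    "scmp_packet", "sysctl_modprobe", "sysctl_fs", "sysctl_kernel",
    "sysctl_net", "sysctl_net_unix", "sysctl_vm", "sysctl_dev", "tcp_socket",
})

# Context types taken from the thread's sesearch output and AVC records.
TYPE_OF_SID = {"node": "node_t", "sysctl": "sysctl_t"}

# AVC record quoted from the thread, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1762045404.084:3676985): avc: denied { node_bind } for '
    'pid=2364 comm="named" src=40910 scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:sysctl_t:s0 tclass=udp_socket permissive=0'
)


def sidorder_emitted(removed_contexts, tool_drops_contextless):
    """Return the sidorder the module-to-CIL conversion emits.

    tool_drops_contextless=True models the checkmodule -C behaviour found in
    this thread: a SID declaration without a context is omitted entirely, so
    every SID declared after it moves up one slot."""
    if not tool_drops_contextless:
        return list(INITIAL_SID_ORDER)
    return [s for s in INITIAL_SID_ORDER if s not in removed_contexts]


def kernel_sid_number(name):
    """Fixed SID number the kernel uses for an initial SID."""
    return INITIAL_SID_ORDER.index(name) + 1


def resolve(kernel_sid_name, policy_sidorder):
    """Policy SID that the kernel's fixed number lands on, or None when the
    policy's sidorder is too short to contain that number."""
    n = kernel_sid_number(kernel_sid_name)
    return policy_sidorder[n - 1] if n <= len(policy_sidorder) else None


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull permission, contexts and class out of one AVC record; the type is
    the third colon-separated field of a context."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def diagnose_node_bind(line, policy_sidorder, type_of_sid=TYPE_OF_SID):
    """For a node_bind denial, report whether the target type is the node
    type and which initial SID the kernel's node number resolves to under
    the given sidorder; 'consistent' is True when that SID's type matches
    the denial, i.e. renumbering explains the record."""
    rec = parse_avc(line)
    if rec is None or rec["perm"] != "node_bind":
        return None
    landed_on = resolve("node", policy_sidorder)
    return {
        "ttype": rec["ttype"],
        "mislabelled": rec["ttype"] != type_of_sid["node"],
        "node_resolves_to": landed_on,
        "consistent": type_of_sid.get(landed_on) == rec["ttype"],
    }


if __name__ == "__main__":
    patched = sidorder_emitted(REMOVED_BY_PATCH, tool_drops_contextless=True)
    workaround = sidorder_emitted(REMOVED_BY_PATCH - {"file_labels"}, True)
    print("patched:    node ->", resolve("node", patched))      # sysctl
    print("workaround: node ->", resolve("node", workaround))   # node
    print(diagnose_node_bind(SAMPLE_AVC, patched))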
* Re: [PATCH refpolicy] kernel: remove some unused initial SID contexts
2025-11-03 14:23 ` Stephen Smalley
@ 2025-11-03 16:40 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2025-11-03 16:40 UTC (permalink / raw)
To: Russell Coker, Stephen Smalley
Cc: selinux-refpolicy, paul, omosnace, SElinux list, James Carter
On Monday, November 3, 2025 9:23:11 AM Eastern Standard Time Stephen Smalley
wrote:
> On Mon, Nov 3, 2025 at 8:33 AM Stephen Smalley
>
> <stephen.smalley.work@gmail.com> wrote:
> > On Sun, Nov 2, 2025 at 8:07 PM Russell Coker <russell@coker.com.au> wrote:
> > > On Sunday, 2 November 2025 12:28:21 AEDT Russell Coker wrote:
> > > > The above is what apparently used to be the policy so it looks like
> > > > node_t
> > > > is being changed to sysctl_t.
> > >
> > > allow sshd_t sysctl_t:tcp_socket node_bind;
> > >
> > > I also tried rebooting a VM running that policy (previously I had loaded
> > > it on a running system) and got the same result with TCP as an
> > > additional issue.
> > >
> > > Also I tried kernel 6.12.48+deb13-amd64 (the latest kernel for
> > > Debian/Trixie the latest stable release).
> >
> > My apologies, please revert. Due to differences between Fedora selinux
> > policy and refpolicy, I did NOT test loading of the patched refpolicy
> > itself but instead manually patched the base module (i.e. semodule -cE
> > base, edit base.cil to remove the CIL sidcontext statements for the
> > "UNKNOWN*" sids, then semodule -i base.cil) and tested that behavior,
> > which worked correctly. Looking at the generated base module from the
> > patched refpolicy, it is removed not only the sidcontext statements
> > but also the sid declarations and omitting them from the sidorder
> > statement, thereby perturbing the SID assignments. Not yet sure where
> > this is happening in refpolicy build.
>
> Ok, if I semodule_unpackage base.pp base.mod and dismod base.mod, then
> select 0 (Display initial SIDs), I see the initial SIDs with the
> expected SID values and gaps for those that lack a context. But if I
> run checkmodule -C -o base.cil base.mod, the resulting CIL file omits
> any SID declarations that lack a context and therefore ends up
> renumbering them when they are compiled into a kernel policy.
I reverted the patch. We can reapply it once a fix for this is in a released
checkpolicy.
--
Chris PeBenito