Subject: Re: [PATCH] mls stuff
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20190108085240.GA28781@xev>
From: Chris PeBenito
Date: Wed, 9 Jan 2019 19:24:28 -0500
In-Reply-To: <20190108085240.GA28781@xev>
List-ID: selinux-refpolicy@vger.kernel.org

On 1/8/19 3:52 AM, Russell Coker wrote:
> Here are the patches I used last time I tried to get MLS going on Debian.
>
> Index: refpolicy-2.20180701/policy/modules/kernel/kernel.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/kernel/kernel.te > +++ refpolicy-2.20180701/policy/modules/kernel/kernel.te
> @@ -39,6 +39,7 @@ role unconfined_r; > ifdef(`enable_mls',` > role secadm_r; > role auditadm_r; > + mls_process_set_level(kernel_t) > ') > > # > Index: refpolicy-2.20180701/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20180701/policy/modules/system/systemd.te > @@ -251,7 +251,13 @@ systemd_log_parse_environment(systemd_gp > > allow systemd_cgroups_t self:capability net_admin; > > -kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) > +ifdef(`enable_mls',` > + kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh) > + mls_fd_use_all_levels(systemd_cgroups_t) > +',` > + kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) > +') > + > kernel_dgram_send(systemd_cgroups_t) > # for /proc/cmdline > kernel_read_system_state(systemd_cgroups_t) > Index: refpolicy-2.20180701/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/init.te > +++ refpolicy-2.20180701/policy/modules/system/init.te > @@ -191,6 +191,7 @@ mls_file_read_all_levels(init_t) > mls_file_write_all_levels(init_t) > mls_process_write_all_levels(init_t) > mls_fd_use_all_levels(init_t) > +mls_process_set_level(init_t) > > # the following one is needed for libselinux:is_selinux_enabled() > # otherwise the call fails and sysvinit tries to load the policy 
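Review bot: the mls_process_set_level(kernel_t) call in the kernel.te hunk is dropped into the ifdef(`enable_mls') block that declares secadm_r and auditadm_r, so an MLS permission rule now sits among role declarations near the top of the file. The guard is also unnecessary: the init.te hunk in this same patch adds mls_process_set_level(init_t) with no ifdef, right after the unguarded mls_file_read_all_levels(init_t) / mls_fd_use_all_levels(init_t) lines shown in its context. Move the kernel_t call down to the kernel_t local policy section and drop the ifdef wrapper.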
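Review bot: in the systemd.te hunk, mls_fd_use_all_levels(systemd_cgroups_t) is placed inside the ifdef(`enable_mls') branch, while the init.te hunk of the same patch adds mls_process_set_level(init_t) unguarded, matching the unguarded mls_fd_use_all_levels(init_t) already present there. Keep only the kernel_ranged_domtrans_to / kernel_domtrans_to pair inside the ifdef and put mls_fd_use_all_levels(systemd_cgroups_t) after the closing ') unconditionally. The hunk also gives no hint of why the cgroups agent needs the full s0 - mls_systemhigh range and file descriptors from every level; a one-line comment in the style of the "# read from systemd-journal and similar" line in the init.te hunk would let the next reader re-check the rule when the agent changes.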
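Review bot: the new mls_process_set_level(init_t) line in the first init.te hunk carries no comment, unlike the mls_socket_read_to_clearance(init_t) addition in the second init.te hunk. Letting init set process levels is a broad grant even for an already fully trusted MLS domain, so name the operation that failed without it (e.g. "# needed to start ranged daemons on MLS") so the rule can be revisited if that operation moves elsewhere.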
> @@ -384,6 +385,8 @@ ifdef(`init_systemd',` > > # systemd_socket_activated policy > mls_socket_write_all_levels(init_t) > + # read from systemd-journal and similar > + mls_socket_read_to_clearance(init_t) > > selinux_unmount_fs(init_t) > selinux_validate_context(init_t) > Index: refpolicy-2.20180701/policy/modules/system/logging.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/logging.if > +++ refpolicy-2.20180701/policy/modules/system/logging.if > @@ -422,6 +422,9 @@ interface(`logging_domtrans_syslog',` > > corecmd_search_bin($1) > domtrans_pattern($1, syslogd_exec_t, syslogd_t) > + ifdef(`enable_mls',` > + range_transition $1 syslogd_exec_t:process mls_systemhigh; > + ') > ') > > ########################################

Merged, though I changed the style a bit.

-- 
Chris PeBenito
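Review bot: in the second init.te hunk, the comment on mls_socket_read_to_clearance(init_t) names the use case (journal sockets) but not why the to_clearance form was chosen over the all_levels form used by mls_socket_write_all_levels(init_t) directly above it. What read_to_clearance actually covers depends on the clearance (high end of the range) init_t runs with, which this patch does not show; extend the comment to say whether init_t is expected to run up to mls_systemhigh, so the reader can tell whether this is effectively all levels or a deliberate narrowing.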
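Review bot: the logging.if hunk hard-codes mls_systemhigh into a range_transition inside the generic logging_domtrans_syslog() interface, so every caller of that interface now starts syslogd at that level with no way to pick anything else, whereas the systemd.te hunk in the same patch takes the parameterized route with kernel_ranged_domtrans_to(..., s0 - mls_systemhigh). Prefer a separate ranged interface that takes the range as an argument and leave logging_domtrans_syslog() alone, or at least document in the interface header comment that the MLS build pins syslogd to mls_systemhigh. Note too that mls_systemhigh here is a single level, not the s0 - mls_systemhigh range used for systemd_cgroups_t; if that difference is deliberate it deserves a comment next to the range_transition.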