Hello;
this was received when doing a git-pull
today from the linus tree.
class kernel_service not defined in policy
[ 0.000999] SELinux: Initializing.
[ 0.000999] SELinux: Starting in enforcing mode
[ 0.263823] SELinux: Registering netfilter hooks
[ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
sens, 256 cats
[ 2.525821] SELinux: 73 classes, 145624 rules
[ 2.540472] SELinux: class kernel_service not defined in policy
[ 2.548944] SELinux: the above unknown classes and permissions will be denied
[ 2.557235] SELinux: Completing initialization.
[ 2.565527] SELinux: Setting up existing superblocks.
[ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
[ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
uses genfs_contexts
[ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
transition SIDs
[ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
uses genfs_contexts
[ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
transition SIDs
[ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
uses genfs_contexts
[ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 2.778693] SELinux: initialized (dev anon_inodefs, type
anon_inodefs), uses genfs_contexts
[ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
[ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
genfs_contexts
[ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
[ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
[ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
[ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
genfs_contexts
[ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
[ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
[ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
I've been running the latest svn from tresys for(I think a week or so);
So the message might already be fixed.
regards;
--
Justin P. Mattock
On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
> Hello;
> this was received when doing a git-pull
> today from the linus tree.
> class kernel_service not defined in policy
>
>
> [ 0.000999] SELinux: Initializing.
> [ 0.000999] SELinux: Starting in enforcing mode
> [ 0.263823] SELinux: Registering netfilter hooks
> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
> sens, 256 cats
> [ 2.525821] SELinux: 73 classes, 145624 rules
> [ 2.540472] SELinux: class kernel_service not defined in policy
> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
> [ 2.557235] SELinux: Completing initialization.
> [ 2.565527] SELinux: Setting up existing superblocks.
> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
> uses genfs_contexts
> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
> transition SIDs
> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
> uses genfs_contexts
> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
> transition SIDs
> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
> uses genfs_contexts
> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
> anon_inodefs), uses genfs_contexts
> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
> genfs_contexts
> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
> genfs_contexts
> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
>
> I've been running the latest svn from tresys for(I think a week or so);
> So the message might already be fixed.
>
> regards;
So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
security tree into Linus's main tree. On of the patch sets in there is
the new credentials work from David Howells. One of those patches adds a
kernel service object class to selinux so policy can be written to all
that service to be granted the ability to override certain permission
checks. I just built a policy from refpolicy and the policy.conf doesn't
have a kernel_service object class. I'm not sure if the policy engine
uses the kernel headers, the dynamic object class discovery mechanism,
or a built in list to generate the boilerplate with all the object
classes and permissions. Regardless it is mainly so things like cachefs
and NFSD can be granted the ability to act as other entities when
making/fulfilling requests. I don't think there is a need to be
concerned about it yet unless something is no longer working for you.
Dave
David P. Quigley wrote:
> On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
>
>> Hello;
>> this was received when doing a git-pull
>> today from the linus tree.
>> class kernel_service not defined in policy
>>
>>
>> [ 0.000999] SELinux: Initializing.
>> [ 0.000999] SELinux: Starting in enforcing mode
>> [ 0.263823] SELinux: Registering netfilter hooks
>> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
>> sens, 256 cats
>> [ 2.525821] SELinux: 73 classes, 145624 rules
>> [ 2.540472] SELinux: class kernel_service not defined in policy
>> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
>> [ 2.557235] SELinux: Completing initialization.
>> [ 2.565527] SELinux: Setting up existing superblocks.
>> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
>> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
>> uses genfs_contexts
>> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
>> transition SIDs
>> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
>> uses genfs_contexts
>> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
>> transition SIDs
>> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
>> uses genfs_contexts
>> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
>> anon_inodefs), uses genfs_contexts
>> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
>> genfs_contexts
>> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
>> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
>> genfs_contexts
>> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>>
>> I've been running the latest svn from tresys for(I think a week or so);
>> So the message might already be fixed.
>>
>> regards;
>>
>
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
>
> Dave
>
>
>
No worries, I figured it was better to send
a post, rather than to say nothing at all.
I did notice the commit, looks nice,
although the graphics module is broken
with the capability i.g. current_euid();
eventually in time that will be fixed.
As for the policy, everything seems good.
just one question what is UBAC
how to I use that? or is it something alse!
regards;
Justin P. Mattock
On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <[email protected]> wrote:
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
It shouldn't be of concern to you. But refpolicy needs to add at
least the class (if not the perms) so it doesn't get assigned to
anything else...
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
Looks like it is class number 74 (and if it's already used in policy
we need to fix one or the other quickly....)
Eric Paris wrote:
> On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <[email protected]> wrote:
>
>
>> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
>> security tree into Linus's main tree. On of the patch sets in there is
>> the new credentials work from David Howells. One of those patches adds a
>> kernel service object class to selinux so policy can be written to all
>> that service to be granted the ability to override certain permission
>> checks. I just built a policy from refpolicy and the policy.conf doesn't
>> have a kernel_service object class. I'm not sure if the policy engine
>> uses the kernel headers, the dynamic object class discovery mechanism,
>> or a built in list to generate the boilerplate with all the object
>> classes and permissions. Regardless it is mainly so things like cachefs
>> and NFSD can be granted the ability to act as other entities when
>> making/fulfilling requests. I don't think there is a need to be
>> concerned about it yet unless something is no longer working for you.
>>
>
> It shouldn't be of concern to you. But refpolicy needs to add at
> least the class (if not the perms) so it doesn't get assigned to
> anything else...
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
>
> Looks like it is class number 74 (and if it's already used in policy
> we need to fix one or the other quickly....)
>
>
No worries man!!
regards;
Justin P. Mattock