2010-02-23 22:09:52

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch

Changes for handling leaks

Handling fusefs and hugetlbfs, cgroups

gpfs file system
devtmpfs file system


2010-03-12 16:41:05

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>
> Changes for handling leaks
>
> Handling fusefs and hugetlbfs, cgroups

I'm confused by this:

+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)

If it's a filesystem, it's not a regular file.

> gpfs file system
> devtmpfs file system

I'm thinking that perhaps devtmpfs should be moved to devices and use
device_t, since that's its only purpose.

Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
dontauditing).

Otherwise merged, with some rearrangement.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-03-12 20:24:17

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>>
>> Changes for handling leaks
>>
>> Handling fusefs and hugetlbfs, cgroups
>>
> I'm confused by this:
>
> +files_type(hugetlbfs_t)
> +files_poly_parent(hugetlbfs_t)
>
> If it's a filesystem, it's not a regular file.
>
>
Looks like a cut and paste error.
>> gpfs file system
>> devtmpfs file system
>>
> I'm thinking that perhaps devtmpfs should be moved to devices and use
> device_t, since that's its only purpose.
>
>
Sounds good to me.

Will this work?

fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);


> Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
> dontauditing).
>
> Otherwise merged, with some rearrangement.
>
>
Thanks.

2010-03-12 20:52:02

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> >> devtmpfs file system
> >>
> > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > device_t, since that's its only purpose.
> >
> >
> Sounds good to me.
>
> Will this work?
>
> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

I don't have a system with devtmpfs, so I can't be sure, but I would
think it would work. That line would go in the devices module.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-03-13 15:39:57

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > >> devtmpfs file system
> > >>
> > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > device_t, since that's its only purpose.
> > >
> > >
> > Sounds good to me.
> >
> > Will this work?
> >
> > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>
> I don't have a system with devtmpfs, so I can't be sure, but I would
> think it would work. That line would go in the devices module.

Yes, that works, I can confirm that.


2010-03-13 18:17:44

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > >> devtmpfs file system
> > >>
> > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > device_t, since that's its only purpose.
> > >
> > >
> > Sounds good to me.
> >
> > Will this work?
> >
> > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>
> I don't have a system with devtmpfs, so I can't be sure, but I would
> think it would work. That line would go in the devices module.

Although we might get some of these:

allow devlog_t device_t:filesystem associate;
allow tty_device_t device_t:filesystem associate;


2010-03-13 23:38:08

by Chris PeBenito

Subject: [refpolicy] kernel_filesystem.patch

On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > >> devtmpfs file system
> > > >>
> > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > device_t, since that's its only purpose.
> > > >
> > > >
> > > Sounds good to me.
> > >
> > > Will this work?
> > >
> > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> >
> > I don't have a system with devtmpfs, so I can't be sure, but I would
> > think it would work. That line would go in the devices module.
>
> Although we might get some of these:
>
> allow devlog_t device_t:filesystem associate;
> allow tty_device_t device_t:filesystem associate;

That's easy enough to fix; just put this in devices.te:

allow device_node device_t:filesystem associate;

along with something similar in dev_filetrans(). Thanks for testing it
out.

--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

2010-03-20 15:59:55

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> > On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > > >> devtmpfs file system
> > > > >>
> > > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > > device_t, since that's its only purpose.
> > > > >
> > > > >
> > > > Sounds good to me.
> > > >
> > > > Will this work?
> > > >
> > > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> > >
> > > I don't have a system with devtmpfs, so I can't be sure, but I would
> > > think it would work. That line would go in the devices module.
> >
> > Although we might get some of these:
> >
> > allow devlog_t device_t:filesystem associate;
> > allow tty_device_t device_t:filesystem associate;
>
> That's easy enough to fix; just put this in devices.te:
>
> allow device_node device_t:filesystem associate;
>
> along with something similar in dev_filetrans(). Thanks for testing it
> out.

I was wrong. It works in permissive mode, but as soon as I boot in enforcing mode things stop working and I have no clue as to why.


2010-03-22 13:49:22

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

On 03/20/2010 11:59 AM, Dominick Grift wrote:
> On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
>
>> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
>>
>>> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
>>>
>>>> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
>>>>
>>>>> On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
>>>>>
>>>>>> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>>>>>>
>>>>>>> devtmpfs file system
>>>>>>>
>>>>>>>
>>>>>> I'm thinking that perhaps devtmpfs should be moved to devices and use
>>>>>> device_t, since that's its only purpose.
>>>>>>
>>>>>>
>>>>>>
>>>>> Sounds good to me.
>>>>>
>>>>> Will this work?
>>>>>
>>>>> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>>>>>
>>>> I don't have a system with devtmpfs, so I can't be sure, but I would
>>>> think it would work. That line would go in the devices module.
>>>>
>>> Although we might get some of these:
>>>
>>> allow devlog_t device_t:filesystem associate;
>>> allow tty_device_t device_t:filesystem associate;
>>>
>> That's easy enough to fix; just put this in devices.te:
>>
>> allow device_node device_t:filesystem associate;
>>
>> along with something similar in dev_filetrans(). Thanks for testing it
>> out.
>>
> I was wrong. It works in permissive mode, but as soon as I boot in enforcing mode things stop working and I have no clue as to why.
>
>
I started on this but pulled back when I had too many problems. I think
we can work on this in F14. We need to identify what kind of files can
be associated with a device_t file system, and then set up the rules.
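The step Dan describes (identify which file types need to associate with a device_t filesystem, then write the rules) and the two earlier messages it builds on (Dominick's predicted `filesystem associate` denials, Chris's single `device_node` attribute rule) can be worked through with a small triage script. The following is an added example written for this thread; it is not code from the thread or from refpolicy. It parses kernel AVC records for denied `associate` on class `filesystem`, groups the denied file types by filesystem type, and suggests one attribute rule where an attribute covers the denied types, falling back to per-type rules for the rest. The audit lines and the type-to-attribute map are constructed for the example; `device_node` is the attribute named in the thread, and which types actually carry it in a given policy must be read from that policy (e.g. with seinfo's attribute query) rather than assumed.

```python
"""Triage SELinux 'filesystem associate' denials and suggest policy rules.

Added example for the devtmpfs discussion in the thread; not code from the
thread or from refpolicy. Audit lines and the type->attribute map below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real system). The
# first three are the kind of denial predicted in the thread once devtmpfs
# is labelled device_t: the file type (scontext) is not allowed to
# 'associate' with the filesystem type (tcontext). The fourth is an
# unrelated file denial and the fifth a granted record; both must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1268500000.101:12): avc:  denied  { associate } for  pid=1 comm="udevd" name="log" scontext=system_u:object_r:devlog_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.102:13): avc:  denied  { associate } for  pid=1 comm="udevd" name="tty1" scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.103:14): avc:  denied  { associate } for  pid=1 comm="udevd" name="tty2" scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.104:15): avc:  denied  { read } for  pid=42 comm="cat" name="shadow" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1268500000.105:16): avc:  granted  { associate } for  pid=1 comm="udevd" name="null" scontext=system_u:object_r:null_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
"""

# Assumed type -> attribute map standing in for what the loaded policy
# declares. 'device_node' is the attribute named in the thread; which types
# really carry it must be read from the policy (seinfo's attribute query).
# devlog_t is deliberately left without it here to exercise the fallback.
TYPE_ATTRS = {
    "tty_device_t": {"device_node"},
    "null_device_t": {"device_node"},
    "devlog_t": set(),
}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def associate_denials(log_text):
    """Map each filesystem type to the set of file types denied 'associate' on it."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("verdict") != "denied":
            continue
        if m.group("tclass") != "filesystem" or "associate" not in m.group("perms").split():
            continue
        denials[type_of(m.group("tcontext"))].add(type_of(m.group("scontext")))
    return dict(denials)


def suggest_rules(denials, type_attrs):
    """Prefer one attribute rule per filesystem type; fall back to per-type rules.

    For every filesystem type, pick the attribute shared by the most denied
    file types and emit 'allow <attr> <fs>:filesystem associate;'. Denied
    types that attribute does not cover get an explicit per-type rule, so no
    denial is silently dropped from the suggestion.
    """
    rules = []
    for fs, file_types in sorted(denials.items()):
        coverage = defaultdict(set)
        for t in file_types:
            for attr in type_attrs.get(t, ()):
                coverage[attr].add(t)
        uncovered = set(file_types)
        if coverage:
            best = max(sorted(coverage), key=lambda a: len(coverage[a]))
            rules.append(f"allow {best} {fs}:filesystem associate;")
            uncovered -= coverage[best]
        rules.extend(f"allow {t} {fs}:filesystem associate;" for t in sorted(uncovered))
    return rules


if __name__ == "__main__":
    found = associate_denials(SAMPLE_AUDIT)
    for fs, types in sorted(found.items()):
        print(f"{fs}: denied associate for {', '.join(sorted(types))}")
    print("\n".join(suggest_rules(found, TYPE_ATTRS)))
```

Run against the constructed records, the script reports `device_t: denied associate for devlog_t, tty_device_t` and suggests the attribute rule from the thread plus an explicit rule for the type the assumed map leaves outside the attribute. In practice the same script can be fed `ausearch -m avc` output from a permissive boot, which is exactly the data needed to decide which types belong in the attribute before switching to enforcing mode.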