2010-09-24 19:37:57

by domg472

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.


I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2b12a37... aa9f935... M policy/modules/admin/consoletype.te
:100644 100644 39e901a... 0bfab9b... M policy/modules/services/dbus.if
:100644 100644 b354128... 052f0a6... M policy/modules/services/dbus.te
:100644 100644 b3ace16... 58a4736... M policy/modules/services/modemmanager.te
:100644 100644 0619395... 2f9a857... M policy/modules/services/networkmanager.te
:100644 100644 c61adc8... b4a1419... M policy/modules/services/ntp.te
:100644 100644 2dad3c8... a20543a... M policy/modules/services/ssh.te
:100644 100644 54d122b... 25bfbd4... M policy/modules/system/authlogin.te
:100644 100644 fca6947... 5f5f331... M policy/modules/system/mount.te
:100644 100644 dfbe736... eac173f... M policy/modules/system/sysnetwork.te
:100644 100644 f976344... fbf02ec... M policy/modules/system/unconfined.te
:100644 100644 2aa8928... 5cb411a... M policy/modules/system/userdomain.if
policy/modules/admin/consoletype.te | 4 ++++
policy/modules/services/dbus.if | 18 ++++++++++++++++++
policy/modules/services/dbus.te | 9 +++++----
policy/modules/services/modemmanager.te | 2 +-
policy/modules/services/networkmanager.te | 1 +
policy/modules/services/ntp.te | 1 +
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/authlogin.te | 1 +
policy/modules/system/mount.te | 11 ++++++++++-
policy/modules/system/sysnetwork.te | 4 ++++
policy/modules/system/unconfined.te | 7 +++++++
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
12 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2b12a37..aa9f935 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -75,6 +75,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_use_fd(consoletype_t)
+')
+
+optional_policy(`
files_read_etc_files(consoletype_t)
firstboot_use_fds(consoletype_t)
firstboot_rw_pipes(consoletype_t)
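Review bot: the new dbus_use_fd(consoletype_t) block does not say whether consoletype actually reads or writes the inherited descriptor or merely has it leaked across the exec from the system bus; if it is a leak, the usual refpolicy pattern is a dontaudit interface rather than an allow. A one-line comment with the reason would help, since the same call is also added to mount_t and ifconfig_t later in this patch.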
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..0bfab9b 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -479,3 +479,21 @@ interface(`dbus_unconfined',`

typeattribute $1 dbusd_unconfined;
')
+
+########################################
+## <summary>
+## Use and inherit system DBUS file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_use_fd',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow $1 system_dbusd_t:fd use;
+')
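Review bot: the interface name dbus_use_fd breaks the naming pattern of comparable interfaces such as firstboot_use_fds(), which is called right below the new block in the consoletype hunk; rename it dbus_use_fds (and the three call sites in this patch) so it sorts and reads like its peers. The body, `allow $1 system_dbusd_t:fd use;`, is fine as it stands.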
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b354128..052f0a6 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -108,10 +108,6 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)

-corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_pipes(system_dbusd_t)
-corecmd_read_bin_sockets(system_dbusd_t)
-
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
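Review bot: the removal of corecmd_list_bin, corecmd_read_bin_pipes and corecmd_read_bin_sockets from system_dbusd_t is not explained by the commit message, which only describes additions needed to boot; state why these are no longer needed, or split the removal into its own patch so it can be reverted independently if activation of a bus service starts failing on a system other than the Fedora 13 install tested here.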

@@ -141,6 +137,11 @@ optional_policy(`
')

optional_policy(`
+ # should this be dbus_system_domain instead?
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
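Review bot: the `# should this be dbus_system_domain instead?` comment is an open question and should not land in the policy source; replace it with the reason given in the discussion, that the system bus runs the NetworkManager rc script and so needs the initrc domain transition, e.g. `# system bus starts NetworkManager via its rc script`.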
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b3ace16..58a4736 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -16,7 +16,7 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
# ModemManager local policy
#

-allow modemmanager_t self:process signal;
+allow modemmanager_t self:process { getsched setsched signal };
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..2f9a857 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -141,6 +141,7 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..b4a1419 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -74,6 +74,7 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)

kernel_read_kernel_sysctls(ntpd_t)
+kernel_read_crypto_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
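Review bot: kernel_read_crypto_sysctls(ntpd_t) is added here and, in the same patch, to sshd_t and chkpwd_t without a comment on what reads /proc/sys/crypto; if this is the crypto library's FIPS-mode check of fips_enabled, say so once at each site so the next reader does not have to rediscover it from a denial.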
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..a20543a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })

+kernel_read_crypto_sysctls(sshd_t)
+kernel_request_load_module(sshd_t)
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
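Review bot: kernel_request_load_module(sshd_t) grants module_request on kernel_t, which has no per-module granularity, so the reply's point that allowing one module allows any module holds; that is exactly why the motivating denial (the kmod= field of the audit record) should be captured in a comment before this is merged, and the grant dropped if the module turns out to be loaded already by the time sshd starts.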

@@ -249,6 +251,8 @@ term_relabelto_all_ptys(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)

+userdom_write_all_users_keys(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
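Review bot: userdom_write_all_users_keys(sshd_t) lets sshd search, write and link keys in the keyrings of every user domain, not only the one being logged in, and the interface summary ("Write and link") understates the search permission it grants; document what sshd does with the keys and prefer a narrower grant if one is possible. The commit message does not mention this change at all.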
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 54d122b..25bfbd4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -90,6 +90,7 @@ files_list_etc(chkpwd_t)

# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..5f5f331 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -36,6 +36,7 @@ application_domain(unconfined_mount_t, mount_exec_t)

# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:fifo_file rw_fifo_file_perms;

allow mount_t mount_loopback_t:file read_file_perms;

@@ -48,13 +49,16 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
+kernel_setsched(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)
+corecmd_exec_shell(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
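Review bot: corecmd_exec_shell(mount_t) lands under the `# required for mount.smbfs` comment, which previously covered only corecmd_exec_bin; executing a shell is a much wider grant than executing helper binaries, so name the helper script that needs it (or give it its own comment), and likewise say what kernel_setsched and dev_read_sysfs are for.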
@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+# wants to list usbfs_t
+fs_list_all(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
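Review bot: replacing fs_list_auto_mountpoints with fs_list_all widens the rule far beyond the `# wants to list usbfs_t` comment above it, granting list on every filesystem type; keep fs_list_auto_mountpoints and add a usbfs-specific interface for the one confirmed directory, as proposed in the replies, and only widen further if a concrete denial shows up.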

@@ -180,6 +185,10 @@ optional_policy(`
')
')

+optional_policy(`
+ dbus_use_fd(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..eac173f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ dbus_use_fd(ifconfig_t)
+')
+
+optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index f976344..fbf02ec 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)

+ubac_process_exempt(unconfined_t)
+ubac_file_exempt(unconfined_t)
+ubac_fd_exempt(unconfined_t)
+
init_run_daemon(unconfined_t, unconfined_r)

libs_run_ldconfig(unconfined_t, unconfined_r)
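Review bot: the three ubac_*_exempt(unconfined_t) calls exempt unconfined_t from user-based access control for processes, files and fds, which is a policy decision separate from the boot fixes the commit message describes; split it into its own patch (or drop it, per the maintainer's response) so the boot fixes can be taken independently.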
@@ -42,6 +46,7 @@ logging_run_auditctl(unconfined_t, unconfined_r)

mount_run_unconfined(unconfined_t, unconfined_r)

+seutil_run_runinit(unconfined_t, unconfined_r)
seutil_run_setfiles(unconfined_t, unconfined_r)
seutil_run_semanage(unconfined_t, unconfined_r)

@@ -192,6 +197,8 @@ optional_policy(`

optional_policy(`
usermanage_run_admin_passwd(unconfined_t, unconfined_r)
+ usermanage_run_groupadd(unconfined_t, unconfined_r)
+ usermanage_run_useradd(unconfined_t, unconfined_r)
')

optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2aa8928..5cb411a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3112,6 +3112,24 @@ interface(`userdom_create_all_users_keys',`

########################################
## <summary>
+## Write and link keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { search write link };
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
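Review bot: the `<summary>` of userdom_write_all_users_keys says "Write and link keys" but the rule `allow $1 userdomain:key { search write link };` also grants search; make the summary list all three permissions. Since the attribute userdomain covers every user domain, the summary should also say explicitly that this is every user's keyring, not the caller's own.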
--
1.7.2.3



2010-10-01 13:58:38

by cpebenito

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 09/24/10 15:37, Dominick Grift wrote:
>
> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.

A couple questions inline.

> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b354128..052f0a6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te

> @@ -141,6 +137,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # should this be dbus_system_domain instead?
> + networkmanager_initrc_domtrans(system_dbusd_t)
> +')

It seems that you mean for networkmanager to transition to initrc_t.
Dbus_system_domain would transition from the system bus to
networkmanager_t. These don't seem at all alike. Not sure which one
you want, though dbus_system_domain() seems unlikely.

> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..a20543a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>
> +kernel_read_crypto_sysctls(sshd_t)
> +kernel_request_load_module(sshd_t)
> kernel_search_key(sshd_t)
> kernel_link_key(sshd_t)

Why does sshd need to request a kernel module?

> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fca6947..5f5f331 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te

> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> +# wants to list usbfs_t
> +fs_list_all(mount_t)

If you know it wants to list usbfs, why list all?

> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index f976344..fbf02ec 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> mcs_killall(unconfined_t)
> mcs_ptrace_all(unconfined_t)
>
> +ubac_process_exempt(unconfined_t)
> +ubac_file_exempt(unconfined_t)
> +ubac_fd_exempt(unconfined_t)

I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
MLS/MCS, etc.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-01 14:30:01

by domg472

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> On 09/24/10 15:37, Dominick Grift wrote:
> >
> >I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.
>
> A couple questions inline.
>
> >diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> >index b354128..052f0a6 100644
> >--- a/policy/modules/services/dbus.te
> >+++ b/policy/modules/services/dbus.te
>
> >@@ -141,6 +137,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ # should this be dbus_system_domain instead?
> >+ networkmanager_initrc_domtrans(system_dbusd_t)
> >+')

system_dbusd_t runs the network manager rc script (to start network manager)

>
> It seems that you mean for networkmanager to transition to initrc_t.
> Dbus_system_domain would transition from the system bus to
> networkmanager_t. These don't seem at all alike. Not sure which
> one you want, though dbus_system_domain() seems unlikely.
>
> >diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> >index 2dad3c8..a20543a 100644
> >--- a/policy/modules/services/ssh.te
> >+++ b/policy/modules/services/ssh.te
> >@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
> >
> >+kernel_read_crypto_sysctls(sshd_t)
> >+kernel_request_load_module(sshd_t)
> > kernel_search_key(sshd_t)
> > kernel_link_key(sshd_t)

Not sure, but I think ipv6. Not that I think it matters, because if it's allowed to request one kernel module it's allowed to request any module.

>
> Why does sshd need to request a kernel module?
>
> >diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >index fca6947..5f5f331 100644
> >--- a/policy/modules/system/mount.te
> >+++ b/policy/modules/system/mount.te
>
> >@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> > fs_unmount_all_fs(mount_t)
> > fs_remount_all_fs(mount_t)
> > fs_relabelfrom_all_fs(mount_t)
> >-fs_list_auto_mountpoints(mount_t)
> >+# wants to list usbfs_t
> >+fs_list_all(mount_t)
>
> If you know it wants to list usbfs, why list all?

Because usbfs is the only dir I confirmed, and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.

> >diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> >index f976344..fbf02ec 100644
> >--- a/policy/modules/system/unconfined.te
> >+++ b/policy/modules/system/unconfined.te
> >@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> > mcs_killall(unconfined_t)
> > mcs_ptrace_all(unconfined_t)
> >
> >+ubac_process_exempt(unconfined_t)
> >+ubac_file_exempt(unconfined_t)
> >+ubac_fd_exempt(unconfined_t)
>
> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
> MLS/MCS, etc.
>

Yes, I gathered you would say that. You actually told us before. So ignore this.
The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions, I believe.
So I guess it's just a matter of personal preference.

After some consideration I think you should probably ignore this whole patch, or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
Also, this patch was based on fedora 13; in fedora 14 some things have changed, so on f14 this isn't enough to make it work.

For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t).

Also udev creates a bunch of devices in /var/lib/udev and some other stuff...

So be careful with what you adopt, if anything.


>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
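The labelling problem described in this reply (the kernel executes the symlink's target, so the target's file context, not the link's, decides the domain transition), as an added Python model that is not part of the thread or of refpolicy. The file_contexts entries, symlink table and transition rule are constructed and simplified, and init_exec_t is assumed as the entrypoint type for the kernel_t to init_t transition.

```python
import re

# Constructed, simplified file_contexts-style specs (regex, type). These are
# illustrative only and are not Fedora's or refpolicy's actual entries.
FILE_CONTEXTS = [
    (r"/s?bin(/.*)?", "bin_t"),
    (r"/sbin/init", "init_exec_t"),
]

# Constructed symlink table standing in for the filesystem: /sbin/init is a
# symlink to /sbin/upstart, as described for Fedora 14 in the thread.
SYMLINKS = {"/sbin/init": "/sbin/upstart"}

# Simplified process type_transition rules:
# (source domain, entrypoint type) -> new domain. Only the assumed
# kernel_t -> init_t transition on init_exec_t is modelled.
TYPE_TRANSITIONS = {("kernel_t", "init_exec_t"): "init_t"}


def resolve(path, symlinks=SYMLINKS):
    """Follow symlinks to the final target, as execve does.
    The label that matters is the target's, not the symlink's."""
    seen = set()
    while path in symlinks:
        if path in seen:
            raise RuntimeError("symlink loop at %s" % path)
        seen.add(path)
        path = symlinks[path]
    return path


def _stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$?*+|()\[\]{}\\]", regex)
    return len(regex) if m is None else m.start()


def label(path, specs=FILE_CONTEXTS):
    """Pick the most specific matching spec: the longest literal stem wins,
    and a fully literal entry beats a wildcard one with the same stem.
    This approximates the ordering setfiles applies to file_contexts.
    Paths matching no spec get the placeholder type unlabeled_t."""
    matches = [(rx, t) for rx, t in specs if re.fullmatch(rx, path)]
    if not matches:
        return "unlabeled_t"
    matches.sort(key=lambda s: (_stem_len(s[0]), _stem_len(s[0]) == len(s[0])))
    return matches[-1][1]


def exec_domain(source, path, specs=FILE_CONTEXTS, symlinks=SYMLINKS):
    """Domain a process in `source` ends up in after executing `path`.
    The transition is keyed on the label of the resolved target, so a
    correctly labelled symlink does not help if its target is bin_t."""
    entry = label(resolve(path, symlinks), specs)
    return TYPE_TRANSITIONS.get((source, entry), source)


def fixed_specs():
    """The constructed file_contexts entry that repairs the boot path in this
    model: label the real init binary with the entrypoint type."""
    return FILE_CONTEXTS + [(r"/sbin/upstart", "init_exec_t")]


if __name__ == "__main__":
    print("/sbin/init resolves to", resolve("/sbin/init"))
    print("broken labelling:", exec_domain("kernel_t", "/sbin/init"))
    print("fixed labelling: ", exec_domain("kernel_t", "/sbin/init", specs=fixed_specs()))
```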

2010-10-01 14:52:19

by cpebenito

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 10/01/10 10:30, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>> On 09/24/10 15:37, Dominick Grift wrote:
>>>
>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.
>>
>> A couple questions inline.
>>
>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>> index b354128..052f0a6 100644
>>> --- a/policy/modules/services/dbus.te
>>> +++ b/policy/modules/services/dbus.te
>>
>>> @@ -141,6 +137,11 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + # should this be dbus_system_domain instead?
>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>> +')
>
> system_dbusd_t runs the network manager rc script (to start network manager)

Ok, then what you have is right.

>>
>> It seems that you mean for networkmanager to transition to initrc_t.
>> Dbus_system_domain would transition from the system bus to
>> networkmanager_t. These don't seem at all alike. Not sure which
>> one you want, though dbus_system_domain() seems unlikely.
>>
>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>> index 2dad3c8..a20543a 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>
>>> +kernel_read_crypto_sysctls(sshd_t)
>>> +kernel_request_load_module(sshd_t)
>>> kernel_search_key(sshd_t)
>>> kernel_link_key(sshd_t)
>
> Not sure, but I think ipv6. Not that I think it matters, because if it's allowed to request one kernel module it's allowed to request any module.

That seems odd. If the interface is up and running already, I would
think that that module would be loaded already. I don't want to give
this permission if at all possible.

>> Why does sshd need to request a kernel module?
>>
>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>> index fca6947..5f5f331 100644
>>> --- a/policy/modules/system/mount.te
>>> +++ b/policy/modules/system/mount.te
>>
>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>> fs_unmount_all_fs(mount_t)
>>> fs_remount_all_fs(mount_t)
>>> fs_relabelfrom_all_fs(mount_t)
>>> -fs_list_auto_mountpoints(mount_t)
>>> +# wants to list usbfs_t
>>> +fs_list_all(mount_t)
>>
>> If you know it wants to list usbfs, why list all?
>
> Because usbfs is the only dir I confirmed, and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.

Unless Dan has additional reasons, I'd prefer that you try that.

>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index f976344..fbf02ec 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>> mcs_killall(unconfined_t)
>>> mcs_ptrace_all(unconfined_t)
>>>
>>> +ubac_process_exempt(unconfined_t)
>>> +ubac_file_exempt(unconfined_t)
>>> +ubac_fd_exempt(unconfined_t)
>>
>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>> MLS/MCS, etc.
>>
>
> Yes, I gathered you would say that. You actually told us before. So ignore this.
> The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions, I believe.
> So I guess it's just a matter of personal preference.

The thing is that sysadm is clearly an admin. Whereas unconfined could
be a regular user (in the old targeted sense) or an admin (in the strict
sense). So I could go back and forth on if unconfined should have this
access, but for now I'm sticking with what I said above.

> After some consideration I think you should probably ignore this whole patch, or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
> Also, this patch was based on fedora 13; in fedora 14 some things have changed, so on f14 this isn't enough to make it work.
>
> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t).

Really? How can init not be in /sbin?

> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>
> So be careful with what you adopt, if anything.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-01 15:09:15

by paul

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 01/10/10 15:52, Christopher J. PeBenito wrote:
> On 10/01/10 10:30, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>
>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.
>>>
>>> A couple questions inline.
>>>
>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>>> index b354128..052f0a6 100644
>>>> --- a/policy/modules/services/dbus.te
>>>> +++ b/policy/modules/services/dbus.te
>>>
>>>> @@ -141,6 +137,11 @@ optional_policy(`
>>>> ')
>>>>
>>>> optional_policy(`
>>>> + # should this be dbus_system_domain instead?
>>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>>> +')
>>
>> system_dbusd_t runs the network manager rc script (to start network manager)
>
> Ok, then what you have is right.
>
>>>
>>> It seems that you mean for networkmanager to transition to initrc_t.
>>> Dbus_system_domain would transition from the system bus to
>>> networkmanager_t. These don't seem at all alike. Not sure which
>>> one you want, though dbus_system_domain() seems unlikely.
>>>
>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>>> index 2dad3c8..a20543a 100644
>>>> --- a/policy/modules/services/ssh.te
>>>> +++ b/policy/modules/services/ssh.te
>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>>
>>>> +kernel_read_crypto_sysctls(sshd_t)
>>>> +kernel_request_load_module(sshd_t)
>>>> kernel_search_key(sshd_t)
>>>> kernel_link_key(sshd_t)
>>
>> Not sure, but I think ipv6. Not that I think it matters, because if it's allowed to request one kernel module it's allowed to request any module.
>
> That seems odd. If the interface is up and running already, I would
> think that that module would be loaded already. I don't want to give
> this permission if at all possible.
>
>>> Why does sshd need to request a kernel module?
>>>
>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>> index fca6947..5f5f331 100644
>>>> --- a/policy/modules/system/mount.te
>>>> +++ b/policy/modules/system/mount.te
>>>
>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>> fs_unmount_all_fs(mount_t)
>>>> fs_remount_all_fs(mount_t)
>>>> fs_relabelfrom_all_fs(mount_t)
>>>> -fs_list_auto_mountpoints(mount_t)
>>>> +# wants to list usbfs_t
>>>> +fs_list_all(mount_t)
>>>
>>> If you know it wants to list usbfs, why list all?
>>
>> Because usbfs is the only dir I confirmed, and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>
> Unless Dan has additional reasons, I'd prefer that you try that.
>
>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>>> index f976344..fbf02ec 100644
>>>> --- a/policy/modules/system/unconfined.te
>>>> +++ b/policy/modules/system/unconfined.te
>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>>> mcs_killall(unconfined_t)
>>>> mcs_ptrace_all(unconfined_t)
>>>>
>>>> +ubac_process_exempt(unconfined_t)
>>>> +ubac_file_exempt(unconfined_t)
>>>> +ubac_fd_exempt(unconfined_t)
>>>
>>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>>> MLS/MCS, etc.
>>>
>>
>> Yes, I gathered you would say that. You actually told us before. So ignore this.
>> The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions, I believe.
>> So I guess it's just a matter of personal preference.
>
> The thing is that sysadm is clearly an admin. Whereas unconfined could
> be a regular user (in the old targeted sense) or an admin (in the strict
> sense). So I could go back and forth on if unconfined should have this
> access, but for now I'm sticking with what I said above.
>
>> After some consideration I think you should probably ignore this whole patch, or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
>> Also, this patch was based on fedora 13; in fedora 14 some things have changed, so on f14 this isn't enough to make it work.
>>
>> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t).
>
> Really? How can init not be in /sbin?

systemd (the replacement init that will be in Fedora 15) lives in /bin
as it can be a user session manager too.

Paul.

2010-10-01 15:10:01

by domg472

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
> On 10/01/10 10:30, Dominick Grift wrote:
> >On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> >>On 09/24/10 15:37, Dominick Grift wrote:
> >>>
> >>>I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users, such as a ubac exemption, allowing unconfined users to run run_init, groupadd, passwd etc.
> >>
> >>A couple questions inline.
> >>
> >>>diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> >>>index b354128..052f0a6 100644
> >>>--- a/policy/modules/services/dbus.te
> >>>+++ b/policy/modules/services/dbus.te
> >>
> >>>@@ -141,6 +137,11 @@ optional_policy(`
> >>> ')
> >>>
> >>> optional_policy(`
> >>>+ # should this be dbus_system_domain instead?
> >>>+ networkmanager_initrc_domtrans(system_dbusd_t)
> >>>+')
> >
> >system_dbusd_t runs the network manager rc script (to start network manager)
>
> Ok, then what you have is right.
>
> >>
> >>It seems that you mean for networkmanager to transition to initrc_t.
> >>Dbus_system_domain would transition from the system bus to
> >>networkmanager_t. These don't seem at all alike. Not sure which
> >>one you want, though dbus_system_domain() seems unlikely.
> >>
> >>>diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> >>>index 2dad3c8..a20543a 100644
> >>>--- a/policy/modules/services/ssh.te
> >>>+++ b/policy/modules/services/ssh.te
> >>>@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> >>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> >>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
> >>>
> >>>+kernel_read_crypto_sysctls(sshd_t)
> >>>+kernel_request_load_module(sshd_t)
> >>> kernel_search_key(sshd_t)
> >>> kernel_link_key(sshd_t)
> >
> >Not sure, but I think ipv6. Not that I think it matters, because if it's allowed to request one kernel module it's allowed to request any module.
>
> That seems odd. If the interface is up and running already, I would
> think that that module would be loaded already. I don't want to
> give this permission if at all possible.
>
> >>Why does sshd need to request a kernel module?
> >>
> >>>diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >>>index fca6947..5f5f331 100644
> >>>--- a/policy/modules/system/mount.te
> >>>+++ b/policy/modules/system/mount.te
> >>
> >>>@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> >>> fs_unmount_all_fs(mount_t)
> >>> fs_remount_all_fs(mount_t)
> >>> fs_relabelfrom_all_fs(mount_t)
> >>>-fs_list_auto_mountpoints(mount_t)
> >>>+# wants to list usbfs_t
> >>>+fs_list_all(mount_t)
> >>
> >>If you know it wants to list usbfs, why list all?
> >
> >Because usbfs is the only dir I confirmed, and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>
> Unless Dan has additional reasons, I'd prefer that you try that.
>
> >>>diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> >>>index f976344..fbf02ec 100644
> >>>--- a/policy/modules/system/unconfined.te
> >>>+++ b/policy/modules/system/unconfined.te
> >>>@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> >>> mcs_killall(unconfined_t)
> >>> mcs_ptrace_all(unconfined_t)
> >>>
> >>>+ubac_process_exempt(unconfined_t)
> >>>+ubac_file_exempt(unconfined_t)
> >>>+ubac_fd_exempt(unconfined_t)
> >>
> >>I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
> >>MLS/MCS, etc.
> >>
> >
> >Yes, I gathered you would say that. You actually told us before. So ignore this.
> >The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions, I believe.
> >So I guess it's just a matter of personal preference.
>
> The thing is that sysadm is clearly an admin. Whereas unconfined
> could be a regular user (in the old targeted sense) or an admin (in
> the strict sense). So I could go back and forth on if unconfined
> should have this access, but for now I'm sticking with what I said
> above.
>
> >After some consideration I think you should probably ignore this whole patch, or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
> >Also, this patch was based on fedora 13; in fedora 14 some things have changed, so on f14 this isn't enough to make it work.
> >
> >for example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>
> Really? How can init not be in /sbin?

Sorry, I meant /sbin/init is a symlink to /sbin/upstart.

>
> >Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
> >
> >So be careful with what you adopt if anything.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-01 15:28:07

by Daniel Walsh

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 10/01/2010 11:10 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>> On 10/01/10 10:30, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>
>>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>>>>
>>>> A couple questions inline.
>>>>
>>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>>>> index b354128..052f0a6 100644
>>>>> --- a/policy/modules/services/dbus.te
>>>>> +++ b/policy/modules/services/dbus.te
>>>>
>>>>> @@ -141,6 +137,11 @@ optional_policy(`
>>>>> ')
>>>>>
>>>>> optional_policy(`
>>>>> + # should this be dbus_system_domain instead?
>>>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>>>> +')
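Review bot: the `# should this be dbus_system_domain instead?` comment commits an open design question to the policy. The thread settles it: the intent is for system_dbusd_t to run the NetworkManager rc script, which is exactly what networkmanager_initrc_domtrans(system_dbusd_t) does, whereas dbus_system_domain() would transition the bus to networkmanager_t and is not what is wanted. Replace the question with a comment stating that reason (the system bus starts NetworkManager through its init script) so the next reader does not reopen it.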
>>>
>>> system_dbusd_t runs the network manager rc script (to start network manager)
>>
>> Ok, then what you have is right.
>>
>>>>
>>>> It seems that you mean for networkmanager to transition to initrc_t.
>>>> Dbus_system_domain would transition from the system bus to
>>>> networkmanager_t. These don't seem at all alike. Not sure which
>>>> one you want, though dbus_system_domain() seems unlikely.
>>>>
>>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>>>> index 2dad3c8..a20543a 100644
>>>>> --- a/policy/modules/services/ssh.te
>>>>> +++ b/policy/modules/services/ssh.te
>>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>>>
>>>>> +kernel_read_crypto_sysctls(sshd_t)
>>>>> +kernel_request_load_module(sshd_t)
>>>>> kernel_search_key(sshd_t)
>>>>> kernel_link_key(sshd_t)
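Review bot: kernel_request_load_module(sshd_t) is added with no comment saying which module sshd needs, and as the reply below points out the permission is not scoped per module: an allow motivated by the ipv6 case lets sshd request loading of any module. If the only trigger is the IPv6 module-request noise on hosts with ipv6 disabled, a dontaudit rule for that permission silences the AVC without granting it. The preceding kernel_read_crypto_sysctls(sshd_t) likewise needs a comment naming the sysctl sshd reads.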
>>>
>>> Not sure but I think ipv6. Not that I think it matters because if it's allowed to request the kernel one module it's allowed to request any module.
>>
>> That seems odd. If the interface is up and running already, I would
>> think that that module would be loaded already. I don't want to
>> give this permission if at all possible.
>>
>>>> Why does sshd need to request a kernel module?
Yes this came from disabling IPv6 I believe. Turns out that if you turn
off ipv6 on a machine every app that tries to use a socket ends up
trying to load the kernel module. So AVCs appear all over the place
when people disable ipv6 (surprisingly common in Fedora). We now have a
setroubleshoot that will ignore this avc.

Eric looked into getting the kernel to not deliver all of the AVC's but
his patch was too invasive and was rejected.
>>>>
>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>>> index fca6947..5f5f331 100644
>>>>> --- a/policy/modules/system/mount.te
>>>>> +++ b/policy/modules/system/mount.te
>>>>
>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>>> fs_unmount_all_fs(mount_t)
>>>>> fs_remount_all_fs(mount_t)
>>>>> fs_relabelfrom_all_fs(mount_t)
>>>>> -fs_list_auto_mountpoints(mount_t)
>>>>> +# wants to list usbfs_t
>>>>> +fs_list_all(mount_t)
>>>>
>>>> If you know it wants to list usbfs, why list all?
I am pretty sure this comes up with things like debugfs and others. I
don't see why you would not accept this since mount is a powerful
domain and this hardly seems like a preventive measure. You are just
enabling a lot of stupid AVC messages by not allowing it to list.
>>>
>>> Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>>
>> Unless Dan has additional reasons, I'd prefer that you try that.
>>
>>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>>>> index f976344..fbf02ec 100644
>>>>> --- a/policy/modules/system/unconfined.te
>>>>> +++ b/policy/modules/system/unconfined.te
>>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>>>> mcs_killall(unconfined_t)
>>>>> mcs_ptrace_all(unconfined_t)
>>>>>
>>>>> +ubac_process_exempt(unconfined_t)
>>>>> +ubac_file_exempt(unconfined_t)
>>>>> +ubac_fd_exempt(unconfined_t)
>>>>
>>>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>>>> MLS/MCS, etc.
>>>>
>>>
>>> Yes I gathered you would say that. You actually told us before. So ignore this.
>>> The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe.
>>> So I guess it's just a matter of personal preference.
>>
>> The thing is that sysadm is clearly an admin. Whereas unconfined
>> could be a regular user (in the old targeted sense) or an admin (in
>> the strict sense). So I could go back and forth on if unconfined
>> should have this access, but for now I'm sticking with what I said
>> above.
>>
>>> After some consideration I think you should probably ignore this whole patch or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
>>> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
>>>
>>> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>>
>> Really? How can init not be in /sbin?
>
> Sorry, I meant /sbin/init is a symlink to /sbin/upstart.
>
>>
>>> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>>>
>>> So be careful with what you adopt if anything.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

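Dan's explanation above of the module_request AVCs that show up once ipv6 is disabled, and Chris's question on the mount.te hunk (one confirmed type versus fs_list_all), both come down to the same discipline: read the denials before choosing between a dontaudit, a narrow allow and a broad one. The Python script below is an added example, not code from this thread or from refpolicy. It parses a constructed audit log (the sample lines, the kmod values and the function names are assumptions for illustration; net-pf-10 is the module alias the kernel requests for a PF_INET6 socket), separates the IPv6 autoload noise that is a dontaudit candidate from other module requests that need a real decision, and reports which directory types each domain was actually denied listing on. It does this for every domain in the log, not only sshd_t and mount_t.

```python
"""AVC denial triage: decide between dontaudit, a narrow allow and a broad one.

Added example for the refpolicy thread above; not code from the thread or from
refpolicy itself. Function names and the sample log are assumptions.
"""
import re
from collections import defaultdict

# The kernel asks for module alias net-pf-10 when a PF_INET6 socket is created
# and IPv6 is not available, which is the noise Dan describes in the thread.
IPV6_MODULE_ALIAS = "net-pf-10"

# Constructed audit records (not from the thread); the field layout follows the
# kernel's AVC audit format. The SYSCALL line shows a0=a, i.e. AF_INET6 (10).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1285945200.123:101): avc:  denied  { module_request } for  pid=1201 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1285945200.123:101): arch=c000003e syscall=41 success=no exit=-13 a0=a a1=1 a2=6 items=0 ppid=1 pid=1201 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)
type=AVC msg=audit(1285945200.456:102): avc:  denied  { module_request } for  pid=1305 comm="ntpd" kmod="net-pf-10" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1285945201.789:103): avc:  denied  { module_request } for  pid=1400 comm="mount" kmod="fs-cifs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1285945202.001:104): avc:  denied  { read } for  pid=1400 comm="mount" name="/" dev=usbfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
type=AVC msg=audit(1285945202.002:105): avc:  denied  { read } for  pid=1401 comm="mount" name="/" dev=usbfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
type=AVC msg=audit(1285945203.003:106): avc:  granted  { search } for  pid=1402 comm="mount" name="/" dev=debugfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one audit line; return None for lines that carry no AVC record."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    return {
        "result": match.group("result"),
        "perms": set(match.group("perms").split()),
        "comm": fields.get("comm", ""),
        "kmod": fields.get("kmod"),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def parse_audit_log(text):
    """All AVC records in an audit log, in order; non-AVC lines are skipped."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def ipv6_autoload_denials(records):
    """Source types denied module_request for the IPv6 alias. On a host with
    ipv6 disabled this is expected noise: a dontaudit candidate, not an allow."""
    return {r["stype"] for r in records
            if r["result"] == "denied" and "module_request" in r["perms"]
            and r["kmod"] == IPV6_MODULE_ALIAS}


def other_module_requests(records):
    """(source type, module alias) for every other module_request denial.
    These need a real decision: the permission is not scoped per module, so
    allowing it for one alias lets the domain request any module."""
    return {(r["stype"], r["kmod"]) for r in records
            if r["result"] == "denied" and "module_request" in r["perms"]
            and r["kmod"] != IPV6_MODULE_ALIAS}


def dir_listing_by_domain(records):
    """Map each source type to the directory types it was denied listing on.
    One target type argues for a narrow interface (the usbfs case); many
    unrelated types are the evidence that would justify a broad one."""
    denied = defaultdict(set)
    for r in records:
        if (r["result"] == "denied" and r["tclass"] == "dir"
                and r["perms"] & {"read", "search"}):
            denied[r["stype"]].add(r["ttype"])
    return dict(denied)


def dir_list_targets(records, stype):
    """Directory types a single domain was denied listing on."""
    return dir_listing_by_domain(records).get(stype, set())


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("IPv6 autoload noise (dontaudit candidates):", sorted(ipv6_autoload_denials(recs)))
    print("Other module requests (decide per domain):", sorted(other_module_requests(recs)))
    for domain, targets in sorted(dir_listing_by_domain(recs).items()):
        print(f"{domain} denied listing on: {sorted(targets)}")
```

Run against the constructed log, the script reports sshd_t and ntpd_t as IPv6 autoload noise, flags mount_t's fs-cifs request as something to decide on its own, and shows mount_t denied listing only on usbfs_t (the granted debugfs search is not counted), which is the evidence that favours a usbfs-specific interface over fs_list_all. Point it at real `ausearch -m AVC` output to make the same call on a live system.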

2010-10-01 15:42:41

by Daniel Walsh

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 10/01/2010 11:10 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>> On 10/01/10 10:30, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>
>>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>>>>
>>>> A couple questions inline.
>>>>
>>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>>>> index b354128..052f0a6 100644
>>>>> --- a/policy/modules/services/dbus.te
>>>>> +++ b/policy/modules/services/dbus.te
>>>>
>>>>> @@ -141,6 +137,11 @@ optional_policy(`
>>>>> ')
>>>>>
>>>>> optional_policy(`
>>>>> + # should this be dbus_system_domain instead?
>>>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>>>> +')
>>>
>>> system_dbusd_t runs the network manager rc script (to start network manager)
>>
>> Ok, then what you have is right.
>>
>>>>
>>>> It seems that you mean for networkmanager to transition to initrc_t.
>>>> Dbus_system_domain would transition from the system bus to
>>>> networkmanager_t. These don't seem at all alike. Not sure which
>>>> one you want, though dbus_system_domain() seems unlikely.
>>>>
>>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>>>> index 2dad3c8..a20543a 100644
>>>>> --- a/policy/modules/services/ssh.te
>>>>> +++ b/policy/modules/services/ssh.te
>>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>>>
>>>>> +kernel_read_crypto_sysctls(sshd_t)
>>>>> +kernel_request_load_module(sshd_t)
>>>>> kernel_search_key(sshd_t)
>>>>> kernel_link_key(sshd_t)
>>>
>>> Not sure but I think ipv6. Not that I think it matters because if it's allowed to request the kernel one module it's allowed to request any module.
>>
>> That seems odd. If the interface is up and running already, I would
>> think that that module would be loaded already. I don't want to
>> give this permission if at all possible.
>>
>>>> Why does sshd need to request a kernel module?
>>>>
>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>>> index fca6947..5f5f331 100644
>>>>> --- a/policy/modules/system/mount.te
>>>>> +++ b/policy/modules/system/mount.te
>>>>
>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>>> fs_unmount_all_fs(mount_t)
>>>>> fs_remount_all_fs(mount_t)
>>>>> fs_relabelfrom_all_fs(mount_t)
>>>>> -fs_list_auto_mountpoints(mount_t)
>>>>> +# wants to list usbfs_t
>>>>> +fs_list_all(mount_t)
>>>>
>>>> If you know it wants to list usbfs, why list all?
>>>
>>> Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>>
>> Unless Dan has additional reasons, I'd prefer that you try that.
>>
>>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>>>> index f976344..fbf02ec 100644
>>>>> --- a/policy/modules/system/unconfined.te
>>>>> +++ b/policy/modules/system/unconfined.te
>>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>>>> mcs_killall(unconfined_t)
>>>>> mcs_ptrace_all(unconfined_t)
>>>>>
>>>>> +ubac_process_exempt(unconfined_t)
>>>>> +ubac_file_exempt(unconfined_t)
>>>>> +ubac_fd_exempt(unconfined_t)
>>>>
>>>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>>>> MLS/MCS, etc.
>>>>
>>>
>>> Yes I gathered you would say that. You actually told us before. So ignore this.
>>> The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe.
>>> So I guess it's just a matter of personal preference.
>>
>> The thing is that sysadm is clearly an admin. Whereas unconfined
>> could be a regular user (in the old targeted sense) or an admin (in
>> the strict sense). So I could go back and forth on if unconfined
>> should have this access, but for now I'm sticking with what I said
>> above.
>>
>>> After some consideration I think you should probably ignore this whole patch or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
>>> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
>>>
>>> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>>
>> Really? How can init not be in /sbin?
>
> Sorry, I meant /sbin/init is a symlink to /sbin/upstart.
>
>>
>>> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>>>
>>> So be careful with what you adopt if anything.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com
>>
>>

I am not sure if Chris would accept that change, since the ability to
read a link could trick an application into going down a different code path.


I think adding

files_dontaudit_read_all_symlinks(locate_t)

since locate is already trying to read the entire file system, and in
certain situations an admin might be trying to not have certain
sections of his file system read.

2010-10-01 18:00:57

by cpebenito

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 10/01/10 11:09, Paul Howarth wrote:
> On 01/10/10 15:52, Christopher J. PeBenito wrote:
>> On 10/01/10 10:30, Dominick Grift wrote:
>>> After some consideration I think you should probably ignore this whole patch or cherry-pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
>>> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
>>>
>>> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>>
>> Really? How can init not be in /sbin?
>
> systemd (the replacement init that will be in Fedora 15) lives in /bin
> as it can be a user session manager too.

My point was that it wouldn't be available if /usr was on a different
partition than /. But the /usr part was a typo from Dominick, so it's a
moot point.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-01 19:01:12

by cpebenito

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On 10/01/10 11:28, Daniel J Walsh wrote:
> On 10/01/2010 11:10 AM, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>>> On 10/01/10 10:30, Dominick Grift wrote:
>>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>>>> index fca6947..5f5f331 100644
>>>>>> --- a/policy/modules/system/mount.te
>>>>>> +++ b/policy/modules/system/mount.te
>>>>>
>>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>>>> fs_unmount_all_fs(mount_t)
>>>>>> fs_remount_all_fs(mount_t)
>>>>>> fs_relabelfrom_all_fs(mount_t)
>>>>>> -fs_list_auto_mountpoints(mount_t)
>>>>>> +# wants to list usbfs_t
>>>>>> +fs_list_all(mount_t)
>>>>>
>>>>> If you know it wants to list usbfs, why list all?
> I am pretty sure this comes up with things like debugfs and others. I
> don't see why you would not accept this since mount is a powerful
> domain and this hardly seems like a preventive measure. You are just
> enabling a lot of stupid AVC messages by not allowing it to list.

I didn't say I was rejecting it. I was asking a question.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-10-01 19:06:58

by domg472

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On Fri, Oct 01, 2010 at 03:01:12PM -0400, Christopher J. PeBenito wrote:
> On 10/01/10 11:28, Daniel J Walsh wrote:
> >On 10/01/2010 11:10 AM, Dominick Grift wrote:
> >>On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
> >>>On 10/01/10 10:30, Dominick Grift wrote:
> >>>>On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> >>>>>On 09/24/10 15:37, Dominick Grift wrote:
> >>>>>>diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >>>>>>index fca6947..5f5f331 100644
> >>>>>>--- a/policy/modules/system/mount.te
> >>>>>>+++ b/policy/modules/system/mount.te
> >>>>>
> >>>>>>@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> >>>>>> fs_unmount_all_fs(mount_t)
> >>>>>> fs_remount_all_fs(mount_t)
> >>>>>> fs_relabelfrom_all_fs(mount_t)
> >>>>>>-fs_list_auto_mountpoints(mount_t)
> >>>>>>+# wants to list usbfs_t
> >>>>>>+fs_list_all(mount_t)
> >>>>>
> >>>>>If you know it wants to list usbfs, why list all?
> >I am pretty sure this comes up with things like debugfs and others. I
> >don't see why you would not accept this since mount is a powerful
> >domain and this hardly seems like a preventive measure. You are just
> >enabling a lot of stupid AVC messages by not allowing it to list.
>
> I didn't say I was rejecting it. I was asking a question.

I added dev_list_usbfs instead with fs_list_auto_mountpoints, and I will load it in an f14 kvm guest tomorrow to see what happens and report back.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-10-04 09:18:08

by domg472

Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.

On Fri, Oct 01, 2010 at 03:01:12PM -0400, Christopher J. PeBenito wrote:
> On 10/01/10 11:28, Daniel J Walsh wrote:
> >On 10/01/2010 11:10 AM, Dominick Grift wrote:
> >>On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
> >>>On 10/01/10 10:30, Dominick Grift wrote:
> >>>>On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> >>>>>On 09/24/10 15:37, Dominick Grift wrote:
> >>>>>>diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >>>>>>index fca6947..5f5f331 100644
> >>>>>>--- a/policy/modules/system/mount.te
> >>>>>>+++ b/policy/modules/system/mount.te
> >>>>>
> >>>>>>@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> >>>>>> fs_unmount_all_fs(mount_t)
> >>>>>> fs_remount_all_fs(mount_t)
> >>>>>> fs_relabelfrom_all_fs(mount_t)
> >>>>>>-fs_list_auto_mountpoints(mount_t)
> >>>>>>+# wants to list usbfs_t
> >>>>>>+fs_list_all(mount_t)
> >>>>>
> >>>>>If you know it wants to list usbfs, why list all?
> >I am pretty sure this comes up with things like debugfs and others. I
> >don't see why you would not accept this since mount is a powerful
> >domain and this hardly seems like a preventive measure. You are just
> >enabling a lot of stupid AVC messages by not allowing it to list.
>
> I didn't say I was rejecting it. I was asking a question.

I just tested it and it seems to only need the listing of usbfs dirs so far. I haven't executed any exotic mount commands but I did do a simple mount to get a listing of all mounts and I rebooted a couple times.

So for now I will do what PeBenito suggests and keep an eye on this issue.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com