From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Thu, 6 Aug 2009 02:56:49 +0000
Subject: [refpolicy] Questions about TE rules in refpolicy-20081210
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

I have several questions about some TE rules in refpolicy-20081210. While playing with it with MLS enabled, I ran into several issues, and I am not clear whether they are deliberately designed this way or might be potential problems. I certainly don't want to open any security holes, so I would very much like to post my questions and patches to the mailing list for comments.

1. After logging in, if I run "mount" it displays nothing, and neither does "cat /etc/mtab" show anything. I glanced at mount.te: files_manage_etc_runtime_files() is already called for mount_t; however, I think we have to call files_manage_generic_locks() too, since the mount program needs to grab a lock on /var/lock/mtab~ when writing to /etc/mtab. Otherwise, there are error messages like "Can't create lock file /var/lock/mtab~2093: Permission denied(use -n flag to override)" during kernel bootup.

2. If I log in as the root user through the serial console, which is mapped to the system console (/dev/console), I am unable to assume another administrator role (auditadm_r, secadm_r) with the newrole program on top of the system console; the error message says that newrole is unable to relabel the /dev/console device. I guess we not only need to append console_device_t to the securetty_types file but also grant newrole_t permission to relabelto and relabelfrom the system console.

3. The /root/ directory used to be labeled "sysadm_home_t" or "sysadm_home_dir_t", but I found it is labeled "default_t" now, and it seems that only sysadm_t has read permission to the /root/ directory.
If I assume another administrator role such as secadm_r, then secadm_t has trouble reading or writing /root/:

    root@d610-2:/root> id -Z
    root:sysadm_r:sysadm_t:s0-s15:c0.c255
    root@d610-2:/root> newrole -r secadm_r
    Password:
    bash: /root/.profile: Permission denied
    root@d610-2:~# id -Z
    root:secadm_r:secadm_t:s0-s15:c0.c255
    root@d610-2:~# touch 1
    touch: cannot touch `1': Permission denied
    root@d610-2:~#

Shouldn't secadm_t and auditadm_t also have enough rights to the /root/ directory?

Any comments on the above three questions are greatly appreciated!

Best regards,
Harry

Attachments:
refpolicy-strict-mount-rw-etc-locks.patch (text/x-diff, 805 bytes): http://oss.tresys.com/pipermail/refpolicy/attachments/20090806/47dd71d4/attachment.bin
refpolicy-strict-newrole-relabel-console.patch (text/x-diff, 1567 bytes): http://oss.tresys.com/pipermail/refpolicy/attachments/20090806/47dd71d4/attachment-0001.bin
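As an added illustration (not part of Harry's post or of the two attached patches), here is a local policy module that expresses the TE changes proposed in points 1 and 2. The module name is a placeholder chosen here, and point 2 is written as a raw allow rule because no refpolicy interface for relabeling the console is cited on the page.

```selinux
# Added example module; not from the original post or its patches.
# "mls_console_fixes" is a placeholder module name.
policy_module(mls_console_fixes, 0.1)

gen_require(`
	type mount_t, newrole_t, console_device_t;
')

# Point 1: mount(8) creates /var/lock/mtab~ before rewriting /etc/mtab,
# so mount_t needs the generic lock-file permissions on top of the
# files_manage_etc_runtime_files() call already present in mount.te.
files_manage_generic_locks(mount_t)

# Point 2: on a serial login the terminal is /dev/console
# (console_device_t), and newrole relabels the login terminal into the
# new role's context. Raw rule used here (assumption: no interface cited).
# Under MLS the relabel is still subject to the chr_file constraints.
allow newrole_t console_device_t:chr_file { relabelfrom relabelto };
```

The securetty_types entry from point 2 is a contexts-file change rather than a TE rule, so it is not expressed in this module.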