From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 01 Oct 2010 09:58:38 -0400
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora
 13.
In-Reply-To: <20100924193754.GA28777@localhost.localdomain>
References: <20100924193754.GA28777@localhost.localdomain>
Message-ID: <4CA5E90E.3030206@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/24/10 15:37, Dominick Grift wrote:
>
> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users suchs a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.

A couple questions inline.

> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b354128..052f0a6 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te

> @@ -141,6 +137,11 @@ optional_policy(`
>   ')
>
>   optional_policy(`
> +	# should this be dbus_system_domain instead?
> +	networkmanager_initrc_domtrans(system_dbusd_t)
> +')

It seems that you mean for netorkmanager to transition to initrc_t. 
Dbus_system_domain would transition from the system bus to 
networkmanager_t.  These don't seem at all alike.  Not sure which one 
you want, though dbus_system_domain() seems unlikely.

> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 2dad3c8..a20543a 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>   manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>   files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>
> +kernel_read_crypto_sysctls(sshd_t)
> +kernel_request_load_module(sshd_t)
>   kernel_search_key(sshd_t)
>   kernel_link_key(sshd_t)

Why does sshd need to request a kernel module?

> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fca6947..5f5f331 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te

> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>   fs_unmount_all_fs(mount_t)
>   fs_remount_all_fs(mount_t)
>   fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> +# wants to list usbfs_t
> +fs_list_all(mount_t)

If you know it wants to list usbfs, why list all?

> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index f976344..fbf02ec 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>   mcs_killall(unconfined_t)
>   mcs_ptrace_all(unconfined_t)
>
> +ubac_process_exempt(unconfined_t)
> +ubac_file_exempt(unconfined_t)
> +ubac_fd_exempt(unconfined_t)

I'm not sure we want this.  Unconfined doesn't mean exempt on UBAC, 
MLS/MCS, etc.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com