From: domg472@gmail.com (Dominick Grift)
Date: Fri, 1 Oct 2010 16:30:01 +0200
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <4CA5E90E.3030206@tresys.com>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com>
Message-ID: <20101001143000.GB14548@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> On 09/24/10 15:37, Dominick Grift wrote:
> >
> > I had to add this to make a minimal Fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>
> A couple questions inline.
>
> >diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> >index b354128..052f0a6 100644
> >--- a/policy/modules/services/dbus.te
> >+++ b/policy/modules/services/dbus.te
>
> >@@ -141,6 +137,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> >+ # should this be dbus_system_domain instead?
> >+ networkmanager_initrc_domtrans(system_dbusd_t)
> >+')

system_dbusd_t runs the network manager rc script (to start network manager)

> It seems that you mean for networkmanager to transition to initrc_t.
> Dbus_system_domain would transition from the system bus to
> networkmanager_t. These don't seem at all alike. Not sure which
> one you want, though dbus_system_domain() seems unlikely.
>
> >diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> >index 2dad3c8..a20543a 100644
> >--- a/policy/modules/services/ssh.te
> >+++ b/policy/modules/services/ssh.te
> >@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
> >
> >+kernel_read_crypto_sysctls(sshd_t)
> >+kernel_request_load_module(sshd_t)
> > kernel_search_key(sshd_t)
> > kernel_link_key(sshd_t)

Not sure but I think ipv6. Not that I think it matters because if it's allowed to request one kernel module it's allowed to request any module.

> Why does sshd need to request a kernel module?
>
> >diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >index fca6947..5f5f331 100644
> >--- a/policy/modules/system/mount.te
> >+++ b/policy/modules/system/mount.te
>
> >@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> > fs_unmount_all_fs(mount_t)
> > fs_remount_all_fs(mount_t)
> > fs_relabelfrom_all_fs(mount_t)
> >-fs_list_auto_mountpoints(mount_t)
> >+# wants to list usbfs_t
> >+fs_list_all(mount_t)
>
> If you know it wants to list usbfs, why list all?

Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.

> >diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> >index f976344..fbf02ec 100644
> >--- a/policy/modules/system/unconfined.te
> >+++ b/policy/modules/system/unconfined.te
> >@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> > mcs_killall(unconfined_t)
> > mcs_ptrace_all(unconfined_t)
> >
> >+ubac_process_exempt(unconfined_t)
> >+ubac_file_exempt(unconfined_t)
> >+ubac_fd_exempt(unconfined_t)
>
> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
> MLS/MCS, etc.
>

Yes I gathered you would say that. You actually told us before. So ignore this. The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe. So I guess it's just a matter of personal preference.

After some consideration I think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done. Also this patch was based on Fedora 13; in Fedora 14 some things have changed, so on f14 this isn't enough to make it work. For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t). Also udev creates a bunch of devices in /var/lib/udev and some other stuff... So be careful with what you adopt, if anything.

> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
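Review bot: the dbus.te hunk commits an unresolved question as a policy comment (`# should this be dbus_system_domain instead?`) directly above `networkmanager_initrc_domtrans(system_dbusd_t)`; that should be settled before merging and the comment replaced with the actual reason the system bus needs to run the NetworkManager rc script. The reply explains the intent is to have system_dbusd_t start NetworkManager through its init script, which is a transition to initrc_t, so dbus_system_domain (a transition to networkmanager_t) would not express that and the question can simply be removed.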
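Review bot: in the ssh.te hunk, `kernel_request_load_module(sshd_t)` is added with no comment saying what sshd triggers it for, and the thread only guesses at ipv6. As the reply notes, once module requesting is granted any module name can be requested, so the line should either carry a comment naming the confirmed trigger or, if sshd works without the module being autoloaded, be replaced by the corresponding dontaudit. `kernel_read_crypto_sysctls(sshd_t)` likewise deserves a one-line comment explaining the need.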
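Review bot: the mount.te hunk replaces the narrower `fs_list_auto_mountpoints(mount_t)` with `fs_list_all(mount_t)` on the strength of a single confirmed denial (usbfs, per the comment `# wants to list usbfs_t`). Keep `fs_list_auto_mountpoints(mount_t)` and add only the usbfs listing permission, as the follow-up reply itself proposes, and widen to fs_list_all only if further denials are actually observed; the comment should then name the filesystem types it is covering rather than a single one.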
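Review bot: the three `ubac_*_exempt(unconfined_t)` lines in the unconfined.te hunk should be dropped from the patch; the author withdraws them in this reply, and as the review states, unconfined_t is not meant to be exempt from UBAC or MLS/MCS, so granting the exemption here changes what the unconfined domain means rather than fixing a boot problem on Fedora 13.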