From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 01 Oct 2010 10:52:19 -0400
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <20101001143000.GB14548@localhost.localdomain>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain>
Message-ID: <4CA5F5A3.2080708@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/01/10 10:30, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>> On 09/24/10 15:37, Dominick Grift wrote:
>>>
>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>>
>> A couple questions inline.
>>
>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>> index b354128..052f0a6 100644
>>> --- a/policy/modules/services/dbus.te
>>> +++ b/policy/modules/services/dbus.te
>>
>>> @@ -141,6 +137,11 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + # should this be dbus_system_domain instead?
>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>> +')
>
> system_dbusd_t runs the network manager rc script (to start network manager)

Ok, then what you have is right.

>>
>> It seems that you mean for networkmanager to transition to initrc_t.
>> Dbus_system_domain would transition from the system bus to
>> networkmanager_t. These don't seem at all alike. Not sure which
>> one you want, though dbus_system_domain() seems unlikely.
>>
>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>> index 2dad3c8..a20543a 100644
>>> --- a/policy/modules/services/ssh.te
>>> +++ b/policy/modules/services/ssh.te
>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>
>>> +kernel_read_crypto_sysctls(sshd_t)
>>> +kernel_request_load_module(sshd_t)
>>> kernel_search_key(sshd_t)
>>> kernel_link_key(sshd_t)
>
> Not sure but I think ipv6. Not that I think it matters because if it's allowed to request the kernel one module it's allowed to request any module.

That seems odd. If the interface is up and running already, I would think that that module would be loaded already. I don't want to give this permission if at all possible.

>> Why does sshd need to request a kernel module?
>>
>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>> index fca6947..5f5f331 100644
>>> --- a/policy/modules/system/mount.te
>>> +++ b/policy/modules/system/mount.te
>>
>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>> fs_unmount_all_fs(mount_t)
>>> fs_remount_all_fs(mount_t)
>>> fs_relabelfrom_all_fs(mount_t)
>>> -fs_list_auto_mountpoints(mount_t)
>>> +# wants to list usbfs_t
>>> +fs_list_all(mount_t)
>>
>> If you know it wants to list usbfs, why list all?
>
> Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.

Unless Dan has additional reasons, I'd prefer that you try that.

>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index f976344..fbf02ec 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>> mcs_killall(unconfined_t)
>>> mcs_ptrace_all(unconfined_t)
>>>
>>> +ubac_process_exempt(unconfined_t)
>>> +ubac_file_exempt(unconfined_t)
>>> +ubac_fd_exempt(unconfined_t)
>>
>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>> MLS/MCS, etc.
>>
>
> Yes I gathered you would say that. You actually told us before. So ignore this.
> The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe.
> So I guess it's just a matter of personal preference.

The thing is that sysadm is clearly an admin. Whereas unconfined could be a regular user (in the old targeted sense) or an admin (in the strict sense). So I could go back and forth on if unconfined should have this access, but for now I'm sticking with what I said above.

> After some consideration I think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
>
> for example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)

Really? How can init not be in /sbin?

> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>
> So be careful with what you adopt if anything.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
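Review bot: the `+ # should this be dbus_system_domain instead?` comment in the dbus.te hunk leaves an open question in the committed policy; the thread settles it (system_dbusd_t runs the NetworkManager rc script, so networkmanager_initrc_domtrans is the right interface, and dbus_system_domain, which would transition the system bus to networkmanager_t, is not), so replace the question with a statement of why the domtrans is needed, e.g. `# system_dbusd_t starts NetworkManager via its rc script`, before this is merged.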
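Review bot: `+kernel_request_load_module(sshd_t)` in the ssh.te hunk lets sshd trigger loading of any kernel module, not only the one (suspected ipv6) it tripped over, and the hunk carries no comment naming the denial it answers; until that denial is captured and the need confirmed, drop the line (or silence the denial with a dontaudit rule instead of an allow), and give `+kernel_read_crypto_sysctls(sshd_t)` a comment saying what sshd reads there, since the hunk offers no justification for that grant either.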
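Review bot: replacing `-fs_list_auto_mountpoints(mount_t)` with `+fs_list_all(mount_t)` in the mount.te hunk widens the grant from automount points to every filesystem type on the strength of a single confirmed case (usbfs_t, per the hunk's own comment); keep fs_list_auto_mountpoints and add the usbfs-specific interface the thread mentions (fs_list_usbfs), widening only if further denials appear.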
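Review bot: the three `+ubac_*_exempt(unconfined_t)` lines in the unconfined.te hunk are unrelated to the stated purpose of the patch (making a Fedora 13 install boot) and are rejected in the thread (unconfined does not imply exemption from UBAC or MLS/MCS), so they should be removed from this patch rather than left for the maintainer to cherry-pick around; if resubmitted, they belong in a separate patch with their own rationale.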