From: paul@city-fan.org (Paul Howarth) Date: Fri, 01 Oct 2010 16:09:15 +0100 Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13. In-Reply-To: <4CA5F5A3.2080708@tresys.com> References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com> Message-ID: <4CA5F99B.3090308@city-fan.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/10/10 15:52, Christopher J. PeBenito wrote: > On 10/01/10 10:30, Dominick Grift wrote: >> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote: >>> On 09/24/10 15:37, Dominick Grift wrote: >>>> >>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc. >>> >>> A couple questions inline. >>> >>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te >>>> index b354128..052f0a6 100644 >>>> --- a/policy/modules/services/dbus.te >>>> +++ b/policy/modules/services/dbus.te >>> >>>> @@ -141,6 +137,11 @@ optional_policy(` >>>> ') >>>> >>>> optional_policy(` >>>> + # should this be dbus_system_domain instead? >>>> + networkmanager_initrc_domtrans(system_dbusd_t) >>>> +') >> >> system_dbusd_t runs the network manager rc script (to start network manager) > > Ok, then what you have is right. > >>> >>> It seems that you mean for networkmanager to transition to initrc_t. >>> Dbus_system_domain would transition from the system bus to >>> networkmanager_t. These don't seem at all alike. Not sure which >>> one you want, though dbus_system_domain() seems unlikely. >>> >>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te >>>> index 2dad3c8..a20543a 100644 >>>> --- a/policy/modules/services/ssh.te >>>> +++ b/policy/modules/services/ssh.te 
>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) >>>> >>>> +kernel_read_crypto_sysctls(sshd_t) >>>> +kernel_request_load_module(sshd_t) >>>> kernel_search_key(sshd_t) >>>> kernel_link_key(sshd_t) >> >> Not sure but i think ipv6. Not that i think it matters because if it's allowed to request the kernel one module it's allowed to request any module. > > That seems odd. If the interface is up and running already, I would > think that that module would be loaded already. I don't want to give > this permission if at all possible. > >>> Why does sshd need to request a kernel module? >>> >>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te >>>> index fca6947..5f5f331 100644 >>>> --- a/policy/modules/system/mount.te >>>> +++ b/policy/modules/system/mount.te >>> >>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t) >>>> fs_unmount_all_fs(mount_t) >>>> fs_remount_all_fs(mount_t) >>>> fs_relabelfrom_all_fs(mount_t) >>>> -fs_list_auto_mountpoints(mount_t) >>>> +# wants to list usbfs_t >>>> +fs_list_all(mount_t) >>> >>> If you know it wants to list usbfs, why list all? >> >> Because usbfs is the only dir i confirmed and Fedora has fs_list_all so i was kind of assuming this was only the top of the mountain. I guess i could do fs_list_automountpoints and fs_list_usbfs and see where that gets me. > > Unless Dan has additional reasons, I'd prefer that you try that. > >>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te >>>> index f976344..fbf02ec 100644 >>>> --- a/policy/modules/system/unconfined.te >>>> +++ b/policy/modules/system/unconfined.te 
>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t) >>>> mcs_killall(unconfined_t) >>>> mcs_ptrace_all(unconfined_t) >>>> >>>> +ubac_process_exempt(unconfined_t) >>>> +ubac_file_exempt(unconfined_t) >>>> +ubac_fd_exempt(unconfined_t) >>> >>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC, >>> MLS/MCS, etc. >>> >> >> Yes i gathered you would say that. You actually told us before. So ignore this. >> The issue is that i see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions i believe. >> So i guess it's just a matter of personal preference. > > The thing is that sysadm is clearly an admin. Whereas unconfined could > be a regular user (in the old targeted sense) or an admin (in the strict > sense). So I could go back and forth on if unconfined should have this > access, but for now I'm sticking with what I said above. > >> After some consideration i think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch i have already changed like how interaction with keys is done. >> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work. >> >> for example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t) > > Really? How can init not be in /sbin? systemd (the replacement init that will be in Fedora 15) lives in /bin as it can be a user session manager too. Paul.
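
Review bot: in the policy/modules/services/dbus.te hunk, the added comment `# should this be dbus_system_domain instead?` commits an open question where a rationale belongs. Replace it with a comment stating why system_dbusd_t needs networkmanager_initrc_domtrans(), for example that it runs the network manager rc script as the reply in this thread says, so the reason for the transition can be read from the policy source alone.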
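
Review bot: in the policy/modules/services/ssh.te hunk, `kernel_request_load_module(sshd_t)` is added with no comment naming the module sshd_t asks for or the denial that prompted the rule. Split it from `kernel_read_crypto_sysctls(sshd_t)` and hold it back until the triggering denial is identified; if it proves necessary, add a comment recording which module is requested and why it is not already loaded when sshd starts.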
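
Review bot: in the policy/modules/system/mount.te hunk, the comment `# wants to list usbfs_t` names a single type, but the change swaps `fs_list_auto_mountpoints(mount_t)` for `fs_list_all(mount_t)`, which is wider than the comment justifies. Keep the removed `fs_list_auto_mountpoints(mount_t)` line and add a list rule scoped to usbfs_t only, widening further only for types confirmed by denials.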
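
Review bot: in the policy/modules/system/unconfined.te hunk, the three added lines `ubac_process_exempt(unconfined_t)`, `ubac_file_exempt(unconfined_t)` and `ubac_fd_exempt(unconfined_t)` exempt unconfined_t from UBAC unconditionally and carry no comment explaining why. Nothing in the hunk ties them to a boot failure, so drop them from this patch and, if the exemption is wanted, submit it separately with its justification.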