From: domg472@gmail.com (Dominick Grift)
Date: Fri, 1 Oct 2010 17:10:01 +0200
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <4CA5F5A3.2080708@tresys.com>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com>
Message-ID: <20101001151000.GE14548@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
> On 10/01/10 10:30, Dominick Grift wrote:
> >On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> >>On 09/24/10 15:37, Dominick Grift wrote:
> >>>
> >>>I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
> >>
> >>A couple questions inline.
> >>
> >>>diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> >>>index b354128..052f0a6 100644
> >>>--- a/policy/modules/services/dbus.te
> >>>+++ b/policy/modules/services/dbus.te
> >>
> >>>@@ -141,6 +137,11 @@ optional_policy(`
> >>> ')
> >>>
> >>> optional_policy(`
> >>>+ # should this be dbus_system_domain instead?
> >>>+ networkmanager_initrc_domtrans(system_dbusd_t)
> >>>+')
> >
> >system_dbusd_t runs the network manager rc script (to start network manager)
>
> Ok, then what you have is right.
>
> >>
> >>It seems that you mean for networkmanager to transition to initrc_t.
> >>Dbus_system_domain would transition from the system bus to
> >>networkmanager_t. These don't seem at all alike. Not sure which
> >>one you want, though dbus_system_domain() seems unlikely.
> >>
> >>>diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> >>>index 2dad3c8..a20543a 100644
> >>>--- a/policy/modules/services/ssh.te
> >>>+++ b/policy/modules/services/ssh.te
> >>>@@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> >>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> >>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
> >>>
> >>>+kernel_read_crypto_sysctls(sshd_t)
> >>>+kernel_request_load_module(sshd_t)
> >>> kernel_search_key(sshd_t)
> >>> kernel_link_key(sshd_t)
> >
> >Not sure but I think ipv6. Not that I think it matters because if it's allowed to request the kernel one module it's allowed to request any module.
>
> That seems odd. If the interface is up and running already, I would
> think that that module would be loaded already. I don't want to
> give this permission if at all possible.
>
> >>Why does sshd need to request a kernel module?
> >>
> >>>diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >>>index fca6947..5f5f331 100644
> >>>--- a/policy/modules/system/mount.te
> >>>+++ b/policy/modules/system/mount.te
> >>
> >>>@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> >>> fs_unmount_all_fs(mount_t)
> >>> fs_remount_all_fs(mount_t)
> >>> fs_relabelfrom_all_fs(mount_t)
> >>>-fs_list_auto_mountpoints(mount_t)
> >>>+# wants to list usbfs_t
> >>>+fs_list_all(mount_t)
> >>
> >>If you know it wants to list usbfs, why list all?
> >
> >Because usbfs is the only dir I confirmed and Fedora has fs_list_all so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>
> Unless Dan has additional reasons, I'd prefer that you try that.
>
> >>>diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> >>>index f976344..fbf02ec 100644
> >>>--- a/policy/modules/system/unconfined.te
> >>>+++ b/policy/modules/system/unconfined.te
> >>>@@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
> >>> mcs_killall(unconfined_t)
> >>> mcs_ptrace_all(unconfined_t)
> >>>
> >>>+ubac_process_exempt(unconfined_t)
> >>>+ubac_file_exempt(unconfined_t)
> >>>+ubac_fd_exempt(unconfined_t)
> >>
> >>I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
> >>MLS/MCS, etc.
> >>
> >
> >Yes, I gathered you would say that. You actually told us before. So ignore this.
> >The issue is that I see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions I believe.
> >So I guess it's just a matter of personal preference.
>
> The thing is that sysadm is clearly an admin. Whereas unconfined
> could be a regular user (in the old targeted sense) or an admin (in
> the strict sense). So I could go back and forth on if unconfined
> should have this access, but for now I'm sticking with what I said
> above.
>
> >After some consideration I think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed like how interaction with keys is done.
> >Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isn't enough to make it work.
> >
> >For example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t)
>
> Really? How can init not be in /sbin?

Sorry, I meant /sbin/init is a symlink to /sbin/upstart.

>
> >Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
> >
> >So be careful with what you adopt if anything.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
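
Review bot: The comment added in the dbus.te hunk, "# should this be dbus_system_domain instead?", leaves an open question in the policy source. The reply in this thread settles it (system_dbusd_t runs the network manager rc script, so networkmanager_initrc_domtrans(system_dbusd_t) is the intended transition), so replace the question with a comment stating that reason.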
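
Review bot: kernel_request_load_module(sshd_t) in the ssh.te hunk is added with no comment or denial to justify it, and the thread offers only a guess (ipv6). As the reply itself notes, the permission is not limited to one module, so it lets the sshd_t domain ask the kernel to load any module. Drop this line unless a specific AVC denial can be shown, and keep kernel_read_crypto_sysctls(sshd_t) as a separate change.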
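
Review bot: The mount.te hunk replaces fs_list_auto_mountpoints(mount_t) with fs_list_all(mount_t) while its own comment says only usbfs_t needs to be listed. Keep fs_list_auto_mountpoints(mount_t) and add a list rule scoped to usbfs, widening further only when a denial shows that another filesystem type is needed.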
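
Review bot: The three ubac_*_exempt(unconfined_t) lines in the unconfined.te hunk are unconditional and unrelated to the stated goal of booting Fedora 13. They exempt every unconfined_t process from UBAC, including the case raised in the reply where unconfined_t is a regular user. Split them out of this patch and, if resubmitted, include the rationale for treating unconfined_t like sysadm_t.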