From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 01 Oct 2010 11:28:07 -0400 Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13. In-Reply-To: <20101001151000.GE14548@localhost.localdomain> References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com> <20101001151000.GE14548@localhost.localdomain> Message-ID: <4CA5FE07.80504@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/01/2010 11:10 AM, Dominick Grift wrote: > On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote: >> On 10/01/10 10:30, Dominick Grift wrote: >>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote: >>>> On 09/24/10 15:37, Dominick Grift wrote: >>>>> >>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users suchs a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc. >>>> >>>> A couple questions inline. >>>> >>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te >>>>> index b354128..052f0a6 100644 >>>>> --- a/policy/modules/services/dbus.te >>>>> +++ b/policy/modules/services/dbus.te >>>> >>>>> @@ -141,6 +137,11 @@ optional_policy(` >>>>> ') >>>>> >>>>> optional_policy(` >>>>> + # should this be dbus_system_domain instead? >>>>> + networkmanager_initrc_domtrans(system_dbusd_t) >>>>> +') >>> >>> system_dbusd_t runs the network manager rc script (to start network manager) >> >> Ok, then what you have is right. >> >>>> >>>> It seems that you mean for netorkmanager to transition to initrc_t. >>>> Dbus_system_domain would transition from the system bus to >>>> networkmanager_t. These don't seem at all alike. Not sure which >>>> one you want, though dbus_system_domain() seems unlikely. 
>>>> >>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te >>>>> index 2dad3c8..a20543a 100644 >>>>> --- a/policy/modules/services/ssh.te >>>>> +++ b/policy/modules/services/ssh.te >>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >>>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) >>>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) >>>>> >>>>> +kernel_read_crypto_sysctls(sshd_t) >>>>> +kernel_request_load_module(sshd_t) >>>>> kernel_search_key(sshd_t) >>>>> kernel_link_key(sshd_t) >>> >>> Not sure but i thibk ipv6. Not that i think it matters because if its allowed to request the kernel one module its allowed to request any module. >> >> That seems odd. If the interface is up and running already, I would >> think that that module would be loaded already. I don't want to >> give this permission if at all possible. >> >>>> Why does sshd need to request a kernel module? Yes this came from disabling IPV6 I believe. Turns out that if you turn off ipv6 on a machine every app that tries to use a socket ends up trying to load the kernel module. So AVC's appear all over the place when people disable ipv6 (Surprisingly common in Fedora.) We now has an setroubleshoot that will ignore this avc. Eric looked into getting the kernel to not deliver all of the AVC's but his patch was too invasive and was rejected. >>>> >>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te >>>>> index fca6947..5f5f331 100644 >>>>> --- a/policy/modules/system/mount.te >>>>> +++ b/policy/modules/system/mount.te 
>>>> >>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t) >>>>> fs_unmount_all_fs(mount_t) >>>>> fs_remount_all_fs(mount_t) >>>>> fs_relabelfrom_all_fs(mount_t) >>>>> -fs_list_auto_mountpoints(mount_t) >>>>> +# wants to list usbfs_t >>>>> +fs_list_all(mount_t) >>>> >>>> If you know it wants to list usbfs, why list all? I am pretty sure this comes up with things like debugfs and others. I don't see why you would not accept this since mount is a powerfull domain and this hardly seems like a preventive measure. You are just enabling a lot of stupid AVC messages by not allowing it to list. >>> >>> Because usbfs is the only dir i confirmed and Fedora has fs_list_all so i was kind of assuming this was only the top of the mountain. I guess i could do fs_list_automountpoints and fs_list_usbfs and see where that gets me. >> >> Unless Dan has additional reasons, I'd prefer that you try that. >> >>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te >>>>> index f976344..fbf02ec 100644 >>>>> --- a/policy/modules/system/unconfined.te >>>>> +++ b/policy/modules/system/unconfined.te 
>>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t) >>>>> mcs_killall(unconfined_t) >>>>> mcs_ptrace_all(unconfined_t) >>>>> >>>>> +ubac_process_exempt(unconfined_t) >>>>> +ubac_file_exempt(unconfined_t) >>>>> +ubac_fd_exempt(unconfined_t) >>>> >>>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC, >>>> MLS/MCS, etc. >>>> >>> >>> Yes i gathered you would say that. You actually told us before. So ignore this. >>> The issue is that i see unconfined_t as an enhanced sysadm_t and sysadm_t has these ubac exemptions i believe. >>> So i guess its just a matter of personal preference. >> >> The thing is that sysadm is clearly an admin. Whereas unconfined >> could be a regular user (in the old targeted sense) or an admin (in >> the strict sense). So I could go back and forth on if unconfined >> should have this access, but for now I'm sticking with what I said >> above. >> >>> After some consideration i think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch i have already changed like how interaction with keys is done. >>> Also this patch was based on fedora 13, in fedora 14 some things have changed so on f14 this isnt enough to make it work. >>> >>> for example in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart which is currently labeled bin_t so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t) >> >> Really? How can init not be in /sbin? > > Sorry i meant /sbin/init is a symlinks to /sbin/upstart. > >> >>> Also udev creates a bunch of devices in /var/lib/udev and some other stuff... >>> >>> So be carefull with what you adopt if anything. 
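Review bot: the `# should this be dbus_system_domain instead?` comment in the dbus.te hunk leaves an open question in committed policy; the thread settles it (system_dbusd_t runs the NetworkManager rc script, so `networkmanager_initrc_domtrans(system_dbusd_t)` is the intended call), and the comment should either state that reason or be dropped before the change is applied. Separately, the hunk header `@@ -141,6 +137,11 @@` promises five added lines but only three `+` lines are quoted, so the quoted hunk appears truncated (blank lines likely lost in quoting); check the original patch rather than applying the quoted text.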
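Review bot: `kernel_request_load_module(sshd_t)` in the ssh.te hunk lets sshd trigger autoloading of any kernel module, not just the one it is asking for, and the thread traces the denial to hosts with IPv6 disabled, where socket creation makes every networking daemon attempt to load the IPv6 module. If the goal is only to stop the AVC noise, a dontaudit of `module_request` for sshd_t (refpolicy's kernel_dontaudit_request_load_module interface, if present in this tree) silences it without granting the access. `kernel_read_crypto_sysctls(sshd_t)` on the line above has no justification in the thread or in a comment; please add one so the reason survives the patch.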
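Review bot: the comment `# wants to list usbfs_t` in the mount.te hunk documents a single filesystem while `fs_list_all(mount_t)` grants directory listing on every filesystem type, replacing the narrower `fs_list_auto_mountpoints(mount_t)`. Either keep fs_list_auto_mountpoints and add the usbfs-specific interface next to it, as the thread proposes, or, if the broader access stays because other filesystems such as debugfs produce the same denials, say so in the comment so the scope of the rule matches its stated justification.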
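Review bot: the three `ubac_*_exempt(unconfined_t)` lines in the unconfined.te hunk remove user-based separation for unconfined_t, which in this policy may be an ordinary user rather than an administrator, and the maintainer declines them in the thread; drop them from the patch rather than leaving them to be cherry-picked around. As with the dbus hunk, the header `@@ -33,6 +33,10 @@` implies four added lines but only three `+` lines are quoted, so the quoted hunk is missing a line and the original patch should be consulted.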
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
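Dan's explanation above (with IPv6 disabled, every daemon's socket creation triggers a module_request for the IPv6 module, so denials show up for sshd and everything else) is easy to confirm on a host before choosing between an allow rule and a dontaudit. The shell snippet below is an added example and is not part of this thread or of refpolicy: it counts module_request denials per source domain from audit-format AVC lines (the sample lines here are constructed; on a real host they would come from `ausearch -m avc`) and emits the raw dontaudit rule that a refpolicy dontaudit interface for this permission would wrap.

```shell
#!/bin/sh
# Added example, not from the refpolicy thread: summarise module_request AVC
# denials per SELinux source domain, then show the raw rule that silences
# (without allowing) the request for one domain.

# Constructed sample AVC lines in auditd format; pids, timestamps and the
# third (name_connect) line are made up to show that unrelated denials are
# ignored. kmod="net-pf-10" is the alias the kernel requests for PF_INET6.
SAMPLE_AVCS='type=AVC msg=audit(1285948087.123:101): avc:  denied  { module_request } for  pid=1234 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1285948088.456:102): avc:  denied  { module_request } for  pid=1300 comm="ntpd" kmod="net-pf-10" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1285948089.789:103): avc:  denied  { name_connect } for  pid=1234 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1285948090.012:104): avc:  denied  { module_request } for  pid=1234 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system'

# module_request_domains LINES
#   Prints "count domain kmod", most frequent first, for every source domain
#   that was denied module_request. Only the type field of scontext is kept.
module_request_domains() {
    printf '%s\n' "$1" |
    grep '{ module_request }' |
    sed -n 's/.*kmod="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# dontaudit_rule DOMAIN
#   Emits the raw policy statement that drops the audit record for DOMAIN's
#   module_request attempts while still denying them. This is the rule a
#   refpolicy kernel_dontaudit_* interface expands to.
dontaudit_rule() {
    printf 'dontaudit %s kernel_t:system module_request;\n' "$1"
}

# Usage: show which domains are hitting the IPv6 autoload case, then the
# rule you would put in a local module for the noisiest one.
module_request_domains "$SAMPLE_AVCS"
dontaudit_rule sshd_t
```

On a real host, replace the constructed sample with `ausearch -m avc -ts recent` output; a domain whose only module_request denials carry `kmod="net-pf-10"` is hitting the disabled-IPv6 case and needs the dontaudit, not `kernel_request_load_module`.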