From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 01 Oct 2010 11:42:41 -0400
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <20101001151000.GE14548@localhost.localdomain>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com> <20101001151000.GE14548@localhost.localdomain>
Message-ID: <4CA60171.6070506@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/01/2010 11:10 AM, Dominick Grift wrote:
> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>> On 10/01/10 10:30, Dominick Grift wrote:
>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>
>>>>> I had to add this to make a minimal fedora 13 installation boot with refpolicy. I also added some policy for unconfined users such as a ubac exemption, allow unconfined users to run run_init, groupadd, passwd etc.
>>>>
>>>> A couple questions inline.
>>>>
>>>>> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
>>>>> index b354128..052f0a6 100644
>>>>> --- a/policy/modules/services/dbus.te
>>>>> +++ b/policy/modules/services/dbus.te
>>>>
>>>>> @@ -141,6 +137,11 @@ optional_policy(`
>>>>> ')
>>>>>
>>>>> optional_policy(`
>>>>> + # should this be dbus_system_domain instead?
>>>>> + networkmanager_initrc_domtrans(system_dbusd_t)
>>>>> +')
>>>
>>> system_dbusd_t runs the network manager rc script (to start network manager)
>>
>> Ok, then what you have is right.
>>
>>>>
>>>> It seems that you mean for networkmanager to transition to initrc_t.
>>>> Dbus_system_domain would transition from the system bus to
>>>> networkmanager_t. These don't seem at all alike. Not sure which
>>>> one you want, though dbus_system_domain() seems unlikely.
>>>>
>>>>> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
>>>>> index 2dad3c8..a20543a 100644
>>>>> --- a/policy/modules/services/ssh.te
>>>>> +++ b/policy/modules/services/ssh.te
>>>>> @@ -238,6 +238,8 @@ manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>>>>> files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
>>>>>
>>>>> +kernel_read_crypto_sysctls(sshd_t)
>>>>> +kernel_request_load_module(sshd_t)
>>>>> kernel_search_key(sshd_t)
>>>>> kernel_link_key(sshd_t)
>>>
>>> Not sure but I think ipv6. Not that I think it matters, because if it's allowed to request the kernel one module, it's allowed to request any module.
>>
>> That seems odd. If the interface is up and running already, I would
>> think that that module would be loaded already. I don't want to
>> give this permission if at all possible.
>>
>>>> Why does sshd need to request a kernel module?
>>>>
>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
>>>>> index fca6947..5f5f331 100644
>>>>> --- a/policy/modules/system/mount.te
>>>>> +++ b/policy/modules/system/mount.te
>>>>
>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
>>>>> fs_unmount_all_fs(mount_t)
>>>>> fs_remount_all_fs(mount_t)
>>>>> fs_relabelfrom_all_fs(mount_t)
>>>>> -fs_list_auto_mountpoints(mount_t)
>>>>> +# wants to list usbfs_t
>>>>> +fs_list_all(mount_t)
>>>>
>>>> If you know it wants to list usbfs, why list all?
>>>
>>> Because usbfs is the only dir I confirmed and Fedora has fs_list_all, so I was kind of assuming this was only the top of the mountain. I guess I could do fs_list_automountpoints and fs_list_usbfs and see where that gets me.
>>
>> Unless Dan has additional reasons, I'd prefer that you try that.
>>
>>>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>>>> index f976344..fbf02ec 100644
>>>>> --- a/policy/modules/system/unconfined.te
>>>>> +++ b/policy/modules/system/unconfined.te
>>>>> @@ -33,6 +33,10 @@ files_create_boot_flag(unconfined_t)
>>>>> mcs_killall(unconfined_t)
>>>>> mcs_ptrace_all(unconfined_t)
>>>>>
>>>>> +ubac_process_exempt(unconfined_t)
>>>>> +ubac_file_exempt(unconfined_t)
>>>>> +ubac_fd_exempt(unconfined_t)
>>>>
>>>> I'm not sure we want this. Unconfined doesn't mean exempt on UBAC,
>>>> MLS/MCS, etc.
>>>>
>>>
>>> Yes, I gathered you would say that. You actually told us before. So ignore this.
>>> The issue is that I see unconfined_t as an enhanced sysadm_t, and sysadm_t has these ubac exemptions I believe.
>>> So I guess it's just a matter of personal preference.
>>
>> The thing is that sysadm is clearly an admin. Whereas unconfined
>> could be a regular user (in the old targeted sense) or an admin (in
>> the strict sense). So I could go back and forth on if unconfined
>> should have this access, but for now I'm sticking with what I said
>> above.
>>
>>> After some consideration I think you should probably ignore this whole patch or cherry pick only some fixes that you are positive about. Some of the stuff in the patch I have already changed, like how interaction with keys is done.
>>> Also this patch was based on fedora 13; in fedora 14 some things have changed, so on f14 this isn't enough to make it work.
>>>
>>> For example, in f14 /usr/sbin/init is a symbolic link to /usr/sbin/upstart, which is currently labeled bin_t, so kernel_t never transitions to init_t (need to label /usr/sbin/upstart type initrc_t).
>>
>> Really? How can init not be in /sbin?
>
> Sorry, I meant /sbin/init is a symlink to /sbin/upstart.
>
>>
>>> Also udev creates a bunch of devices in /var/lib/udev and some other stuff...
>>>
>>> So be careful with what you adopt, if anything.
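Review bot: In the dbus.te hunk, the added comment `# should this be dbus_system_domain instead?` leaves an open question in the policy source; since the thread settles that system_dbusd_t runs the NetworkManager rc script, replace it with that rationale (for instance `# system bus starts NetworkManager via its rc script`) so a later reader does not reopen the choice between networkmanager_initrc_domtrans and dbus_system_domain.

Review bot: In the ssh.te hunk, `kernel_request_load_module(sshd_t)` is added without a comment or an AVC record saying which module sshd asked for; as the thread itself notes, the permission is not scoped to one module, so record the trigger (the thread's guess is ipv6) in a comment next to the line, and if that module is already loaded by the time sshd starts, prefer a dontaudit rule or leave the line out. `kernel_read_crypto_sysctls(sshd_t)` likewise deserves a one-line comment naming what reads the crypto sysctls.

Review bot: In the mount.te hunk, the comment `# wants to list usbfs_t` names one target type while `fs_list_all(mount_t)` grants listing on every filesystem type, and the hunk also drops `fs_list_auto_mountpoints(mount_t)`; keep the existing line and add only a usbfs-specific listing interface (the narrower pair the submitter proposes in the thread, if fs.if provides it), widening only if further denials appear, so that the comment and the grant describe the same scope.

Review bot: In the unconfined.te hunk, the three `ubac_*_exempt(unconfined_t)` lines change what unconfined_t means in this policy (the maintainer states that unconfined does not imply exemption from UBAC or MLS/MCS) and the submitter agrees to drop them, so the hunk should be removed from the patch rather than merged; if the comparison with sysadm_t is worth recording, it belongs in the commit message, not as a rule.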
I am not sure if Chris would accept that change. Since the ability to read a link could trick an application to go down a different code path. I think adding files_dontaudit_read_all_symlinks(locate_t) Since locate is already trying to read the entire file system. And in certain situations, an admin might be trying to not have certain sections of his file system read.
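The thread keeps asking which denials actually justify a new allow rule (why sshd needs a module request, whether mount needs more than usbfs) and notes that some permissions cannot be narrowed. As an added example that is not part of this thread or of refpolicy, here is a small Python aggregator that groups AVC denial records by source type, target type and object class, the way audit2allow summarises them, and flags the grouped permissions that cannot be scoped any tighter; the sample records and the BROAD_PERMS set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread); the layout follows the
# Linux audit "avc: denied" record and covers cases the thread debates: sshd
# requesting a kernel module, sshd reading crypto sysctls, mount listing usbfs.
SAMPLE_AVC = """\
type=AVC msg=audit(1285943000.101:77): avc:  denied  { module_request } for  pid=1203 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1285943000.202:78): avc:  denied  { read } for  pid=1203 comm="sshd" name="crypto" dev=proc ino=4026 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1285943001.303:79): avc:  denied  { read } for  pid=900 comm="mount" name="/" dev=usbfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
type=AVC msg=audit(1285943001.404:80): avc:  denied  { read } for  pid=900 comm="mount" name="/" dev=usbfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
"""

# (class, permission) pairs that cannot be narrowed by target type: the thread's
# own point that allowing one module request allows requesting any module.
BROAD_PERMS = {("system", "module_request")}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, class, perms) for a denial, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type[:range]; the type is always the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], m.group(1).split()

def summarize(text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        entry = summary[(stype, ttype, tclass)]
        entry["perms"].update(perms)
        entry["count"] += 1
    return dict(summary)

def broad_grants(summary):
    """Grouped denials whose allow rule would hand out a permission that cannot be scoped."""
    return sorted((stype, ttype, tclass, perm)
                  for (stype, ttype, tclass), entry in summary.items()
                  for perm in entry["perms"] if (tclass, perm) in BROAD_PERMS)
```

Feeding real `ausearch -m avc` output into `summarize` gives the same grouping; anything returned by `broad_grants` is a rule to question before writing, not to generate mechanically.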