From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Tue, 26 Aug 2014 19:22:15 +0200 Subject: [refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set In-Reply-To: <53FB514C.6090405@tresys.com> References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> <1408793751-11289-6-git-send-email-nicolas.iooss@m4x.org> <53FB514C.6090405@tresys.com> Message-ID: <53FCC247.1020500@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2014-08-25 17:07 GMT+02:00 Christopher J. PeBenito: > On 8/23/2014 7:35 AM, Nicolas Iooss wrote: >> --- >> policy/support/obj_perm_sets.spt | 3 +-- >> 1 file changed, 1 insertion(+), 2 deletions(-) >> >> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt >> index 6e9131723cf4..5e8718a8be67 100644 >> --- a/policy/support/obj_perm_sets.spt >> +++ b/policy/support/obj_perm_sets.spt >> @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') >> # >> # All socket classes. >> # >> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') >> - >> +define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') > > I don't think we want to add socket to this set. We need to be able to > detect when there is generic socket class usage, as that means we need a > kernel change and a corresponding new object class. > I agree with this point of view, if "socket" class means "generic socket which is never used in practice" (and which defines access vectors common to all socket classes, as stated on the SELinux wiki [1]). In fact, this patch comes from the old Debian patch to support systemd [2]. It contained an awful amount of small changes not so much related to systemd and the current Debian patches are much cleaner [3]. However I applied the old patch on my Arch Linux policy to ease its development and now I am splitting this patch in smaller patches which are much easier to review (like the journald patches I sent a few days ago). This is how I found this change, which made sense to me as socket and dccp_socket are obviously in the socket class. Moreover Fedora policy also has socket and dccp_socket in socket_class_set [4]. Now that you said that "socket" should be used to detect new socket class (if I understood correctly), there is something I no longer understand in the current policy. Why does contrib/mozilla.te contains this? [5] allow mozilla_t self:socket create_socket_perms; A quick "grep :socket -r policy" shows other domains allowed to use this kind of socket. Do you know where I could find a good documentation about the socket class to understand why these allow rules are needed? -- Nicolas [1] http://www.selinuxproject.org/page/ObjectClassesPerms#common_socket [2] http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches/0100-systemd?id=b932d84a24c8edc07c95f92a96093e16bef043c8#n58 [3] http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches [4] https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/support/obj_perm_sets.spt?h=rawhide-base&id=f85b52d1c6805e9b0a8bd2a4a4332e66e4b52c00#n31 [5] https://github.com/TresysTechnology/refpolicy-contrib/blob/21f961a147a9a08583825bdbe7cce43cf8fdc43d/mozilla.te#L80