From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 19 Dec 2016 18:15:17 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To: <1482159003.3800.8.camel@trentalancia.net>
References: <1482021787.10349.1.camel@trentalancia.net>
	<1482159003.3800.8.camel@trentalancia.net>
Message-ID: <1482167717.2676.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 19/12/2016 at 15.50 +0100, Guido Trentalancia via refpolicy wrote:

[...]

> > > This patch adds missing permissions in the kernel module that
> > > prevent it from running without the unconfined module.
> >
> > I will need more clarification on these rules, especially all the
> > new root_t access. The only thing that should normally be root_t is /.

[...]

> As you can see, it is trying to execute a /bin/umount executable file
> that is labeled root_t (this is before switching to the new root, so
> it's in the initramfs).
>
> This is from the following two dracut initramfs modules:
>
> 98selinux/selinux-loadpolicy.sh
> 99base/init.sh
>
> Eventually, no relabeling is done by dracut after loading the policy.

I don't know if it makes sense, but it is a bit like the chicken or egg
problem! Even if you relabel from initramfs after loading the policy, you
still have to execute setfiles as root_t!

So, it doesn't make much sense to relabel (and enlarge the initramfs)
just for executing umount and a few other core utilities.

[...]

> > > Signed-off-by: Guido Trentalancia
> > > ---
> > >  policy/modules/kernel/devices.if    |  56 +++++++++++++++
> > >  policy/modules/kernel/files.if      | 131 ++++++++++++++++++++++++++++++++++++
> > >  policy/modules/kernel/filesystem.if |  18 ++++
> > >  policy/modules/kernel/kernel.if     |  18 ++++
> > >  policy/modules/kernel/kernel.te     |  34 +++++++++
> > >  policy/modules/kernel/terminal.if   |  20 +++++
> > >  6 files changed, 277 insertions(+)

[...]

Regards,

Guido