From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 21 Dec 2016 14:25:04 -0500
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To: <1482167717.2676.5.camel@trentalancia.net>
References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net>
Message-ID: <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
> wrote:
>
> [...]
>
>>>> This patch adds missing permissions in the kernel module that
>>>> prevent
>>>> to run it without the unconfined module.
>>>
>>> I will need more clarification on these rules, especially all the
>>> new
>>> root_t access. The only thing that should normally be root_t is /.
>
> [...]
>
>> As you can see, it is trying to execute a /bin/umount executable file
>> that is labeled root_t (this is before switching to the new root, so
>> it's in the initramfs).
>>
>> This is from the following two dracut initramfs modules:
>>
>> 98selinux/selinux-loadpolicy.sh
>> 99base/init.sh
>>
>> Eventually, no relabeling is done by dracut after loading the policy.
>
> I don't know if it makes sense, but it is a bit like the chicken or egg
> problem !
>
> Even if you relabel from initramfs after loading the policy, you still
> have to execute setfiles as root_t ! So, it doesn't make much sense to
> relabel (and enlarge the initramfs) just for executing umount and a few
> other core utilities.

It's too bad dracut seems to generate sloppy initramfs. It is a lot of
unnecessary access to force on anyone that doesn't use dracut. I'm
tempted to make it tunable.

--
Chris PeBenito