From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 21 Dec 2016 21:39:20 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To: <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net>
References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Another naming option would be more simply "allow_initramfs".

Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened.

I look forward to hearing from you about this.

Regards,

Guido

On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy wrote:
>Hello again.
>
>The initramfs is just a gzipped cpio archive, which therefore hasn't
>extended attributes...
>
>Dracut is kernel.org official and widely used.
>
>I am neutral about making it tuneable, but since you proposed it, I'll
>offer my help to change the patch...
>
>Do you fancy the name "boot_initramfs" for the boolean that you
>suggested?
>
>Please let me know and I'll prepare a new version of this patch.
>
>Regards,
>
>Guido
>
>On the 21st December 2016 20:25:04 CET, Chris PeBenito wrote:
>>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>> On Mon, 19/12/2016 at 15.50 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>
>>> [...]
>>>
>>>>>> This patch adds missing permissions in the kernel module that
>>>>>> prevent to run it without the unconfined module.
>>>>>
>>>>> I will need more clarification on these rules, especially all the
>>>>> new root_t access. The only thing that should normally be root_t
>>>>> is /.
>>>
>>> [...]
>>>
>>>> As you can see, it is trying to execute a /bin/umount executable
>>>> file that is labeled root_t (this is before switching to the new
>>>> root, so it's in the initramfs).
>>>>
>>>> This is from the following two dracut initramfs modules:
>>>>
>>>> 98selinux/selinux-loadpolicy.sh
>>>> 99base/init.sh
>>>>
>>>> Eventually, no relabeling is done by dracut after loading the
>>>> policy.
>>>
>>> I don't know if it makes sense, but it is a bit like the chicken or
>>> egg problem!
>>>
>>> Even if you relabel from initramfs after loading the policy, you
>>> still have to execute setfiles as root_t! So, it doesn't make much
>>> sense to relabel (and enlarge the initramfs) just for executing
>>> umount and a few other core utilities.
>>
>>It's too bad dracut seems to generate sloppy initramfs. It is a lot of
>>unnecessary access to force on anyone that doesn't use dracut. I'm
>>tempted to make it tunable.
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
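
An added illustration of the point quoted above that a gzipped cpio initramfs carries no extended attributes; it is not part of the original message, nor dracut or refpolicy code. It parses the cpio "newc" layout, whose header is a fixed set of 13 fields with no slot for a security.selinux label; the archive contents and helper names are constructed for the example.

```python
import gzip

# The 13 fixed newc header fields: 8 ASCII hex digits each, after a 6-byte magic.
NEWC_FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
               "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
HEADER_LEN = 6 + 8 * len(NEWC_FIELDS)  # 110 bytes

def _pad4(n):
    """Bytes of NUL padding needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4

def build_entry(name, data=b"", mode=0o100755):
    """Build one newc entry (used only to construct the sample archive)."""
    raw_name = name.encode() + b"\0"
    values = dict.fromkeys(NEWC_FIELDS, 0)
    values.update(mode=mode, nlink=1, filesize=len(data), namesize=len(raw_name))
    out = b"070701" + b"".join(b"%08X" % values[f] for f in NEWC_FIELDS) + raw_name
    out += b"\0" * _pad4(len(out))
    return out + data + b"\0" * _pad4(len(data))

def parse_initramfs(blob):
    """Yield (name, header_fields, data) for each file in a gzipped newc archive."""
    raw = gzip.decompress(blob)
    pos = 0
    while pos + HEADER_LEN <= len(raw):
        if raw[pos:pos + 6] not in (b"070701", b"070702"):
            raise ValueError("not a newc header at offset %d" % pos)
        fields = {f: int(raw[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
                  for i, f in enumerate(NEWC_FIELDS)}
        name_start = pos + HEADER_LEN
        name = raw[name_start:name_start + fields["namesize"] - 1].decode()
        if name == "TRAILER!!!":          # end-of-archive marker
            return
        # Header + name are padded to 4 bytes; file data follows immediately.
        data_start = name_start + fields["namesize"]
        data_start += _pad4(HEADER_LEN + fields["namesize"])
        data = raw[data_start:data_start + fields["filesize"]]
        yield name, fields, data
        pos = data_start + fields["filesize"] + _pad4(fields["filesize"])

# Constructed sample: a one-file initramfs with a placeholder /bin/umount.
SAMPLE = gzip.compress(build_entry("bin/umount", b"\x7fELF") +
                       build_entry("TRAILER!!!", mode=0))

if __name__ == "__main__":
    for name, fields, data in parse_initramfs(SAMPLE):
        print(name, oct(fields["mode"]), len(data), sorted(fields))
```

Every byte of an entry is accounted for by the header, the name, the data and padding, so any label on these files has to come from the running kernel and policy rather than from the archive.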