From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 22 Dec 2016 15:57:51 -0500
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To:
References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/21/16 15:39, Guido Trentalancia via refpolicy wrote:
> Another naming option would be more simply "allow_initramfs".

I'd prefer kernel_dracut_initramfs.

> Whatever you decide, considering it is official and widely used, I
> suggest using a default value of "true", which can then be easily
> hardened.

I'd also keep it false by default for refpolicy. Then individual distros
can turn it to true by default if they use it.

> I look forward to hearing from you about this.
>
> On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> The initramfs is just a gzipped cpio archive, which therefore has no
>> extended attributes...
>>
>> Dracut is kernel.org official and widely used.
>>
>> I am neutral about making it tunable, but since you proposed it, I'll
>> offer my help to change the patch...
>>
>> Do you fancy the name "boot_initramfs" for the boolean that you
>> suggested?
>>
>> Please let me know and I'll prepare a new version of this patch.
>>
>> Regards,
>>
>> Guido
>>
>> On the 21st December 2016 20:25:04 CET, Chris PeBenito wrote:
>>> On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>>> On Mon, 19/12/2016 at 15.50 +0100, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> This patch adds missing permissions in the kernel module that
>>>>>>> prevent running it without the unconfined module.
>>>>>>
>>>>>> I will need more clarification on these rules, especially all the
>>>>>> new root_t access. The only thing that should normally be root_t
>>>>>> is /.
>>>>
>>>> [...]
>>>>
>>>>> As you can see, it is trying to execute a /bin/umount executable
>>>>> file that is labeled root_t (this is before switching to the new
>>>>> root, so it's in the initramfs).
>>>>>
>>>>> This is from the following two dracut initramfs modules:
>>>>>
>>>>> 98selinux/selinux-loadpolicy.sh
>>>>> 99base/init.sh
>>>>>
>>>>> Eventually, no relabeling is done by dracut after loading the
>>>>> policy.
>>>>
>>>> I don't know if it makes sense, but it is a bit like the chicken or
>>>> egg problem!
>>>>
>>>> Even if you relabel from initramfs after loading the policy, you
>>>> still have to execute setfiles as root_t! So, it doesn't make much
>>>> sense to relabel (and enlarge the initramfs) just for executing
>>>> umount and a few other core utilities.
>>>
>>> It's too bad dracut seems to generate sloppy initramfs. It is a lot of
>>> unnecessary access to force on anyone that doesn't use dracut. I'm
>>> tempted to make it tunable.

-- 
Chris PeBenito
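As an added illustration of the tunable discussed in this thread (not the patch under review and not refpolicy's own code), this is the shape such a boolean takes in refpolicy source: declared with the name and the false default Chris prefers, with the root_t execute access for the kernel domain granted only when it is enabled. The `files_exec_root_files` interface is a hypothetical name chosen here; `gen_tunable`, `tunable_policy`, `interface`, `gen_require` and `can_exec` are refpolicy's existing macros.

```m4
# policy/modules/kernel/files.if
# Hypothetical interface (not part of refpolicy); root_t is declared here.
########################################
## <summary>
##	Execute files labeled root_t, with no domain transition.
##	Only needed when an initramfs built without extended
##	attributes (a plain cpio archive) leaves its binaries,
##	such as /bin/umount, labeled root_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_exec_root_files',`
	gen_require(`
		type root_t;
	')

	# can_exec grants read/execute/execute_no_trans on the type,
	# so the caller runs the file in its own domain.
	can_exec($1, root_t)
')

# policy/modules/kernel/kernel.te
## <desc>
##	<p>
##	Allow the kernel domain to execute root_t files found in a
##	dracut initramfs before the switch to the real root.
##	Off by default; distributions that ship dracut can enable it.
##	</p>
## </desc>
gen_tunable(kernel_dracut_initramfs, false)

# The extra access exists only while the boolean is on, so anyone
# not using dracut carries none of it.
tunable_policy(`kernel_dracut_initramfs',`
	files_exec_root_files(kernel_t)
')
```

Once such a boolean is in the loaded policy, a distribution or administrator flips it persistently with `setsebool -P kernel_dracut_initramfs on` rather than by patching policy.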