From: cgzones@googlemail.com (cgzones)
Date: Tue, 27 Dec 2016 21:32:34 +0100
Subject: [refpolicy] [PATCH v2] kernel: missing permissions for confined
	execution
In-Reply-To: <1078174712.17762.1482870141948.JavaMail.open-xchange@popper10.register.it>
References: <1482021787.10349.1.camel@trentalancia.net>
	<1482094724.22132.12.camel@trentalancia.net>
	<8317c7e0-7d87-6726-837c-1c39b0bfb8c1@ieee.org>
	<1078174712.17762.1482870141948.JavaMail.open-xchange@popper10.register.it>
Message-ID: <CAJ2a_Dc-APv+OHL-8zHzDTAU8-yycjPOtcOAvbp4UsDg-4q=-Q@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Maybe we can crib from dwalsh:
https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html

During the development phase between releases implement the unconfined
domains via a permissive statement, which causes audits, instead of
using the almost almighty unconfined_domain_noaudit interface?

Kindly Regards,
     Christian G?ttsche

2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com>:
> Hello Christopher.
>
> Thanks for merging this. We should now have a fully functional kernel module
> that,
> as such, should not need the unconfined_domain interface calls anymore.
>
> Unfortunately, version 2 of this patch did not actually removed such interface
> call.
>
> Now, we have two options:
>
> - remove it in a new simple patch today or tomorrow;
> - wait to remove it until after the next release, so that we can benefit from
> some
>   more development-stage testing, just in case some kernel installation around
>   needs some other permission which did not show up in the tests that I carried
> out.
>
> For sure, we shall strive to get rid of it, for maximum security.
>
>> On the 27th of December 2016 at 16.52 Chris PeBenito <pebenito@ieee.org>
>> wrote:
>>
>>
>> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
>> > This patch adds missing permissions in the kernel module that prevent
>> > to run it without the unconfined module.
>> >
>> > This second version improves the comment section of new interfaces:
>> > "Domain" is replaced by "Domain allowed access".
>>
>> I thought that all of the added rules were for the initramfs.  Since
>> only a few are, I'm fine without the tunable, so I merged this version
>> of the patch.
>>
>>
>>
>> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> > ---
>> >  policy/modules/kernel/devices.if    |   56 +++++++++++++++
>> >  policy/modules/kernel/files.if      |  131
>> > ++++++++++++++++++++++++++++++++++++
>> >  policy/modules/kernel/filesystem.if |   18 ++++
>> >  policy/modules/kernel/kernel.if     |   18 ++++
>> >  policy/modules/kernel/kernel.te     |   34 +++++++++
>> >  policy/modules/kernel/terminal.if   |   20 +++++
>> >  6 files changed, 277 insertions(+)
>
> [...]
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy