From: cgzones@googlemail.com (cgzones)
Date: Tue, 27 Dec 2016 21:32:34 +0100
Subject: [refpolicy] [PATCH v2] kernel: missing permissions for confined execution
In-Reply-To: <1078174712.17762.1482870141948.JavaMail.open-xchange@popper10.register.it>
References: <1482021787.10349.1.camel@trentalancia.net>
 <1482094724.22132.12.camel@trentalancia.net>
 <8317c7e0-7d87-6726-837c-1c39b0bfb8c1@ieee.org>
 <1078174712.17762.1482870141948.JavaMail.open-xchange@popper10.register.it>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Maybe we can crib from dwalsh:
https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html

During the development phase between releases implement the unconfined domains via a permissive statement, which causes audits, instead of using the almost almighty unconfined_domain_noaudit interface?

Kindly Regards,
Christian Göttsche

2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy :
> Hello Christopher.
>
> Thanks for merging this. We should now have a fully functional kernel module
> that, as such, should not need the unconfined_domain interface calls anymore.
>
> Unfortunately, version 2 of this patch did not actually remove such interface
> call.
>
> Now, we have two options:
>
> - remove it in a new simple patch today or tomorrow;
> - wait to remove it until after the next release, so that we can benefit from
>   some more development-stage testing, just in case some kernel installation
>   around needs some other permission which did not show up in the tests that I
>   carried out.
>
> For sure, we shall strive to get rid of it, for maximum security.
>
>> On the 27th of December 2016 at 16.52 Chris PeBenito
>> wrote:
>>
>>
>> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
>> > This patch adds missing permissions in the kernel module that prevent
>> > running it without the unconfined module.
>> >
>> > This second version improves the comment section of new interfaces:
>> > "Domain" is replaced by "Domain allowed access".
>>
>> I thought that all of the added rules were for the initramfs. Since
>> only a few are, I'm fine without the tunable, so I merged this version
>> of the patch.
>>
>>
>>
>> > Signed-off-by: Guido Trentalancia
>> > ---
>> >  policy/modules/kernel/devices.if    |  56 +++++++++++++++
>> >  policy/modules/kernel/files.if      | 131 ++++++++++++++++++++++++++++++++++++
>> >  policy/modules/kernel/filesystem.if |  18 ++++
>> >  policy/modules/kernel/kernel.if     |  18 ++++
>> >  policy/modules/kernel/kernel.te     |  34 +++++++++
>> >  policy/modules/kernel/terminal.if   |  20 +++++
>> >  6 files changed, 277 insertions(+)
>
> [...]
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
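Editor's worked example, not code from this thread or from refpolicy. The suggestion above is that a development build should carry `permissive kernel_t;` (denials are logged but not enforced) instead of `unconfined_domain_noaudit(kernel_t)` (everything is granted and nothing is logged), so that the permissions the confined kernel module still lacks show up as AVC records. The script below does the triage step that follows: it parses AVC denial records of the form written to audit.log, keeps only those flagged `permissive=1`, and groups them into candidate `allow` rules per (source type, target type, class). The sample records are constructed for illustration; the type names in them (`console_device_t`, `sysfs_t`, `sshd_t`, `wtmp_t`) are ordinary refpolicy types but the events are invented.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample audit records (NOT real log data): the kind of lines a
# development build with `permissive kernel_t;` might log while an initramfs
# runs as kernel_t. The last record is an enforced denial from another domain
# and is included to show that it is filtered out.
SAMPLE_AVC = """\
type=AVC msg=audit(1482870141.948:101): avc:  denied  { read } for  pid=1 comm="init" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1482870141.948:102): avc:  denied  { open } for  pid=1 comm="init" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1482870142.103:103): avc:  denied  { mounton } for  pid=1 comm="init" path="/sys" dev="rootfs" ino=12 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1482870142.104:104): avc:  denied  { read } for  pid=1 comm="init" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1482870143.500:105): avc:  denied  { write } for  pid=201 comm="sshd" path="/var/log/wtmp" dev="sda1" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=0
"""

# One AVC denial: the permission set in braces, then scontext/tcontext/tclass
# and, on newer kernels, the permissive=0|1 flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

Key = Tuple[str, str, str]  # (source type, target type, object class)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(lines: Iterable[str]) -> List[dict]:
    """Extract the fields we need from every AVC denial record in `lines`."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a malformed one); skip it
        d = m.groupdict()
        out.append({
            "perms": frozenset(d["perms"].split()),
            "stype": context_type(d["scontext"]),
            "ttype": context_type(d["tcontext"]),
            "tclass": d["tclass"],
            "permissive": d["permissive"] == "1",
        })
    return out


def aggregate(denials: List[dict], only_permissive: bool = True) -> Dict[Key, FrozenSet[str]]:
    """Merge denials into one permission set per (stype, ttype, tclass).

    With only_permissive=True, records that were actually enforced
    (permissive=0, i.e. from domains outside the development experiment)
    are ignored so they do not pollute the candidate rules.
    """
    acc: Dict[Key, set] = defaultdict(set)
    for d in denials:
        if only_permissive and not d["permissive"]:
            continue
        acc[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {k: frozenset(v) for k, v in acc.items()}


def to_allow_rules(agg: Dict[Key, FrozenSet[str]]) -> List[str]:
    """Render aggregated denials as sorted, deduplicated allow rules."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(agg.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def candidate_rules(text: str, only_permissive: bool = True) -> List[str]:
    """End-to-end: raw audit text in, candidate allow rules out."""
    return to_allow_rules(aggregate(parse_denials(text.splitlines()), only_permissive))


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AVC):
        print(rule)
```

Two caveats when using this on a real development build. First, `permissive` does not switch off `dontaudit` rules, so denials covered by an existing dontaudit stay invisible unless they are disabled for the test run (`semodule -DB`, re-enable with `semodule -B`). Second, the raw `allow` lines are only the evidence: in refpolicy the kernel module must not reference types owned by other modules directly, so each candidate becomes a call to an interface in the owning module (which is exactly what the merged patch did by adding interfaces to devices.if, files.if, filesystem.if and terminal.if), and each one should be judged on whether the access is actually needed rather than added wholesale.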